Allan_Fernandes asked:
Windows Security Choking Me

My application runs at startup via HKLM\...CurrentVersion\Run.

One fine day one customer complains that the application is not starting.
I notice that a 'security warning' has stopped the exe due to an attribute set in 'Group Policy Editor'.
The next day another call with the same complaint, but this time it is 'User Access Control' and an elevation issue.

The sad part is that these interrupting messages do not show if loaded during startup. They just kill the application even if it is running as administrator.

Is there an end to this menace?
Please Note: My application uses Sockets (Delphi 2007).

Allan Fernandes

systan:

I thought this was an anti-spyware / anti-malware issue; it's impossible that Delphi behaved like that. Try to communicate with your clients and ask them what's going on with their additional software.
jimyX:

What happens if your application is started manually?
That seems to be system configuration rather than an issue within your application.
The network/computer administrator might use Group Policy to block a lot of options, such as opening Registry keys. Also, the firewall might be configured to block port opening, and then your application will be unable to open any port. You need to ask the customer to verify whether your application is in the firewall's exception list.
You need to communicate with the system administrator to find out.
Allan_Fernandes:
Delphi is King, I have no issue with it. Neither is there an issue with my application.
The problem:
1) One of my customers installed Windows 2008, and there was this issue of 'User Access Control' where I had to manually make changes in Security Policy.
2) At another customer's place I had to manually make a change in Group Policy.
3) One customer had unticked 'Display a notification when firewall blocks a program'.

As far as Firewall is concerned the question is asked and most Windows users know they have to say 'Unblock', but if I plan to have hundreds of customers I will not be able to service them.

There is a way to add your application to the list of exceptions in Windows Firewall:
>>One of my customers installed Windows 2008
I thought your application was installed on an old operating system and was running, but suddenly a problem occurred; that's why I asked about "additional software".

Anyway, jimyX has the good solution, and I've tested that too; it's working fine on any Windows system.
I had tried using the same code as in 'addApplicationToFirewall' about a year ago. I do not remember very well because I had to remove the logic in a hurry, as it was causing more problems with security and customers' anxiety. I will attempt adding the code once again.
How about the other issue, can that be tackled too? i.e. security messages popping up every time my application is executed. Can I tell Windows at setup of my application that it is trusted? My customers will willingly enter the administrative password, especially in impersonation mode.
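
As an added example (this is not code from the thread, from the 'addApplicationToFirewall' routine mentioned above, or from the asker's product), here is what the installer-side step looks like when done from an elevated PowerShell session: add a per-program firewall exception on both the Vista / Server 2008 ('advfirewall') and the XP / 2003 (legacy 'firewall') contexts, then register the HKLM Run value the question describes. The install path, rule name and Run value name are assumed placeholders.

```powershell
# Added example, not code from this thread or from the asker's product.
# Registers a backup agent with Windows Firewall and the HKLM Run key from an
# elevated installer. $ExePath, $RuleName and the Run value name are assumed.

$ExePath  = 'C:\Program Files\AutoBackup\AutoBackup.exe'   # assumed install path
$RuleName = 'AutoBackup Agent'                             # assumed rule name

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Both the firewall rule set and HKLM are machine-wide; without elevation
    # these writes fail with "Access denied" (or are silently refused).
    throw 'Run this from an elevated installer (UAC prompt accepted).'
}
if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Executable not found: $ExePath"
}

if ([Environment]::OSVersion.Version.Major -ge 6) {
    # Vista / Server 2008 and later: advfirewall context. Scope the rule to this
    # one program and to inbound traffic only; do not open a port for every process.
    & netsh advfirewall firewall delete rule name="$RuleName" | Out-Null   # idempotent re-install
    & netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        program="$ExePath" enable=yes profile=domain,private
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall failed (exit $LASTEXITCODE)" }
    & netsh advfirewall firewall show rule name="$RuleName"   # verify before reporting success
} else {
    # XP SP2 / Server 2003: legacy firewall context, same per-program scoping.
    & netsh firewall add allowedprogram program="$ExePath" name="$RuleName" mode=ENABLE
    if ($LASTEXITCODE -ne 0) { throw "netsh firewall failed (exit $LASTEXITCODE)" }
}

# Machine-wide autostart, as in the original post. Quote the path so the space in
# "Program Files" cannot be exploited to run C:\Program.exe instead.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Set-ItemProperty -Path $runKey -Name 'AutoBackup' -Value "`"$ExePath`""
```

Once an explicit allow rule exists, the firewall never has to ask: the 'Unblock' prompt only appears when an unlisted program is blocked, and the 'Display a notification...' tick box mentioned earlier only suppresses the prompt, it does not allow the traffic. Keep the rule scoped to the program (and, if the listener port is fixed, add `protocol=TCP localport=<port>`) rather than disabling the firewall profile.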

Might I suggest you alter your program: instead of a standalone application, why not make it a system service?

There are many advantages to system services, especially when the application needs to be run actively on the target machine.
One advantage is to install the service under the administrator account on the target system; this should alleviate many security issues you may run into, as your app now has full access to the system.

Any service installed under the administrator account becomes a (somewhat) trusted application.

If you go the service route there are many considerations to be made, for example: do your users have to actively use the program? I ask this because a user should never be able to interact directly with a Windows service (no GUI); in fact this functionality is disabled in all Windows operating systems after Server 2003 (I may stand corrected).
With that said, you can still interact with a service via many methods (my opinion the best being Named Pipes, you could even communicate via a local port seeing as your app is already using sockets).
My Application is all about Automated backup and requires considerable GUI. But taking your suggestion I can always create a separate service that is just there to watch if my main application is loaded or not.
Please advise if I will encounter a whole new set of hurdles upon creating this service, and also if my plan makes sense.


A quick and dirty solution would be to make a service that runs under the administrator account (or one with sufficient access) that actually executes your GUI (when needed by the user), doing this should eliminate security restrictions.

1. Service will be active on the system (i.e. runs automatically on start up).
2. Create a ghost app that sends a command to the service, which in turn runs your "real" app (if the app is executed from the service it should inherit the service's SACLs, tokens, etc., giving your app the same access to the system as the service).

The long way around is to make a backup service that receives commands from the client GUI.
Your backup app now becomes the service (minus the GUI) and simply receives its information from a client GUI (via NamedPipes).

You can communicate with a NamedPipe from a limited account that was created by a service running under an Administrator account!
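
As an added example (not code from this thread or from the asker's product), here is the named-pipe control channel described above, written in PowerShell against System.IO.Pipes so it can be tried without a service skeleton: the server side creates the pipe with an explicit DACL that lets a limited-account GUI connect while Administrators keep full control, records which user is really on the other end, and honours only a fixed set of verbs; the client side is what the GUI would do. The pipe name and the STATUS / RUN-BACKUP verbs are invented for the demo.

```powershell
# Added example, not code from this thread. A control pipe a backup service could
# expose to its GUI. Pipe name and the STATUS / RUN-BACKUP verbs are invented for
# the demo; System.IO.Pipes needs .NET 3.5 or later.
Add-Type -AssemblyName System.Core

$PipeName = 'AutoBackupControl'   # assumed pipe name

function New-ControlPipeServer {
    # Explicit DACL: a limited-account GUI (Authenticated Users) may connect and
    # talk, Administrators get full control. Anything not listed is denied, which
    # matters because named pipes are also reachable over SMB as \\host\pipe\name.
    $users  = New-Object System.Security.Principal.SecurityIdentifier(
                  [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
                  [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $users, [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $admins, [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow)))

    New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                                # one client at a time
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096, $sec)
}

function Invoke-ControlServerOnce {
    # Service side: accept one client, answer one request, disconnect.
    $server = New-ControlPipeServer
    try {
        $server.WaitForConnection()
        $caller  = $server.GetImpersonationUserName()   # who is really on the other end
        $reader  = New-Object System.IO.StreamReader($server)
        $writer  = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        $request = $reader.ReadLine()
        # The pipe is a trust boundary: the low-privilege client picks a verb from a
        # fixed set and nothing else (no paths, no command lines, no file contents).
        $reply = switch ($request) {
            'STATUS'     { "OK idle (caller=$caller)" }
            'RUN-BACKUP' { "OK backup queued (requested by $caller)" }
            default      { 'ERR unknown command' }
        }
        $writer.WriteLine($reply)
        $server.WaitForPipeDrain()                        # let the client read before closing
    } finally {
        $server.Dispose()
    }
}

function Send-ControlCommand([string]$Verb) {
    # GUI side: runs under the interactive user's limited token.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)                             # ms; fails fast if no service
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine($Verb)
        return $reader.ReadLine()
    } finally {
        $client.Dispose()
    }
}

# Demo: run Invoke-ControlServerOnce in an elevated console (standing in for the
# service), then Send-ControlCommand 'STATUS' from a second, non-elevated console.
```

The point of the explicit PipeSecurity is that the default pipe DACL is not what you want in either direction: it is what lets a limited account talk to a pipe owned by a service, and it is also what stops every other principal on the machine (or on the network, since the pipe is exposed through IPC$) from sending commands to a process that runs as administrator. Treat the verbs as the whole attack surface: anything that lets the client hand the service a path or a command line turns the service into a privilege-escalation tool.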
>> 2. Create a ghost app...
What would that mean?

sYk0:

(This content is only available to members of Experts Exchange.)

Good idea!