Solved

How to restart a specific service when non-administrator; Windows Seven

Posted on 2011-03-24
Last Modified: 2012-05-11
Hi,
On a Windows 7 Business, used at home (no domain),
I'm trying to make my family (non-admin users) able to restart a specific service with a simple double-click on an icon (some application that goes wrong sometimes).
Every method leads to a blocking situation. Something's always missing. Can you help?

1) I tried a simple .bat with "net stop/start myservice".
I tried a 3rd-party tool to elevate privileges automatically (http://www.winability.com/elevate/) to avoid these boring UAC confirmation windows. I don't want to disable UAC.
But, as it's a .bat, I can't modify its properties to "run as administrator" for everyone.

2) OK, then I compiled it as a .exe with some "bat to exe" tool.
Now I can modify its compatibility settings to make it run as administrator. Works for me, let's say user "MYHOST\me".
BUT, the .exe is not signed, so "MYHOST\me" can confirm this other UAC window ("allow unknown publisher blah blah") with a simple click, but "MYHOST\mywifeorchild" has to authenticate as the only admin user - MYHOST\me - for which they don't have the password.

3) Then I tried to create a scheduled task and a shortcut to it (http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html).
(By the way, I got rid of the "elevate" program this way. My .bat is just "net stop / net start")
That's OK, I created my shortcut to "schtasks.exe /run /tn MyTask". Runs for MYHOST\me.
But MYHOST\mywife can't launch it: "access denied". Furthermore, the task doesn't appear in the list when she's logged in. Like the task is for one user only (I didn't know that). I tried different settings with the running user (me, her) and the "logged on or not" option. Still not working.

I thought there could be an answer here http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_26571977.html but I don't understand.

How can I finally make it possible? By either
- allowing one specific .exe as an exception for the signed application check in UAC? Some place in regedit?
- making this bat/exe/scheduled task/whatever runnable as admin for anyone?
- adding some specific permission to my non-admin users (something like LogonAsBatch?). Luckily, a Windows Business might allow it (vs. Home edition)
- the script might be PowerShell as well, provided a non-admin can start it without authenticating.

Of course, I don't want them to get the full admin right.

Thank you,
Question by:mchkorg
11 Comments
 
LVL 5

Expert Comment

by:zazagor
ID: 35207297
0
 
LVL 7

Author Comment

by:mchkorg
ID: 35207561
OK, that's what I said: if I create my .exe from my .bat, I can set the permission you're talking about, BUT: UAC still asks for admin rights to confirm this unsigned binary is trustworthy.
And admin right means :
- a single click for me
- my password for the non-admin users
0
 

Assisted Solution

by:Noghri
Noghri earned 50 total points
ID: 35260568
The bit about the exe running and still asking for permission is because it is not signed with a trusted certificate. You could generate a signing authority, add the Signing Authority certificate to the trusted certificates, and then sign your application with a code signing certificate signed by your 'trusted' certificate.

It's an awkward way round, and you will have to keep those certificates pretty safe as they would allow people to sign any program and have it run 'trusted'. I've not played with Root CAs on Windows - I used the php-ca from sourceforge on a Linux box. Installing the MS RootCA on a Windows machine has some far-reaching implications if done on a domain!

I have had to do a similar thing with macros as I didn't want the nag screens every time.
0
 
LVL 27

Accepted Solution

by:
davorin earned 450 total points
ID: 35261443
You can try to use a tool like SetACL or SubInACL to set permissions on services:
http://helgeklein.com/
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

I have not tried it on Windows 7, but maybe it will work.
0
 
LVL 7

Author Comment

by:mchkorg
ID: 35276546
I'll check this quickly, thank you
0
 
LVL 7

Author Comment

by:mchkorg
ID: 35308726
davorin, I tried setACL
I ran this as admin :
setacl -on "My service" -ot srv -ace "n:A-Non-Admin-User;p:start_stop,read" -actn ace


But it told me:
WARNING: Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted.
WARNING: Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted.
INFO: Processing ACL of: <My service>
ERROR: Writing SD to <My service> failed with: Access denied.


Strange thing: Windows didn't ask for elevated privileges when I started this command.
I tried to use "elevate setacl...", it all says it's OK, but when I list:
setacl -on "My service" -ot srv -actn list

I can't see any new permission.

Any idea?
0
 
LVL 7

Author Comment

by:mchkorg
ID: 35308745
OK, I tried with "subinacl"
It worked, the trick was to start the "cmd" as administrator.
Maybe it was the same for setacl.
The command was:

C:\Program Files\Windows Resource Kits\Tools>subinacl /service "My Service" /GRANT=MYHOST\My-user=TO


Results:
My Service : delete Perm. ACE 4 myhost\my-user
My Service : new ace for myhost\my-user
My Service : 2 change(s)


Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : My Service


I used:
http://www.eventlogblog.com/blog/2007/11/setting-service-permissions-wi.html
and http://blogs.msdn.com/b/astebner/archive/2006/09/04/739820.aspx
0
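
An added example (not part of the original thread and not the poster's code): a PowerShell check of a service's DACL after a grant like the SubInACL one above, to confirm a non-admin account received start/stop and nothing that lets it reconfigure the service or rewrite its ACL. The function name is hypothetical, and the SDDL string and SIDs are constructed sample data.

```powershell
# Two-letter SDDL rights as they apply to service objects.
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'
    SW = 'EnumerateDependents'; RP = 'Start'; WP = 'Stop'
    DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
}
# Rights beyond start/stop that allow changing the service or its ACL.
$Excessive  = 'ChangeConfig', 'WriteDac', 'WriteOwner', 'Delete'
# Trustees expected to hold full control: SYSTEM and built-in Administrators.
$Privileged = 'SY', 'BA'

function Get-ServiceAceReport {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # The DACL is everything before the optional SACL ("S:") section.
    $dacl = ($Sddl -csplit 'S:')[0]
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')   # type;flags;rights;guid;guid;trustee
        # Rights are concatenated two-letter codes; hex masks and unknown
        # codes are surfaced as Unknown(...) so they get a manual look.
        $names = @([regex]::Matches($f[2], '0x[0-9A-Fa-f]+|[A-Z]{2}') | ForEach-Object {
            if ($ServiceRights.ContainsKey($_.Value)) { $ServiceRights[$_.Value] }
            else { "Unknown($($_.Value))" }
        })
        $risky = @($names | Where-Object { $Excessive -contains $_ -or $_ -like 'Unknown*' })
        New-Object PSObject -Property @{
            Trustee = $f[5]
            Type    = $f[0]
            Rights  = $names -join ','
            # Allow ACE, non-privileged trustee, more than start/stop/query.
            Review  = ($f[0] -eq 'A' -and $Privileged -notcontains $f[5] -and $risky.Count -gt 0)
        } | Select-Object Trustee, Type, Rights, Review
    }
}

# Constructed sample: default-style ACEs, one user with start/stop only,
# and one user who was also given ChangeConfig (should be flagged).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;RPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1001)' +
          '(A;;RPWPDC;;;S-1-5-21-1111111111-2222222222-3333333333-1002)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Get-ServiceAceReport $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-ServiceAceReport ((sc.exe sdshow 'My service') -join '')
```

Only the last constructed ACE comes back with Review set to True; the start/stop-only ACE for the first user passes.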
 
LVL 7

Author Closing Comment

by:mchkorg
ID: 35308748
Thank you for pointing me to these tools.
0
 
LVL 27

Expert Comment

by:davorin
ID: 35308774
Temporarily enabling the built-in administrator account and starting a new command prompt with "runas /user:administrator cmd" should help with that problem.
0
 
LVL 27

Expert Comment

by:davorin
ID: 35308778
I type too slow ;)
I'm glad you have solved your problem and thx for points.
0
