We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

How do you copy/create files in C:\ root directory

Medium Priority
1,146 Views
Last Modified: 2013-12-04
I have a third-party command line application that we run via a batch file.  It converts stock trading data from one application for use in another.  The batch file is very simple and works just fine if you have administrative privileges on the PC.

I believe this application fails because a lack of priveleges causes the creation of a log file to fail.  The user that needs to run this is simply a standard user and cannot run the application because one of the first things that it does is create a log file in the C:\ directory.  This user cannot create files in C:\ without getting prompted to supply Administrator credentials.

This user is the reckless type where things stop suddenly working and claims nothing was changed/installed/modified, etc.  There is no way I can trust this person with administrative privileges.

Is there a way to grant file create/write to the C:\ without disabling UAC or changing the user's privileges?
Comment
Watch Question

Commented:
Any chance you can have the application run as a different user?
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
You can use task scheduler to run the bat at logon using admin credentials, or change the directory it writes to to a place the user has permissions.

Commented:
Just change the directory to temp directory or has that been restricted to the user also? %TMP% and %TEMP% are the window's temp directory variables.

Author

Commented:
@mattvmotas - No unfortunately that is not an option.

@xuserx2000 - I am already pursuing where the log writes with the third party vendor.

@namol:  Until I hear otherwise from the vendor, there is no apparent way to redirect where there log is created.  Both of the environment vars that you mention point to C:\Users\<username>\AppData\Local\Temp so I don't believe that's the issue.

Commented:
Is it always the same filename?  Could you create a zero length file and give the user rights to just that file?

Author

Commented:
Yes the file name is always the same but the log is transient in that it only exists while the program runs and gets deleted if there are no errors logged.
CERTIFIED EXPERT

Commented:
Does it have to run on C?
Change it to another drive letter, create a folder, share it, map it as the drive letter, and give him permissions.
CERTIFIED EXPERT

Commented:
Rats; and see if it works when you copy the program to the mapped drive and run it there.
What about the Virtual Store?

File virtualization addresses the situation where an application relies on the ability to store a file, such as a configuration file, in a system location typically writeable only by administrators. Running programs as a standard user in this situation might result in program failures due to insufficient levels of access.

When an application writes to a system location only writeable by administrators, Windows then writes all subsequent file operations to a user-specific path under the Virtual Store directory, which is located at %LOCALAPPDATA%\VirtualStore. Later, when the application reads back this file, the computer will provide the one in the Virtual Store. Because the Windows security infrastructure processes the virtualization without the application’s assistance, the application believes it was able to successfully read and write directly to the protected area. The transparency of file virtualization enables applications to perceive that they are writing and reading from the protected resource, when in fact they are accessing the virtualized version.

Author

Commented:
@DavisMcCarn:  the program already runs from a mapped drive.  It appears that the application assumes that there will always be a C:\ drive and creates the log there.

@Melannk24: I see what you are getting at but the app does not appear to behave the way you describe. It is my understanding that under WIndows 7 (and Vista) even users with administrative privileges run apps as standard users and if more juice is needed UAC prompts for administrative privileges.  This application never tries to execute at a level requiring more privilege.  It just tries to run and fails around the time that the log file creation attempot on C:\ fails.   I am not sure what else to do with the information you provided. If you can elaborate I'd appreciate it.
You are correct that in Vista and 7 even Admin users run apps as standard users, but the behavior of the virtual store depends on the application attributes.  Have you tried changing the properties of the application itself to "Run as Administrator", supply the credentials and run in XP service pack 2 mode?  This could force the behavior I was stating before in which the application may not fail and think it's writing to the protected area when it's being redirected to the virtual store of the user's profile.  The only thing is you would probably have to use a  vb script to supply the credentials because it will prompt the user.  Using a vb script can allow you to launch the batch file with the credentials you supply and it would only apply to that file allowing you to keep the user as "standard".  If you are interested in a sample script, I can throw one your way to test with and you can see what results you get.

Do you know if the application is marked with a run level in its manifest?  Because if it does, Windows will disable data redirection by default.  

Author

Commented:
So I tried installed the executable on the C: drive so that I could apply "Run As Administrator" and XP compatibility mode to the executable but no joy.  The application failed in the same place.

I am beginning to think there is no solution to this problem short of granting this user Administrative privileges...

Author

Commented:
After the user left, I granted him Administrative privileges and successfully ran the application.  So there is no doubt in my mind about this being a permissions issue.
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
If you create a scheduled task, ...with no schedule... pointing to the executable, and supplying admin credentials to the task...  a regular user could be give permission to RUN the task, which launches the program in admin credentials.  You can even put a shortcut on the desktop to run the scheduled task.

This would allow them to run as an admin, but not see what credentials they are running under.
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
LeeTutorretired
CERTIFIED EXPERT
Top Expert 2009

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.