Solved

Windows Server 2008 - can not run .exe file

Posted on 2012-04-03
32
3,354 Views
Last Modified: 2012-05-31
Hello,

I am using remote desktop to connect to windows server. With guest account I can not run .exe files -> but I need just this. Other restrictions on guest account are OK with me, but I need to run one particular exe file. When I click on it (logged as guest), nothing happens. I don't see nothing in logs, too. I've set full control (right click -> security) for this .exe file and particular user name, but still can not run it.

Any idea?

Greetings, Frenky
0
Comment
Question by:AntonioRodrigo
  • 14
  • 6
  • 5
  • +3
32 Comments
 
LVL 11

Expert Comment

by:M3rc74
Comment Utility
shift & mouse right clik, run as ?
0
 
LVL 8

Accepted Solution

by:
Chetan Khurana earned 500 total points
Comment Utility
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
@M3rc74 I can't do this because I'm logged in as guest - If I choose run as administrator, then I'll have to provide user name / password.
0
 
LVL 11

Expert Comment

by:M3rc74
Comment Utility
can you add *.exe in remote desktop client, Start the following program on connection ??
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
AntonioRodrigo,

Your desire is mutually exclusive.  Guest accounts on servers are intentionally highly restricted.  You should not connect to a server with RDP as Guest, ever.  Why are you needing to do this?  A better scenario would be this:

1) In a domain scenario, have the users log in with proper AD credentials

or

2) In a stand alone scenario, create a local account on the server, give it RDP Rights, and lock it down to run only your one APP but nothing else.

Either way, using the Guest account in this way is just bad juju.

DrUltima
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
DrUltima,

thanks a lot for your answer. It seems very logical to me. I've just done what I know about Windows Server and this ain't much )) Can you please help me a little bit more? How to create a new user and give him a permission to only open one particular .exe file? At least if you can show me how would you start solving a problem like this?
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
A little more info, please.  Is your server a stand alone or is it a member server in a domain?  I ask because it can (though not necessarily must) affect how you proceed with local accounts (depending on GPO).
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
It's a stand alone server. Basically it's like that: there is a server and inside that server we bought 100GB space. Inside that I've installed Windows Server through VMWare client. So my server runs inside virtual machine. But now (it's easier) I am accessing server through remote desktop. And inside that virtual machine / my installation of windows server I've created a domain. So every user I create is inside that domain.
0
 
LVL 47

Expert Comment

by:dlethe
Comment Utility
A few outside-the-box possibilities, it would help if you said exactly what this executable is, and what the O/S returns.  Clearly the program has logic in there that behaves differently depending on user privileges.  Don't discount the possibility that the developer just screwed up and didn't design it properly so it will never run this way.   Probably no reason to go through all the Win API calls that deal with inherited, runAs, GPO, and even hardware permissions .. suffice to say, I'd step back and research if the program is known to even work the way you want it to.
0
 
LVL 29

Expert Comment

by:matrixnz
Comment Utility
Is the file saved to a trusted location? example: C:\Program Files\Product Folder\Filename.exe
Does the file require privileged rights to run?
nb: some executables can have a RunAsAdmin embedded meaning the program requires elevation to be run.  This can also happen if it attempts to open or call Group Policy blocked programs RegEdit, CMD etc..
What happens if you select "Run as Administrator" does it work as intended?
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
How many concurrent uses of this application might exist?  Do you need it to be able to run multiple times simultaneously, or is it a "one user at a time" type scenario?

DrUltima
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
@matrixnz:
- program is saved in C:\myfolder location.
- if I run the program with 'run as administrator' it runs. But - I wasn't setting anything on that matter. Where is the setting for privileged rights for running the program?


@DrUltima:
- This program will be run by only one user at a time. Each user will have it's own copy of the program.
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
Basically it will be like this: every user will have it's own instance of the .exe file and only one (his own) folder on which he will have read/write rights. Otherwise users will not have rights to run programs or to view / write on the file system.
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
This is really strange: if I check the properties of my .exe file, the user test1 has full control checked and allowed. But, still it can not run that .exe file.

I can only run that .exe in 'run as administrator' mode. But, my users will not have administrator rights, because they are not allowed to see system files and other stuff.
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
I've created a rule in the AppLocker, but with no result - I still can not run .exe if I am logged in as normal user, other than administrator.

I was using:

http://technet.microsoft.com/en-us/library/ee791814(v=ws.10).aspx

and for rule enforcements (strangelly, AppLocker's logs are empty):

http://technet.microsoft.com/en-us/library/ee791885(v=ws.10).aspx
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 29

Expert Comment

by:matrixnz
Comment Utility
1. Try saving it to C:\Program Files\ or into %UserProfile%\MyFolder The C:\MyFolder isn't a trusted folder
2. If each user is having there own executable than you should be placing it inside the profile folder.
3. With regards to the privleged rights, these are usually embedded into the executable code.
0
 
LVL 47

Expert Comment

by:dlethe
Comment Utility
I don't see any problem at all.  The program runs under administrative rights, as stated by the author.   Some programs require such rights because they access system resources which can cause security issues.  Seems to me you are complaining that the O/S protects you from programs that can do bad things when run as a guest.
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
@matrixnz: I've place my executable in Program Files, Program Files (x86) and inside %UserProfile%. And I've created a rule in AppLocker for each of the folder mentioned. Same result, I can not run exe file.

'With regards to the privleged rights, these are usually embedded into the executable code.'

Is there a way to see who has rights to run executable?

@dlethe: I don't run as a guest. I'm logged in as a normal user. Yes, program runs under 'run as administrator'. Is there a way to remove this?
0
 
LVL 47

Expert Comment

by:dlethe
Comment Utility
No, there is no way to remove "run as administrator" constraints.  All the techniques revolve around giving administrative privileges.    It is like asking how can you allow a guest user to delete every file on the computer or any other computer regardless of permissions.  Some low-level system functions require extended privileges.  This is for your protection, and the protection of other users and the data.  If you don't like that, then just give everybody admin privs, and while you are at it, make passwords optional.
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
Yes, but AppLocker gives possiblity to create some rules. I've added a rule through local policy and set path for the executable files - so, files in these folder can be run by the user on which rule is applied -> the only problem is that it doesn't work. In theory everything is cool.
0
 
LVL 29

Expert Comment

by:matrixnz
Comment Utility
Usually it's just set to Require Administrator, this is usually set to get elevated privileges or the UAC Prompt, without knowing what the executable is, all I can suggest is that it requires elevated privileges to run, this can be because the executable requires write access to System Registry or File/Folders for example: HKEY_LOCAL_MACHINE, C:\, C:\Windows\ etc....
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
If the application is requiring administrative rights, then it is touching a secure area of the server, as the other Experts have pointed out.  Also, as has been pointed out, you will have to reduce restrictions to allow this to run, which is a bad idea. One rather tedious alternative is to contact the vendor of the application to see what restricted files/keys are being access and then changing the permissions on just those files/keys.  Remember, to run an application on a Terminal Server, it needs to be designed to do so.  It doesn't sound like your application is.  It would be helpful to know the name of the application you are trying to run.

DrUltima
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
The company I work in (and me as a developer) are authors of the application. Should we modify application to run on terminal services? It is made to be desktop application.
0
 
LVL 29

Expert Comment

by:matrixnz
Comment Utility
So what language are you writing the application in?  Does the application require access to System Resources? i.e. HKLM, HKCR or C:\Program Files\ etc... Is it calling an application that requires elevated privileges?  I'm not sure why you would have separate executables for each user, generally you'd use one executable and the executable would determine where the data is saved.  Can you explain what the application does?
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
The application connects with sql server database -> it reads and writes data to sql server. Also, app is opening some word documents and fills them with data (word templates with bookmarks). Basically, it is one exe and one dll file - exe for running needs this dll, because in it are custom made controls. The applications simplifies public ordering.
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
Does the local policy on the server restrict any activity for authorized TS connections?
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
Not to my knowledge.... this is so strange to me: I can run this exe as administrator, but I can not run it as normal user. Permissions on the folder are for that user (full control) and even for 'everybody'.
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
Folder permissions are only part of the mix.  As has been mentioned above, your user will also need access to any system level files and folders used and registry keys used.  It could be as simple as the C:\Windows\Temp folder (instead of the app using %TEMP%).  Logged in as that user (non-admin), can you run an RSOP and let us know the outcome?
0
 

Author Comment

by:AntonioRodrigo
Comment Utility
I've tried: run - cmd - and the type rsop.msc - it wants administrative password to run this program.
0
 
LVL 29

Expert Comment

by:matrixnz
Comment Utility
The problem is probably the .dll file try this register the .dll as admin and then try run the .exe by default you need elevated privileges to register a .dll.  I had similar issue recently on Windows 2008 R2 writing an rtf using a third party .dll file, standard users weren't able to load the .dll so the rtf creation failed, everything else in the file worked without issue, it was only when I called the .dll that it failed.  On Windows XP it worked fine.
0
 

Author Closing Comment

by:AntonioRodrigo
Comment Utility
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now