Solved

Regular user needs to run app with admin rights

Posted on 2014-03-11
Last Modified: 2014-04-07
I have an app that needs to modify the value of a system registry key.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

This is to enable/disable the use of USB storage devices based on an authorization process (i.e., database query).

If the logged-in user has admin rights, the app is able to modify the registry key, but when logged in as a regular user the app doesn't have sufficient rights to perform the edit. The obvious solution is to use the runas command when executing the app, but then we would need to require that the user not be prompted to enter the admin password.

I have found a number of examples on how to create a shortcut that can use runas without a password, but the GUI steps needed to set that up aren't feasible in my case.  I need to remotely deploy the setup to 5,000+ workstations across our WAN.

Currently we use WPKG for deployments, but I don't know what registry changes I need to push out to enable normal users to run an app with elevated privileges.

Does anyone know what those registry changes might be or can suggest another option?
Question by:FishMonger
8 Comments
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39921241
Use Process Monitor on the account running as local admin.

By default this shows all the actions on the machine, but if you click the Filter menu and then set the filter to select "Operation", "Begins with" and "Reg", you'll see a list of all the registry actions taking place.

Bear in mind that the OS is accessing the registry on a regular basis so there's going to be a lot of (mainly useless) information.  Launch the app and then take a snapshot to see if you can identify the likely registry locations being accessed (you'll probably need to expand the ProcMon window full width to see the full path to the keys being accessed).

Alternatively you can do the same thing with the user without admin privs - then, with the same process,  you should see attempts to edit the registry being flagged in ProcExp as "denied" at the same time as you get errors from the app.
0
 
LVL 28

Author Comment

by:FishMonger
ID: 39921806
Hmm, that sounds like a possibility, but it will take some time to filter through and compare the data.

It's unclear and in my mind doubtful that it will indicate which keys need to be updated and what their values need to be to allow the normal user to run the app with admin rights.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39921845
All you should need to do is identify the Keys the app needs to access/change then give the user local admin rights to just those keys (in the registry you can use right-click Permissions).
You won't need to worry about the values if the user has the correct permissions.

If it's just a registry access issue that's preventing it running that should be job done.  If the app is trying to write data to a reserved location there is still some more work to be done but again Process Monitor will point you at what the User account is being blocked from doing.
0
 
LVL 28

Author Comment

by:FishMonger
ID: 39921923
I can't use any solution that requires a "right-click" operation in the registry editor because this must be accomplished without user interaction, i.e., it (setting user rights) will be pushed out via WPKG.

"You won't need to worry about the values if the user has the correct permissions."

That's the problem; the user doesn't have proper permissions.

Accessing (reading) the required registry key is not the problem. The app needs to write to the system portion of the registry, which requires administrator rights.
0
 
LVL 28

Author Comment

by:FishMonger
ID: 39921941
If it wasn't clear in my posts, I don't want to give the user write access to the registry key.  I need the application to have write access.  In order to accomplish that, the user needs to be able to run the application as the administrator so that the application (not the user) can make the registry change.

If done the other way around where the user has direct write access to the key, then that opens up a security hole where they can enable USB storage devices without having authorization.
0
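The risk described in the comment above (a user holding direct write access to the USBSTOR key could enable USB storage without authorization) can be verified on a workstation by auditing the key's ACL non-interactively. This is an added example, not code from the thread; the function name and the allowlist of trusted SIDs are assumptions to adjust to local policy.

```powershell
# Added example (not from the thread): list ACEs that let anyone outside an
# allowlist modify the USBSTOR service key.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Specific rights that allow changing values, subkeys, or the key's security.
$WriteRights = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Unmapped generic bits (GENERIC_WRITE, GENERIC_ALL) seen on inherit-only ACEs.
$GenericWrite = 0x40000000 -bor 0x10000000

# Assumption: principals expected to hold write access; adjust to local policy.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0'         # CREATOR OWNER
)

function Get-UntrustedWriteAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allow
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.RegistryRights
        if (($mask -band ($WriteRights -bor $GenericWrite)) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($Allow -contains $sid) { continue }
        # SIDs of deleted or foreign-domain accounts may not resolve to a name.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Sid       = $sid
            Account   = $name
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-UntrustedWriteAce -Path $KeyPath -Allow $TrustedSids)
if ($findings.Count -eq 0) { "OK: only allowlisted principals can write to $KeyPath" }
else { $findings | Format-Table -AutoSize }
```

Any row returned identifies a principal that can change the key without going through the authorization process.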
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39922105
OK, understood.

If the app doesn't have a UAC compatible version you can use instead, the only way I think you are going to progress this (that isn't going to open up a security hole) will be to try running it through M$'s Application Compatibility Toolkit. Not sure that even if ACT is able to tweak permissions for the app rather than user that this will be in a way that the settings can be pushed the way you want.
0
 
LVL 28

Accepted Solution

by:
FishMonger earned 0 total points
ID: 39957017
Sorry for the delay in responding.  I had to put this on the "back burner" for a bit to work on another project.

I've looked over each of your suggestions and unless I've missed something none of them will accomplish what I need.

For now, I'll probably need to use WPKG to push out the USBSTOR registry change during boot up rather than doing it via my login application.
0
 
LVL 28

Author Closing Comment

by:FishMonger
ID: 39982561
None of the other proposed solutions would do what I needed.
0
