Link to home
Start Free TrialLog in
Avatar of FishMonger
FishMongerFlag for United States of America

asked on

Regular user needs to run app with admin rights

I have an app that needs to modify the value of a system registry key.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

This is to enable/disable the use of USB storage devices based on an authorization process (i.e., database query).

If the logged-in user has admin rights, the app is able to modify the registry key, but when logged-in as a regular user then the app doesn't have sufficient rights to preform the edit.  The obvious solution is to use the runas command when executing the app, but then we would need to require that the user not be prompted to enter the admin password.

I have found a number of examples on how to create a shortcut that can use runas without a password, but the GUI steps needed to set that up aren't feasible in my case.  I need to remotely deploy the setup to 5,000+ workstations across our WAN.

Currently we use WPKG for deployments, but I don't know what registry changes I need to push out to enable normal users to run an app with elevated privileges.

Does anyone know what those registry changes might be or can suggest another option?
Avatar of ☠ MASQ ☠
☠ MASQ ☠

Use Process Monitor on the account running as local admin.

By default this shows all the actions on the machine but if you click the Filter menu and then set the filter to select under "Operation" "Begins with," and "Reg" you'll see a list of all the registry actions taking place.

Bear in mind that the OS is accessing the registry on a regular basis so there's going to be a lot of (mainly useless) information.  Launch the app and then take a snapshot to see if you can identify the likely registry locations being accessed (you'll probably need to expand the ProcMon window full width to see the full path to the keys being accessed).

Alternatively you can do the same thing with the user without admin privs - then, with the same process,  you should see attempts to edit the registry being flagged in ProcExp as "denied" at the same time as you get errors from the app.
Avatar of FishMonger

ASKER

Hmm, that's sounds like a possibility, but will take some time to filter through and compare the data.

It's unclear and in my mind doubtful that it will indicate which keys need to be updated and what their values need to be to allow the normal user to run the app with admin rights.
All you should need to do is identify the Keys the app needs to access/change then give the user local admin rights to just those keys (in the registry you can use right-click Permissions).
You won't need to worry about the values if the user has the correct permissions.

If it's just a registry access issue that's preventing it running that should be job done.  If the app is trying to write data to a reserved location there is still some more work to be done but again Process Monitor will point you at what the User account is being blocked from doing.
I can't use any solution that requires "right-click" operation in the registry editor because this must be accomplished without user interaction i.e., it (setting user rights) will be pushed out via WPKG.

You won't need to worry about the values if the user has the correct permissions.
That's the problem; the user doesn't have proper permissions.

Accessing (reading) the required registry key is not the problem.  The app needs to write to system portion of the registry, which requires administrator rights.
If it wasn't clear in my posts, I don't want to give the user write access to the registry key.  I need the application to have write access.  In order to accomplish that, the user needs to be able to run the application as the administrator so that the application (not the user) can make the registry change.

If done the other way around where the user has direct write access to the key, then that opens up a security hole where they can enable USB storage devices without having authorization.
OK, understood.

If the app doesn't have a UAC compatible version you can use instead, the only way I think you are going to progress this (that isn't going to open up a security hole) will be to try running it through M$'s Application  Compatibility Toolkit.  Not sure that even if ACT is able to tweak permissions for the app rather than user that this will be in a way that the settings can be pushed the way you want.
ASKER CERTIFIED SOLUTION
Avatar of FishMonger
FishMonger
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
None of the other proposed solutions would do what I needed.