• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356
  • Last Modified:

Regular user needs to run app with admin rights

I have an app that needs to modify the value of a system registry key.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

This is to enable/disable the use of USB storage devices based on an authorization process (i.e., database query).

If the logged-in user has admin rights, the app is able to modify the registry key, but when logged-in as a regular user then the app doesn't have sufficient rights to preform the edit.  The obvious solution is to use the runas command when executing the app, but then we would need to require that the user not be prompted to enter the admin password.

I have found a number of examples on how to create a shortcut that can use runas without a password, but the GUI steps needed to set that up aren't feasible in my case.  I need to remotely deploy the setup to 5,000+ workstations across our WAN.

Currently we use WPKG for deployments, but I don't know what registry changes I need to push out to enable normal users to run an app with elevated privileges.

Does anyone know what those registry changes might be or can suggest another option?
0
FishMonger
Asked:
FishMonger
  • 5
  • 3
1 Solution
 
☠ MASQ ☠Commented:
Use Process Monitor on the account running as local admin.

By default this shows all the actions on the machine but if you click the Filter menu and then set the filter to select under "Operation" "Begins with," and "Reg" you'll see a list of all the registry actions taking place.

Bear in mind that the OS is accessing the registry on a regular basis so there's going to be a lot of (mainly useless) information.  Launch the app and then take a snapshot to see if you can identify the likely registry locations being accessed (you'll probably need to expand the ProcMon window full width to see the full path to the keys being accessed).

Alternatively you can do the same thing with the user without admin privs - then, with the same process,  you should see attempts to edit the registry being flagged in ProcExp as "denied" at the same time as you get errors from the app.
0
 
FishMongerAuthor Commented:
Hmm, that's sounds like a possibility, but will take some time to filter through and compare the data.

It's unclear and in my mind doubtful that it will indicate which keys need to be updated and what their values need to be to allow the normal user to run the app with admin rights.
0
 
☠ MASQ ☠Commented:
All you should need to do is identify the Keys the app needs to access/change then give the user local admin rights to just those keys (in the registry you can use right-click Permissions).
You won't need to worry about the values if the user has the correct permissions.

If it's just a registry access issue that's preventing it running that should be job done.  If the app is trying to write data to a reserved location there is still some more work to be done but again Process Monitor will point you at what the User account is being blocked from doing.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
FishMongerAuthor Commented:
I can't use any solution that requires "right-click" operation in the registry editor because this must be accomplished without user interaction i.e., it (setting user rights) will be pushed out via WPKG.

You won't need to worry about the values if the user has the correct permissions.
That's the problem; the user doesn't have proper permissions.

Accessing (reading) the required registry key is not the problem.  The app needs to write to system portion of the registry, which requires administrator rights.
0
 
FishMongerAuthor Commented:
If it wasn't clear in my posts, I don't want to give the user write access to the registry key.  I need the application to have write access.  In order to accomplish that, the user needs to be able to run the application as the administrator so that the application (not the user) can make the registry change.

If done the other way around where the user has direct write access to the key, then that opens up a security hole where they can enable USB storage devices without having authorization.
0
 
☠ MASQ ☠Commented:
OK, understood.

If the app doesn't have a UAC compatible version you can use instead, the only way I think you are going to progress this (that isn't going to open up a security hole) will be to try running it through M$'s Application  Compatibility Toolkit.  Not sure that even if ACT is able to tweak permissions for the app rather than user that this will be in a way that the settings can be pushed the way you want.
0
 
FishMongerAuthor Commented:
Sorry for the delay in responding.  I had to put this on the "back burner" for a bit to work on another project.

I've looked over each of your suggestions and unless I've missed something none of them will accomplish what I need.

For now, I'll probably need to use WPKG to push out the USBSTOR registry change during boot up rather than doing it via my login application.
0
 
FishMongerAuthor Commented:
None of the other proposed solutions would do what I needed.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now