?
Solved

Regular user needs to run app with admin rights

Posted on 2014-03-11
8
Medium Priority
?
354 Views
Last Modified: 2014-04-07
I have an app that needs to modify the value of a system registry key.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

This is to enable/disable the use of USB storage devices based on an authorization process (i.e., database query).

If the logged-in user has admin rights, the app is able to modify the registry key, but when logged-in as a regular user then the app doesn't have sufficient rights to preform the edit.  The obvious solution is to use the runas command when executing the app, but then we would need to require that the user not be prompted to enter the admin password.

I have found a number of examples on how to create a shortcut that can use runas without a password, but the GUI steps needed to set that up aren't feasible in my case.  I need to remotely deploy the setup to 5,000+ workstations across our WAN.

Currently we use WPKG for deployments, but I don't know what registry changes I need to push out to enable normal users to run an app with elevated privileges.

Does anyone know what those registry changes might be or can suggest another option?
0
Comment
Question by:FishMonger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39921241
Use Process Monitor on the account running as local admin.

By default this shows all the actions on the machine but if you click the Filter menu and then set the filter to select under "Operation" "Begins with," and "Reg" you'll see a list of all the registry actions taking place.

Bear in mind that the OS is accessing the registry on a regular basis so there's going to be a lot of (mainly useless) information.  Launch the app and then take a snapshot to see if you can identify the likely registry locations being accessed (you'll probably need to expand the ProcMon window full width to see the full path to the keys being accessed).

Alternatively you can do the same thing with the user without admin privs - then, with the same process,  you should see attempts to edit the registry being flagged in ProcExp as "denied" at the same time as you get errors from the app.
0
 
LVL 28

Author Comment

by:FishMonger
ID: 39921806
Hmm, that's sounds like a possibility, but will take some time to filter through and compare the data.

It's unclear and in my mind doubtful that it will indicate which keys need to be updated and what their values need to be to allow the normal user to run the app with admin rights.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39921845
All you should need to do is identify the Keys the app needs to access/change then give the user local admin rights to just those keys (in the registry you can use right-click Permissions).
You won't need to worry about the values if the user has the correct permissions.

If it's just a registry access issue that's preventing it running that should be job done.  If the app is trying to write data to a reserved location there is still some more work to be done but again Process Monitor will point you at what the User account is being blocked from doing.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 28

Author Comment

by:FishMonger
ID: 39921923
I can't use any solution that requires "right-click" operation in the registry editor because this must be accomplished without user interaction i.e., it (setting user rights) will be pushed out via WPKG.

You won't need to worry about the values if the user has the correct permissions.
That's the problem; the user doesn't have proper permissions.

Accessing (reading) the required registry key is not the problem.  The app needs to write to system portion of the registry, which requires administrator rights.
0
 
LVL 28

Author Comment

by:FishMonger
ID: 39921941
If it wasn't clear in my posts, I don't want to give the user write access to the registry key.  I need the application to have write access.  In order to accomplish that, the user needs to be able to run the application as the administrator so that the application (not the user) can make the registry change.

If done the other way around where the user has direct write access to the key, then that opens up a security hole where they can enable USB storage devices without having authorization.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39922105
OK, understood.

If the app doesn't have a UAC compatible version you can use instead, the only way I think you are going to progress this (that isn't going to open up a security hole) will be to try running it through M$'s Application  Compatibility Toolkit.  Not sure that even if ACT is able to tweak permissions for the app rather than user that this will be in a way that the settings can be pushed the way you want.
0
 
LVL 28

Accepted Solution

by:
FishMonger earned 0 total points
ID: 39957017
Sorry for the delay in responding.  I had to put this on the "back burner" for a bit to work on another project.

I've looked over each of your suggestions and unless I've missed something none of them will accomplish what I need.

For now, I'll probably need to use WPKG to push out the USBSTOR registry change during boot up rather than doing it via my login application.
0
 
LVL 28

Author Closing Comment

by:FishMonger
ID: 39982561
None of the other proposed solutions would do what I needed.
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring Remote Assistance for use with SCCM
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question