Solved

Regular user needs to run app with admin rights

Posted on 2014-03-11
Last Modified: 2014-04-07
I have an app that needs to modify the value of a system registry key.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

This is to enable/disable the use of USB storage devices based on an authorization process (i.e., database query).

If the logged-in user has admin rights, the app is able to modify the registry key, but when logged in as a regular user then the app doesn't have sufficient rights to perform the edit.  The obvious solution is to use the runas command when executing the app, but then we would need to require that the user not be prompted to enter the admin password.

I have found a number of examples on how to create a shortcut that can use runas without a password, but the GUI steps needed to set that up aren't feasible in my case.  I need to remotely deploy the setup to 5,000+ workstations across our WAN.

Currently we use WPKG for deployments, but I don't know what registry changes I need to push out to enable normal users to run an app with elevated privileges.

Does anyone know what those registry changes might be or can suggest another option?
Question by:FishMonger
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Use Process Monitor on the account running as local admin.

By default this shows all the actions on the machine but if you click the Filter menu and then set the filter to select under "Operation" "Begins with," and "Reg" you'll see a list of all the registry actions taking place.

Bear in mind that the OS is accessing the registry on a regular basis so there's going to be a lot of (mainly useless) information.  Launch the app and then take a snapshot to see if you can identify the likely registry locations being accessed (you'll probably need to expand the ProcMon window full width to see the full path to the keys being accessed).

Alternatively you can do the same thing with the user without admin privs - then, with the same process,  you should see attempts to edit the registry being flagged in ProcExp as "denied" at the same time as you get errors from the app.
0
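The Process Monitor triage described in the comment above can also be done offline on a CSV export (File > Save > CSV) instead of by eye. This is an added example, not part of the original thread; the process name `usbauth.exe` and every row in the sample are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's CSV export layout.
# The process names and the non-USBSTOR paths are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1000000 AM","usbauth.exe","4120","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR","SUCCESS","Desired Access: Read"
"10:02:11.1000400 AM","usbauth.exe","4120","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR","ACCESS DENIED","Desired Access: Set Value"
"10:02:11.2000000 AM","svchost.exe","912","RegOpenKey","HKLM\SOFTWARE\Example","ACCESS DENIED","Desired Access: All Access"
"10:02:11.3000000 AM","usbauth.exe","4120","CreateFile","C:\ProgramData\usbauth\state.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:02:15.1000000 AM","usbauth.exe","4120","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR","ACCESS DENIED","Desired Access: Set Value"
'''


def denied_registry_ops(csv_text, process=None):
    """Count denied Reg* events, keyed by (process, operation, path, detail)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same test as the "Operation begins with Reg" filter in the GUI.
        if not row["Operation"].startswith("Reg"):
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        key = (row["Process Name"], row["Operation"], row["Path"], row["Detail"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig").read()
    hits = denied_registry_ops(SAMPLE_CSV, "usbauth.exe")
    for (proc, op, path, detail), n in hits.items():
        print(f"{n}x {proc} {op} {path} [{detail}]")
```

The `Detail` column shows which access the process asked for, which separates a denied write from a denied read on the same key.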
 
LVL 28

Author Comment

by:FishMonger
Hmm, that sounds like a possibility, but will take some time to filter through and compare the data.

It's unclear and in my mind doubtful that it will indicate which keys need to be updated and what their values need to be to allow the normal user to run the app with admin rights.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
All you should need to do is identify the Keys the app needs to access/change then give the user local admin rights to just those keys (in the registry you can use right-click Permissions).
You won't need to worry about the values if the user has the correct permissions.

If it's just a registry access issue that's preventing it running that should be job done.  If the app is trying to write data to a reserved location there is still some more work to be done but again Process Monitor will point you at what the User account is being blocked from doing.
0
 
LVL 28

Author Comment

by:FishMonger
I can't use any solution that requires "right-click" operation in the registry editor because this must be accomplished without user interaction i.e., it (setting user rights) will be pushed out via WPKG.

> You won't need to worry about the values if the user has the correct permissions.
That's the problem; the user doesn't have proper permissions.

Accessing (reading) the required registry key is not the problem.  The app needs to write to the system portion of the registry, which requires administrator rights.
0
LVL 28

Author Comment

by:FishMonger
If it wasn't clear in my posts, I don't want to give the user write access to the registry key.  I need the application to have write access.  In order to accomplish that, the user needs to be able to run the application as the administrator so that the application (not the user) can make the registry change.

If done the other way around where the user has direct write access to the key, then that opens up a security hole where they can enable USB storage devices without having authorization.
0
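The concern in the comment above, that write access on the key for ordinary users bypasses the authorization step, can be checked fleet-wide by auditing the key's ACL. This is an added example, not part of the original thread: it parses an SDDL string such as the one PowerShell returns from `(Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Sddl`. The trusted-principal list and both sample strings are assumptions constructed for illustration.

```python
import re

# Access-mask bits that let a principal change the key, its subkeys or its ACL.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000
KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x2, 0x4
WRITE_MASK = (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | DELETE | WRITE_DAC
              | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL)

# SDDL rights tokens mapped to access-mask bits.
RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
          "GA": GENERIC_ALL, "GW": GENERIC_WRITE, "GR": 0x80000000,
          "GX": 0x20000000, "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,
          "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": DELETE, "RC": 0x20000, "WD": WRITE_DAC, "WO": WRITE_OWNER}

# Assumption: only SYSTEM and BUILTIN\Administrators should be able to write.
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

# Constructed SDDL strings (not read from a real machine).
LOCKED_DOWN = "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
USERS_CAN_WRITE = ("O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
                   "(A;CI;CCDCLCSWRPRC;;;BU)")


def mask_of(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on an unknown token, by design
    return mask


def writable_by_untrusted(sddl):
    """List (trustee, write bits, ACE flags) for allow ACEs outside TRUSTED.

    Deny ACEs and group membership are not evaluated, so treat hits as leads.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        write_bits = mask_of(rights) & WRITE_MASK
        if ace_type == "A" and write_bits and trustee not in TRUSTED:
            findings.append((trustee, hex(write_bits), flags))
    return findings
```

In the second sample `BU` (BUILTIN\Users) is reported with bits `0x6`, meaning set-value and create-subkey access, which is the exposure the comment warns about.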
 
LVL 62

Expert Comment

by:☠ MASQ ☠
OK, understood.

If the app doesn't have a UAC compatible version you can use instead, the only way I think you are going to progress this (that isn't going to open up a security hole) will be to try running it through M$'s Application  Compatibility Toolkit.  Not sure that even if ACT is able to tweak permissions for the app rather than user that this will be in a way that the settings can be pushed the way you want.
0
 
LVL 28

Accepted Solution

by:
FishMonger earned 0 total points
Sorry for the delay in responding.  I had to put this on the "back burner" for a bit to work on another project.

I've looked over each of your suggestions and unless I've missed something none of them will accomplish what I need.

For now, I'll probably need to use WPKG to push out the USBSTOR registry change during boot up rather than doing it via my login application.
0
 
LVL 28

Author Closing Comment

by:FishMonger
None of the other proposed solutions would do what I needed.
0
