Windows Vista and elevated privileges

  • Windows Vista and elevated privileges

    Hi,
    I have Hyena installed on Vista. I start Hyena with the Runas command as domain administrator.
    When I try to either run an external tool like mmc.exe (through Tools in Hyena) or try to start Event Viewer (right click a computer under Computers, select Events and Event viewer) I get the "Unable to execute program the requested operation requires elevation" message.
    This was not a problem in XP and I could run all my tools like mmc, Exchange manager and so on out of Hyena with the domain administrator privileges.
    Is there a workaround?
    Regards,

  • #2
    Re: Windows Vista and elevated privileges

    I could not find any information on that error, so make sure you are posting the exact wording in the error message.

    Also, see if you get the same error if you click Start->Run and type in the same command.

    Are you right clicking on the Hyena shortcut and selecting Run As Administrator in Vista?
    Kevin Stanush
    SystemTools Software Inc.


    • #3
      Re: Windows Vista and elevated privileges

      > Originally posted by kstanush:
      > I could not find any information on that error, so make sure you are posting the exact wording in the error message.
      >
      > Also, see if you get the same error if you click Start->Run and type in the same command.
      >
      > Are you right clicking on the Hyena shortcut and selecting Run As Administrator in Vista?

      I used to run Hyena on my XP with a shortcut like this: C:\WINDOWS\system32\runas.exe /user:domain\domainadmin "C:\Program Files\Hyena\HYENA.exe" but after I used Run As Administrator in Vista the problem disappeared. Thanks.


      • #4
        Re: Windows Vista and elevated privileges

        > Originally posted by Valdi:
        > I used to run Hyena on my XP with a shortcut like this: C:\WINDOWS\system32\runas.exe /user:domain\domainadmin "C:\Program Files\Hyena\HYENA.exe" but after I used Run As Administrator in Vista the problem disappeared. Thanks.

        If Hyena is started with Run As Administrator then you can't get information like Disk Space for Computers, probably because you are not running Hyena as a Domain Admin user. Any way to get this working at the same time as Event Viewer works?


        • #5
          Re: Windows Vista and elevated privileges

          There isn't any reason that I can think of why the disk space function would not work, but make sure that you have an admin share on the remote computer, and if you open a command prompt with the same method (i.e. run as administrator) and issue a command like:

          dir \\computer\c$, see if you get an error.

          Hyena can use alternate drive space masks, but these would have to be set up, and it would be easier to use the admin shares, assuming they exist, etc. on the remote computer.
          Kevin Stanush
          SystemTools Software Inc.


          • #6
            Re: Windows Vista and elevated privileges

            > Originally posted by kstanush:
            > There isn't any reason that I can think of why the disk space function would not work, but make sure that you have an admin share on the remote computer, and if you open a command prompt with the same method (i.e. run as administrator) and issue a command like:
            >
            > dir \\computer\c$, see if you get an error.
            >
            > Hyena can use alternate drive space masks, but these would have to be set up, and it would be easier to use the admin shares, assuming they exist, etc. on the remote computer.

            If I open a command prompt with Run as Administrator and issue \\remotecomputer\c$ I get "Access denied". The remote computer does have the admin share enabled, and if I open a command prompt with "runas /user:domain\domainadmin cmd" and do the same dir command as before it works fine, because then I have domain admin access to the remote computer.


            • #7
              Re: Windows Vista and elevated privileges

              You would have to run Hyena under whatever security context has local administrator rights on the remote computer. Domain Admins is probably a member of the remote computer's local Administrators group. Run As Administrator probably is giving only local administrator rights.

              The only other solution is to create a separate share on each drive on each of the remote computers, or use one that you already have, i.e.:

              dir \\computer\some_share

              It does not have to be an admin or hidden share or anything, just a point on the drive.

              Why again does the "RunAs" you were originally using not work for you anymore?
              Kevin Stanush
              SystemTools Software Inc.


              • #8
                Re: Windows Vista and elevated privileges

                > Originally posted by kstanush:
                > You would have to run Hyena under whatever security context has local administrator rights on the remote computer. Domain Admins is probably a member of the remote computer's local Administrators group. Run As Administrator probably is giving only local administrator rights.
                >
                > The only other solution is to create a separate share on each drive on each of the remote computers, or use one that you already have, i.e.:
                >
                > dir \\computer\some_share
                >
                > It does not have to be an admin or hidden share or anything, just a point on the drive.
                >
                > Why again does the "RunAs" you were originally using not work for you anymore?

                The original reason I preferred to start Hyena up with the "RunAs" as domain admin account on XP was that every application I start out of Hyena (I use the Tools option to start apps like Domain Users and Computers) has domain admin privileges, also the event viewer and disk space function. On Vista this doesn't seem to work; when I try, it says the requested operation requires elevation.


                • #9
                  Re: Windows Vista and elevated privileges

                  I will investigate this issue and get back on Monday or Tuesday.
                  Kevin Stanush
                  SystemTools Software Inc.


                  • #10
                    Re: Windows Vista and elevated privileges

                    I was able to reproduce this problem and found some additional information on why this is happening, although it's unclear why Windows is behaving this way.

                    Previously, Windows XP/200x could run applications by specifying an alternate credential set. With Vista, this feature appears to be gone. So the only way to specify an alternate set of credentials is to use RunAs. This will make any functions carried out in Hyena work, as you will have the right permissions.

                    The problem comes in when you run external applications which also might require elevated credentials. Previously, if an application was running as a domain admin, any external applications it created also ran as a domain admin. Vista has apparently broken this rule.

                    The only solution that Microsoft has given developers is to use a different API function for creating processes, which generally was never used in the past due to its lack of features. Hyena cannot in most cases use this API. For some cases, we could, but we would have to separate the command from the parameters. Running the Event Viewer, for example, uses the command:

                    eventvwr \\computer

                    But this command fails as the application (eventvwr.exe) needs to be separate from the parameter (\\computer). While we could redesign some portions of the software when we are making the command, other parts of the software can't make this change, for instance with user-defined tool commands. Most tool commands have a single command line which combines the .exe with the parameters all on one line. There isn't any realistic way for Hyena to figure out which part is the application and which part is the parameters.

                    The other thing I tried was a modified manifest file, but this did not work as expected, although I was unclear if it was supposed to work.

                    Another thing I tried was using RunAs on a tool command where I would get this error. I could not get that to work, but if you do, please post the syntax you used.

                    I will open a support case with Microsoft on this and keep you posted on their response. There has to be a way to execute external applications, even under Vista.
                    Kevin Stanush
                    SystemTools Software Inc.


                    • #11
                      Re: Windows Vista and elevated privileges

                      > Originally posted by kstanush:
                      > I was able to reproduce this problem and found some additional information on why this is happening, although it's unclear why Windows is behaving this way.
                      >
                      > Previously, Windows XP/200x could run applications by specifying an alternate credential set. With Vista, this feature appears to be gone. So the only way to specify an alternate set of credentials is to use RunAs. This will make any functions carried out in Hyena work, as you will have the right permissions.
                      >
                      > The problem comes in when you run external applications which also might require elevated credentials. Previously, if an application was running as a domain admin, any external applications it created also ran as a domain admin. Vista has apparently broken this rule.
                      >
                      > The only solution that Microsoft has given developers is to use a different API function for creating processes, which generally was never used in the past due to its lack of features. Hyena cannot in most cases use this API. For some cases, we could, but we would have to separate the command from the parameters. Running the Event Viewer, for example, uses the command:
                      >
                      > eventvwr \\computer
                      >
                      > But this command fails as the application (eventvwr.exe) needs to be separate from the parameter (\\computer). While we could redesign some portions of the software when we are making the command, other parts of the software can't make this change, for instance with user-defined tool commands. Most tool commands have a single command line which combines the .exe with the parameters all on one line. There isn't any realistic way for Hyena to figure out which part is the application and which part is the parameters.
                      >
                      > The other thing I tried was a modified manifest file, but this did not work as expected, although I was unclear if it was supposed to work.
                      >
                      > Another thing I tried was using RunAs on a tool command where I would get this error. I could not get that to work, but if you do, please post the syntax you used.
                      >
                      > I will open a support case with Microsoft on this and keep you posted on their response. There has to be a way to execute external applications, even under Vista.

                      I couldn't get RunAs on a tool command to work either, but if I start up a command prompt with Run as Administrator and use RunAs /user:domain\domainadmin "c:\program files\hyena\hyena.exe" everything started out of Hyena requires elevation, tool commands and Event Viewer.
                      There is a good article on this named "Windows Vista Application Development Requirements for User Account Control Compatibility" on http://msdn2.microsoft.com/en-us/library/bb530410.aspx


                      • #12
                        Re: Windows Vista and elevated privileges

                        I wasn't able to duplicate this behavior. Are you saying that if you run Hyena from a command prompt that was started with a 'run as administrator', and then used a runas command from the command prompt with domain admin rights, that you could run eventvwr and other external commands from within Hyena and not get the 'this command requires elevation' error? Getting prompted by Vista to perform an action is almost to be expected, but when I tried this same thing, I still got the usual error.

                        The article you pointed to does not really help anything, as it does not apply much to applications like Hyena that perform network tasks that require rights that are not known to the application. So, we expect users to run the application with whatever rights they need to get the job done and not get 'access denied' errors. The problem is when running external applications (which Hyena does not rely on and provides access to as a convenience) such as running event viewer or tool commands. I would expect that if you were running as an admin, you could run an external command, but maybe Microsoft thinks otherwise.

                        I can probably work around the event viewer problem, but the other tool commands created by end-users are another matter entirely.
                        Kevin Stanush
                        SystemTools Software Inc.


                        • #13
                          Re: Windows Vista and elevated privileges

                          I ran across something that might work, or it at least appeared to in my testing.

                          Run GpEdit.msc as an administrator. What I did was just create a shortcut to gpedit.msc and then right clicked and selected run as administrator.

                          Browse to the Security Options under Local Policies for the Computer.

                          Scroll down to the User Account Control settings and find the one labeled "Behavior of the elevation prompt for administrators in Admin approval Mode" and double-click it.

                          Change it to "Prompt for Credentials".

                          Now, create a standard shortcut for Hyena where it just runs hyena.exe (no run as). Right click, select Run As Administrator, and you should be prompted for what account to run Hyena under. Select the domain admin account you want, and see if you can both view disk space (you should), but also run Event Viewer or MMC or some other external tool.

                          Let me know what happens.
                          Kevin Stanush
                          SystemTools Software Inc.
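
The policy changed in the steps above is stored in the registry as `ConsentPromptBehaviorAdmin`, so the effective setting can be checked without opening GpEdit.msc. The following is an added example, not code from this thread or from SystemTools; the function name `Get-UacPromptPolicy` is illustrative, and the script only reads values.

```powershell
# Added example (read-only): report the UAC settings that decide how
# "Run as administrator" behaves on the workstation where Hyena is started.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin. Vista offers 0-2 (shown there without
# the "on the secure desktop" suffix); later Windows releases add 3-5.
$AdminPromptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPromptPolicy {
    $p   = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $raw = $p.ConsentPromptBehaviorAdmin

    if ($null -eq $raw) {
        $name = 'not set (operating system default applies)'
    } elseif ($AdminPromptNames.ContainsKey([int]$raw)) {
        $name = $AdminPromptNames[[int]$raw]
    } else {
        $name = "unrecognised value $raw"
    }

    # Account and elevation state of the process running this check.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        UacEnabled         = ($p.EnableLUA -eq 1)
        AdminPromptValue   = $raw
        AdminPromptPolicy  = $name
        # True when "Run as administrator" asks which account to use.
        AsksForCredentials = ((1, 3) -contains $raw)
        SecureDesktop      = ($p.PromptOnSecureDesktop -eq 1)
        RunningAs          = $id.Name
        TokenIsElevated    = $elevated
    }
}

Get-UacPromptPolicy | Format-List
```

Because the value is machine-wide, the same check run across administrative workstations shows where the prompt behaviour has been changed from the default.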


                          • #14
                            Re: Windows Vista and elevated privileges

                            > Originally posted by kstanush:
                            > I ran across something that might work, or it at least appeared to in my testing.
                            >
                            > Run GpEdit.msc as an administrator. What I did was just create a shortcut to gpedit.msc and then right clicked and selected run as administrator.
                            >
                            > Browse to the Security Options under Local Policies for the Computer.
                            >
                            > Scroll down to the User Account Control settings and find the one labeled "Behavior of the elevation prompt for administrators in Admin approval Mode" and double-click it.
                            >
                            > Change it to "Prompt for Credentials".
                            >
                            > Now, create a standard shortcut for Hyena where it just runs hyena.exe (no run as). Right click, select Run As Administrator, and you should be prompted for what account to run Hyena under. Select the domain admin account you want, and see if you can both view disk space (you should), but also run Event Viewer or MMC or some other external tool.
                            >
                            > Let me know what happens.

                            I tried this and it looks like this works fine like it did in XP with the RunAs command.
                            I actually used the "Local Security Policy" under Administrative Tools instead of GpEdit.msc. And like you described, after I change the setting and run Hyena with Run as Administrator I'm prompted for credentials where I can use my domain admin credentials, which again enables elevations inside Hyena. Thanks for the help.


                            • #15
                              Re: Windows Vista and elevated privileges

                              Glad to know that this works, but as a 'solution' it's not great for us for a number of reasons.

                              Most users probably won't know about this option, so regardless of where we document this, etc. we will forever get inquiries about the errors you originally reported.

                              There isn't any reason why Microsoft could not just have an option under the Properties of the shortcut, like they did before, where you could control whether you wanted a plain "run as LOCAL administrator" or "run as...(provide credentials)" option.

                              This change also affects every program you run with 'run as administrator', so it would be great if you could select this on a program-by-program basis.

                              The other thing that is a bit annoying is that when you runas an application as a domain or enterprise admin, any process created by the application (in Vista) is not run under the same security context you ran the parent under. This does not make any sense. The only way to get sub-programs to run as the same security context as the parent is to have Vista elevate the process rights through the menu option 'run as administrator'.

                              I assume that the last account you ran the application under is saved for you, so at most all you have to do is supply the password, right?

                              Thanks for testing this out.
                              Kevin Stanush
                              SystemTools Software Inc.
