Is there way to configure the process "runas" admin in AutoStart 5.3 SP4 on Windows Server 2008?

Hi,

What process are you describing?

Did you make Process in a Processes tree?

It is sure to be executed by the account of Login Info if it made it with the Processes tree.

You should explain more in detail.

Yes, my application is added into AutoStart process tree. And the account to run this process is administrator too.

As you know since UAC is introduced in Windows Vista/20088, admin need additional privileges to access protected resource including files and registry:

"When an administrator logs on to a computer things are a little different and this is where Windows Vista differs dramatically from previous versions. Although the system creates a new logon session, it creates not one but two different tokens representing the same logon session. The first token grants all the permissions and privileges afforded to the administrator while the second token is a restricted token, sometimes called a filtered token, offering far fewer permissions and privileges. This restricted token offers practically the same capabilities and constraints as would be granted to a standard user. The system then creates the shell application using the restricted token. This means that although the user is logged on as an administrator, applications are by default run with limited permissions and privileges.

When the administrator needs to perform some task that requires additional permissions or privileges not granted to the restricted token, he or she can elect to run an application using the full security context provided by the unrestricted token. What protects the administrator from malicious code is that this elevation to the unrestricted token is only allowed after the administrator has confirmed the desire to use the unrestricted token by means of a secure prompt provided by the system. Malicious code cannot suppress this prompt and thereby gain complete control over the computer without the user’s knowledge."

More information you can refer to http://weblogs.asp.net/kennykerr/archive/2006/09/29/Windows-Vista-for-Developers-_1320_-Part-4-_1320_-User-Account-Control.aspx

My question is that is there any way to let the process run with elevated privileges by AutoStart-- The same thing to run as admin.

Hi,

I do not yet understand your process setting.

Do you set "Allow Access to the Windows Desktop?"

You must apply an AT_1039 patch if you use 5.3SP4.

You have to get an cumulative patch of AT_1039 from support.

Or you should upgrade to 5.4.

Reference

https://community.emc.com/thread/112844

https://community.emc.com/thread/96172

Hi,

Thanks for your quick response.

Yes, "Allow Access to the Windows Desktop" is set on 5.3 SP4. I am reading your references. Thanks again.

Hi,

If the AT_1039 patch is installed, the Agent build becomes 286.

I think that the process operates correctly if it is this build.

Hi,

AutoStart 5.4 build 173 is installed -- it should contain all the SP4 and SP5 hotfix. And AutoStart is run as admin.

But the files still are wrote to Compatibility Files and the change to registry are redirect to virtual registries too.

Until now I do not know how to elevate the process privilege by AutoStart.

Thanks

Hi,

Is the process that you are using special?

I do not know a virtual registry.

Can you execute it by registering notepad.exe with Process?

Of course, "Allow Access to the Windows Desktop" is set.

Hi,

Do you want to execute the process in the compatibility mode?

Hi,

Administrator can execute a process in my environment.

Is the error displayed?

Please show the task manager when you execute a process in AutoStart.

It is in common use.

Add my execrable application as process and then add it as part of resource group.

explorer is tested as process in AutoStart with "Allow Access to the Windows Desktop" on and it works well.

Thanks

It is already in compatibility mode -- with file and registry virtualization

But I want to let my application run with elevated privilege by AutoStart. -- The same to Run as Admin with right click the application executable file.

Any way to implement this with AutoStart?

Sure, admin can execute a process on my Windows Server 2008 and I can find this process from task manager.

If you try a process writing files to "%ProgramFiles%" or registry HKEY_LOCAL_MACHINE\SOFTWARE, what's the result?

I think maybe all of them are redirect to virtual files. But if this process is not run via AutoStart and run as admin by right mouse click exe, all the changes to "%ProgramFiles%" and registry can be operated the right target places.

My question is that How to configure the process in AutoStart.to let it run as admin.

Thanks

Env, can't you use runas with appropriate arguments as the startup command to start the process? Have you tried it? I found some useful tips here:

http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/e4f3d468-36a5-4719-8142-16b4284d57aa

Basically, once you find the command line method that works, try implementing it as the startup script for the process.

Hi,

The process that I tested is in the directory of Program Files, and it is value of HKEY_LOCAL_MACHINESOFTWARE.

Sorry.

I do not understand your problem.

Let's wait for other people's advice.

Here comes the new problems:

One UAC manifest is embedded into my application/process. Direct clicking this application exe can start this application successfully with privilege elevated. -- BTW, my application is UI based, so it can not be started as Windows Service to work around the session 0 problem. With this manifest it is no longer taged as "Virtualized".

But this process can not be started by AutoStart with the error "Could not OpenProcess". I am supposing that whether AutoStart has the ability to support privilege elevation on Windows Server 2008? Or can AutoStart handle the UAC dialog that prompt for confirmation before privilege elevation?

Thanks