Microsoft Windows Vista Community Forums - Vistaheads
Recommended Download



Welcome to the Microsoft Windows Vista Community Forums - Vistaheads, YOUR Largest Resource for Windows Vista related information.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so , join our community today!

If you have any problems with the registration process or your account login, please contact us.

Driver Scanner

Standard user needs regedit UAC prompt

microsoft.public.windows.vista.security






Speedup My PC
Reply
  #1 (permalink)  
Old 06-28-2007
Kevin Hicks
 

Posts: n/a
Standard user needs regedit UAC prompt
Hello.

The term 'Admin' is the main administrator on the computer (run by a person,
not the actual 'Administrator' hidden account).

Here's what's happening:
I am NOT an administrator on my family's computer. The Admin, however, is a
control freak. I am not supposed to know my own password to my account, but I
do anyway and the Admin doesn't know that. I have opened backdoors to give
myself administrative priviledges if need be. I have created a hidden user
(my Admin is an idiot with computers) that has administrative priviledges
that is covered up by a value in the registry. I have set myself special
priviledges on the key to edit values in it without havin 'elevated'
priviledges. But now the entire application wants me to enter my own password
to do anything to it (and it doesn't give me administrative priviledges, it
just opens the thing). Normally, standard users don't need to type their
password with UAC to open it, but I do (and i used to not to need it), and
another standard user doesn't and can open it without a problem. If the Admin
changes the password on the computer, I am SCREWED. Is there any way to stop
UAC for asking me my password with regedit? I do know the Admin password for
now, so that's not a problem. I really need a smart feller to help me here.
Not most people know how to fix this. Any input would be greatly appreciated.
Thank you for your time.
Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 06-28-2007
Jimmy Brush
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
Kevin Hicks wrote:
> Hello.
>
> The term 'Admin' is the main administrator on the computer (run by a person,
> not the actual 'Administrator' hidden account).
>
> Here's what's happening:
> I am NOT an administrator on my family's computer. The Admin, however, is a
> control freak. I am not supposed to know my own password to my account, but I
> do anyway and the Admin doesn't know that. I have opened backdoors to give
> myself administrative priviledges if need be. I have created a hidden user
> (my Admin is an idiot with computers) that has administrative priviledges
> that is covered up by a value in the registry. I have set myself special
> priviledges on the key to edit values in it without havin 'elevated'
> priviledges. But now the entire application wants me to enter my own password
> to do anything to it (and it doesn't give me administrative priviledges, it
> just opens the thing). Normally, standard users don't need to type their
> password with UAC to open it, but I do (and i used to not to need it), and
> another standard user doesn't and can open it without a problem. If the Admin
> changes the password on the computer, I am SCREWED. Is there any way to stop
> UAC for asking me my password with regedit? I do know the Admin password for
> now, so that's not a problem. I really need a smart feller to help me here.
> Not most people know how to fix this. Any input would be greatly appreciated.
> Thank you for your time.


Hello,

Regedit should not be prompting if you are a standard user.

In any case, this should help you out:

Using regedit, browse to:

HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\Layers

Create 2 string values in this folder, named:

c:\windows\regedit.exe

and

c:\windows\system32\regedt32.exe

double-click on each of these items, and set their value to:

RUNASINVOKER


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/
Reply With Quote
  #3 (permalink)  
Old 06-29-2007
Rock
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
"Jimmy Brush" <jb@mvps.org> wrote in message
news:us9C8xcuHHA.4512@TK2MSFTNGP04.phx.gbl...
> Kevin Hicks wrote:
>> Hello.
>>
>> The term 'Admin' is the main administrator on the computer (run by a
>> person, not the actual 'Administrator' hidden account).
>>
>> Here's what's happening:
>> I am NOT an administrator on my family's computer. The Admin, however, is
>> a control freak. I am not supposed to know my own password to my account,
>> but I do anyway and the Admin doesn't know that. I have opened backdoors
>> to give myself administrative priviledges if need be. I have created a
>> hidden user (my Admin is an idiot with computers) that has administrative
>> priviledges that is covered up by a value in the registry. I have set
>> myself special priviledges on the key to edit values in it without havin
>> 'elevated' priviledges. But now the entire application wants me to enter
>> my own password to do anything to it (and it doesn't give me
>> administrative priviledges, it just opens the thing). Normally, standard
>> users don't need to type their password with UAC to open it, but I do
>> (and i used to not to need it), and another standard user doesn't and can
>> open it without a problem. If the Admin changes the password on the
>> computer, I am SCREWED. Is there any way to stop UAC for asking me my
>> password with regedit? I do know the Admin password for now, so that's
>> not a problem. I really need a smart feller to help me here. Not most
>> people know how to fix this. Any input would be greatly appreciated.
>> Thank you for your time.

>
> Hello,
>
> Regedit should not be prompting if you are a standard user.
>
> In any case, this should help you out:
>
> Using regedit, browse to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows
> NT\CurrentVersion\AppCompatFlags\Layers
>
> Create 2 string values in this folder, named:
>
> c:\windows\regedit.exe
>
> and
>
> c:\windows\system32\regedt32.exe
>
> double-click on each of these items, and set their value to:
>
> RUNASINVOKER



I sure was wrong on that. I was going from memory. Went back into the
standard user account and sure enough regedit ran without requesting
elevation. Sorry to the OP.

--
Rock [MS-MVP User/Shell]

Reply With Quote
  #4 (permalink)  
Old 06-29-2007
Kevin Hicks
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
Wow. Thank you so much for this. This fixed my problem.

"Jimmy Brush" wrote:

> Kevin Hicks wrote:
> > Hello.
> >
> > The term 'Admin' is the main administrator on the computer (run by a person,
> > not the actual 'Administrator' hidden account).
> >
> > Here's what's happening:
> > I am NOT an administrator on my family's computer. The Admin, however, is a
> > control freak. I am not supposed to know my own password to my account, but I
> > do anyway and the Admin doesn't know that. I have opened backdoors to give
> > myself administrative priviledges if need be. I have created a hidden user
> > (my Admin is an idiot with computers) that has administrative priviledges
> > that is covered up by a value in the registry. I have set myself special
> > priviledges on the key to edit values in it without havin 'elevated'
> > priviledges. But now the entire application wants me to enter my own password
> > to do anything to it (and it doesn't give me administrative priviledges, it
> > just opens the thing). Normally, standard users don't need to type their
> > password with UAC to open it, but I do (and i used to not to need it), and
> > another standard user doesn't and can open it without a problem. If the Admin
> > changes the password on the computer, I am SCREWED. Is there any way to stop
> > UAC for asking me my password with regedit? I do know the Admin password for
> > now, so that's not a problem. I really need a smart feller to help me here.
> > Not most people know how to fix this. Any input would be greatly appreciated.
> > Thank you for your time.

>
> Hello,
>
> Regedit should not be prompting if you are a standard user.
>
> In any case, this should help you out:
>
> Using regedit, browse to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows
> NT\CurrentVersion\AppCompatFlags\Layers
>
> Create 2 string values in this folder, named:
>
> c:\windows\regedit.exe
>
> and
>
> c:\windows\system32\regedt32.exe
>
> double-click on each of these items, and set their value to:
>
> RUNASINVOKER
>
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ - http://www.jimmah.com/vista/
>

Reply With Quote
  #5 (permalink)  
Old 06-30-2007
Jimmy Brush
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
> I sure was wrong on that. I was going from memory. Went back into the
> standard user account and sure enough regedit ran without requesting
> elevation. Sorry to the OP.
>


You wouldn't think whether the system shows a prompt or not would be so
difficult, but the rules are actually fairly complex.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/
Reply With Quote
  #6 (permalink)  
Old 06-30-2007
Rock
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
"Jimmy Brush" <jb@mvps.org> wrote
>> I sure was wrong on that. I was going from memory. Went back into the
>> standard user account and sure enough regedit ran without requesting
>> elevation. Sorry to the OP.
>>

>
> You wouldn't think whether the system shows a prompt or not would be so
> difficult, but the rules are actually fairly complex.


Yep, still haven't figured out all aspects of this. I'm guessing regedit is
allowed in a standard user account but one can only edit user settings.
When invoking regedit from an admin account it is assumed you would want
access to all settings hence the need for elevation?

--
Rock [MS-MVP User/Shell]

Reply With Quote
  #7 (permalink)  
Old 07-01-2007
Jimmy Brush
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
Rock wrote:
> "Jimmy Brush" <jb@mvps.org> wrote
>>> I sure was wrong on that. I was going from memory. Went back into
>>> the standard user account and sure enough regedit ran without
>>> requesting elevation. Sorry to the OP.
>>>

>>
>> You wouldn't think whether the system shows a prompt or not would be
>> so difficult, but the rules are actually fairly complex.

>
> Yep, still haven't figured out all aspects of this. I'm guessing
> regedit is allowed in a standard user account but one can only edit user
> settings. When invoking regedit from an admin account it is assumed you
> would want access to all settings hence the need for elevation?
>


Correct.

No matter what, programs running in an account can only use at most
whatever privileges the user is assigned, unless the program is started
inside of another user account (i.e. elevating from a standard user
account requires username and password from an admin).

An application can specify that it will not run unless it's started by
an administrator (requireAdministrator). This will cause the application
to prompt for consent when run by an admin, and prompt for credentials
when not run by an admin. In either case, it must be ran by an
administrator; it simply cannot be ran by a standard user, and if it
somehow did run, it would fail to function properly, because the user
doesn't have the rights.

If the app doesn't require an administrator to run it, then it can say
that it wants to use however much privilege the user has
(highestAvailable). If the user is admin, then the program prompts for
consent (since it will be assigned admin power in this case). However,
if the user is not an admin, then no prompt is issued, but the
application is given whatever privileges the user is assigned (it ALWAYS
runs with the actual user's token). This is the mode that regedit runs in.

Finally, the app can say that it never needs any extra privileges,
regardless of what privileges the user is assigned (asInvoker). In this
case, the app always runs as if a standard user started it (it ALWAYS
runs with a filtered token), and never prompts. This is the mode
explorer runs it.

Note that it is almost always the application itself that determines at
what privilege level it runs at, and thus its own prompting behavior.

However, this is made more complex by the "installer detection" and app
compat features of Vista, where MS may have pre-detected what privilege
level a legacy app needs, and it is not immediately obvious to the user
how to control this behavior.

These 3 different privilege states make a lot of sense when considering
plain-ol' admin and standard user accounts, but things get really
interesting when you are using an account that is not an admin account,
but has extra privileges (like the old power users group).

In that case, you will not be able to run programs that require
administrator (unless u enter an admin password). And, the only programs
that will be able to actually use your extra power will be ones that ask
for highestAvailable (like regedit). A program that specifies that it
never needs any extra privilege (like explorer) will not be able to use
the extra privilege.

This can lead to some interesting problems, but in general it works out
correctly.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/
Reply With Quote
  #8 (permalink)  
Old 07-02-2007
Rock
 

Posts: n/a
Re: Standard user needs regedit UAC prompt
Thanks for all the info, Jimmy.

--
Rock [MS-MVP User/Shell]

"Jimmy Brush" <jb@mvps.org> wrote

> Rock wrote:
>> "Jimmy Brush" <jb@mvps.org> wrote
>>>> I sure was wrong on that. I was going from memory. Went back into the
>>>> standard user account and sure enough regedit ran without requesting
>>>> elevation. Sorry to the OP.
>>>>
>>>
>>> You wouldn't think whether the system shows a prompt or not would be so
>>> difficult, but the rules are actually fairly complex.

>>
>> Yep, still haven't figured out all aspects of this. I'm guessing regedit
>> is allowed in a standard user account but one can only edit user
>> settings. When invoking regedit from an admin account it is assumed you
>> would want access to all settings hence the need for elevation?
>>

>
> Correct.
>
> No matter what, programs running in an account can only use at most
> whatever privileges the user is assigned, unless the program is started
> inside of another user account (i.e. elevating from a standard user
> account requires username and password from an admin).
>
> An application can specify that it will not run unless it's started by an
> administrator (requireAdministrator). This will cause the application to
> prompt for consent when run by an admin, and prompt for credentials when
> not run by an admin. In either case, it must be ran by an administrator;
> it simply cannot be ran by a standard user, and if it somehow did run, it
> would fail to function properly, because the user doesn't have the rights.
>
> If the app doesn't require an administrator to run it, then it can say
> that it wants to use however much privilege the user has
> (highestAvailable). If the user is admin, then the program prompts for
> consent (since it will be assigned admin power in this case). However, if
> the user is not an admin, then no prompt is issued, but the application is
> given whatever privileges the user is assigned (it ALWAYS runs with the
> actual user's token). This is the mode that regedit runs in.
>
> Finally, the app can say that it never needs any extra privileges,
> regardless of what privileges the user is assigned (asInvoker). In this
> case, the app always runs as if a standard user started it (it ALWAYS runs
> with a filtered token), and never prompts. This is the mode explorer runs
> it.
>
> Note that it is almost always the application itself that determines at
> what privilege level it runs at, and thus its own prompting behavior.
>
> However, this is made more complex by the "installer detection" and app
> compat features of Vista, where MS may have pre-detected what privilege
> level a legacy app needs, and it is not immediately obvious to the user
> how to control this behavior.
>
> These 3 different privilege states make a lot of sense when considering
> plain-ol' admin and standard user accounts, but things get really
> interesting when you are using an account that is not an admin account,
> but has extra privileges (like the old power users group).
>
> In that case, you will not be able to run programs that require
> administrator (unless u enter an admin password). And, the only programs
> that will be able to actually use your extra power will be ones that ask
> for highestAvailable (like regedit). A program that specifies that it
> never needs any extra privilege (like explorer) will not be able to use
> the extra privilege.
>
> This can lead to some interesting problems, but in general it works out
> correctly.


Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
vbscript and UAC prompt =?Utf-8?B?ZGFr?= microsoft.public.windows.vista.general 4 10-04-2008 23:28
Standard user needs regedit UAC prompt Kevin Hicks microsoft.public.windows.vista.security 5 06-29-2007 02:55
Changing the Icon of the UAC prompt leeaids@gmail.com microsoft.public.windows.vista.general 2 06-09-2007 04:11
Run as Administrator under a Standard User with UAC disabled. ericfournier4@gmail.com microsoft.public.windows.vista.general 4 05-15-2007 20:08
different between uac admin and standard user Marc Winston microsoft.public.windows.vista.administration accounts passwords 2 03-04-2007 15:16




All times are GMT +1. The time now is 05:15.




Driver Scanner - Free Scan Now

Vistaheads.com is part of the Heads Network. See also XPHeads.com , Win7Heads.com and Win8Heads.com.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.6.0 RC 2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120