Standard user needs regedit UAC prompt

Hello.

The term 'Admin' is the main administrator on the computer (run by a person,
not the actual 'Administrator' hidden account).

Here's what's happening:
I am NOT an administrator on my family's computer. The Admin, however, is a
control freak. I am not supposed to know my own password to my account, but I
do anyway and the Admin doesn't know that. I have opened backdoors to give
myself administrative priviledges if need be. I have created a hidden user
(my Admin is an idiot with computers) that has administrative priviledges
that is covered up by a value in the registry. I have set myself special
priviledges on the key to edit values in it without havin 'elevated'
priviledges. But now the entire application wants me to enter my own password
to do anything to it (and it doesn't give me administrative priviledges, it
just opens the thing). Normally, standard users don't need to type their
password with UAC to open it, but I do (and i used to not to need it), and
another standard user doesn't and can open it without a problem. If the Admin
changes the password on the computer, I am SCREWED. Is there any way to stop
UAC for asking me my password with regedit? I do know the Admin password for
now, so that's not a problem. I really need a smart feller to help me here.
Not most people know how to fix this. Any input would be greatly appreciated.
Thank you for your time.

Kevin Hicks wrote:
> Hello.
>
> The term 'Admin' is the main administrator on the computer (run by a person,
> not the actual 'Administrator' hidden account).
>
> Here's what's happening:
> I am NOT an administrator on my family's computer. The Admin, however, is a
> control freak. I am not supposed to know my own password to my account, but I
> do anyway and the Admin doesn't know that. I have opened backdoors to give
> myself administrative priviledges if need be. I have created a hidden user
> (my Admin is an idiot with computers) that has administrative priviledges
> that is covered up by a value in the registry. I have set myself special
> priviledges on the key to edit values in it without havin 'elevated'
> priviledges. But now the entire application wants me to enter my own password
> to do anything to it (and it doesn't give me administrative priviledges, it
> just opens the thing). Normally, standard users don't need to type their
> password with UAC to open it, but I do (and i used to not to need it), and
> another standard user doesn't and can open it without a problem. If the Admin
> changes the password on the computer, I am SCREWED. Is there any way to stop
> UAC for asking me my password with regedit? I do know the Admin password for
> now, so that's not a problem. I really need a smart feller to help me here.
> Not most people know how to fix this. Any input would be greatly appreciated.
> Thank you for your time.

Hello,

Regedit should not be prompting if you are a standard user.

In any case, this should help you out:

Using regedit, browse to:

HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\Layers

Create 2 string values in this folder, named:

c:\windows\regedit.exe

and

c:\windows\system32\regedt32.exe

double-click on each of these items, and set their value to:

RUNASINVOKER


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

"Jimmy Brush" <jb@mvps.org> wrote in message
news:us9C8xcuHHA.4512@TK2MSFTNGP04.phx.gbl...
> Kevin Hicks wrote:
>> Hello.
>>
>> The term 'Admin' is the main administrator on the computer (run by a
>> person, not the actual 'Administrator' hidden account).
>>
>> Here's what's happening:
>> I am NOT an administrator on my family's computer. The Admin, however, is
>> a control freak. I am not supposed to know my own password to my account,
>> but I do anyway and the Admin doesn't know that. I have opened backdoors
>> to give myself administrative priviledges if need be. I have created a
>> hidden user (my Admin is an idiot with computers) that has administrative
>> priviledges that is covered up by a value in the registry. I have set
>> myself special priviledges on the key to edit values in it without havin
>> 'elevated' priviledges. But now the entire application wants me to enter
>> my own password to do anything to it (and it doesn't give me
>> administrative priviledges, it just opens the thing). Normally, standard
>> users don't need to type their password with UAC to open it, but I do
>> (and i used to not to need it), and another standard user doesn't and can
>> open it without a problem. If the Admin changes the password on the
>> computer, I am SCREWED. Is there any way to stop UAC for asking me my
>> password with regedit? I do know the Admin password for now, so that's
>> not a problem. I really need a smart feller to help me here. Not most
>> people know how to fix this. Any input would be greatly appreciated.
>> Thank you for your time.
>
> Hello,
>
> Regedit should not be prompting if you are a standard user.
>
> In any case, this should help you out:
>
> Using regedit, browse to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows
> NT\CurrentVersion\AppCompatFlags\Layers
>
> Create 2 string values in this folder, named:
>
> c:\windows\regedit.exe
>
> and
>
> c:\windows\system32\regedt32.exe
>
> double-click on each of these items, and set their value to:
>
> RUNASINVOKER


I sure was wrong on that. I was going from memory. Went back into the
standard user account and sure enough regedit ran without requesting
elevation. Sorry to the OP.

--
Rock [MS-MVP User/Shell]

Wow. Thank you so much for this. This fixed my problem.

"Jimmy Brush" wrote:

> Kevin Hicks wrote:
> > Hello.
> >
> > The term 'Admin' is the main administrator on the computer (run by a person,
> > not the actual 'Administrator' hidden account).
> >
> > Here's what's happening:
> > I am NOT an administrator on my family's computer. The Admin, however, is a
> > control freak. I am not supposed to know my own password to my account, but I
> > do anyway and the Admin doesn't know that. I have opened backdoors to give
> > myself administrative priviledges if need be. I have created a hidden user
> > (my Admin is an idiot with computers) that has administrative priviledges
> > that is covered up by a value in the registry. I have set myself special
> > priviledges on the key to edit values in it without havin 'elevated'
> > priviledges. But now the entire application wants me to enter my own password
> > to do anything to it (and it doesn't give me administrative priviledges, it
> > just opens the thing). Normally, standard users don't need to type their
> > password with UAC to open it, but I do (and i used to not to need it), and
> > another standard user doesn't and can open it without a problem. If the Admin
> > changes the password on the computer, I am SCREWED. Is there any way to stop
> > UAC for asking me my password with regedit? I do know the Admin password for
> > now, so that's not a problem. I really need a smart feller to help me here.
> > Not most people know how to fix this. Any input would be greatly appreciated.
> > Thank you for your time.
>
> Hello,
>
> Regedit should not be prompting if you are a standard user.
>
> In any case, this should help you out:
>
> Using regedit, browse to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows
> NT\CurrentVersion\AppCompatFlags\Layers
>
> Create 2 string values in this folder, named:
>
> c:\windows\regedit.exe
>
> and
>
> c:\windows\system32\regedt32.exe
>
> double-click on each of these items, and set their value to:
>
> RUNASINVOKER
>
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ - http://www.jimmah.com/vista/
>

> I sure was wrong on that. I was going from memory. Went back into the
> standard user account and sure enough regedit ran without requesting
> elevation. Sorry to the OP.
>

You wouldn't think whether the system shows a prompt or not would be so
difficult, but the rules are actually fairly complex.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

"Jimmy Brush" <jb@mvps.org> wrote
>> I sure was wrong on that. I was going from memory. Went back into the
>> standard user account and sure enough regedit ran without requesting
>> elevation. Sorry to the OP.
>>
>
> You wouldn't think whether the system shows a prompt or not would be so
> difficult, but the rules are actually fairly complex.

Yep, still haven't figured out all aspects of this. I'm guessing regedit is
allowed in a standard user account but one can only edit user settings.
When invoking regedit from an admin account it is assumed you would want
access to all settings hence the need for elevation?

--
Rock [MS-MVP User/Shell]

Rock wrote:
> "Jimmy Brush" <jb@mvps.org> wrote
>>> I sure was wrong on that. I was going from memory. Went back into
>>> the standard user account and sure enough regedit ran without
>>> requesting elevation. Sorry to the OP.
>>>
>>
>> You wouldn't think whether the system shows a prompt or not would be
>> so difficult, but the rules are actually fairly complex.
>
> Yep, still haven't figured out all aspects of this. I'm guessing
> regedit is allowed in a standard user account but one can only edit user
> settings. When invoking regedit from an admin account it is assumed you
> would want access to all settings hence the need for elevation?
>

Correct.

No matter what, programs running in an account can only use at most
whatever privileges the user is assigned, unless the program is started
inside of another user account (i.e. elevating from a standard user
account requires username and password from an admin).

An application can specify that it will not run unless it's started by
an administrator (requireAdministrator). This will cause the application
to prompt for consent when run by an admin, and prompt for credentials
when not run by an admin. In either case, it must be ran by an
administrator; it simply cannot be ran by a standard user, and if it
somehow did run, it would fail to function properly, because the user
doesn't have the rights.

If the app doesn't require an administrator to run it, then it can say
that it wants to use however much privilege the user has
(highestAvailable). If the user is admin, then the program prompts for
consent (since it will be assigned admin power in this case). However,
if the user is not an admin, then no prompt is issued, but the
application is given whatever privileges the user is assigned (it ALWAYS
runs with the actual user's token). This is the mode that regedit runs in.

Finally, the app can say that it never needs any extra privileges,
regardless of what privileges the user is assigned (asInvoker). In this
case, the app always runs as if a standard user started it (it ALWAYS
runs with a filtered token), and never prompts. This is the mode
explorer runs it.

Note that it is almost always the application itself that determines at
what privilege level it runs at, and thus its own prompting behavior.

However, this is made more complex by the "installer detection" and app
compat features of Vista, where MS may have pre-detected what privilege
level a legacy app needs, and it is not immediately obvious to the user
how to control this behavior.

These 3 different privilege states make a lot of sense when considering
plain-ol' admin and standard user accounts, but things get really
interesting when you are using an account that is not an admin account,
but has extra privileges (like the old power users group).

In that case, you will not be able to run programs that require
administrator (unless u enter an admin password). And, the only programs
that will be able to actually use your extra power will be ones that ask
for highestAvailable (like regedit). A program that specifies that it
never needs any extra privilege (like explorer) will not be able to use
the extra privilege.

This can lead to some interesting problems, but in general it works out
correctly.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

Thanks for all the info, Jimmy.

--
Rock [MS-MVP User/Shell]

"Jimmy Brush" <jb@mvps.org> wrote

> Rock wrote:
>> "Jimmy Brush" <jb@mvps.org> wrote
>>>> I sure was wrong on that. I was going from memory. Went back into the
>>>> standard user account and sure enough regedit ran without requesting
>>>> elevation. Sorry to the OP.
>>>>
>>>
>>> You wouldn't think whether the system shows a prompt or not would be so
>>> difficult, but the rules are actually fairly complex.
>>
>> Yep, still haven't figured out all aspects of this. I'm guessing regedit
>> is allowed in a standard user account but one can only edit user
>> settings. When invoking regedit from an admin account it is assumed you
>> would want access to all settings hence the need for elevation?
>>
>
> Correct.
>
> No matter what, programs running in an account can only use at most
> whatever privileges the user is assigned, unless the program is started
> inside of another user account (i.e. elevating from a standard user
> account requires username and password from an admin).
>
> An application can specify that it will not run unless it's started by an
> administrator (requireAdministrator). This will cause the application to
> prompt for consent when run by an admin, and prompt for credentials when
> not run by an admin. In either case, it must be ran by an administrator;
> it simply cannot be ran by a standard user, and if it somehow did run, it
> would fail to function properly, because the user doesn't have the rights.
>
> If the app doesn't require an administrator to run it, then it can say
> that it wants to use however much privilege the user has
> (highestAvailable). If the user is admin, then the program prompts for
> consent (since it will be assigned admin power in this case). However, if
> the user is not an admin, then no prompt is issued, but the application is
> given whatever privileges the user is assigned (it ALWAYS runs with the
> actual user's token). This is the mode that regedit runs in.
>
> Finally, the app can say that it never needs any extra privileges,
> regardless of what privileges the user is assigned (asInvoker). In this
> case, the app always runs as if a standard user started it (it ALWAYS runs
> with a filtered token), and never prompts. This is the mode explorer runs
> it.
>
> Note that it is almost always the application itself that determines at
> what privilege level it runs at, and thus its own prompting behavior.
>
> However, this is made more complex by the "installer detection" and app
> compat features of Vista, where MS may have pre-detected what privilege
> level a legacy app needs, and it is not immediately obvious to the user
> how to control this behavior.
>
> These 3 different privilege states make a lot of sense when considering
> plain-ol' admin and standard user accounts, but things get really
> interesting when you are using an account that is not an admin account,
> but has extra privileges (like the old power users group).
>
> In that case, you will not be able to run programs that require
> administrator (unless u enter an admin password). And, the only programs
> that will be able to actually use your extra power will be ones that ask
> for highestAvailable (like regedit). A program that specifies that it
> never needs any extra privilege (like explorer) will not be able to use
> the extra privilege.
>
> This can lead to some interesting problems, but in general it works out
> correctly.