I have developed an application which will run at system startup.
And it is working fine at system startup,i could see the application in System Configuration -> Startup.
All the applications shown at Startup can be enabled / disabled.
But my question : is it possible to make an application which cannot be disabled
at Startup ?
How are Startup properties controlled in registry?
The image shows an application which cannot be disabled at startup.
On Apply it gets enabled again.
This question seriously screwed-up my machine. I'll write it up as a cautionary tale so nobody will do the same stupid thing I did.
I didn't think the OP's claim that these checkboxes could be disabled was very credible. Never heard of anything like that, surely it would be widely abused if it were possible. Only way it could work is when he's logged-in as a regular user, that's trite, or by removing the modify permission on the registry value for the Admin group. So I decided to just try it, what could possibly go wrong?
Ran Regedit.exe, picked an entry I didn't care about anyway (Intel shovel-ware). Edit + Permissions, broke the inheritance chain first so I could control the permissions on each individual value. Unticked the Full Control option so only Read access remained.
That worked. Went to restore the permissions. And discovered something I didn't know before. These permissions do not apply to the values, they apply to the key. Obvious only in hind-sight, Regedit however does nothing to make this obvious. And I didn't just remove the modify right, I also removed the right to change the permissions again. On all the values.
Oh, horror. I have to fix this damage, somehow, it is going to bomb installers in the future. The only account that still has modify permission is the System account. I'll have to do something frightful at boot time, maybe write a service.
This is a bad, bad idea. If you have any idea how I can easily repair this then please post a comment.
EDIT: I got it back, of sorts, managed to regain control by changing the owner of the key from System to Administrators.
The Simple answer. You cannot.
However, you can hide your startup program from the user (MSConfig) and make it more difficult to disable. Take a look at activex startup method for more info
You can create/delete/list startup programs with wmic on the command line. For example if you wanted to get a list of all startup programs in html format you could run wmic startup list /format:htable > startup.html at the command prompt and then open the resulting file in a web browser. You can also get the table in CSV (wmic startup list /format:csv > startup.csv) or a variety of other formats. There are also the Create and Delete options for use. I'm sure you can use System.Diagnostics.Process.Start in VB.NET or C# with the appropriate arguments to accomplish your goal. Good Luck!
Related
I need to develop an application that will run on clients. The main focus is to let the application update another -specific- application and be able to monitor own defined states for clients. I'm considering something like a console application with TopShelf because it makes debug a lot easier. However... to install or update this specific application I must use a MSI. But if for example I create a process that executes msiexec the client/end user will be prompt with UAC. This is a big issue because clients should be updated unattended. And UAC must stay the way it is : highest level.
I've read a lot of questions/answer concerning UAC prompt... and to be honest I'm starting to doubt my own approach. I was not able to find any question that I could relate to.. so I would appreciate it if someone could give me some good advise, tips, references etc on a possible way to approach this issue.
Thanks in advance
Create a Task Scheduler job with the "Run with highest privileges" option checked.
You can easily create this job programatically, even using a XML configuration file.
This way the user is prompted to allow UAC only once (when first clicking an exe for example).
I've written a shell extension using EZShellExtensions.net. It works great in my development environment when I'm logged in as me, as well as any other system when logged in as me. For all other users, the copy-hook I've created never appears. I've used NirSoft's RegDLLView to verify that the DLL is registered, but no luck.
What can I check to see why this is occurring?
FYI
I'm happy to send a copy of my code to whomever wants to help out with this. EZShellExtensions.NET has an evaluation period of 30 days.
UPDATE
ProcMon Output when using the vendor's registration tool now available as a CSV/PML file if anyone's interested.
RESOLVE
I wound up adding console output to the dll for debugging. turns out that a timer wasn't kicking off when running as any user but me (no idea why). This has since been fixed.
That indicates that the shell extension got registered in the HKCU\Software hive instead of HKLM\Software. Only the latter hive makes extensions available to all users. This commonly happens because UAC prevents writing to HKLM\Software unless the program that does the writing is elevated.
If this library comes with a dedicated registration program, they usually do, then be sure to run it from an elevated command prompt. Start + All Programs, Accessories folder, right-click the Command Prompt link and click "Run as administrator". Rerun the registration tool.
If you still have trouble then SysInternal's ProcMon tool can show you exactly where stuff gets written. And don't hesitate to use the vendor's support channels.
i've created an setup project for a .net-application which works fine. The problem is, that the application begins to write log-files after startup and this requires administrative rights on windows vista and windows 7. I know there are some folders which i could use to write into without administrative rights. When i start the application as administrator, everything works fine.
I asked myself, if it's possible to change the setup project in visual studio in a way that the installed application automatically owns administrative rights on the target system?
Thanks for every help in advance!
Alex
You don't want to do this. If it needs rights to a particular directory, then create an account that has them (or modify the subdirectory's rights so that anyone can access it). But don't run as admin just for one feature. Also, look into whether there's another directory you could be writing to, which you already have rights to.
To answer your direct question, yes you can setup a launch condition for the setup project to require administrator, I believe this will take care of the proper escalation for you.
here is a thread with detailed instructions.
Now, to expand, I agree with Steven that you SHOULDN'T do this, at least not just to be able to write a log file.....
You could technically do this with a bad hack: The idea is to have the Setup program which runs elevated create a scheduled task that runs the program as admin.
Instead of directly creating a shortcut to your application, the setup creates an shortcut to execute this scheduled task.
See this as reference on how to do that manually: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
You just need to find a way to create the task programatically from your setup.
On the other hand, I totally agree with Steven too. Try to do it the 'right' way and don't trick the Windows security. It's a good thing and working around it makes the system potentially unsecure, and you don't want to be the one compromising tht Security of others computers.
Has anyone managed to get administration rights through the UAC without restarting the application or embedding a manifest file?
I'd like to write to some files that only administrators can modify, without relying to another elevated application. Is it possible to impersonate an administrator previously calling with some native API the UAC prompt?
I guess this is not possible and I'll have to use an external tool with elevated rights, but I'm asking just in case.
EDIT: I know there are some other similar questions around, but since they do not cover the topic of impersonation (as fas as I've seen), nor some possible native call to the UAC prompt I decided to give a new thread a go...
As stated in this other question, it is not possible, you have can eleveate COM object or another process, but not the current process.
Request Windows Vista UAC elevation if path is protected?
I read that thread (along with a lot more heh), but you never know what other people has managed to do recently. And maybe the release of SP2 changed something, dunno.
Well, I guess there are no changes on how the UAC works nor any discovery on workarounds, so I'll mark the previous answer as the right one.
I'll make another application that performs the administrative tasks I need.
Thank you.
If all you want to do it get admin rights without a manifest (ie: im assuming you're not talking about cracking/hacking the UAC implementation), then just create a shortcut with the "Run As Admin" checkbox checked. You can programmatically generate this shortcut as long as you look up how short cuts are written (in terms of their fiel contents) and I'm sure there is some name/value pair you will need to include inside the shortcut to ensure that Run As Admin is checked by default. Now, when people run that shortcut instead of your exe, they will get prompted to run your exe in elevated mode (with admin rights), and this way you will not need to restart or use a manifest.
Excuse me if I have misunderstood your question.
Adding a manifest file in the same directory as the executable "works for me". Not actually getting the permissions, but it prompts for the permission.
Okay I've spent the afternoon researching and haven't had much luck finding the answer to this. I am trying to prevent an application from launching via some sort of dll or background application. It is to be used in monitoring application usage and licenses at my institution. I have found leads here regarding WqlEventQuery and also FileSystemWatcher. Neither of these solutions appear to work for me because:
With WqlEventQuery I was only able to handle an event after the process was created. Using notepad as a test, notepad was visible and accessible to me before my logic closed it. I attempted to Suspend/Resume the thread (I know this is unsafe but I was testing/playing) but this just hung the window until my logic finished.
With FileSystemWatcher I was not able to get any events from launching a .exe, only creating, renaming and deleting files.
The goal here is to not let the application launch at all unless my logic allows it to launch. Is this possible? The next best solution I came up with was forcing some type of modal dialog which does not allow the user to interact with anything, once the dialog is closed the application is killed. My concern here is killing the application nicely and handling applications with high overhead when they load such as Photoshop or something. This would also interfere with a feature I was hoping to have where the user could enter a queue until a license is available. Is this my best route? Any other suggestions?
Thanks
edit: To clarify this is not a virus or anything malicious. It's not about preventing access to a blacklist or allowing access through a whitelist. The idea is to check a database on a case by case basis for certain applications and see if there is a license available for use. If there is, let the app launch, if not display a dialog letting the user know. We also will use this for monitoring and keeping track if we have enough licenses to meet demand, etc. An example of one of these apps is SPSS which have very expensive licenses but a very limited pool of people using it.
Could you use
System.Diagnostics.Process.GetProcessesByName
in a loop to look for the process?
It might work if you don't use too aggressive a polling rate.
You are indeed close, take a look at the WMI Management Events. http://msdn.microsoft.com/en-us/library/ms186151%28VS.80%29.aspx
Sample code from Microsoft: http://msdn.microsoft.com/en-us/library/ms257355(VS.80).aspx
Subscribing to the appropriate event will provide your application with the appropriate information to perform what you described.
Not sure if this is a GOOD solution but you could do something like pass a key into main so that if the key is not present or valid the application shuts down. Then when you open the application in your code, just pass the key in. Someone would then have to know the key in order to start the application.
This is assuming you have access to the application in question's source code, which upon reading your question again, I'm not so sure of.
I assume you don't have source for the application you want to prevent from loading...
Have you considered using a system policy? That would be the best-supported way to prevent a user from launching a program.
You could have a service running that force-kills any app that isn't "whitelisted", but I can't say how well that would work.
I wonder if you are taking the wrong approach. Back in the day there was a Mac app that would prevent access to the desktop and had buttons to launch a set list of applications.
IDEA
What if you had a wrapper for the approved apps then only allow your wrapper to run on the computer?
I would expect there is some way of hooking an application launch, but can't help directly on that front.
You may be able to improve your current approach by detecting the application's window opening and hiding it (move it offscreen) so that the user can't attempt to interact with it while you are trying to shut it down.
However, another approach that may be possible (depending on your circumstances) would be to write an application launcher. This simply is a replacement for the shortcut to the application that checks your licencing conditions, and then does a Process.Start to launch the real .exe at that point. This would work well for any application. (I used a system like this for starting up applications with specialised environment settings and it works beautifully)
You could combine this with your current approach as a fall-back for "clever" users who manage to circumvent your launcher.
If my understanding is right you want to create an application what will prevent the computer user to start any other process except ones for a white-list.
If this is the case, monitor the process list of processes (in a while loop) using System.Diagnostics.Process (the GetProcesses method gives the list of all running ones)
Just kill the process when it starts.
Or if your machines have Windows 7 (Windows 2008??) you can use AppLocker. http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#applocker Just let Windows prevent the startup.
You might want to look at this product: http://www.sassafras.com/licensing.html Personally I can't stand it, but that's because it does what you describe. Might save you some coding.
You could actually edit the registry so when you click a psd, your launcher gets called instead of photoshop. Your launcher then checks for licenses and if there is one starts photoshop with the path of the file.
This is a long shot but you may find it helpful.
Perceived Types and Application Registration
http://msdn.microsoft.com/en-us/library/cc144150(VS.85).aspx