impossible to change privilege level of an app ?

Another thought, since you're talking to the programmer, it might be a good idea to shoot him/her off a list of your users token privileges and to see whether they are fully fledged tokens, filtered tokens or something less likely to receive an admin prompt. The programmer would know what tokens are required to run their software (you could always ask for this too) and from the comparison you should be able to see exactly what's causing your issue.

Open an elevated command prompt and type whoamI /priv into a command prompt and post it here. NOTE: The whoamI /priv does work from a normal command prompt; but you only get a partial list of results.

About tokens
As far as I can remember.... and there's likely to be holes in my knowledge *grin*. When you sign into windows you receive 2 access tokens, one for group membership and another for authorization and access control, fully fledged tokens are granted to:
Built-In Administrators
Power Users
Account Operators
Server Operators
Printer Operators
Backup Operators
RAS Servers Group
Windows NT 4.0 App Compat Group
Network Configuration Operators
Domain Administrators
Domain Controllers
Certificate Publishers
Schema Administrators
Enterprise Administrators
Group Policy Administrators

i tried to find an MS article on the above, other than in my onenote's but I couldn't sorry. But I did find this info on whoamI /priv that you might find useful.

Good Luck
Timo

hackerman1 said:

hi !

thanks for the tip about secpol.msc.
but i can´t check that now.
yesterday i decided that i had wasted too much time on this.

so i uninstalled a2, then i tried to start a2.exe from another folder in which i have another a2-installation for WS-2008,
that a2start.exe had normal rights BEFORE i uninstalled a2 from W7.
but AFTER the uninstall it got changed to "Run as admin" !

so i then reinstalled a2 to another folder with another name, as i suspected i would get the same problem again otherwise.

now everything is normal again with a2, no UAC-prompts anymore.
the a2start.exe in the WS-2008 installation is still marked as "Run as admin"...

a small note: i use a common program-partition for both W7 & WS-2008.

Congratulations on persevering and getting it working *sigh of relief*.

There are particular folders like 'system32', 'windows', 'program files' that require stronger tokens and force the UAC prompt. I wonder if your new folder was not one of these?

Just a quick note:

If you are sharing "E:\Program files\a2" between Windows Server 2008 and Windows 7, you need to realize that Windows Server 2008 = Windows Vista, there have been issues with Vista and 7 sharing the same applications in the same folder(s). -WS

hi !

NO, a2 is installed in 2 DIFFERENT folders.
it also was before the problem started...

have i explained this so badly ?
sorry !

a2 was installed on the same partition but is 2 separate folders:
in W7: "E:\Program files\EAM"
in WS2008: "E:\Program files\EAM WS 2008"

i uninstalled a2 from W7, and then deleted "E:\Program files\EAM".

then i tried to start a2´s main file (GUI) a2start.exe from "E:\Program files\EAM WS 2008".

THAT a2start.exe had normal "Privelege level" BEFORE i uninstalled a2 from "E:\Program files\EAM".
i know it because i checked the properties of a2start.exe in "E:\Program files\EAM WS 2008" BEFORE i uninstalled a2 from W7.
i also started a2start.exe, and it started without any UAC-prompts.
i then checked the properties of a2start.exe again, still no change.

but AFTER a2 was uninstalled from W7 it got changed to "Run as admin" !
i had a suspicion it would happen....

a2 is now installed to a new folder "E:\Program files\a2" and everything is back to normal,
except a2start.exe in "E:\Program files\EAM WS 2008", which still has a changed privilege level.

hackerman1 said:

NO, a2 is installed in 2 DIFFERENT folders.
it also was before the problem started...

That is good, I just wanted to note it, just in case.

Hi Hackerman1,

I can't say with certainty how the tokens are affected with the sharing of program files on different disks. I can only guess that whoever is the owner of the disk/folder (W7 or S2008) might affect the tokens and whether or not it's recognized as a "Program Files" folder, could even be the logged in user?

I have S2008 and W7 on different partitions as well although my program files are localized.You have me curious and I'd like to test this further! Unfortunately it's exam week for me so I've no time to set up your scenario and check it. It might be interesting to check whoamI from both OS' and compare this to secedit and folder permissions and ownership. I'd be curious to find out if any are different and if changing them alters the admin prompt scenario.

RE: Secpol

hackerman1 said:

hi!

"Behavior of the elevation prompt for administrators in Admin approval mode"
is set to: "Prompt for consent on secure desktop"

"Behavior of the elevation prompt for standard users" is set to:
"Prompt for credentials on secure desktop"

Note the difference in your "Behavior of the elevation prompt for administrators in Admin approval mode"
I'm pretty certain that the default should be "Prompt for consent for non-windows binaries"

I didn't mention previously but "Behavior of the elevation prompt for standard users" should be "prompt for credentials".

Perhaps WindowsStar or another reader can verify theirs?

-Timo

PS: You've probably already noted this, but our timezone differences may make for delays in my replies. :)