Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: impossible to change privilege level of an app ?

04 Jul 2010   #11
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

thanks for the tip about secpol.msc.
but i canīt check that now.
yesterday i decided that i had wasted too much time on this.

so i uninstalled a2, then i tried to start a2.exe from another folder in which i have another a2-installation for WS-2008,
that a2start.exe had normal rights BEFORE i uninstalled a2 from W7.
but AFTER the uninstall it got changed to "Run as admin" !

so i then reinstalled a2 to another folder with another name, as i suspected i would get the same problem again otherwise.

now everything is normal again with a2, no UAC-prompts anymore.
the a2start.exe in the WS-2008 installation is still marked as "Run as admin"...

a small note: i use a common program-partition for both W7 & WS-2008.


My System SpecsSystem Spec
.
04 Jul 2010   #12
TimStitt

Windows 7 Ultimate 64 bit
 
 

Another thought, since you're talking to the programmer, it might be a good idea to shoot him/her off a list of your users token privileges and to see whether they are fully fledged tokens, filtered tokens or something less likely to receive an admin prompt. The programmer would know what tokens are required to run their software (you could always ask for this too) and from the comparison you should be able to see exactly what's causing your issue.

Open an elevated command prompt and type whoamI /priv into a command prompt and post it here. NOTE: The whoamI /priv does work from a normal command prompt; but you only get a partial list of results.

About tokens
As far as I can remember.... and there's likely to be holes in my knowledge *grin*. When you sign into windows you receive 2 access tokens, one for group membership and another for authorization and access control, fully fledged tokens are granted to:
Built-In Administrators
Power Users
Account Operators
Server Operators
Printer Operators
Backup Operators
RAS Servers Group
Windows NT 4.0 App Compat Group
Network Configuration Operators
Domain Administrators
Domain Controllers
Certificate Publishers
Schema Administrators
Enterprise Administrators
Group Policy Administrators

i tried to find an MS article on the above, other than in my onenote's but I couldn't sorry. But I did find this info on whoamI /priv that you might find useful.

Good Luck
Timo
My System SpecsSystem Spec
04 Jul 2010   #13
TimStitt

Windows 7 Ultimate 64 bit
 
 

Quote   Quote: Originally Posted by hackerman1 View Post
hi !

thanks for the tip about secpol.msc.
but i canīt check that now.
yesterday i decided that i had wasted too much time on this.

so i uninstalled a2, then i tried to start a2.exe from another folder in which i have another a2-installation for WS-2008,
that a2start.exe had normal rights BEFORE i uninstalled a2 from W7.
but AFTER the uninstall it got changed to "Run as admin" !

so i then reinstalled a2 to another folder with another name, as i suspected i would get the same problem again otherwise.

now everything is normal again with a2, no UAC-prompts anymore.
the a2start.exe in the WS-2008 installation is still marked as "Run as admin"...

a small note: i use a common program-partition for both W7 & WS-2008.
Congratulations on persevering and getting it working *sigh of relief*.

There are particular folders like 'system32', 'windows', 'program files' that require stronger tokens and force the UAC prompt. I wonder if your new folder was not one of these?
My System SpecsSystem Spec
.

04 Jul 2010   #14
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

iīve been using a2 for long and i have never seen this before, until a few days ago.
Emsisoft has not changed anything in a2, itīs running now, without any "admin-rights" for a2start.exe, a scheduled scan also starts normally without any UAC-prompts.

somehow something got changed on my computer.
before uninstalling i also tried to "Take ownership" of a2start.exe, but it didnīt help...

maybe i CAN find something in secpol.msc, since the other a2start.exe in the WS2008-folder had the privilege level changed when i uninstalled a2 from the W7-folder,
which btw. i think is weird.
iīm going to take a look...

Quote   Quote: Originally Posted by TimStitt View Post
There are particular folders like 'system32', 'windows', 'program files' that require stronger tokens and force the UAC prompt. I wonder if your new folder was not one of these?
hmm, now you make me confused....

my "new" a2-folder for W7 is "E:\Program files\a2".
and the problem has now disappeared...
the old a2-folder was also on E.

i have several partitions, i use a system-partition for each O/S, all other programs are installed on a separate program-partition which is common for both O/Sīs.

here is a detailed description about my system:
A few tips about performance etc.

when running W7:
W7=C
WS2008=D
Programs=E

a2 is not installed on C, so i donīt understand what "windows" & "system32" has to do with it ?

iīm also going to check whoamI /priv.
My System SpecsSystem Spec
04 Jul 2010   #15
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi!

Quote   Quote: Originally Posted by TimStitt View Post
Hi hackerman1,

What if the issue is a change in your PC's config, not Emisofts'? Check secpol.msc User account control settings, especially two in the screen prints I took below. The pics show the defaults for Windows 7.

I'll have a bit of a think and see what else sprigs to mind, will let you know if I come up with something.

PS: I know you said you haven't changed anything; but please check anyway; besides you may be able to massage your settings here to make it work (balance that with security of course ).

iīve checked secpol.msc:

"Behavior of the elevation prompt for administrators in Admin approval mode"
is set to: "Prompt for consent on secure desktop"

"Behavior of the elevation prompt for standard users" is set to:
"Prompt for credentials on secure desktop"
My System SpecsSystem Spec
04 Jul 2010   #16
WindowsStar

Windows 7 Enterprise (x64); Windows Server 2008 R2 (x64)
 
 

Just a quick note:

If you are sharing "E:\Program files\a2" between Windows Server 2008 and Windows 7, you need to realize that Windows Server 2008 = Windows Vista, there have been issues with Vista and 7 sharing the same applications in the same folder(s). -WS
My System SpecsSystem Spec
04 Jul 2010   #17
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

NO, a2 is installed in 2 DIFFERENT folders.
it also was before the problem started...

have i explained this so badly ?
sorry !

a2 was installed on the same partition but is 2 separate folders:
in W7: "E:\Program files\EAM"
in WS2008: "E:\Program files\EAM WS 2008"

i uninstalled a2 from W7, and then deleted "E:\Program files\EAM".

then i tried to start a2īs main file (GUI) a2start.exe from "E:\Program files\EAM WS 2008".

THAT a2start.exe had normal "Privelege level" BEFORE i uninstalled a2 from "E:\Program files\EAM".
i know it because i checked the properties of a2start.exe in "E:\Program files\EAM WS 2008" BEFORE i uninstalled a2 from W7.
i also started a2start.exe, and it started without any UAC-prompts.
i then checked the properties of a2start.exe again, still no change.

but AFTER a2 was uninstalled from W7 it got changed to "Run as admin" !
i had a suspicion it would happen....

a2 is now installed to a new folder "E:\Program files\a2" and everything is back to normal,
except a2start.exe in "E:\Program files\EAM WS 2008", which still has a changed privilege level.
My System SpecsSystem Spec
04 Jul 2010   #18
WindowsStar

Windows 7 Enterprise (x64); Windows Server 2008 R2 (x64)
 
 

Quote   Quote: Originally Posted by hackerman1 View Post
NO, a2 is installed in 2 DIFFERENT folders.
it also was before the problem started...
That is good, I just wanted to note it, just in case.
My System SpecsSystem Spec
04 Jul 2010   #19
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

when i installed WS2008, after having done the workstation conversion,
i decided to install a2 in a new folder for WS2008 just because it could be some compatibility-issues with a2.
and i really didnīt want to get any security-problems on W7, caused by some WS2008-problems, because a2 is my primary A/V, although i also have MSE, Avast & MBAM installed, i normally use only a2 for realtime-protection.
My System SpecsSystem Spec
04 Jul 2010   #20
TimStitt

Windows 7 Ultimate 64 bit
 
 

Hi Hackerman1,

I can't say with certainty how the tokens are affected with the sharing of program files on different disks. I can only guess that whoever is the owner of the disk/folder (W7 or S2008) might affect the tokens and whether or not it's recognized as a "Program Files" folder, could even be the logged in user?

I have S2008 and W7 on different partitions as well although my program files are localized.You have me curious and I'd like to test this further! Unfortunately it's exam week for me so I've no time to set up your scenario and check it. It might be interesting to check whoamI from both OS' and compare this to secedit and folder permissions and ownership. I'd be curious to find out if any are different and if changing them alters the admin prompt scenario.

RE: Secpol
Quote   Quote: Originally Posted by hackerman1 View Post
hi!

"Behavior of the elevation prompt for administrators in Admin approval mode"
is set to: "Prompt for consent on secure desktop"

"Behavior of the elevation prompt for standard users" is set to:
"Prompt for credentials on secure desktop"
Note the difference in your "Behavior of the elevation prompt for administrators in Admin approval mode"
I'm pretty certain that the default should be "Prompt for consent for non-windows binaries"

I didn't mention previously but "Behavior of the elevation prompt for standard users" should be "prompt for credentials".

Perhaps WindowsStar or another reader can verify theirs?

-Timo

PS: You've probably already noted this, but our timezone differences may make for delays in my replies.
My System SpecsSystem Spec
Reply

 impossible to change privilege level of an app ?




Thread Tools




Similar help and support threads
Thread Forum
Compatibility Privilege Level setting will not take
Hello I hope I chose the right sub for this question. I have been running Visual Studio as an administrator for quite a long time. The first time I launched it as an administrator, Windows remembered the setting and it's been that way ever since, which was actually a nice feature up until all...
System Security
Can I change gamepad buttons at driver level?
Hi guys and gals, I have a slight problem and I wanted to ask you for help... I recently installed Matrix: The Path of Neo, which is a great game, but its PC port is horrible. The problem is, the game detects any gamepad and maps its buttons automatically, with no options to change the...
Gaming
Low system sound level, high music level?
Is there a chance do define two different audio levels? I guess I am not the only one listening to music with my computer - so I'd like to avoid awkward and looooud system sounds while turning up my stereo... is there a chance to do so? I know that apple has it, not sure bout win7... thx
Sound & Audio
How to see privilege level of programs?
Is there any way to see the privilege level (admin or standard) of the programs running? Thought that maybe Task Manager or Process Expolorer might have a column to show that but they don't seem to have it.
General Discussion
How to Change volume level only with mousewheel
To change the volume level on Linux just put the little arrow-click on the audio icon on the taskbar and use the mouse wheel without having to click. This is possible in Windows Seven, changing some configuration in the system?
Sound & Audio
Internet Explorer Content Advisor - Change Ratings Level
How to Change Ratings Level in Internet Explorer Content Advisor Content Advisor uses ratings that websites provide to identify potentially offensive content. This will show you how to change the category rating levels to what level you want instead. By default, Internet Explorer is set for...
Tutorials


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Đ Designer Media Ltd

All times are GMT -5. The time now is 09:23.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App