I have 2 applications written in Delphi. The first exe (with a user interface) calls another using ShellExecuteEx(), which runs as a background process.
When the first exe invokes the second, one of these two things happen:
When I log in as an admin, a UAC dialog comes up with the Allow/Cancel prompts. Selecting Allow continues the execution.
If I log in as non-admin, an admin credentials dialog box is displayed, and I need to enter the admin username/password to continue.
On both occasions, I want the second exe to run without any user intervention. How can I make it possible?
And yes, I tried applying the ElevateCreateProcess mitigation as suggested by SUA tool, but it doesn't seem to work - the behaviour is as before.
Thanks for your help.
The first EXE needs to be launched with elevated privileges to invoke the second without a UAC prompt. Or...you can use a manifest for the second EXE telling Vista that it's not an admin tool and to just run as the current user.
Saved as Second.exe.manifest
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<!-- Vista UAC Support -->
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
<ms_asmv2:security>
<ms_asmv2:requestedPrivileges>
<ms_asmv2:requestedExecutionLevel level="asInvoker" />
</ms_asmv2:requestedPrivileges>
</ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>
What is the file name of your second file?
Vista assumes administrator privileges are needed for certain file names - most notably files with the name "setup" or "install" in them.
Also: If what you want is to be able to run a program with administrator privileges without having Vista throw a UAC prompt up, then you're out of luck. That would be a serious breach of security if that was possible.
Does your second program need administrator privileges?
What happens when you try to execute the second program directly from Explorer? A UAC prompt? If so, then Vista is trying to run it as Administrator, either because of the file name of the file, or because a manifest (internal or external) requests is.
Yes, you'll need an application manifest that looks similar to this
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UacTest" type="win32"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="highestAvailable"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Take note of the "requestedExecutionLevel" tag
Related
I create a new application with a form that needs to be displayed without scaling but as designed with a fixed dimension in pixels (Position is poScreenCenter for example). When setting Scaled to false, the form is instead displayed with some default width and height, ignoring the designed dimensions. Setting Scaled to true works, it is displayed as designed, but scaling is not wanted.
I have tried to set DPI awareness to None or Unaware, but this has no effect.
I got similar if not the same issues while porting huge CAD/CAM project from BDS2006 C++ -> RAD11 C++ as a test of functionality before purchasing new RAD11:
scaled up all VCL components
but not scaled all glyphs causing very small glyphs
not scaled some forms and dynamic panels causing scaled up components will not fit into their designed area
speed buttons containing Captions even if they should not
ManualDock is corrupting Width,Height causing scale is applied twice on docked windows messing up custom layouts
I was planning to change the sizes of problematic VCL components (really just few form sizes and all glyphs) with code at apps init (or maybe create some utility that adjust *.dfm files like I did before for app auto translations and other stuff before so I have parsers ready to go so that it would not be a big deal) and planning to obtain scaling needed for this either by winapi GetScaleFactorForDevice or by the bugged behavior of ManualDock in RAD11
However before that I needed to start my app with admin priviledges from within RAD11 IDE as I deal with device drivers and stuff that needs admin priviledges...
I found and follow this tutorial:
elevated-privileges-for-delphi-applications
Which Immediately solved all my scaling issues too so no need to handle those for me anymore... Hope it helps you too (maybe even the scaling off option will work again as should have not tested it yet).
Now the App is scaled but correctly (it behaves as not scaled app just bigger)...
So in a nutshell (if the link got broken in time) you need to Add to project a XML file with *.manifest extention like this one:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity type="win32" name="Here_Your_Project_filename_without_extention" version="1.0.0.0" processorArchitecture="x86"/>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
language="*"
processorArchitecture="*"/>
</dependentAssembly>
</dependency>
<!-- Windows Vista application security requirements. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!--Windows 7-->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--Windows Vista-->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
</application>
</compatibility>
</assembly>
note that Here_Your_Project_filename_without_extention in 3th line just replace it with the projects name. After that you open your:
Project->Options->Application->Manifest
set Manifest file to custom and at the bottom browns and select the created manifest file ...
That is it just recompile your App and run ... Please let me know if it helped or not.
I tested this on Win10 and RAD11 C++ (trial version win32 target)
This let me thinking that scaling related bugs might be caused by something in auto-generated manifest (have no knowledge and experience with those so I am just wild guessing) file which is bypassed by this approach...
I think you also do not need to use the admin rights part of the manifest so you might want to change that once this is already working for you.
I published an intranet on IIS 7.5. If I try to go to the website, I get "403 - Forbidden: Access is denied - You do not have permission to view this directory or page using the credentials that you supplied".
If I right click on the application folder on IIS Manager and go to Manage Application and then Browse, I get "HTTP Error 403.14 - Forbidden - The Web server is configured to not list the contents of this directory". It then proceeds to tell me that A default document is not configured etc. etc. I do have a default document listed in the web.config file as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="false" />
<modules runAllManagedModulesForAllRequests="true" />
<defaultDocument>
<files>
<add value="Index.cshtml" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
What am I doing wrong? Many thanks.
check the folders permissions: right click on the folder, click on properties go to Security and add the appropriate user (like IUSR_...). hope it helps.
It turned out I was publishing the app completely the wrong way. I was going by how previous ASP.Net apps created as Websites and not Solutions were published. This MVC app needed to be placed in inetpub/wwwroot folder in the server. If I published through Visual Studio I think this would have happened anyway. I didn't have VS in the server. So I placed the files manually there (just copied from my local inetpub/wwwroot since I successfully published there earlier). The last thing I needed to do was go to IIS Manager and converting the project folder into an Application. Now cooking on gas.
I am currently editing a project that was opened from a source control at my business. When trying to debug locally I get the error
Validating Web Site
: Build (web): The pre-application start initialization method Start
on type System.Web.WebPages.Deployment.PreApplicationStartCode threw
an exception with the following error message: Access to the path
'C:\Users\gary\Documents\Visual Studio 2010\WebSites\DOISAdminPortal\'
is denied..
Ive done some research and a lot of people say to delete the
add key="webpages:Enabled" value="true"
from the web.config file. It was never included in the config file so that shouldn't be the issue.
Anyone have any suggestions??
The files which were contained in the VS 2010 folder needed to be given permissions to the iis express user iis_iusrs. once this was done I was able to access all files in the directory and was able to debug the page.
Short Answer: Try turning off impersonation for local testing.
For my case, our web.config had the following line:
<identity impersonate="true" userName="DOMAIN2\admin" password="12345"/>
under the </system.web> section.
This impersonated identity functioned on the production server, but when running it on my local, the user admin from domain DOMAIN2 did not have the same privileges because my local machine was on a different domain say DOMAIN3 and did not by default give DOMAIN2\admin any rights on the system.
One way I circumvented the issue is by turning off impersonation like follows:
<identity impersonate="false" userName="DOMAIN2\admin" password="12345"/>
I suppose this defaulted my settings to use the rights from the currently logged in user.
I added NLog to my project. Following the instructions I created NLog.config.
<?xml version="1.0" ?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<targets>
<target name="file" xsi:type="File"
layout="${longdate} ${logger} ${message}"
fileName="${basedir}/${shortdate}.log" />
</targets>
<rules>
<logger name="*" minlevel="Debug" writeTo="file" />
</rules>
</nlog>
and then just log something.
var logger = LogManager.GetCurrentClassLogger();
logger.Info("xxxx");
With the developer web server it work fine, but when I publish the app to IIS, no logs are created.
Edit website permissions in IIS and under security tab give IIS_IUSRS group full privileges.
In Application, Pools find the pool your application is using and set some specific user.
The image below describes the procedure step by step:
Does NLog.config have the property "Copy to Output Directory" set as "Copy always"?
One of the problem is IIS doesn't have permission to write in log file. If you are sure you have NLog.Config in your release and the log file is still not generating then give full access to your IIS application pool.
You can add "throwExceptions="true" to your nlog config to see what is the problem. Should be something like this:
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd"
autoReload="true"
throwExceptions="true"
internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">
After you are sure about it is access problem you can do like below for giving access to your application pool.
First find your application pool (in case you don't know) :
On IIS manager right click your web page name.
On Manage Website tab click Advanced Settings.
You will see Application pool name on top.
Give full access to your application pool :
On IIS manager right click your web page name.
Click Edit Permissions.
Select Security Tab on opened window.
Click Edit button
Select your application pool name. (If your application pool is not in the list then you have to add it)
And at down select full access and than select ok and leave.
First of all, this is my third question on the similar topic.. and still I have no answer, maybe only approaching it (see first, second).
My web application (ASP.NET MVC3 under IIS 7.5) runs git to access some github repositories. After I upgraded my workstation to Windows SP1 it stopped to work. The reason was that as soon as git started, it actually runs ssh.exe to communicate with github. The ssh.exe appears to hangs up, so all application hangs.
The application pool used by that application use the same process identity as myself. But using ProcessHacker I can see following picture:
Because of USERPROFILE is pointed to /system32/config/systemprofile ssh.exe is expecting to have .ssh folder, that contains public/private keys. Since keys are not there it hangs.
But keys are typically in ~/.ssh (in my case c:\users\alexander.beletsky.ssh). As soon as I copied keys into /system32/config/systemprofile application started to work as expected.
My question is, why does w3wp.exe thinks that its profile in /system32/config/systemprofile? is it possible to change that? it is expected behaviour for application pool or just issue of my machine?
Waiting for any clues!
EDIT
Load User Profile property of Application Pool is set to TRUE.
ssh.exe is actually using HOME environment variable. Check if it set correctly.
As my machine on which this works has the same value in enviroment page of process hacker, and still
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) has value of my user appData, and I have SP1, I think that it should not be related to it, but to something in your configuration that could have been changed. Check if your inetmgr has properly set identity for your application. Open C:\inetpub\temp\appPools\yourAppPoolName\yourAppPoolName.config and check if this setting exists:
<configuration>
....
<system.applicationHost>
<sites>
<site name="Default Web Site" id="1" serverAutoStart="true">
<application path="/yourAppPath" applicationPool="yourAppPoolName">
<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\yourAppPath" userName="yourUserName" password="[enc:AesProvider:someHashHere=:enc]" />
</application>
...
</site>
</sites>
<system.applicationHost>
<configuration>
If not, you can configure it there (put password in plain text or you can configure it using inetmgr like I described in my answer to your other question).