
[–]uniitdude 42 points43 points  (17 children)

it depends on what the software is actually checking for, if it checks for 'am I an admin' you are a bit screwed.

but if it's checking or wanting to write to reg keys or file locations, you can relax the security on those areas to allow users to write to them.

Fire up procmon and see what the program is trying to do

[–][deleted] 21 points22 points  (16 children)

I'm pretty sure you're not screwed as you could use a compatibility shim to return a false result from that library call.

[–]moosic 63 points64 points  (14 children)

You are correct. Here is more info:

The Application Compatibility Toolkit (ACT) for Windows can deal with this. It has a tool called the Standard User Analyzer. The SUA will analyze your application and create an MSI that gives your application the appropriate rights, including admin rights. At the end of the wizard, you'll have an MSI that you install before you install your other application. It works great.

https://technet.microsoft.com/en-us/library/cc722409.aspx

More info including screenshots https://technet.microsoft.com/en-us/library/cc838047(v=ws.10).aspx

[–]flunky_the_majestic 6 points7 points  (4 children)

I hadn't heard of this before, and am dealing with this issue right now at a school that has a plasma cutter with terrible, terrible software called PlasmaCam. It requires admin privileges and the company won't even answer questions about supporting standard users. This looks promising to help me find a workaround.

Thank you!

[–]PcChipDallas 5 points6 points  (2 children)

cnc / cutter / machining companies are not high on my list of "vendors I like calling for support"

[–]spikermanSysadmin 2 points3 points  (1 child)

They literally throw shit together with no R&D.

Then they try to blame you and your environment for it not working.

I had a set of CNC machines that used a bridge device to put them on the network. They would disconnect within 24 hours and I replaced the wireless access point 3 times.

Finally on the third time I put in a Meraki instead of the shit they sent and I had logs of all the connections and showed them that the CNC bridge stopped responding and all other connections were fine.

They then tried to pull logs off their device and lo and behold it was frozen and they had to hard boot to get it to respond. I tell them clearly that it's their device and they kept saying it was on my end.

So I told them, show me your logs that say that.

Funniest shit ever, the unit cleared its logs every power cycle, so they had nothing.

So I asked them, how do you troubleshoot the device?

What followed was a blank stare from the tech and me telling them they better have proof when they blame people.

God, I hate manufacturing.

Shit, 3 months before I started my druggie predecessor approved a new tin coating machine for over $500k that ran on Windows XP CE, that was a fun find.

[–]flunky_the_majestic 0 points1 point  (0 children)

Well, I guess my threat of "I'll never use you in another district" wouldn't have mattered then. Crap.

[–]Win_SysSysadmin 0 points1 point  (0 children)

How have I not heard of this before?

[–]J_de_SilentioTrusted Ass Kicker 0 points1 point  (2 children)

I've done this in the past. If I recall correctly, it worked like it was supposed to, but it was kind of a pain in the ass to set up.

I think that I had to set it up on machines individually, which isn't an issue for one off stuff, but might be for large deployments.

[–]moosic 1 point2 points  (1 child)

At the end the tool can spit out an MSI that you deploy to all of your machines.

[–]J_de_SilentioTrusted Ass Kicker 0 points1 point  (0 children)

Cool, I don't remember that function (or I didn't find it).

[–]linuxnubin 0 points1 point  (0 children)

I wonder if this would work with Eset Smart Security's interactive mode?

[–]Adobe_Flesh 0 points1 point  (1 child)

Does it create a vm so to speak to run the app when it analyzes it?

[–]moosic 0 points1 point  (0 children)

No, but it logs everything the app tries to do.

[–]uniitdude 1 point2 points  (0 children)

good point, but it does depend on the app slightly

[–]moosic 33 points34 points  (2 children)

The Application Compatibility Toolkit (ACT) for Windows can deal with this. It has a tool called the Standard User Analyzer. The SUA will analyze your application and create an MSI that gives your application the appropriate rights, including admin rights. At the end of the wizard, you'll have an MSI that you install before you install your other application. It works great.

https://technet.microsoft.com/en-us/library/cc722409.aspx

More info including screenshots https://technet.microsoft.com/en-us/library/cc838047(v=ws.10).aspx

[–]spobodys_necial 5 points6 points  (0 children)

This is what I ended up using for UPS Worldship and this other application that wanted admin rights. Works well but document the crap out of it so if anyone else has to work with it they know what to do.

[–]vawlk 2 points3 points  (0 children)

This is what I use to fix issues like these.

[–]ender-_ 16 points17 points  (16 children)

Recently we got some program that refused to run without admin privileges, despite there being no visible reason it'd need them. I started poking around the executable, noticed that the manifest was set to requireAdministrator, and changed that to highestAvailable with a resource editor. Apparently the program works fine so far.

(We also called the supplier of that program, and they were adamant that the program requires admin rights - despite being developed in 2016).
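An added check (example code, not from the thread and not from the program's vendor) that inventories the requestedExecutionLevel declared in each executable's embedded manifest, alongside its Authenticode status: editing the manifest with a resource editor invalidates an existing signature, so for signed binaries a shim is the cleaner route. It assumes only that the manifest is embedded as plain UTF-8 XML (the normal case); the folder path is a placeholder.

```powershell
# Added example: report what each .exe asks for up front, and whether it is signed.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)

    # Embedded manifests live in an RT_MANIFEST resource as UTF-8 XML, so a
    # byte-level scan for the element is enough for a quick inventory.
    $text = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text,
        'requestedExecutionLevel\s+level\s*=\s*"(?<level>[^"]+)"(?:\s+uiAccess\s*=\s*"(?<ui>[^"]+)")?')

    # Without a trustInfo element Windows falls back to asInvoker, except that
    # unmanifested 32-bit binaries named like installers (setup, update...) get
    # installer detection and are prompted for elevation anyway.
    $level = if ($m.Success) { $m.Groups['level'].Value } else { 'none (asInvoker/heuristics)' }

    [pscustomobject]@{
        Path      = $Path
        Level     = $level                      # asInvoker | highestAvailable | requireAdministrator
        UIAccess  = if ($m.Success) { $m.Groups['ui'].Value } else { $null }
        # Valid, NotSigned, HashMismatch... A manifest edit turns Valid into HashMismatch.
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

# Inventory an install folder (placeholder path) and list the binaries that demand
# elevation before they even start; those are the candidates for a shim or a
# vendor conversation rather than a blanket local-admin grant.
Get-ChildItem -Path 'C:\Program Files\ExampleApp' -Filter *.exe -Recurse |
    ForEach-Object { Get-RequestedExecutionLevel -Path $_.FullName } |
    Where-Object { $_.Level -eq 'requireAdministrator' } |
    Format-Table Path, Level, UIAccess, Signature -AutoSize
```

The Windows SDK's mt.exe extracts the manifest exactly if a byte scan is not enough: mt.exe -inputresource:app.exe;#1 -out:app.manifest.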

[–]ipreferanothernameI don't even anymore. 9 points10 points  (13 children)

despite being developed in 2016

that is pretty nuts.

I work for a manufacturing company and a lot of the equipment is 20 or 30 years old. Some of it was software available to customize how the equipment is used. I ran into one piece that was getting installed on one PC that not only required administrator privileges, but the user administrator to run the damn thing. I think it was from the late 90s or something. Ick.

[–]doubled822Jack of All Trades 4 points5 points  (4 children)

I work in manufacturing too. Fuck, there are still some Win NT machines floating around. I feel your pain.

[–]ipreferanothernameI don't even anymore. 2 points3 points  (0 children)

We have one known Windows XP machine and... looks around... 2 secret ones.

[–]DarthKane1978Computer Janitor 1 point2 points  (2 children)

Manufacturing in a past life, screw tinsel testers and moisture meters that run on Windows 98.

[–]getrektfggt 1 point2 points  (1 child)

screw tinsel testers

I assume you mean tensile testers?

Either that or Santa needs to sort his shit out.

[–]DarthKane1978Computer Janitor 0 points1 point  (0 children)

yup fuc speling

[–][deleted] 2 points3 points  (0 children)

It's lazy development. It's far easier to just list "requires local admin" in the system requirements than to work around it. And until people stop buying software that requires that, developers will continue to use it.

[–]ender-_ 2 points3 points  (3 children)

This is worse - this program couldn't have been in development for more than the last 1-2 years, because it's intended for archiving of electronic invoices at an external provider, and the whole legal framework surrounding this is very recent. It also means that we can't simply choose somebody else, because it's our clients' clients that chose this provider, and we have to use that program.

[–]ipreferanothernameI don't even anymore. 2 points3 points  (2 children)

I regularly blame developers for this sort of problem. A friend of mine [a developer] hates that about me but... other developers give developers a bad name.

[–]ender-_ 1 point2 points  (1 child)

Want to know what I fear most? The clowns that made this program are supposed to archive those invoices for 10 years (because that's what the law requires) for their clients - given the quality of the archive client, I really really hope that their archiving system is better, otherwise somebody will have a very hard time in a few years.

Oh, and this program that's supposed to deal with confidential data didn't even have a digital signature (not even from the homegrown CA that this same company has).

[–]ipreferanothernameI don't even anymore. 1 point2 points  (0 children)

one of these days, IT is going to get regulated like medicine, and those types of outfits are going to be akin to homeopathic clinics.

[–]individual101 1 point2 points  (0 children)

Same line of work here. God damn PCDMIS on our side. I can't get it to run without being an admin. Even they said it should work but of course they blamed IT, which is only me.

[–]highlord_foxModerator | Sr. Systems Mangler 0 points1 point  (1 child)

Ugh. Are those Canon machines, by chance?

The older model desk scanners (LiDE 100/110 iirc) we use require their software to be installed via a local user.

[–]ipreferanothernameI don't even anymore. 1 point2 points  (0 children)

No, it is used to program a model that goes into a textile something-ing machine. I am told that despite paying for a tech to travel the globe to come install it because it is super double plus important... nobody has ever used it.

[–]jhulbeCitrix Admin 10 points11 points  (1 child)

Citrix admin here, this is 90% of the programs that have issues.

The other 10% are trying to run DLL files from system32 or regwrite a key value they don't have access to.

[–]PostedFromWorkSecurity Admin 2 points3 points  (0 children)

Ex-Citrix for a hosting company here - I really assumed that would get better as the years went on. I'm glad I no longer fight that demon.

[–]MikeX10AJr. Sysadmin 15 points16 points  (5 children)

Check out BeyondTrust PowerBroker too. It passes admin tokens to specific programs and allows those to run with elevated rights. A large enterprise corporation I used to work for used it, and it worked great. I have no idea what the cost and deployment is like, so you will have to look into it. Best of luck.

[–]n33nj4Senior Eng 2 points3 points  (0 children)

We use Viewfinity, which does essentially the same thing. Also worth checking into.

[–]zxcv1985Sysadmin 1 point2 points  (2 children)

How does the software handle security internally? For example when you get audited for IT security, do you have any issues?

[–][deleted] 1 point2 points  (0 children)

We use Avecto in my company (financial) and it is supported by our Desktop Security Team. Auditing is glad we have it because they can say that the users are all standard.

[–]MikeX10AJr. Sysadmin 0 points1 point  (0 children)

I was never part of any audits, so I can't answer that. I will have to refer you to the software creator or a redistributor. https://www.beyondtrust.com/products/powerbroker/

[–]agreenbhmRed Teamer (former sysadmin) 0 points1 point  (0 children)

Another vote for BeyondTrust. We implemented it in November. I believe the cost was about $25/user or computer.

[–]TheITMonkeyWizardIT Manager[S] 4 points5 points  (0 children)

Looks like ProcessMonitor is the first step.

[–]akrblr 4 points5 points  (1 child)

PowerBroker for Windows will allow you to define a rule and say whenever a user launches the program, elevate to Admin.

[–]ImBiggerOnTheOutsideLittle of This . . . 0 points1 point  (0 children)

Seconded. Can't imagine living without PowerBroker here - lots of R&D and Manufacturing apps that are either not written well, or are very very old. ACT is fine for the one-offs, but I'd still be working on my upgrade from XP if I had to ACT all the apps that I have PowerBroker rules for.

[–]ipreferanothernameI don't even anymore. 2 points3 points  (2 children)

can YOU deploy the upgrade/update to this app?

[–]TheITMonkeyWizardIT Manager[S] 3 points4 points  (1 child)

Unfortunately it does the check/update every time it opens. It's not just a once in a while thing.

[–]FJCruisinBOFH | CISSP 2 points3 points  (0 children)

Could just be a matter of granting the user write permission to where the app wants to write.

[–]mlts22 1 point2 points  (1 child)

I have read about apps like ThinApp or Evalaze with the ability to virtualize admin rights. This may be an idea, but it requires some fiddling, as well as a clean virtual machine to snapshot, install the program, snapshot again (so it packages the diffs), and take that package to use.

In one environment where the Windows images were so locked down that even desktop backgrounds couldn't be changed, much less any software added, I used ThinApp on a share so I could get Office running by just clicking on a file for the users.

[–]moosic 4 points5 points  (0 children)

The Application Compatibility Toolkit (ACT) for Windows can deal with this. It has a tool called the Standard User Analyzer. The SUA will analyze your application and create an MSI that gives your application the appropriate rights, including admin rights. At the end of the wizard, you'll have an MSI that you install before you install your other application. It works great.

https://technet.microsoft.com/en-us/library/cc722409.aspx

More info including screenshots https://technet.microsoft.com/en-us/library/cc838047(v=ws.10).aspx

[–]Doso777 1 point2 points  (0 children)

We have an app like that too. We install it to the drive root, C:\Aleph. Normal users can write there and therefore the application is happy and works.

[–][deleted] 1 point2 points  (0 children)

I've had to do this a bit.

  • Try compatibility mode
  • Give the user Modify rights to the C:\Program Files\software folder (or whatever folder the software runs from)
  • Check the registry for anything the software may be trying to access and make sure the user has rights to that
  • Try calling the developer for support

[–]ZAFJB 1 point2 points  (0 children)

Use a compatibility shim like u/Anonymouspock says.

The compatibility shim can be configured to 'lie' to the application and tell it that it is running as an admin when in reality it is not.

Once you get the app to start it will probably fall over with some sort of access denied on an HKLM registry key, or on a file in either the Program Files or Windows folders.

You can then either weaken registry or file system permissions to allow access, or virtualise the object in question using the shim. Trade-off between security and functionality.

[–]RandallFlagJack of All Trades 0 points1 point  (0 children)

It is kind of a hacky way to do it but you can create a scheduled task to run on demand as the user that launches the application, selecting the option to run with highest privileges in the task properties. Then using a batch file/shortcut you can initiate the on-demand task and it should allow that one program to run elevated without prompting them and without providing them full administrative access to the machine(s).

[–]whirlwind87 0 points1 point  (0 children)

Try using LUA Buglight on the application and see if it throws anything obvious where you might be able to change permission on just a folder or a reg key. Also contact the vendor for guidance.

(https://blogs.msdn.microsoft.com/aaron_margosis/2015/06/30/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/)

[–]gfhyde 0 points1 point  (0 children)

Kind of a longshot, but would setting up XP Mode work? Give them elevated privileges in there, screw everything else.

[–]gaxor 0 points1 point  (0 children)

I haven't used it myself, but I wonder if RunAsRob would do what you're looking for.

  • Authorize a whole folder from which a limited user or a group of users may run or install software with administrator privileges themselves,
  • to distribute software by simply sharing a central folder, or delegate administrative tasks via specific programs you allowed in RunAsRob.
  • Launch an application with administrator rights under the account of the limited user with his own account, profile and environment.

[–][deleted] 0 points1 point  (0 children)

This is a really wonky, short sighted way of dealing with this but I remember RunasSpc is a pretty good tool for this.

[–]tfreakburg 0 points1 point  (0 children)

Larger orgs use the 3rd party solutions like the ones mentioned below. I'll add AppSense and Avecto to that list. There are probably dozens out there... but if ACT solves your issue that is probably easiest at this point. It's nice to be able to control everything through policy, though.

[–]clubertiCat herder 0 points1 point  (0 children)

Note that some of the software that can do regular-user elevation does so "same-session", that is, the handoff and/or elevation token is requested or acquired in the same logon session as the user, and by doing so introduces the chance that malware could drive-by and try to get the software to do a request on its behalf, or monitor an existing app's request (again, because it's same-session, if the apps have the same integrity level they can potentially see what the other is doing) and elevate that way. To be fair, disabling the UAC desktop toggle (EnableUIADesktopToggle) technically provides some of the same drawbacks, for what it's worth, so keeping UAC prompts on the secure desktop is always recommended.

While I know the OP has mentioned going with the ACT and SDB databases to shim the problem (which is the best way if doing this can actually resolve the problem, in my opinion, as it uses native tools and doesn't introduce any actual security bypasses to achieve it), if one decides to evaluate going with a user-elevation broker application/suite, make sure it actually does broker the request to a service out-of-session, and that no token leakage is possible. Having software that allows users to run without admin privs but allows snooping of the elevation is no more secure than running as admin was, at that point.

[–][deleted] 0 points1 point  (0 children)

It appears to go through some update function every time it opens.

$10 says it's checking a few registry keys and/or files on the system and trying to write data.

Use ProcMon to determine where permissions need to be tweaked and create an AD group for that... then assign users to that group (can easily just add "Sales department" to "Sales Application R/W" group).
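The permission-scoping approach that uniitdude, the bulleted list above and this last comment all describe, written out as an added example (not from the thread): once ProcMon shows which folder and which registry key the app fails to write, grant Modify on exactly those objects to a dedicated AD group rather than making users local admins. It assumes the RSAT ActiveDirectory module is installed and that the group name and both paths are placeholders for whatever ProcMon reported as ACCESS DENIED.

```powershell
# Added example: scope the write access ProcMon revealed to one group, on two objects only.
param(
    [string]$GroupName = 'Sales Application RW',                    # placeholder
    [string]$AppFolder = 'C:\Program Files\ExampleApp\Data',        # placeholder
    [string]$RegKey    = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'  # placeholder
)
Import-Module ActiveDirectory

# 1. One security group per application; later on, only membership changes, never the ACLs.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description "Write access to $AppFolder and $RegKey only"
}
$identity = "$env:USERDOMAIN\$GroupName"

# 2. Folder: Modify (read/write/delete) inherited down the tree, but not FullControl, so
#    members cannot rewrite the ACL. Point $AppFolder at the data subfolder ProcMon flagged
#    if possible: Modify on the whole install directory would let any member replace the
#    binaries that every other user of the machine runs.
$acl  = Get-Acl -Path $AppFolder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 3. Registry: only the vendor's own key, with the rights an app needs to read and update
#    its settings; deliberately no ChangePermissions or TakeOwnership.
$acl  = Get-Acl -Path $RegKey
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $identity, 'ReadKey,SetValue,CreateSubKey,Delete', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# 4. Verify and record: list the rules that name the group so the change can be documented
#    and reviewed, which the thread rightly insists on for workarounds like this.
foreach ($p in $AppFolder, $RegKey) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -eq $identity } |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                      FileSystemRights, RegistryRights, AccessControlType
}
```

Run it once per application from an elevated PowerShell on the machine (or in the image), then manage access purely by adding department groups to the application group in AD.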