We have an application that needs get from an Administrator account to another limited account and the other way around. Currently we are setting the auto logon in the registry, then reboot the machine. This takes up to 3 reboots as the machines are EWF enabled. Our customer support just cannot sit around and wait for the remote machines to reboot while there's an angry customer on the phone.
We have a windows service and a ui running on the machines (written in C#). Most of them are windows 7, but some are windows xp and windows 8.
I was wondering if anybody here knows a way to maybe trick windows into thinking it was just rebooted and auto log into an account. Anybody know of anything? I do know there are tricky ways to log into an account automatically from the login screen, but as far as I understand that's going to require writing a module to replace GINA in windows XP, and in windows vista and up, since GINA was replaced with a "Content Provider", writing a Content Provider or something, both of which seem overkill, but a possible future solution. Any ideas?
NOTE: We are not switching between accounts so that the application can run a process under that account, we are switching between accounts so real people have either administrative access or limited access to the computer. Hope that makes it a little more clear
If you have an application that needs to run between other users and an administrator, you should be creating a launcher application. The launcher application should be using Process.Start() to start your application. You can supply ProcessStartInfo arguments to Process.Start() so that you can run the application using different credentials.
Here'some help. For Xp, there's a simple registry key that does it (search google for AutoLogon), for Win7, it's a bit more complex. See this topic:
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-to-turn-on-automatic-logon-in-windows-7/99d4fe75-3f22-499b-85fc-c7a2c4f728af
I think we had something like this running somewhere, but it wasn't my task and the collegue is on vacation this week. Maybe the above link helps, i'll ask him otherwise.
Related
I read some topics here, but I haven't found the solution of my problem.
I wrote application(C#, WPF, EF, sql server compact) that should start at windows startup. I tried to achieve that in two ways:
Add entry to windows register. Unfortunately that wasn't work on Windows 7. I found here that adding a shortcut to Startup folder can solve my problem...
I've added shortcut to my application in Startup folder. Unfortunately again it is not working...
My application is starting with admin permissions because is using external dll's sql server compact. Maybe this is reason? In addition my application is not signed and probably will not be. Also writing a wcf service could be bad idea in my application.
Do you have any suggestions, or solutions for that problem?
It's against windows guidelines ( and enforced by the operating system ) to put a program that requires UAC elevation in the startup process. It's a horrible user experience to be prompted for elevation every time they logon to a computer.
I would factor the wcf / sql into a service and keep the client side UI elevation free.
Reference: Error message when you start a Windows Vista-based computer: "Windows has blocked some startup programs"
The solution for that problem was to make user to install sql server compact on his own computer instead of embeding it in application folder and change permissions for application to asInvoker from admin.
I didnt get correct answer and got lots of answers like "we can not do like this" for my previous questions.
Thats why I decided to explain in detail about my problem please help me if you can or please ask your friend who can answer this.
Now my problem:
Step 1:
I created a C# program which edits various windows registries.
For editing windows registries we must have an Admin privilege.
My program is running fine in Administrator mode without any problem.
Step 2:
I want my program to be run into limited user mode also. If few people didnt get what I am saying here is that I want to run my above C# code into Guest mode.
In guest mode there is a restriction that We can not change Windows Registries.
So as I am executing my Application, I am getting one notification which is asking for Admin Password.
After inserting Admin Password my application is working fine.
Step 3:
I want that my application must not ask Admin password every time in Guest/limited account.
I also want that in Guest mode my Application should work.
I also want that in Guest mode my Application should be able to access and change Windows Registries.
Step 4:
Lot of people replied me that we can not do this in Guest mode since Windows is restricting users to edit windows registries for security purpose. So please if you also feel like this then please do not reply to this question.
I am answering to those people that, all good antivirus which run into Guest mode has access to Windows Registries.
Step 5:
Since I know Admin Password so is there any way of saving Admin password in our C# code and bypass popup message of asking Admin password again and again.
Is there any way that we will instruct Windows that our application will be running in Admin mode and do not ask for Admin password again and again
How Antivirus application running in Guest mode do all the operation like deleting virus from system32 folder and resetting registries after Virus attack. These antivirus application never asks for "We found a virus in System32 folder, Since I am running in Guest mode and unable to delete virus, so please enter Admin password so that I can delete virus"
I hope you understood what i mean to ask?
I want to develop a C# application which should run in any mode (Admin/Guest/Limited) and should be able to Create, Edit and Delete Windows Registries.
Note: Please do not answer this with "right click and Run As Administrator".
To the best of my knowledge, antivirus software solves this problem by running two (or more) processes: a user interface program running as the guest user, and a privileged process (usually a Windows service). The user program is not able to actually manipulate privilege-restricted resources (like secure registry hives) -- instead, it communicates with the privileged process (hopefully in some secure way) and the privileged process performs the privileged action on behalf of the user.
This is the same kind of technique by which programs ever access privileged resources, such as hardware. Your user-level process doesn't (usually) have the right to perform various hardware actions, like remapping memory in the MMU, but the OS does, and you can get the OS to do what you want by asking it to. System calls thunk into kernel mode, which is fully privileged. However, the system call interface limits the kinds of privileged actions which you can take.
I cant help but saying, NO, you cant do admin things under a guest account. And no- you cant programmatically bypass UAC.
Maybe the following 2 workarounds are interresting for you?
I believe antivirus software runs under the System account (can only be installed by an administrator). For your application, you can create a server/client architecture (both running no the same machine) where the server is installed by the administrator (as part of the whole package) and runs by default under the System account. Then you can use the client on the quest account to send commands to the server.
One other solution might be not to use the registry directly but use another underlying datastore which is accessible by a guest account and synchronize that on demand with the registry (startup and shutdown?), so you only need the admin to login once or twice during the run of your app.
I wrote a C# application that is running well on my xp development machine.
When my client is running it on different PC, it seems to freeze on both vista and 7 machines.
I would like to know if there is any issue on running dotnet applications on vista/7.
I compiled the application for both framework 2.0 and 3.5 but it didn't help.
The log file neither doesn't help.
Is there any way to know where is the application freezing (of course, the client doesn't have VS for attaching to the application) ?
Thank you in advance for any help.
Pierre.
Generally, .NET application should run the same on any Windows version with .NET framework installed. Most common problem that occur are related to the new User Account Control policy in Vista and 7, which prevents applications from accessing areas requiring elevated privileges (which would otherwise run fine under an Administrator account in XP).
For example, if your application is trying to write configuration settings to the Program Files folder (which is a really bad idea, btw), or is using some hardcoded disk or registry paths instead of environment variables provided in .NET classes, it may fail under Vista.
To quickly check if this is an UAC privilege problem, try to run the application as an administrator (have your client right click the .exe file and select Run as Administrator). If it works, then this suggests that you need to examine your code and update it to make sure you are only accessing allowed areas.
Check this link for more information: Making apps UAC aware.
As redsquare suggested, the best way to test your application in a variety of Windows systems is to run them in several virtual machines (MS Virtual PC or VMWare Player, both of them free for download).
You do not give much information in order for us to help a great deal.
I would start by trying to recreate the issue locally on a virtual machine (vista one available here) and then profiling the app with something like memprofiler.
Ask your client to capture a process dump using Windows Task Manager,
In Task Manager, find the process that hangs.
Right click and capture a memory dump.
Then you can do some analysis on the dump to see why it hangs.
If you are not familiar with dump analysis, find someone who can help or open a support case via http://support.microsoft.com
csharp applications are supposed to run on vista/win7. This is their home:)
Your problem is not the OS. its your application.
Most probably the application is looking for a file, a folder, something on the client side that is not there and its freezing. this is my experience.
Check for project independencies and make sure you have shipped to your clients everything your project needs.
and last, distribute to one client the debug version with debug messages enable and get the feedback from their system.
I'am managing a Lab with around 15 Computers. I wrote a little program to start all of the from one computer and to shut all of them down from a remote computer... So far so good. But it would be really nice to get all computers to do a login (credentials given from the app). There are on all 15 Computers the same user accounts (exp1/exp2). Sometimes all computers are needed logged in by exp1 and sometimes as exp2. Are there any Ideas how I can do this? Any hints on what to search? I'm googling now for a long time.
Please help.
Cheers
Eydrian
As the commenter said you can set the autolongin and reboot the machines or you can get some kind of remote control software like netop. There is no way built into windows to login remotely to the gui primary windows station as it would be a massive security risk.
You don't mention the version of Windows. If it's XP you might be able to do it with a GINA replacement. Some information can be found here:
http://msdn.microsoft.com/en-us/magazine/cc163803.aspx
In Vista GINAs was replaced with Credential Providers but I think they are more limited.
I'm running on a Windows 2000 Pro SP4 box (off domain) and trying to impersonate a local user on a Windows XP box (on domain). I'm using code very similar to the WindowsImpersonationContextFacade in the question posted here: How can I temporarily impersonate a user to open a file?. I am using impersonation to remotely start and stop windows services as well as access network shares (for some automated integration tests).
To get this working, i had to use LOGON32_PROVIDER_DEFAULT and LOGON32_LOGON_NEW_CREDENTIALS when calling LogonUser. Everything worked beautifully ( Windows XP on domain to Windows XP on domain, Windows XP on domain to Windows Server 2003 off domain, and even Windows XP on domain to Windows 2000 off domain). The one issue was running on Windows 2000 Pro SP4 off the domain and trying to impersonate a local user on a Windows XP box running on the domain.
To get the Windows 2000 piece working, i had to use LOGON32_PROVIDER_WINNT50 and LOGON32_LOGON_NEW_CREDENTIALS when calling LogonUser. This seemed to get me 95% of the way there, i could now impersonate the local user on the XP box and start/stop services as well as access a network share using the impersonated credentials. I'm running in to one problem though, calling Undo impersonation and closing the token handle seems to leave the connection to the remote box open. After about 10 or so impersonation calls, further impersonation attempts will fail with an error saying something about too many connections are currently open. If i look at the Computer Management -> System Tools -> Shared Folders -> Sessions on my remote Windows XP box, i can see about 10 sessions open to the Windows 2000 box. I can manually close these (i think they may eventually close themselves, but not very quickly) and then impersonation begins working again few more times. This open session issue doesn't seem to be a problem in any of my other test scenarios, just when running locally on a Windows 2000 box.
Any ideas?
Edit 1:
After some more testing and trying out many different things, this seems to be an issue with open sessions not being reused. On Windows 2000 only, every call to LogonUser to get a token and then using that token to impersonate seems to result in a new session being created. I'm guessing Windows XP & Windows Server 2003 are reusing open sessions since i don't seem to be having any issues with them. If I call LogonUser once, then cache the token, I seem to be able to make as many calls to impersonate as I need using the cached token without running in to the "too many connections" issue. This seems like an ugly work around though since i can't call CloseHandle() on my token every time i perform impersonation. Anybody have any thoughts or ideas, or am i stuck with this ugly hack? Thanks
In case anyone is ever interested, i never did find a good solution to this problem. The work-around that i went with was to cache the token returned from LogonUser, and then reuse that token with every impersonation call. This made things work great, but its not something i'd ever want to do in production code.
"start/stop services as well as access a network share". Depending on your code, this can lead to such issues.
Calling Undo only releases impersonation involved resources, but not all resources your application uses.