Analysis and Solution of permissions in win7

Document directory

• 2.1 How is the operating system tested?
• 2.2 problems with the heuristic installer detection method:

 

1. Why does the system prompt insufficient permissions when running software in win7?

To reduce the risk of computer systems, Windows Vista introduces the UAC (User Access Control) mechanism. By default, applications run under normal user permissions. Windows 7 inherits this mechanism. Generally, applications run as administrator. On other operating systems (such as Windows XP), there is no UAC restriction, and the permission to run programs will not be reduced. If you log on with an administrator account, the software installation will not cause any problems. However, in Windows 7, because of the existence of UAC, the user permission for executing the application is reduced, and the application cannot run normally. For example, some applications can run normally only after the Administrator permission is required, especially for the installation program. They need to go to some areas that require special permissions, such as "program
Files "or the HKEY_LOCAL_MACHINE of the Registry is written. In this case, even if the user logs on as an administrator account (not the default Administrator Account), they will encounter an access denial error, or the data is redirected to another location by UAC virtualization and cannot be correctly executed.

2. How does win7 determine the applications that require administrator permission to run?

The Microsoft operating system uses a heuristic installer detection method to determine whether an application is an installer (which requires administrator permission to run). If the operating system determines that the application is an installer, it will request the user to obtain the Administrator permission during execution so that the application can be correctly executed.

2.1 How is the operating system tested?

All 32-bit applications developed before Windows Vista without manifest (including external and internal) will undergo this heuristic installer detection. The operating system assumes that these applications are legacy and they all need to perform setup checks to determine whether these applications require administrator privileges to run properly. In the face of such applications, the heuristic installation detection of the operating system usually uses the following methods to determine whether a 32-bit application is installed:

1) the file name contains keywords such as "Install", "setup", and "Update.

2) the following fields of version Resources contain keywords: vendor (vendor), company name (companyName), product name (productname), file description, and initial file name (original filename), internal file name (internal name), export name (export name ).

3) Include keywords in the manifest of the executable file.

4) Include keywords in the specific stringtable linked to the executable file.

5) The resource file data linked to the executable file contains key attributes.

6) The executable file contains a specific byte sequence.

2.2 problems with the heuristic installer detection method:

I thought the operating system would automatically determine whether administrator permissions are required for any of our installers, but this is not the case, the operating system only uses a very simple way to judge (for example, through some keywords), so this method is not accurate. If a series of operations (such as copying files to the system directory and writing the Registry) performed by our installer require administrator permissions, and the installer does not have the above detection features, therefore, the operating system will think that the program does not require administrator permissions, resulting in installation failure. Due to insufficient permissions during the installation process, the following page may pop up:

In this case, we generally choose to run the software as an administrator.

3. Why does some software require "running as an administrator "?

For applications that require administrative permissions to perform operations (such as modifying the registry, listening to ports, and writing files to the system directory), administrator permissions are required for execution. When UAC is enabled, programs executed in win7 or Vista are executed in a way with low permissions by default. In this way, some operations that require administrator permissions will fail. To ensure that the operation is successful, you must request the Administrator permission to complete the operation after obtaining the Administrator permission. Programs that require administrator permission can be divided into three types:

1) there is a UAC shield icon identifier:

1> the operating system determines that the operating system is an installer Based on the heuristic installer detection method and requires the administrator privilege to run the agent.

2> Add the manifest file to the application to inform the operating system that the application requires administrator permission to run.

2) The UAC shield icon does not exist, but the process permission is elevated in the program.

3) The UAC shield icon does not exist, and the program does not have any operation to escalate the process permissions.

In the first two cases, if the user runs the application under the Administrator account, the dialog box Indicating whether to run the application is automatically displayed (if the user runs the application under the standard account, the dialog box for entering the administrator password will pop up.) After the user's permission is obtained, the program is automatically promoted to the Administrator's permission to execute the program. The program is successfully executed.

In the third case, the program fails to run directly because it requires the Administrator permission to execute the task, but the operating system does not know the operation and the program does not have the permission to upgrade. Then you can select "Run as administrator" to execute the application.

4. How can I allow the program to run automatically with administrator permissions?

There are three methods:

1) add keywords to the installer (for heuristic installer detection methods)

2) simply add a manifest file for the application to tell the operating system whether the program is installed and whether administrator permissions are required. If the source code of the application cannot be obtained, we only need to add an external manifest file to the application in the same directory of the application.

3) Improve the application running permission

5. How to add the manifest file to request administrator permissions?

You can add it in vc6.0 as follows:

Add a "Custom" resource and "Resource Type", enter 24, and change the resource ID to 1. The content is:

<? XML version = "1.0" encoding = "UTF-8" standalone = "yes"?>

<Assemb lyxmlns = "urn: Schemas-Microsoft-com: ASM. V1" manifestversion = "1.0">

<Assemblyidentity

Version = "1.0.0.0"

Processorarchitecture = "x86"

Name = "certappins.exe. manifest"

Type = "Win32"

/>

<Trustinfo xmlns = "urn: Schemas-Microsoft-com: ASM. V3">

<Security>

<Requestedprivileges>

<Requestedexecutionlevel level = "requireadministrator" UIAccess = "false"/>

</Requestedprivileges>

</Security>

</Trustinfo>

</Assembly>

Note: certappins.exe is the application name.

6. How can I improve the application permissions?

VC can be implemented in the following way:

Bool elevatecurrentprocess (cstring scmdline)

{

Tchar szpath [max_path] = {0 };

If (: getmodulefilename (null, szpath, max_path ))

{

// Launch itself as administrator.

Shellexecuteinfo sei = {sizeof (shellexecuteinfo )};

Sei. lpverb = _ T ("RunAs ");

Sei. lpfile = szpath;

Sei. lpparameters = (lpctstr) scmdline;

// Sei. hwnd = hwnd;

Sei. nshow = sw_shownormal;

If (! Shellexecuteex (& SEI ))

{

DWORD dwstatus = getlasterror ();

If (dwstatus = error_cancelled)

{

// The user refused to allow privileges elevation.

Return false;

}

Else

If (dwstatus = error_file_not_found)

{

// The file defined by lpfile was not found and

// An error message popped up.

Return false;

}

Return false;

}

Return true;

}

Return false;

}

7. Auto-start of applications under win7

1) the application with the shield icon (the operating system detects the keyword or adds the manifest file) will not be executed after it is started (permission escalation is useless ).

2) applications without the shield icon can be executed after startup. Execution successful or failed.

If the application can be correctly executed without administrator permissions, the application is successfully started after it is started. If the application requires administrator permission, the execution result is divided into two situations:

1> If the application does not have permission escalation, the operation can be performed after the application is started, but the operation fails;

2> This application performs permission escalation. After the application is started, it can be executed successfully.

To sum up, if you want to start an application that requires administrator permission, you must ensure that:

1) This application has no keywords (refer to the heuristic installer detection method)

2) You have not added the manifest file to request administrator permissions.

3) Improve process permissions in the program

Note: the first two items ensure that the application does not contain the shield icon.

 

To ensure that an application that requires administrator permission to run runs properly (no need to start automatically at startup), you can simply add keywords or add manifest to request administrator permission.

8. UAC permission adjustment method:

By default, the User Account Control Function grants users standard permissions. If a program requires the Administrator permission to run, the User Account Control function will ask the user whether to improve the permission of the task.

Permission adjustment type:

1) Timely Privilege Escalation (OTs );

2) Permission escalation.

If the current user is an account of the Local System Administrator group (not the default Administrator Account of the system), the permission escalation method is adopted. The dialog box Indicating whether to allow running is displayed. After obtaining user permission, the dialog box is promoted to administrator permission. If the current user is not a local system administrator group account (such as a standard user or guest account), immediate permission escalation is adopted. When running the application, you must enter the administrator password and escalate the password to Administrator after confirmation.

9. Why do I have no administrator permission to log on to Windows 7 as an administrator?

Because of the UAC (User Account Control) mechanism, even if the user logs in as an administrator account, the permission for executing the application is reduced, so there is no real administrator permission.

10. What are the differences between the Administrator and the win7 built-in account "Administrators" permissions?

The Administrator here is also called a local administrator group user, while the built-in account administrators also calls it a super administrator account. The difference is that, by default, the Administrator account enables UAC and is limited by the UAC mechanism, while the built-in account administrators (disabled by default) has full permissions, UAC is disabled by default (equivalent to the administrator account of other operating systems, such as Windows XP). When installing software, UAC is not restricted.