Vista UAC - handle privileges elevation

Similar Messages

• How do I get an extended SecurityManager to handle privileged code?

  Hi.
  I have written my own SecurityManager which asks if the user wants to allow the action before denying it. It also offers to write the whole permission into the current policy file.
  The problem I have is that I can't get the securitymanager to handle privileged code. At the moment I get the call stack and check which classes that doesn't have the permission, check their codebase and write the permission to that codebase. But that will fail if any code is privileged.
  So what I need is to get some information about those protection domains that are marked privileged, and it seems that the only way to get that is by using DomainCombiner.
  But it doesn't seem to work at all, thinking that it might have something to do with that I have to run the critical code in my security manager as privileged, and that I do something wrong when I am extracting the DomainCombiner.
  Well, I hope you understand my problem and that someone have some nice idea about how to do it in a clean nice way.
  best regards,
  Fredrik

  Might be better if I post the whole code, it aint that big.
  package tddc03;
  public class SecMan2 extends SecurityManager { 
      private static String separator = System.getProperty("file.separator");
      public SecMan2() {
           super();
      public void checkPermission(final Permission perm) {
       try {
           super.checkPermission(perm);
       catch (final SecurityException se) {
           System.out.println("Securityexception caught: " + se.getMessage());
           System.out.println("Would you like to: 1. Allow once, 2. Allow everytime, 3. Deny?");
           try {
            char res = (char)System.in.read();
            /*Read until end of line, or eof. to descard anything other then the first character*/
            char tmp;
            int readItem;
            do {
                tmp = (char) (readItem = System.in.read());
            }  while ( tmp != '\n' && readItem != -1 );
            if ((res != '1') && (res != '2')) {
                System.out.println("deny!");
                throw se;
            else if (res == '2')
                 /*Well, we need to make the handleException() code to run as privileged code
                  * since it need access to resources that the caller shouldn't have access to.
                  * The code that runs marked as privileged only rely on its own permission, so
                  * we can give this package the permission to write to the policy file without giving
                  * it to the program that is running*/
                  try {
                      AccessController.doPrivileged(
                                     new PrivilegedExceptionAction() {
                                         public Object run() throws SecurityException {
                                                    handleException(se, perm);
                                                    return null;
                  } catch (PrivilegedActionException e) {
                      throw (SecurityException) e.getException();
           } catch (IOException ioe) {
                System.out.println("IOException on input:" + ioe.getMessage());
                throw se;
       catch (Exception e) {
           System.out.println("Exception caught :" + e.getMessage());
           e.printStackTrace();
      private void handleException(SecurityException e, final Permission perm) {
       String provider;
       Vector<String> codebase = new Vector();
       /*if you only using your own policy file, there will be one '=' infront of the
         searchpath which we have to remove*/
       provider = System.getProperty("java.security.policy");     
       provider = provider.replaceFirst("=","");     
       /*this means we have to use the default one.*/
       if (provider == null)
           provider = System.getProperty("java.home") + separator +"lib"
            + separator +"security"+separator+"java.policy";
       //codebase = "file:" + System.getProperty("user.dir") + separator + "-";
       Class[] classes = getClassContext();
       ProtectionDomain pd = null;
       for(int i=0; i < classes.length; i++) {
           pd = classes.getProtectionDomain();
       if (pd.implies(perm) == true) {
                      System.out.println(i + ". " + classes[i].toString());
       else {
                      System.out.print(i + ". " + classes[i].toString()+ "[");
                      System.out.println(pd.getCodeSource().getLocation().toString() + "]");
                      codebase.add(pd.getCodeSource().getLocation().toString());
       final File policy_file = new File(provider);
       final PolicyParser parser = new PolicyParser();
       PolicyParser.PermissionEntry perm_entry;
       PolicyParser.GrantEntry grant_entry;
       //Traverse the exception message to get the specs for the new permission
       String perm_type, perm_action, perm_param;
       try {
       //We need to get the data from the exception message, so we will split it up.
       String temp[] = e.getMessage().split("[()]",3);
       temp = temp[1].split("\\s",3);
       perm_type = temp[0];
       perm_param = temp[1];
       if (temp.length > 2)
            perm_action = temp[2];
       else
            perm_action = "";
       perm_entry = new PolicyParser.PermissionEntry(perm_type, perm_param, perm_action);
       FileReader p_reader = new FileReader(policy_file);
       parser.read(p_reader);
       p_reader.close();
       //Travers all grants, looking for the current codeBase
       PolicyParser.GrantEntry list_entry;
       Enumeration elements;
       for(Enumeration ec = codebase.elements(); ec.hasMoreElements();) {
            elements = parser.grantElements();
            grant_entry= new PolicyParser.GrantEntry();
            grant_entry.codeBase = (String) ec.nextElement();
            while(elements.hasMoreElements()) {
            list_entry = (PolicyParser.GrantEntry) elements.nextElement();
            //If null == null or codeBase == codeBase
            if (grant_entry.codeBase.equals(list_entry.codeBase)) {
                 list_entry.add(perm_entry);
                 //To mark that the entry was successfully found
                 grant_entry = null;
                 break;
            if (grant_entry != null) {
            grant_entry.add(perm_entry);
            parser.add(grant_entry);
       FileWriter p_writer = new FileWriter(policy_file);
       parser.write(p_writer);
       p_writer.close();
       Policy.getPolicy().refresh();
       } catch (IOException ioe) {
       System.out.println("IOException caught:" + ioe.getMessage());
       } catch (ParsingException pe) {
       System.out.println("ParsingException caught:" + pe.getMessage());
       } catch (Exception ex) {
       System.out.println("Exception caught:" + ex.getMessage());

• 9.1 freezes if Vista UAC is on.

  Running Vista SP2.  If User Account Contorl (UAC) is on, Reader 9.1 will open and disply the first page of ducument, then freezes and can only be closed via the task manager.   This happens both when running Reader as a stand-alone, or through Firefox or IE.  If I open Reader directly rather than by clickiing a file, it locks up right away.
  The usual UAC warning does *not* appear. The reader opens fine and then locks up.
  This also prevents 9.1 from being removed or updated while UAC is on.  It gets almost thru the process, then throws an error message (something about being unable to get something from V8) then stops.
  This does not affect Reader v 8.  All works OK if UAC is turned off (but then I get that annoying reminder to check my security settings.)
  Suggestins?

  Turn UAC off and pray that Windows 7 fixes the problem.

• Cisco Clean Access Agent and Vista/UAC

  Anyone have any idea on how to allow the agent to start w/o kicking off UAC for a non-admin user? Hate the thought of having to disable security (UAC) to further security (enforce software policies). Thanks in advance.
  Dean
  Univ of Dayton

  Just to follow up (on my own post ;-)):
  "What you are seeing is unfortunately expected behavior. With 4.1.3.1 we ask for the highest available privileges. As an admin this produces a UAC prompt to give all privileges. There has been an enhancement bug filed to change the behavior in future versions."

• Vista PDF Preview handler installed on Win 7 32 bit does not work.

  There is no discoverable information regarding failure to preview Adobe PDF files on Win 7 32 bit. The advice for 64 bit does not work. Adobe continues to install the Vista preview handler on my Windows 7 computer, which I suspect is the issue. Is there any way to find and install the Windows 7 32 bit handler or is there a registry hack that permits 11 to access the vista version or what? This is a repeat post, as I cannot locate the first and assume that there have been no responses, as I  have received no alerts.
  If you have an answer I will name my first born for you. He is 41 and object loudly, but no price to great.....

  I have fifteen minutes to mark this as a question, despite the fact that no question link or icon exists. Adobe?

• Hyper-V, RDC, UAC and Ctrl Alt End

  Greetings,
  Got a new computer running Win8.1 Pro. Still adjusting to Win8.1, but thought I'd give Hyper-V a spin so I can "replace" another system that I need to use for remote access to a client system. Be nice to just have one computer to do all my work.
  I've been using two systems to get my work done due to VPN conflicts - my primary work system connects me to work using one vendor's VPN, the remote client system uses a different VPN, and when I've worked on getting the VPNs to place nice together I have
  had little success.
  So I've been using two different, older and lower powered computers to get this done, but now I was thinking I could use Hyper-V to create a VM for accessing my remote client using their VPN without losing my work VPN connection.
  I've got the VM setup and configured, running Win7 Pro (because that's the other license I've got), and the VPN installed on it. I can connect to my work VPN, spin up the VM and connect to the client with their VPN, and RDC to the servers I need to work
  on when I need to work on them. Works great, right up to the point where the client UAC requires Admin elevation for the MMC (or other management type program). Up pops the box that says Press Ctrl-Alt-End to use my entered credentials, which have admin rights,
  to pass the creds on to the program.
  I can't figure out how to get Ctrl-Alt-End to the RDC dialog!
  I'm opening Hyper-V manager, then connecting to the VM on my computer. From the Virtual Machine Connection window, log into the client VPN, fire up RDC and connect to the server (logging in to their domain, etc.). I try to load the program on the client
  server in RDC, the UAC pops up, and - nothing. Hitting Ctrl-Alt-End on my keyboard brings up the lock screen on the Hyper-V connection, it doesn't pass it through to the active RDC session. I've loaded the onscreen keyboard on the remote server, clicked Ctrl
  Alt End, but that doesn't seem to pass into the UAC.
  I've thought - maybe I should configure my VM for remote access, then I can RDC to the VM, then RDC to the client's server, then... but... would that work?
  Suggestions?
  Thanks,
  Steven

  Greetings, Thanks for the reply. I'm not trying to use Ctrl-Alt-Del to clear anything, I'm not trying to use Ctrl-Alt-Del at all. Here's what I'm attempting:
  Fire up a VM, log into the VM, run the customer's VPN
  RDC to the customer's server
  Run the management app on the customer's server that needs elevated privileges
  In the RDC session to the customer's server:
   I get a UAC dialog, asking if "I want to complete this action by entering my credentials on the authentic Windows logon screen" or "I don't want to complete this action"
  I click the first option ("I want to complete...")
  I get a second UAC dialog saying "Press Control+Alt+End" to enter your credentials"
  I'm not able to press Control+Alt+End and have it go to the server in the RDC session, the VM is capturing it first; I HAVE tried it using the onscreen keyboard in the RDC session also without success
  (I took screen caps of the dialogs, but, I've pulled an all-nighter working on another issue and couldn't seem to figure out how to insert them here... doh!)
  So - no Ctrl-Alt-Del
  Next time I need to get to the client's server I'll have to check the settings for keyboard shortcut forwarding. Thanks for the suggestion.
  Steven

• Win 7 32 bit Adobe PDF preview handler issues (NOT 64 bit issue)

  No previews available in Outlook or Explorer (for documents in folders). Investigation shows the Vista preview handler installed.  repeated reinstall of Reader changes nothing.
  Attempts to use the registry hack provided on several sites for W7 64 do not work (because this is 32 bit)  Download site correctly identifies the OS as Win 7.. What to do? Thank you. 

  I have fifteen minutes to mark this as a question, despite the fact that no question link or icon exists. Adobe?

• Windows 7 UAC

  To get round the Vista UAC 'trust message' I codeSigned my application which worked fine but in windows 7 it now displays the 'Do you want to allow the following program to make changes to this computer?' message.
  Does anyone know how I can get rid of this message?
  BTW; I posted this question on the bottom of another thread I have reposted it on its own as I don't think the thread title of 'VeriSign' was very appropriate.

  From other forum threads it initially seems to be a UAC-specific issue where setting an application to 'Run as Administrator' causes that prompt every time. Unforutunately, this looks to be a UAC issue that has nothing to do with your signed app.
  If you have 'Run as Administrator' enabled for your app then maybe disable it and see if the message stops coming up... sorry that I can only provide troubleshooting steps and not an actual solution.

• How to create full new user with all privileges

  how to create full new user with all privileges?
  and how to delete existing users?
  Thanks in advance..

  Common solution is probably to use sudo for privilege elevation, wiki should help

• Service Manager Disabled - Vista Business

  Hi,
  I have started a clean installation of Business One on a Windows Vista Business environment. I have installed SQL 2005 Standard Edition SP2 and then installed the Server Component for SBO. After installing the Server Tools from SBO 2007A PL8 i cannot seem to start any of my services. All the buttons on my service manager are "Greyed Out" therefore cannot import a licence file, cannot start the licence server etc...
  Has anyone experiance a similar problem, or am I missing something?
  Please help....
  Regards
  Grant

  I'm experiencing the same problem.
  I haven't gone around to try this yet, but I think there might be some issues around the vista UAC. I'll post back if I figure out what to do.
  If anyone else could post their experience it would great. Any experience around vista could help too...

• Adobe 7 profesional on vista 64

  I installed adobe 7 profesional on vista 64 but printer drivers are not installed so it is not possible to generate new pdf files; any help to find out how to install pdmaker in vista?

  VISTA might handle AA7 as I recall, but AA8.1.2 was the first to work with 64 bit OS.

• Epson 4870 on Vista with CS3 will not scan

  I have an Epson 4870 scanner which I'm using with my Vista Home Premium (32 bit)software. When I first installed it, it worked fine. However, some update came along and made that a thing of the past. I've tried uninstalling and reinstalling. (The drivers are said to be Vista compatible, and they were for a while) I've searched the forum and Googled, but the only new advice I've seen is to turn off the Vista UAC or whatever, which opens the computer to security risks. Even with UAC off, it still doesn't work. I've considered getting a V700 or V750, but the reviews I've read don't show a significant difference in quality over the 4870, and I don't have enough 8x10 transparencies to warrant purchasing for that alone. I've also uninstalled and reinstalled CS3, trashed preferences, jumped over the moon while spinning counterclockwise, etc. Any suggestions?

  May I suggest checking to verify the drivers you have been trying to install. I just went to http://esupport.epson-europe.com/ProductHome.aspx?lng=en-GB&data=kVFQIoh3k1lpFyj2g2kFaMGu aI64nFnyUrvjJMOEt4IU003D&tc=6
  and downloaded the Epson Scan 3.0u file listed for Vista and for the Epson 4870 scanner. After expanding the .exe file to a folder, I found that this software supports multiple scanners, your included. In checking Es34.inf I found the following:
  "[Version]
  Signature="$Windows NT$"
  LayoutFile=Layout.inf, Layout1.inf, Layout2.inf
  Class=Image
  ClassGUID={6bdd1fc6-810f-11d0-bec7-08002be2092f}
  Provider=%Mfg%
  CatalogFile.nt=es34.cat
  DriverVer=12/21/2006,3.0.4.0
  [ControlFlags]
  ExcludeFromSelect=*
  [DestinationDirs]
  DefaultDestDir=11 ; LDID_SYS
  DS.Files=10,TWAIN_32\ESCNDV
  TBL.Files=10,TWAIN_32\ESCNDV\ESSYS ; LDID_WIN\TWAIN_32\ESCNDV\ESSYS
  DRV.Files=10,TWAIN_32\ESCNDV\ES0034
  FFMT.Files=10,TWAIN_32\ESCNDV\ES0034\FFMT
  EPSON.Color.Files=23 ; LDID_SYS\COLOR
  ES34.Color.Files=23 ; LDID_SYS\COLOR
  USB.Scan.CopySys32Files=10,system32\drivers ; LDID_WIN\system32\drivers
  [Strings]
  Mfg = "EPSON"
  ES34.DeviceDesc = "EPSON Perfection 4870"
  DSName = "EPSON Perfection 4870"
  StartButton = "Start Button"
  RegSection = "SOFTWARE\EPSON\EPSON Scan\ES0034"
  RegSection.x64 = "SOFTWARE\WoW6432Node\EPSON\EPSON Scan\ES0034"
  ScanApp = "EPSON Smart Panel"
  DiskName = "EPSON Scanners Driver Disk"
  ICCName = "PER487_R.ICM,PER487_T.ICM"
  It does appear this is the correct Vista driver and software to support your scanner. May I suggest it is possible to have corrupt files not being rewritten on reinstallation. After uninstalling and possibly running a registry cleaner, you might try installing the software and drivers from Safe Mode. Hopefully this will keep other drivers and antivirus software drivers from loading, giving you a better opportunity at a successful install.

• Help: IPOD service problem when installing in Vista

  Message reads something like Ipod Service did not start make sure you have sufficient permissions. It then gives the option to retry or cancel. This happens at some point in the installation process.
  I have among other things tried out all the steps outlined on the apple website, ensured I have admin access, created another admin account, msconfig, deleted completely all traces of Apple products even tried installing an earlier version all to no avail. I have contacted apple as well who though responsive were not much help either pointing me in the direction of well web links to manuals on the apple website. I also have SP1 installed. So My MS side of life is sorted.
  I am fed up and might just have to return my IPOD touch if no joy. This is probably my last chance to make this work. Unfortunate that what is presumably a lovely piece of kit is a nightmare simply because I don't use an apple machine.
  Alternatively can anyone suggest other ways to get this IPOD touch working other than Itunes. GGRRRRRRRRRRRRRRRRRRRRRH

  New developments:
  1) At the point in the installation where it tries to start services, I get an error message saying that IPOD Service did not start. Ensure you have enough permissions.
  2) I have done this using administrator account and even turned off Vista UAC all to no avail.
  3) I have also uninstalled with Windows install clean up like for the 20th time.
  4) Even when I do a clean uninstall and delete every trace of files and folders in other parts of the C:\ I stll find that IPOD service is listed and stopped. How is that possible?
  5) Any time I attempt to start IPOD service in task manager I get an error message saying Windows could not start the IPOD Service on Local Computer Error 2: The system cannot find the file specified.
  6) There are only two options available when it stalls in no.4 above ie. either to retry or to cancel. When you cancel it rolls back the installation.
  7) When I went to C:\Program Files folder there was no IPOD\bin folder and hence no IPOD Service folder.
  8) Yesterday I decided to circumvent the installation procedure by opening folder rather than opening the file. I was able to save a few IPOD and ITunes files which would not have been possible if I had selected cancel because when rolling back it deletes most of the vital folders and files.
  9) When I click on the Ipod service icon at this stage, nothing still happens. Also when I click on Itunes icon at this stage I get an error message saying some vital files are missing please reinstall.
  Is there a registry hack to resolve this issue? I am convinced that it is the only way to get me out of the doldrums. I must also mention that I have Vista service pack 1 intalled.

• 2007A en Windows Vista

  Buenas Tardes,
  Estamos intentando instalar el Service Manager del 2007A en un Windows Vista Home Premiun, para correrlo localmente en un equipo y no nos deja activarlo. Quisiera saber si alguien lo ha podido hacer o si en realidad no se puede correr dicho servicio en Vista.
  Gracias.
  Carlos Navarro

  Estimado Carlos
  Nosotros ya nos enfrentamos a este problema y la solución es muy sencilla, aunque se pierde una característica de seguridad en Windows Vista.
  El procedimiento es el siguiente:
  Si ya tienes una instalación de SAP en el equipo borrala completamente, incluso la carpeta y reinicia el equipo.
  Luego desconecta la caracteristica de seguridad de Windows Vista (UAC) o User Account Control o Control de cuentas de usuario, este parametro se encuentra dentro de Panel de Control/ Cuentas de Usuario
  Luego instala SAP normalmente y no debieras tener problemas
  El gran cambio lo notarás por que Windows ya no te pedira confirmación para ejecutar cada programa.
  En nuestro caso hemos dejado desconectada la carácteristica de seguridad luego de instalar SAP no conozco el comportamiento si vuelve a conectarse.
  Saludos y espero que todo te resulte bien
  Mauricio Cáceres H
  VisualK Chile

• ScriptListener under Vista

  hi
  I have been trying to run the script listener, but I think I have a Vista UAC problem (since the listener writes to the root directory).
  Has anybody used the listener under Vista with success, and how?
  Thanks
  Malan

  Yes they are for CS3/CS4 but if running CS2 you would need to create them in the root directory.
  Glad your working ok.