Solving poorly programmed app that requires local admin rights

Dashrender

I have an app that won't run as a non admin that I really want to get to work as a non admin.

I've downloaded and used both Process Explorer and Process Monitor, but I can't seem to find exactly where the permissions are not working.

Of course these tools are collecting so much data I try to filter it down, perhaps I'm filtering to much.

Anyone successfully do this before and have a write up?

scottalanmiller

That's an interesting challenge. I'm not sure how to track that down, but this should be interesting to see how the process wors.

Dashrender

@scottalanmiller said in Solving poorly programmed app that requires local admin rights:

That's an interesting challenge. I'm not sure how to track that down, but this should be interesting to see how the process wors.

I found many Registry locations it was touching, I gave them all full access, rarely did I see a folder access other than install directory, I did give the install directory full access to all users.

dafyre

Check the Task Manager and see what other processes start when you launch the app, and make sure that all of the processes it starts are included in the "Include" filter in Process Monitor.

You can also search the list for "Access Denied"

iroal

For this kind of programs I use runasspc

http://www.robotronic.de/runasspcEn.html

It creates an encrypt certificate with the user and password with admin rights to execute the program as Admin.

It's easy to do.

Dashrender

@iroal said in Solving poorly programmed app that requires local admin rights:

For this kind of programs I use runasspc

http://www.robotronic.de/runasspcEn.html

It creates an encrypt certificate with the user and password with admin rights to execute the program as Admin.

It's easy to do.

This is a work around I'm currently deploying, but it makes things a real hassle because the application is running as another user, hence my documents, printers, etc are all on another profile, not the user's.

I really want to solve this in the user's own space.

iroal

@Dashrender said in Solving poorly programmed app that requires local admin rights:

@iroal said in Solving poorly programmed app that requires local admin rights:

For this kind of programs I use runasspc

http://www.robotronic.de/runasspcEn.html

It creates an encrypt certificate with the user and password with admin rights to execute the program as Admin.

It's easy to do.

This is a work around I'm currently deploying, but it makes things a real hassle because the application is running as another user, hence my documents, printers, etc are all on another profile, not the user's.

I really want to solve this in the user's own space.

Yes, I know it's a real hassle, but sometimes it's faster create a new profile that use other alternatives like Process Monitor.

Dashrender

@iroal said in Solving poorly programmed app that requires local admin rights:

@Dashrender said in Solving poorly programmed app that requires local admin rights:

@iroal said in Solving poorly programmed app that requires local admin rights:

For this kind of programs I use runasspc

http://www.robotronic.de/runasspcEn.html

It creates an encrypt certificate with the user and password with admin rights to execute the program as Admin.

It's easy to do.

This is a work around I'm currently deploying, but it makes things a real hassle because the application is running as another user, hence my documents, printers, etc are all on another profile, not the user's.

I really want to solve this in the user's own space.

Yes, I know it's a real hassle, but sometimes it's faster create a new profile that use other alternatives like Process Monitor.

Well, after already soaking the client for 5-10 hours trying to get it to work the other ways, I did resort to runasspc, but I think it's more because I don't have a good handle on the process of solving the problem.

TAHIN

The Standard Analyzer Tool, part of the Application Compatability Toolkit (ACT) from Microsoft might help. It is designed as an application development tool, but I've heard of people using it to supplement installers to give the application appropriate rights during the install. The end result will be two installers. One for the app, and one for the rights.

https://technet.microsoft.com/en-us/library/cc838047(v=ws.10).aspx

I've never tried it - ProcMon/Exp has always given me what I needed for simple apps. So if you do use it, please report back

Dashrender

LOL even MS has a failout to running as local admin.

TAHIN

When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.

Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.

TAHIN

@Dashrender

@Dashrender said in Solving poorly programmed app that requires local admin rights:

LOL even MS has a failout to running as local admin.

Yep it looks pretty slick. Reddit is still good for something

Dashrender

@TAHIN said in Solving poorly programmed app that requires local admin rights:

When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.

Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.

Starting from an Open System and locking it down seems like it would be much more difficult than going the other way.

For example, I don't want to give full control access to the entire Programs Files directory. Only the application folder in question.

Dashrender

@TAHIN said in Solving poorly programmed app that requires local admin rights:

@Dashrender

@Dashrender said in Solving poorly programmed app that requires local admin rights:

LOL even MS has a failout to running as local admin.

Yep it looks pretty slick. Reddit is still good for something

I don't follow?

wirestyle22

Really good question. I didn't know how to even begin to work out an issue like this. Learned something. Thanks!

TAHIN

@Dashrender

@Dashrender said in Solving poorly programmed app that requires local admin rights:

@TAHIN said in Solving poorly programmed app that requires local admin rights:

When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.

Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.

Starting from an Open System and locking it down seems like it would be much more difficult than going the other way.

For example, I don't want to give full control access to the entire Programs Files directory. Only the application folder in question.

Sometimes it's that easy, but sometimes I have trouble narrowing it down to a specific system component (ie - is it registry, the application directory, something in /Windows, /appdata, etc...). I've found that starting with broad strokes can help narrow it down faster.

TAHIN

@Dashrender

I don't follow?

I learned about that tool on reddit.

Jason

depends on the program some we use Process Explorer to find what it's doing

other times we use compatibility toolkit like for UPS worldship

https://community.spiceworks.com/how_to/36348-man-ups-allow-users-to-update

wrx7m

When I migrated from XP to 7, I ran into issues with programs requiring local admin and rights to run. Specifically, the UPS Worldship updater. I found that using the Microsoft Application Compatibility Toolkit was the answer. You create a small DB that allows you to specify certain executable to run as a local admin without prompting the user to specify admin credentials.

https://msdn.microsoft.com/en-us/library/windows/desktop/dd562082(v=vs.85).aspx

Dashrender

Thanks to those that mentioned the Application Compatibility Toolkit.

I installed this last night and spent around 4 hours having it create and apply mitigations to my program and it still never worked.

Damn this program is stubborn! This program specifically checks what permission level it has on several processes. If I have time I'll dig out a log and post it.