Solving poorly programmed app that requires local admin rights
-
@TAHIN said in Solving poorly programmed app that requires local admin rights:
When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.
Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.
Starting from an Open System and locking it down seems like it would be much more difficult than going the other way.
For example, I don't want to give full control access to the entire Programs Files directory. Only the application folder in question.
-
@TAHIN said in Solving poorly programmed app that requires local admin rights:
@Dashrender said in Solving poorly programmed app that requires local admin rights:
LOL even MS has a failout to running as local admin.
Yep it looks pretty slick. Reddit is still good for something
I don't follow?
-
Really good question. I didn't know how to even begin to work out an issue like this. Learned something. Thanks!
-
@Dashrender said in Solving poorly programmed app that requires local admin rights:
@TAHIN said in Solving poorly programmed app that requires local admin rights:
When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.
Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.
Starting from an Open System and locking it down seems like it would be much more difficult than going the other way.
For example, I don't want to give full control access to the entire Programs Files directory. Only the application folder in question.
Sometimes it's that easy, but sometimes I have trouble narrowing it down to a specific system component (ie - is it registry, the application directory, something in /Windows, /appdata, etc...). I've found that starting with broad strokes can help narrow it down faster.
-
-
depends on the program some we use Process Explorer to find what it's doing
other times we use compatibility toolkit like for UPS worldship
https://community.spiceworks.com/how_to/36348-man-ups-allow-users-to-update
-
When I migrated from XP to 7, I ran into issues with programs requiring local admin and rights to run. Specifically, the UPS Worldship updater. I found that using the Microsoft Application Compatibility Toolkit was the answer. You create a small DB that allows you to specify certain executable to run as a local admin without prompting the user to specify admin credentials.
https://msdn.microsoft.com/en-us/library/windows/desktop/dd562082(v=vs.85).aspx
-
Thanks to those that mentioned the Application Compatibility Toolkit.
I installed this last night and spent around 4 hours having it create and apply mitigations to my program and it still never worked.
Damn this program is stubborn! This program specifically checks what permission level it has on several processes. If I have time I'll dig out a log and post it.
-
One of the issues I had with the ACT is that I couldn't save the log files unless I ran ACT as an admin, but this brought along the problem that ACT would only run in privileged mode, which allowed my application to run and ACT to create some additional mitigations, but still not enough to make the program work as a non admin.
-
@Dashrender What about RemoteApp? Would that help at all?
-
@aaronstuder said in Solving poorly programmed app that requires local admin rights:
@Dashrender What about RemoteApp? Would that help at all?
RemoteApp is just the application running on a Terminal Server, right? So that wouldn't help, because I'd still have to have it running as an admin on the TS.
-
@Dashrender The app would have admin right on the server, but none on the workstation? Maybe I am misunderstanding?
-
@aaronstuder You would have to give everyone admin rights on the Terminal Server.
-
@brianlittlejohn said in Solving poorly programmed app that requires local admin rights:
@aaronstuder You would have to give everyone admin rights on the Terminal Server.
https://s-media-cache-ak0.pinimg.com/736x/3a/92/3a/3a923ace4ce91fac6c8d406d94bb9846.jpg
http://sd.keepcalm-o-matic.co.uk/i/there-s-no-way-this-could-possibly-go-wrong.png
