From: Nobody on 22 Apr 2010 13:29

This has nothing to do with "kernel", but any service running as SYSTEM or scheduled task like others mentioned (which could run as SYSTEM) can do whatever it wants. Not to mention that Windows Installer itself runs as a service. See also these articles which cover several OSes:

Description of the RunOnceEx Registry Key
http://support.microsoft.com/kb/310593

A definition of the Run keys in the Windows XP registry
http://support.microsoft.com/kb/314866/EN-US/

Definition of the RunOnce Keys in the Registry
http://support.microsoft.com/kb/137367

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/kb/179365

From: Jonathan de Boyne Pollard on 22 Apr 2010 13:22

>> Scheduled Tasks can launch elevated without triggering a UAC prompt
>> (you need admin rights to create such a task), so maybe the first
>> half of the installer schedules the second half to run at the next
>> login.
>>
>> I have not checked that that is what it does, but I think it's one
>> way it could work.
>
> It must be that. The only other way would be via some sort of
> whitelist and surely Microsoft wouldn't be that stupid?!

Untrue. There's at least one other way for a setup program to be invoked ahead of everything else — under the aegis of the Local System account, no less — during system initialization: SetupExecute <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html#SMSS>. It's not really an appropriate environment for an /application/ setup program to run in, but it's there. It won't be what's happening in this case, unless you are seeing the setup program run before you even log in, but it's one of several ways to do this sort of thing other than by scheduling tasks. (-:

From: Stefan Kuhr on 23 Apr 2010 06:28

Hello Nobody,

On 4/22/2010 7:29 PM, Nobody wrote:
> This has nothing to do with "kernel", but any service running as SYSTEM or
> scheduled task like others mentioned(which could run as SYSTEM) can do
> whatever it wants. Not to mention that Windows Installer itself runs as a
> service. See also these articles which cover several OS'es:
>
> Description of the RunOnceEx Registry Key
> http://support.microsoft.com/kb/310593
>
> A definition of the Run keys in the Windows XP registry
> http://support.microsoft.com/kb/314866/EN-US/
>
> Definition of the RunOnce Keys in the Registry
> http://support.microsoft.com/kb/137367
>
> INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
> http://support.microsoft.com/kb/179365
>

I am well aware of these keys but my perception is, that these keys start child processes of Explorer.exe with the same unprivileged token that explorer uses on Vista++ with UAC turned on. Please feel free to correct me if I am wrong.

--
S

From: Stefan Kuhr on 23 Apr 2010 06:34

Jonathan,

On 4/22/2010 7:22 PM, Jonathan de Boyne Pollard wrote:
>>> Scheduled Tasks can launch elevated without triggering a UAC prompt
>>> (you need admin rights to create such a task), so maybe the first
>>> half of the installer schedules the second half to run at the next
>>> login.
>>>
>>> I have not checked that that is what it does, but I think it's one
>>> way it could work.
>>>
>> It must be that. The only other way would be via some sort of
>> whitelist and surely Microsoft wouldn't be that stupid?!
>>
> Untrue. There's at least one other way for a setup program to be invoked
> ahead of everything else — under the aegis of the Local System account,
> no less — during system initialization: |SetupExecute|
> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html#SMSS>.
> It's not really an appropriate environment for an /application/ setup
> program to run in, but it's there. It won't be what's happening in this
> case, unless you are seeing the setup program run before you even log
> in, but it's one of several ways to do this sort of thing other than by
> scheduling tasks. (-:
>

I assumed it was clear from my description that I logged in after reboot and that the setup automatically continued as an interactively logged in administrator user with a token that was *not* a restricted token. It was not SYSTEM. Probably I should have described this more precisely.

--
S

From: Manfred on 23 Apr 2010 10:30

Maybe look at RunOnce again. From http://blogs.msdn.com/uac:

"A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should be putting their application in the RunOnce key. This key gets consumed by the next Administrator account that logs on, and the setup will continue without the need for an elevation. (This key can only be set by a program running with elevated privileges.)"

"Stefan Kuhr" <kustt110(a)gmx.li> wrote in message news:#oDBM$s4KHA.1924(a)TK2MSFTNGP06.phx.gbl...
> I am well aware of these keys but my perception is, that these keys start
> child processes of Explorer.exe with the same unprivileged token that
> explorer uses on Vista++ with UAC turned on. Please feel free to correct
> me if I am wrong.
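
The launch points raised in this thread (the Run/RunOnce/RunOnceEx keys, SetupExecute, and scheduled tasks that run elevated or as SYSTEM) can be inventoried from an elevated PowerShell prompt when reviewing what will run after the next reboot or logon. This is an added example, not part of the original posts; it assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and English built-in account names in the ACL filter.

```powershell
# Added audit example: enumerate the post-reboot launch points named in the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Run-style keys; RunOnceEx keeps its entries in subkeys, so recurse.
foreach ($path in $runKeys) {
    if (-not (Test-Path $path)) { continue }
    $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $findings += [pscustomobject]@{ Source = $k.Name; Name = $name; Command = $k.GetValue($name) }
        }
    }
}

# 2. SetupExecute (REG_MULTI_SZ read by the Session Manager; normally empty).
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
foreach ($entry in @($sm.SetupExecute)) {
    if ($entry) { $findings += [pscustomobject]@{ Source = 'Session Manager'; Name = 'SetupExecute'; Command = $entry } }
}

# 3. Scheduled tasks that start with the full admin token or as SYSTEM.
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -or $_.Principal.UserId -eq 'SYSTEM'
} | ForEach-Object {
    foreach ($a in $_.Actions) {
        $findings += [pscustomobject]@{ Source = "Task $($_.TaskPath)$($_.TaskName)"; Name = $_.Principal.UserId; Command = "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. The HKLM RunOnce key should be writable only by privileged principals.
#    Assumption: English account names; adjust the pattern on localized systems.
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$weakAcl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce').Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) -and
    $_.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller|CREATOR OWNER'
}

$findings | Sort-Object Source | Format-Table -AutoSize -Wrap
if ($weakAcl) { Write-Warning 'HKLM RunOnce grants SetValue to a non-admin principal:'; $weakAcl | Format-List }
```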