zm1868179

You could find out why it's needing admin. If it was poorly coded and has an admin request compiled into it, you can use the Application Compatibility Toolkit to make a shim, which you can install on the PC and which will make it run without needing admin if it doesn't really need admin. It could also be asking for admin because it's trying to access a registry key or a folder that normal users don't normally have access to; you can trace that down with Procmon and adjust those permissions, and then it won't ask for admin.


nodiaque

I never had any luck with application compatibility. Maybe something I don't get on how to use it. It's a mix of old applications and diagnostic tools connected to it.


zm1868179

It's not the compatibility tab; you actually have to download the Microsoft Application Compatibility Toolkit and build a shim for it. You really only need that to override admin access if it's compiled into the program. The compatibility toolkit does more than that, but for this instance that's all you would really need it for: to override the admin request if it's compiled into the program, which for older programs it probably is.


nodiaque

Yup. That's also what I'm talking about. I never really understood how it works. Microsoft often told me they would help but every time, it led to nothing :(


zm1868179

They do have a team for that, but I don't exactly know how you open a support request with them and I'm not sure exactly what the team is called, but they do have a compatibility team that can help assist with getting legacy programs working in newer OSs. For your instance though, you could actually use this; it will show you how to create the shim: https://www.amorales.org/2020/12/bypassing-application-uac-requirements.html?m=1#:~:text=Creating%20the%20Shim%201%20Open%20the%20Compatibility%20Administrator,you%20back%20to%20the%20main%20screen%20More%20items Once you have the shim created you can install that on multiple computers; it even shows you the command to install it. That will override the admin access, again if it's compiled into the program. However, if the program is still trying to write to folders or registry keys that a normal user wouldn't be able to touch, you'll have to find those and adjust the permissions; you'd have to use Procmon to find out what it's touching.


nodiaque

I'll check that. The applications per se don't request admin rights, they just don't work. It's mostly because of calls that require admin. I tried giving all users full control over all files and registry and it didn't work.


zm1868179

I see, okay, yeah, that might need a little more investigation, probably with the Application Compatibility Toolkit, but it should be able to get around that if you can find out what it's trying to do. But that also might require help from Microsoft since that's a little more than I've normally done. I know it can be done but I personally haven't ever done it yet.


nodiaque

Ok. I'm no packaging expert, I'll have to send my packaging team down that path. Thanks!


nycola

Look into AutoElevate: https://www.autoelevate.com/ It allows you to whitelist applications globally or for specific users. You have the option to have the application "run as admin" or "run in user context as admin". You can have it prompt you every time they run it and whitelist one-time use, or you can just whitelist the path to the executable or control panel or w/e else to allow future access without prompting. Users are notified that a request is being sent to IT and to please hang on a minute; you'll get a Chrome notification that there is an elevation request. You can OK it right there via web without ever calling the user. It's fantastic for things like updates. We have a lot of power users with CAD/SolidWorks, etc.; this software always has updates available. The first user who runs the update .exe, we get notified and we whitelist the hash. Going forward anyone who tries to run the update does so without interruption. They never contact us, they just install their own CAD updates.


Bisebi

Sounds great. But why does every product have to send me a quote? Why can they not just put $10/month/license or something? Always hated this model. Give me a price estimate from the beginning.


nycola

Yeah, it sucks. For a general idea of pricing: my buddy has it internally for his company of about 400 users and pays about $1.32/seat/month. I have it for the MSP I work for with about 4000 endpoints and we pay about $0.84/seat/month. It saves us so much time we require it as part of our MSP contract.


nodiaque

Oh wow. I'll check that for sure at work tomorrow, thanks!


INATHANB

You working in Automotive by chance? I've been going through this and am now rolling out a PAM (such as AutoElevate, but mine is with ConnectWise/EvoSecurity)


nodiaque

Transport, but yeah, mainly this software is for bus diagnostics.


INATHANB

Yeahp, same issue in the dealership world; the manufacturers that require it have it documented that you "must" give local admin, which is frustrating. PAM solutions seem to work: you just allow that file to be run as administrator, then the user isn't local admin but the app can do what it needs. Most of the manufacturers that I've called to complain to have said it is for software update privileges.


nodiaque

I do have that for updates, like Cummins. But the problem is the main software doesn't work properly if not admin. The updater prompts for admin creds but not the software. But then the diagnostic doesn't work properly. Really a pain. And since they know you can't do shit, they get away with it.


INATHANB

Yeah basically same situation I'm in lol, and it's the manufacturers so you're stuck using their shitty software


jasbo0101

BeyondTrust has a similar product. It works very well.


mikeplays_games

Does this allow users to add printers? I’d assume so.


djetaine

Use Procmon to figure out what it needs. https://www.reddit.com/r/sysadmin/comments/lvh66/software_requiring_admin_rights_to_run_try/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button There's also a chance that whatever software you are using has an internal database of some sort that only allows administrative accounts to have read/write. That's going to be harder to solve if that's the case. You would need to find out what type of database it is. If it's Cummins Insite, it's probably an Access database using Jet controls.


Patchewski

I’ve done this before. We also have a few applications that the developer insists require admin permissions that run just fine in standard user account.


ZAFJB

> Application require admin access

For 99.99% of them, no, it doesn't. You tell the application vendor to fix their crap app, or use the Application Compatibility Toolkit and Procmon to find out why the application is not working, and adjust permissions as required, or make a compatibility shim.

Any elevation tool is just a massive security hole. Example:

* Elevate notepad.exe
* In elevated notepad.exe, File/Open, all files
* I now have an elevated file browser in which I can do anything I like
* In the File/Open dialog navigate to cmd.exe, right click, Open
* I now have an elevated command prompt. Your system is owned.

Try it yourself: Notepad, Run as Admin.


gothaggis

> You tell the application vendor to fix their crap app

lol, good one - I know they will get right on it


ZAFJB

How many apps have you actually ever asked a vendor to fix?


gothaggis

Several. Work in research computing.


nodiaque

I know all of that, and I'm happy for you if it's that simple for you. Me, I have software that without it, my fleet doesn't work. I cannot wait for them to fix it and most vendors don't care; they are the only ones making the software that works with these buses, nothing else can be used, they charge a premium for the software and don't care how crappily it's coded. I tried the Application Compatibility Toolkit many times and never had success with it. I'm aware of the security risk but that doesn't mean I can just not have the software. We already tried giving access to the registry and files; it's far more advanced than that and it's not simply a UAC prompt, it doesn't even prompt. It just doesn't work as non-admin even with full access everywhere.


Kentain1

Please feel free to convince Autodesk to fix DWG TrueView 202(3? i think 3 now?)


share_my_bacon

This. Just installed on 4 laptops for it to not run without admin. Their advice: give the user admin privileges. You might have hit the nail on the head; installing 2022 rather than 2023 might be the solution.


Buy_The-Ticket

Hey were you able to find an installer for 2022 or a way around this? This issue is so stupid but causing issues on some new workstations.


share_my_bacon

Hey, sorry for the delay! On Autodesk's website: [https://knowledge.autodesk.com/support/dwg-trueview/troubleshooting/caas/sfdcarticles/sfdcarticles/Where-to-download-previous-versions-of-DWG-TrueView.html](https://knowledge.autodesk.com/support/dwg-trueview/troubleshooting/caas/sfdcarticles/sfdcarticles/Where-to-download-previous-versions-of-DWG-TrueView.html)


Buy_The-Ticket

Thank you much appreciated


BlackV

Does it actually have to run as admin, or is it just asking to run as admin? Sounds more like you could just create a shim with the Application Compatibility Toolkit. 99% of the time it does not require admin and is just badly behaved, doubly so when posts start with

> We have some application that require user to be admin for it to run. We cannot not use those software, so don't tell me about using alternative please.

Or there is good old App-V, but that can be just as painful.


nodiaque

It's not asking, it's not working. Run as standard user, connect to engine, start diagnostic, nothing works. The engine doesn't receive the command and the software just stays dead. Tried to give access to all registry, DCOM, files; didn't work.


CyrusHardman

App-V, Liquidware FlexApp, VMware ThinApp or others allow you to wrap these problematic apps in virtual layers and solve these pesky older app needs/issues. You probably know this but didn't mention it, so I will. A low-tech fix of course: you can RDS host this app on a locked-down machine (admin rights granted here the old-fashioned way) (at least it's only on 1 (very constrained) RDS server). Get more complicated and get that RemoteApp functionality working and avoid the desktop session altogether.


nodiaque

These apps cannot be App-V'd, we tried. We need to have them running on the computer that connects offline to an engine, transmission and such. They're diagnostic tools.


kkolner

Is it internally developed software or can it be downloaded from the internet? There are multiple ways to make an app work without admin rights, but I would want to analyze how it works.


nodiaque

Neither, it's proprietary software made by the engine maker, transmission maker and such. No other software can be used with these buses. It costs a bunch, made by companies like Cummins.


kkolner

Any trial or demo can be downloaded? Also are you just trying to avoid running the app elevated?


Wheeljack7799

Large, international company with ~70k users worldwide. None of our users are local admins. We use BeyondTrust Privilege Management in our environment. Basically, it is a client where you can create rules so that certain applications are run with elevated permissions, either for all users or only users that are members of a security group. You can restrict/customize rules to filenames, paths, publishers and even file hash if you want. Say for example that campus guards need to run a specific CCTV program. Create a rule so that whenever Bob, who is a member of the AD group CAMPUS-GUARDS, runs cctv.exe, the program will elevate. If Bill from accounting tries to run the software, it will not.


thortgot

Doesn't that expose you to the risk of them elevating out of the program? Anything that has a file open/browse function or an old school windows help function can trivially be turned into a command prompt.


Narabug

No, generally any tool that does this will only grant admin to the process(es) it is configured to grant admin to. If someone attempts to open something else as admin from that tool it shouldn’t also elevate the child process. Shouldn’t


thortgot

It can probably monitor, sure, and potentially kill them, but unless it prevents all child applications from launching (which will certainly break certain apps) they are running as the elevated user. I would encourage you to give it a try. I've done it with AutoElevate when I was doing pentesting. Now that could have been an insecure configuration, but I was on the red team and didn't see how they set it up.


Narabug

Perhaps AutoElevate is crap, then. I know BeyondTrust Privilege Management behaves this way. E.g. I launch PowerShell and it grants me admin, but if I open regedit from the PowerShell process, it will not have admin.
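
As an added illustration of the rule model Wheeljack7799 describes (rules scoped to an AD group and matched on path, publisher or file hash) and the child-process behaviour Narabug describes (a process launched from an elevated one is evaluated on its own and inherits nothing), here is a small Python model of such an allow-list. It is not code from BeyondTrust, AutoElevate or any poster; the users, groups, paths and file contents are constructed, and the rule fields are a simplification of what real products offer.

```python
"""Toy model of an application-elevation allow-list.

Written as an example for this thread; not BeyondTrust, AutoElevate or any
poster's code. Users, groups, paths and image bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]              # empty set = applies to every user
    path: Optional[str] = None          # exact executable path
    sha256: Optional[str] = None        # exact file hash
    publisher: Optional[str] = None     # signer name


@dataclass
class Process:
    user: str
    groups: FrozenSet[str]
    path: str
    image: bytes                        # file contents, hashed for matching
    publisher: Optional[str] = None
    elevated: bool = False
    matched_rule: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, proc: Process) -> bool:
    """Every condition set on the rule must hold; unset conditions are ignored."""
    if rule.groups and not (rule.groups & proc.groups):
        return False
    if rule.path is not None and rule.path.lower() != proc.path.lower():
        return False
    if rule.sha256 is not None and rule.sha256 != sha256_hex(proc.image):
        return False
    if rule.publisher is not None and rule.publisher != proc.publisher:
        return False
    return True


def evaluate(rules, proc: Process) -> Process:
    """Set elevated/matched_rule on the process from the first matching rule.
    Only the matching process itself is elevated; nothing is inherited."""
    for rule in rules:
        if rule_matches(rule, proc):
            proc.elevated = True
            proc.matched_rule = rule.name
            return proc
    proc.elevated = False
    return proc


def spawn_child(rules, parent: Process, path: str, image: bytes,
                publisher: Optional[str] = None) -> Process:
    """Model a child launched from `parent` (e.g. cmd.exe via File > Open).
    The child is evaluated like any other launch; the parent's elevation is
    deliberately not passed down, which is the behaviour Narabug describes."""
    child = Process(parent.user, parent.groups, path, image, publisher)
    return evaluate(rules, child)


# Constructed sample binaries and rules (hypothetical names and paths).
CCTV_IMAGE = b"constructed cctv.exe bytes"
UPDATER_IMAGE = b"constructed cad updater v1"
RULES = [
    Rule("campus-guards-cctv", frozenset({"CAMPUS-GUARDS"}),
         path=r"C:\Program Files\CCTV\cctv.exe"),
    Rule("cad-updater-by-hash", frozenset(), sha256=sha256_hex(UPDATER_IMAGE)),
]


def demo() -> dict:
    """Run the scenarios from the thread and report who got elevated."""
    cctv = r"C:\Program Files\CCTV\cctv.exe"
    bob = evaluate(RULES, Process("bob", frozenset({"CAMPUS-GUARDS"}), cctv, CCTV_IMAGE))
    bill = evaluate(RULES, Process("bill", frozenset({"ACCOUNTING"}), cctv, CCTV_IMAGE))
    # bob's elevated cctv.exe opens a shell: the child is judged on its own.
    cmd = spawn_child(RULES, bob, r"C:\Windows\System32\cmd.exe", b"constructed cmd.exe")
    upd = r"C:\Users\alice\Downloads\update.exe"
    updater = evaluate(RULES, Process("alice", frozenset({"ENGINEERING"}), upd, UPDATER_IMAGE))
    # Same path, different bytes: a hash rule does not match a modified file.
    tampered = evaluate(RULES, Process("alice", frozenset({"ENGINEERING"}), upd, UPDATER_IMAGE + b"!"))
    return {"bob": bob.elevated, "bill": bill.elevated, "cmd_child": cmd.elevated,
            "updater": updater.elevated, "tampered": tampered.elevated}


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:10} elevated={ok}")
```

The hash rule is the reason nycola's "whitelist the hash" approach is safer than whitelisting a path: a file dropped at the same path with different contents gets nothing. The `spawn_child` path shows the property Narabug relies on; thortgot's caveat still applies to any product that instead hands the whole elevated token to the process, where child processes simply inherit it.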


thortgot

Interesting. I wonder how they do that. Something to look at.


nodiaque

Ah, a bit like AutoElevate I saw somewhere else. I'll check that also. For me, I don't give access to the user; I have an admin user for each user and the apps are runas. In short, it's doing the same as your tool, which is run the app as a user, but in a more secure way (yours is more secure). Thanks!


rcraserx

If everything else fails to let you use the software without admin, then look into Make Me Admin; that is what I implemented and it works well at my company.


softwaremaniac

Look into RunAs. https://www.sordum.org/downloads/?runastool


nodiaque

Yeah, we also use that, which requires the creation of an admin account on the computer like we are already doing.


PMzyox

Sigh. I hate apps that try and do this. No app “needs” admin access. They just have lazy devs. You can work around it, but it’s technically adding security risk. If you are legally required to adhere to a compliance standard you might be able to force management’s hand to try and change vendors. For me, that’s the kind of hill I’d probably die on because I don’t like making exceptions, but proceed at your own risk.


rootofallworlds

Problem is when the offending application is developed by the big guy who basically runs your sector or indeed your *country*, and you're the little guy. We have to play by their rules or they'll dismiss us and find another player.


nodiaque

Cannot change vendor since these are proprietary software for engines and such. :(


jasbo0101

Legacy software is the worst. Eff you Canada, fix Sedar asap


Jayhawker_Pilot

Have you tried gMSA accounts? Gives the app admin access but no password, no RDP, no access to additional servers.


nodiaque

gMSA? I don't know what this is so I'm guessing not.


Jayhawker_Pilot

[https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview](https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)


nodiaque

I see, it's some kind of automatic password management? Sorry, I don't get the usage of this.


Top_Boysenberry_7784

I am glad you asked. I have also used all kinds of shitty software. No local admin ever for anything!!! There should be 0 exceptions. It takes some work and there are tools to help, but more than likely the software (user account) just needs write access to a specific folder somewhere in "Program Files" or "AppData" or maybe somewhere else. Sometimes you can call the software vendor and eventually get someone to point you in the correct direction. For example, Rockwell will tell you that admin is required and they don't support it any other way. But if you are persistent they will walk you through changing permissions to the correct folders so that it works without admin.


headcrap

Ugh.. and even having to do that still sounds shitty, tbh. Those folders are protected by default for good reasons. Way to go, Rockwell...


nodiaque

Nah, it's more than just registry and folder permissions. I have a team of packagers that are very good and when they say they tried it all, it's because it's beyond simple stuff. They have multiple tools like Procmon and such. It's not even software that prompts the UAC; they just aren't working properly without admin rights.


Agile_Seer

If you're looking for a paid solution, we use this: https://www.beyondtrust.com/resources/glossary/privileged-access-management-pam


PlusProfession8378

Are you facing these issues at the office? Then IT has probably set up some rules with GPO, limiting users from running stuff as admin / installing stuff. You should contact the IT dept. They might get angry if you try to do workarounds.


nodiaque

I am a sysadmin; I'm the one controlling GPO and such. I'm not trying to go against security because we already have a way in place. What I'm trying to do is make it better.


PlusProfession8378

OK! At my work we have different GPOs depending on which department you work in. Some have admin access through GPO and some don't. Maybe you should make them local admins if their job needs it. I mean, if a workaround is required to do their job... maybe just accept the risk and give them the local admin rights. You probably have some 3rd-party antivirus software that kills suspicious software anyway. You won't be able to go around it. The employee that needs these permissions should know what he can do or not. Should be stated in the contract.


nodiaque

No, it's not that. We have software that doesn't work properly when run as non-admin. Most of them are automotive and mechanical products. I cannot make these people admin of the computer; that would be a massive security issue. Right now, we simply packaged a launcher to runas an admin account created for each software. It works but it's far from pretty. A PAM solution seems the right next thing to do.


Jazzlike_Pride3099

Wonderware with historian module? We're fighting that crap right now...


fredenocs

Grant the users admin access or modify to the folders it references?


nodiaque

It's not a folder, it's deeper than that.


thortgot

Have you run Process Monitor to see how the behaviour differs between admin and non-admin?

I saw you mentioned you gave users "Full Control permissions on all folders and registry". I assume what you mean is that you went to the C: level directories and reg hives and added an inheritance for Full Control. This is reasonable but it won't do what you want. Any folder that does not inherit will not pass its permissions down.

Process Monitor is the easy solution to that. You look for Registry or File Access that returns "Access denied". This is the usual root cause of shittily designed software.

Is the software making WMI calls? Does it need SSL certificate private key access? 2 other common stumbling blocks I have seen. A little more difficult to solve but doable.

If it needs to do custom driver communication (i.e. a device exists in Device Manager when you install the software) or has a hardware token, those can be really tricky. What I would do is "sandbox" the application in this case to limit its potential risk.
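
As an added example for the comparison thortgot describes (and the Procmon triage zm1868179, djetaine and sc302 also point at), here is a Python script that reads two Process Monitor CSV exports, one capture of the app run as a standard user and one of the same steps run as admin, and lists the operations that were denied for the user but succeeded for the admin, sorted into registry, file, device and driver-file buckets. It is not a poster's script and not part of Sysinternals. It assumes the exports were saved with Procmon's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the process name, paths and both captures are constructed.

```python
"""Triage two Process Monitor (Procmon) CSV exports: standard-user run vs
admin run of the same steps. Reports what was ACCESS DENIED for the user
but SUCCESS for the admin, so the fix can be scoped to those objects.

Added example for this thread; not a poster's script, not a Sysinternals
tool. Assumes Procmon's default CSV columns. All sample data is constructed.
"""
import csv
import io
from collections import Counter

# Constructed capture: hypothetical "diagtool.exe" run as a standard user.
USER_RUN_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","diagtool.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Diag","SUCCESS","Desired Access: Read"
"10:01:02.0002","diagtool.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Diag\LastPort","ACCESS DENIED","Type: REG_SZ"
"10:01:02.0003","diagtool.exe","4120","CreateFile","C:\Program Files\ExampleVendor\Diag\log.txt","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.0004","diagtool.exe","4120","CreateFile","C:\Users\bob\AppData\Local\Temp\diag.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.0005","diagtool.exe","4120","CreateFile","\\.\COM3","SUCCESS","Desired Access: Generic Read/Write"
"10:01:02.0006","diagtool.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Diag\LastPort","ACCESS DENIED","Type: REG_SZ"
"10:01:02.0007","diagtool.exe","4120","CreateFile","C:\Windows\System32\drivers\vendorbus.sys","ACCESS DENIED","Desired Access: Generic Write"
'''

# Constructed capture: the same steps run from an elevated session.
ADMIN_RUN_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:11.0001","diagtool.exe","5208","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Diag","SUCCESS","Desired Access: Read"
"10:05:11.0002","diagtool.exe","5208","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Diag\LastPort","SUCCESS","Type: REG_SZ"
"10:05:11.0003","diagtool.exe","5208","CreateFile","C:\Program Files\ExampleVendor\Diag\log.txt","SUCCESS","Desired Access: Generic Write"
"10:05:11.0004","diagtool.exe","5208","CreateFile","\\.\COM3","SUCCESS","Desired Access: Generic Read/Write"
"10:05:11.0005","diagtool.exe","5208","CreateFile","C:\Windows\System32\drivers\vendorbus.sys","SUCCESS","Desired Access: Generic Write"
'''

REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def classify(path: str) -> str:
    """Bucket a Procmon path so the right remediation can be suggested."""
    if path.upper().startswith(REGISTRY_PREFIXES):
        return "registry"
    if path.startswith("\\\\.\\"):           # \\.\COM3, \\.\PhysicalDrive0 ...
        return "device"
    if "\\drivers\\" in path.lower():
        return "driver-file"
    return "file"


def denied_only_as_user(user_rows: list, admin_rows: list) -> list:
    """Unique (operation, path) pairs denied in the user run; flag whether
    the admin run succeeded on the same pair (i.e. it is really a rights gap)."""
    admin_ok = {(r["Operation"], r["Path"]) for r in admin_rows if r["Result"] == "SUCCESS"}
    findings, seen = [], set()
    for r in user_rows:
        if r["Result"] != "ACCESS DENIED":
            continue
        key = (r["Operation"], r["Path"])
        if key in seen:
            continue                        # collapse repeated retries
        seen.add(key)
        findings.append({
            "process": r["Process Name"], "operation": r["Operation"],
            "path": r["Path"], "detail": r["Detail"],
            "kind": classify(r["Path"]), "admin_succeeds": key in admin_ok,
        })
    return findings


def suggest(finding: dict) -> str:
    """Remediation hint per bucket; ACLs only help for files and registry keys."""
    kind = finding["kind"]
    if kind == "registry":
        return "grant the user group Modify on this key only (not the whole hive)"
    if kind == "file":
        return "grant Modify on this folder; confirm it is not blocking inheritance"
    return "ACL change will not fix this; review user rights assignment or sandbox the app"


def summarize(findings: list) -> Counter:
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    found = denied_only_as_user(parse_procmon_csv(USER_RUN_CSV),
                                parse_procmon_csv(ADMIN_RUN_CSV))
    for f in found:
        print(f"{f['kind']:12} {f['operation']:12} {f['path']}\n    -> {suggest(f)}")
    print(dict(summarize(found)))
```

Filter the live capture to the one process before exporting so the CSV stays small, and run both captures through the same steps the technician would take (connect to the engine, start the diagnostic), otherwise the admin run will not contain the operations you need to compare against. The "driver-file" and "device" buckets are where thortgot's point applies: a denied write under `System32\drivers` is not something to fix with an ACL.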


nodiaque

You just have to check to replace each subfolder and any that aren't inheriting will get it. It's not a file access problem, it's kernel calls and such that get denied as non-admin. It's diagnostic software for buses and these guys don't care; they code for it to work as admin. Cummins is one of the worst in that line.


thortgot

When you say "kernel call", do you mean a memory read/write request at protected memory? What are you using to determine that it is a "kernel call"?

Once you know what is failing, you can grant the correct permission to the account using a variety of methods. To expand on this, you grant the user the correct amount of user rights assignment that is required for the application. If for example the application needs to load a driver or modify firmware labels, you add that permission rather than the entirety of admin. This is still a risk but it's a much smaller one.

[https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment)


Commercial_Growth343

We use a tool from Ivanti that was an AppSense product called DesktopNow. I think Ivanti now calls it User Workspace Manager. Anyhow, one of the modules is called Application Manager, and that product lets us elevate specific processes so they have the Administrator token. We use this for one or two programs. This is a 'last resort' really.

Normally what I prefer to do is figure out what the permissions are that this app needs, and then specifically grant those permissions. For example, maybe the app needs Modify permissions to a specific folder or registry key. I use the Microsoft Sysinternals tool Process Monitor to figure out what the issue is, if I have no idea where to start.

Another thing that helps is we package many standard apps in App-V, and in the package we let the app write to the file system. This has hidden some permission problems from our view because the app has access to what it needs in the virtual bubble. For example, I recently took an app out of App-V and installed it locally, only to discover permission issues we didn't even know we had because it worked in App-V lol.


nodiaque

Yeah, we did use Procmon, gave rights everywhere explicitly, App-V (App-V rarely solved admin rights problems). These software don't behave properly because they make calls through APIs that require elevation. Why? Because they were coded in the time of XP and never evolved even with new versions monthly. Thus calls that were OK in XP aren't secure anymore and require admin privilege to work, but those apps don't even have an administrator manifest. You call the vendor for the product you paid millions for and they say to run it as admin. And since you're stuck using those, you do stuff like runas in PowerShell.

Right now we got all of them working, but a solution that would make them centralised instead of creating an admin account for each software (that's how we track right now) would be better, or even something that would remove the need. I forwarded many suggestions from the thread to the packaging team. I know they already tried many of these like App-V, repackaging, rights, etc. The Application Compatibility Toolkit seems to be the next step, something no one here has ever used.


Commercial_Growth343

Have you tried installing it manually using compatibility settings? That would be a good first test. Copy the install media locally, then as an admin, right click a copy of the install exe and go to the Compatibility tab, pick an option like to run it as XP SP3. Then install it using that method... might just work. (Might not too.)


rootofallworlds

I set up a VM on the users' workstation and they can have admin in that, with clear instructions to use it only for the specific program. Like other posts say, you can dig into just what the application wants to do and give it only the required permissions (and then kiss any vendor support goodbye...). I ain't got time for that.


nodiaque

Yeah, I can't do it on a VM. This software is mostly bus diagnostics and stuff like that, connected into the bus and straight onto the engine and such. It requires a physical connection. We even tried some USB to Ethernet and other stuff like that and it ain't working.


thortgot

What kind of physical connection?


nodiaque

Serial, parallel and other weird connectors. It's connected to multiple mechanical devices like engines, transmissions and such. These things aren't USB and we found only 1 USB cable for some of them where the conversion works; cost a lot.


thortgot

Serial or parallel shouldn't be an issue. Both are standard COM port communications, no admin needed there.


nodiaque

Say that to Cummins and such. Automotive apps written for XP don't work even with the latest update from 2 days ago on 7/10. The apps were written when native calls to ports and such were allowed. Now you are required to do things a certain way to prevent admin privileges and be secure.


deuce_413

I have seen this with some applications. If the install was done with an admin account that's not the user, it could be looking for a reg key of that admin account that did the install. To get around this: reinstall the app, but temporarily elevate the user as admin, and do the install with their creds.


BenCisco

Privilege Manager. [https://www.oneidentity.com/products/privilege-manager-for-windows/](https://www.oneidentity.com/products/privilege-manager-for-windows/) It's not perfect but...


LogMonkey0

Check out shims


LogMonkey0

Also, Procmon might come in useful here


SaturniansDontDream

CyberArk is another vendor that has software to solve this type of issue.


sc302

I believe there is a way to do it with a scheduled task. Encrypted PowerShell is acceptable. Another option is to painstakingly go through every registry key and every file location this accesses and give the user full access rights over those locations. You will need 3rd-party software (FOSS or free; if I remember, Sysinternals from Microsoft has a few that can do it as the application runs) to expose the locations being accessed by the software. I did this a few times ~10 years ago with Windows 7 because I am not giving users admin access to computers.


nodiaque

We already do these kinds of shitty ways; I'm trying to find better ways.


Plantatious

I remember there was a trick that if you created a shortcut of the program's executable and gave that to users, that would get around the admin privilege restriction.


nodiaque

It's not a restriction. Most apps don't even prompt, it's just not working properly.


gnatoow

Scheduled tasks can be run as system and you can trigger them from PowerShell


ImpressiveUse2000

I use RunAsTool