| #211965 - 2016-09-30 07:41 PM  Windows 10 AU, UAC and problems with Writevalue |  
| IanDubbelboer   Fresh Scripter
 
 Registered:  2004-06-25
 Posts: 24
 | 
I am having problems with balancing Windows 10 UAC settings for legacy apps while maintaining correct functioning of Kixtart's Writevalue function in a login script.
 I am supporting multiple different clients at multiple sites, so I cannot be overly draconian about forcing policy.  The typical results are that the users must have local admin rights to install software/work with various legacy apps, but want new apps like Edge to work too.
 
 OS: Windows 10 Pro AU, Windows Server 2012 R2
 Kixtart 4.66
 
 EnableLinkedConnections is currently being set to 1 by GPO and confirmed working.
 
 In order for Edge (and such apps) to work, User Account Control: Run All administrators in Admin Approval Mode is enabled.
 
 In order for Edge (and like apps) to work, User Account Control: Admin Approval Mode for the Built-in Administrator is enabled.
 
 The UAC notification slider is set to minimum, or Never Notify.
 
 I am testing this setup using the following script:
 
 
 Break On
? SETOPTION("WOW64AlternateRegView","ON")
? WriteValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLinkedConnections","1","REG_DWORD")
exit
 Returns
 
 OFF
 5
 
 So the writevalue statement fails with an Error 5, which I believe is rights related.
 
 I tried a Shell "Reg ADD" and also get an Access Denied error.
 
 If I disable User Account Control: Admin Approval Mode for the Built-in Administrator, it returns:
 
 OFF
 0
 
 So it works, but of course Edge no longer works, giving the "can't be run by built-in administrator" error.
 
 Is there any way for Writevalue to work and Windows 10 apps to work at the same time?
 
 
 
 
 
 
 
 Edited by IanDubbelboer (2016-09-30 07:45 PM)
 |  
| #211968 - 2016-09-30 08:30 PM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  Allen] |  
| IanDubbelboer   Fresh Scripter
 
 Registered:  2004-06-25
 Posts: 24
 | 
Currently testing running as the User.
 Intended to run as a login script.
 
 The script has a visible element that employs kixforms.  I never got around to figuring out if I could still have that work as a Startup script.
 
 |  
| #211972 - 2016-09-30 08:58 PM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  IanDubbelboer] |  
| Allen   KiX Supporter
 
       
 Registered:  2003-04-19
 Posts: 4562
 Loc:  USA
 | 
You know I was sitting here trying to remember how I got around some of this stuff at one point, prior to switching some things up, and it finally hit me.  Like you I had the UAC down to the bottom level, but was unable to get admin things done even when the user had Admin perms.  I stumbled into a program called elevate.exe, which surprisingly enough would put kixtart into a higher mode, but NOT display the UAC, and would allow me to do what I wanted.
 I used this one:
 https://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/
 
 but also found this one:
 http://code.kliu.org/misc/elevate/
 
 An admin script would also be another way around all this, as well as using the Task Scheduler with highest permissions.
 |  
| #211974 - 2016-09-30 09:38 PM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  Allen] |  
| Arend_   MM club member
 
       
   Registered:  2005-01-17
 Posts: 1896
 Loc:  Hilversum, The Netherlands
 | 
On Windows 10 the only way to truly disable UAC is per registry.
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
Or as code:
 
 
$=WriteValue('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System','EnableLUA',0,'REG_DWORD')
 The slider only drops it to 1, leaving it still enabled.
 
 Edited by Arend_ (2016-09-30 09:42 PM)
 Edit Reason: Added reasoning
 |  
| #211978 - 2016-10-01 12:33 AM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  Arend_] |  
| IanDubbelboer   Fresh Scripter
 
 Registered:  2004-06-25
 Posts: 24
 | 
Modifying the login.bat to use Elevate.exe to call KIX32 does the job.
 Writevalue works with UAC turned on from a login.
 
 As the website does a poor job explaining, here is my batch file for reference if others need this solution.  I am arranging to copy Kix32.exe and Kixforms.dll to a local c:\KIX folder in the main login script, which most probably do not do, but you should be able to deduce any changes you need for your own environment.
 
 The biggest issue involved the use of absolute paths on everything.  That is not unexpected, as run as administrator messes with your executing path.
 
 
 @ECHO OFF
IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE
:LOCAL
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END
:REMOTE
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f
:END
 Thanks very much for the help.
 |  
| #212021 - 2016-10-13 12:56 AM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  IanDubbelboer] |  
| IanDubbelboer   Fresh Scripter
 
 Registered:  2004-06-25
 Posts: 24
 | 
Couple of addendums on the batch file.
 This version deals with XP systems, which have no idea what UAC is.
 
 
 
 @ECHO OFF
ver | findstr /i "5\.1\."
IF %ERRORLEVEL% EQU 0 GOTO XP
IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE
:LOCAL
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END
:REMOTE
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END
:XP
%0\..\Kix32 RLCMAIN.KIX -f 
GOTO END
:END
EXIT
 I also found some issues with Terminal Server, which can be avoided by checking the computer name first in the batch file and avoiding using elevate.  There may be a better workaround for these issues too, but I did not spend much time on it.
 
 Finally, if you call sub-scripts from within your scripts, make sure you give an absolute path during the call so:
 
 
 
 Would fail to find the script.
 
 
 CALL "@SCRIPTDIR/$DriveMappingFile"
 Would work fine.
 
 There is a 32-bit and a 64-bit version of elevate, but I found the 32-bit version seems to work fine in all situations.
 
 
 Edited by IanDubbelboer (2016-10-13 12:56 AM)
 |  
| #212200 - 2017-01-09 11:21 PM  Re: Windows 10 AU, UAC and problems with Writevalue
[Re:  Allen] |  
| ScottAtTOS   Just in Town
 
 Registered:  2011-02-18
 Posts: 3
 Loc:  FL
 | 
There are settings to tweak in GPO for the UAC that will let you pull the slider all the way down ("0") and still run "Metro" apps on 8/8.1/10.  My problem is that I do all the Windows stuff in GPO but still do a lot of software customizing and file work with Kixtart... I need the slider to be set to "2" but have Windows not stop the world to make me click OK for my Kixtart.exe to run at login.  The workarounds I've found are good for some but don't suit my particular needs.  I'm probably going to have to move to PowerShell and away from Kixtart if I can't find a viable solution.
 GPO settings to look at:
 Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > User Account Control
 
 Policy: Setting
 User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
 User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
 User Account Control: Detect application installations and prompt for elevation: Disabled
 User Account Control: Only elevate executables that are signed and validated: Disabled
 User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled
 User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
 User Account Control: Virtualize file and registry write failures to per-user locations: Enabled
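
 An added example, not written by any poster in this thread: a read-only PowerShell check that reports the registry values behind the UAC policies named in the posts above and whether the current process holds the elevated administrator token, which is what an HKLM write from a login script depends on. The value names are the standard ones under the Policies\System key; the wording in the Note column is this example's own.

```powershell
# Added example: report the UAC values behind the policies discussed in this thread.
# Read-only; run it in the same context as the login script being diagnosed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> Security Options policy text (abbreviated).
$policies = [ordered]@{
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    FilterAdministratorToken    = 'Admin Approval Mode for the Built-in Administrator account'
    ConsentPromptBehaviorAdmin  = 'Behavior of the elevation prompt for administrators'
    ConsentPromptBehaviorUser   = 'Behavior of the elevation prompt for standard users'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting for elevation'
    EnableInstallerDetection    = 'Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = 'Only elevate executables that are signed and validated'
    EnableSecureUIAPaths        = 'Only elevate UIAccess applications in secure locations'
    EnableUIADesktopToggle      = 'Allow UIAccess applications to prompt without the secure desktop'
    EnableVirtualization        = 'Virtualize file and registry write failures'
    EnableLinkedConnections     = '(not a UAC policy) share mapped drives between both tokens'
}

# Meaning of ConsentPromptBehaviorAdmin data.
$adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Credentials, secure desktop'
                  2 = 'Consent, secure desktop';   3 = 'Credentials'
                  4 = 'Consent';                   5 = 'Consent for non-Windows binaries' }

$current = Get-ItemProperty -Path $key
$report = foreach ($name in $policies.Keys) {
    $value = $current.$name            # $null when the value is not present
    $note = ''
    if ($null -eq $value) { $note = 'not set (OS default applies)' }
    elseif ($name -eq 'ConsentPromptBehaviorAdmin') { $note = $adminPrompt[[int]$value] }
    elseif ($name -eq 'EnableLUA' -and $value -eq 0) {
        $note = 'UAC disabled: administrators always run with the full token'
    }
    [pscustomobject]@{ Value = $name; Data = $value; Policy = $policies[$name]; Note = $note }
}
$report | Format-Table -AutoSize -Wrap

# Does this process hold the full (elevated) administrator token?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running elevated: $elevated"
```

 With EnableLUA at 1, a script started at logon by a member of Administrators reports `Running elevated: False` unless it was launched through an elevating wrapper or an elevated scheduled task, whatever the slider position.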
 
 |  