#211965 - 2016-09-30 07:41 PM Windows 10 AU, UAC and problems with Writevalue
IanDubbelboer Offline
Fresh Scripter

Registered: 2004-06-25
Posts: 24
I am having problems with balancing Windows 10 UAC settings for legacy apps while maintaining correct functioning of Kixtart's Writevalue function in a login script.

I am supporting multiple different clients at multiple sites, so I cannot be overly draconian about forcing policy. The typical results are that the users must have local admin rights to install software/work with various legacy apps, but want new apps like Edge to work too.

OS: Windows 10 Pro AU, Windows Server 2012 R2
Kixtart 4.66

EnableLinkedConnections is currently being set to 1 by GPO and confirmed working.

In order for Edge (and such apps) to work, User Account Control: Run all administrators in Admin Approval Mode is enabled.

In order for Edge (and like apps) to work, User Account Control: Admin Approval Mode for the Built-in Administrator is enabled.

The UAC notification slider is set to minimum or Never Notify

I am testing this setup using the following script:

 Code:
Break On
? SETOPTION("WOW64AlternateRegView","ON")
? WriteValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLinkedConnections","1","REG_DWORD")
exit


Returns

OFF
5

So the WriteValue statement fails with an Error 5, which I believe is rights related.

I tried a Shell "Reg ADD" and also get an Access Denied error

If I disable User Account Control: Admin Approval Mode for the Built-in Administrator

It returns:

OFF
0

So it works, but of course Edge no longer works, giving the "can't be run by built-in administrator" error.

Is there any way for WriteValue to work and Windows 10 apps to work at the same time?







Edited by IanDubbelboer (2016-09-30 07:45 PM)

Top
#211966 - 2016-09-30 08:13 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: IanDubbelboer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
Are you running a traditional logon script or a startup script? The reason I ask is, I didn't think EnableLinkedConnections was necessary if it's a logon script. (Never mind that setting is not supported by MS.)
Top
#211968 - 2016-09-30 08:30 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Allen]
IanDubbelboer Offline
Fresh Scripter

Registered: 2004-06-25
Posts: 24
Currently testing running as the User

Intended to run as a login script

The script has a visible element that employs kixforms. I never got around to figuring out if I could still have that work as a Startup script.

Top
#211972 - 2016-09-30 08:58 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: IanDubbelboer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
You know I was sitting here trying to remember how I got around some of this stuff at one point, prior to switching some things up, and it finally hit me. Like you I had the UAC down to the bottom level, but was unable to get admin things done even when the user had Admin perms. I stumbled into a program called elevate.exe, which surprisingly enough would put kixtart into a higher mode, but NOT display the UAC, and would allow me to do what I wanted.

I used this one:
https://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

but also found this one:
http://code.kliu.org/misc/elevate/

An admin script would also be another way around all this, as well as using the Task Scheduler with highest permissions.

Top
#211974 - 2016-09-30 09:38 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Allen]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
On Windows 10 the only way to truly disable UAC is per registry.
 Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

Or as code:
 Code:
$=WriteValue('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System','EnableLUA',0,'REG_DWORD')


The slider only drops it to 1, leaving it still enabled.


Edited by Arend_ (2016-09-30 09:42 PM)
Edit Reason: Added reasoning

Top
#211975 - 2016-09-30 09:54 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Arend_]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
Which breaks the new Apps from the store, i.e. Edge. It's fubar, and I completely get his frustration.
Top
#211976 - 2016-09-30 10:43 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Allen]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Windows 10 won't even let you run calc.exe when UAC is off. Explain that one to me.
Top
#211977 - 2016-09-30 11:38 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: ShaneEP]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Hey, I didn't say it was pretty...
Top
#211978 - 2016-10-01 12:33 AM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Arend_]
IanDubbelboer Offline
Fresh Scripter

Registered: 2004-06-25
Posts: 24
Modifying the login.bat to use Elevate.exe to call KIX32 does the job.

Writevalue works with UAC turned on from a login

As the website does a poor job explaining, here is my batch file for reference if others need this solution. I am arranging to copy Kix32.exe and Kixforms.dll to a local c:\KIX folder in the main login script, which most probably do not do, but you should be able to deduce any changes you need for your own environment.

The biggest issue involved the use of absolute paths on everything. That is not unexpected as run as administrator messes with your executing path.

 Code:
@ECHO OFF

IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE

:LOCAL
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:REMOTE
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f

:END



Thanks very much for the help.

Top
#212021 - 2016-10-13 12:56 AM Re: Windows 10 AU, UAC and problems with Writevalue [Re: IanDubbelboer]
IanDubbelboer Offline
Fresh Scripter

Registered: 2004-06-25
Posts: 24
Couple of addendums on batch file

This version deals with XP systems which have no idea what UAC is


 Code:
@ECHO OFF

ver | findstr /i "5\.1\."
IF %ERRORLEVEL% EQU 0 GOTO XP

IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE

:LOCAL
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:REMOTE
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:XP
%0\..\Kix32 RLCMAIN.KIX -f 
GOTO END

:END
EXIT


I also found some issues with Terminal server, which can be avoided by checking the computer name first in the batch file and avoiding using elevate. There may be a better work around for these issues too, but I did not spend much time on it.

Finally, if you call sub-scripts from within your scripts make sure you give an absolute path during the call so:

 Code:
CALL $DriveMappingFile


Would fail to find the script.

 Code:
CALL "@SCRIPTDIR/$DriveMappingFile"


Would work fine.

There is a 32-bit and a 64-bit version of elevate, but I found the 32-bit version seems to work fine in all situations.


Edited by IanDubbelboer (2016-10-13 12:56 AM)

Top
#212200 - 2017-01-09 11:21 PM Re: Windows 10 AU, UAC and problems with Writevalue [Re: Allen]
ScottAtTOS Offline
Just in Town

Registered: 2011-02-18
Posts: 3
Loc: FL
There are settings to tweak in GPO for the UAC that will let you pull the slider all the way down "0" and still run "Metro" apps 8/8.1/10. My problem is that I do all the Windows stuff in GPO but still do a lot of software customizing and file work with Kixtart...I need the slider to be set to "2" but have Windows not stop the world to make me click OK for my Kixtart.exe to run at login. The workarounds I've found are good for some but don't suit my particular needs. I'm probably going to have to move to PowerShell and away from Kixtart if I can't find a viable solution.

GPO Settings to look at:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > User Account Control

Policy | Setting
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Elevate without prompting
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials
User Account Control: Detect application installations and prompt for elevation | Disabled
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

Top
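The UAC policies named in this thread are stored as values under the same Policies\System key the original script writes to. The following is an added example, not part of any poster's reply, that reads them back and reports whether the current process holds an elevated token. It assumes Windows PowerShell 5.1; the value-to-policy mapping and the short policy labels are supplied here, not taken from the thread.

```powershell
# Added example: read back the UAC values under Policies\System and
# report whether this process is running with an elevated token.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy it backs (labels shortened for display)
$policies = [ordered]@{
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    FilterAdministratorToken    = 'Admin Approval Mode for the Built-in Administrator'
    ConsentPromptBehaviorAdmin  = 'Elevation prompt behavior for administrators'
    ConsentPromptBehaviorUser   = 'Elevation prompt behavior for standard users'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting'
    EnableInstallerDetection    = 'Detect application installations'
    ValidateAdminCodeSignatures = 'Only elevate signed and validated executables'
    EnableSecureUIAPaths        = 'Only elevate UIAccess apps in secure locations'
    EnableUIADesktopToggle      = 'Allow UIAccess prompts without the secure desktop'
    EnableVirtualization        = 'Virtualize file and registry write failures'
    EnableLinkedConnections     = 'Registry-only value, not a policy (mapped drives)'
}

$current = Get-ItemProperty -Path $key
$report = foreach ($name in $policies.Keys) {
    $value = $current.$name          # $null when the value does not exist
    [pscustomobject]@{
        Value  = $name
        Data   = if ($null -eq $value) { '(not set)' } else { $value }
        Policy = $policies[$name]
    }
}
$report | Format-Table -AutoSize

# A member of Administrators running with the filtered token is NOT "in role" here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Process elevated: $elevated"
if ($current.EnableLUA -eq 0) {
    'EnableLUA=0: UAC is fully off, so tokens are not filtered.'
} elseif (-not $elevated) {
    'Filtered or standard-user token: a write to this key is expected to fail with error 5.'
}
if ($current.EnableLUA -ne 0 -and $current.ConsentPromptBehaviorAdmin -eq 0) {
    'ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt.'
}
```

Running it once from the logon-script context and once from an elevated prompt shows the difference between the two tokens on the same machine.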
#212201 - 2017-01-10 05:11 AM Re: Windows 10 AU, UAC and problems with Writevalue [Re: ScottAtTOS]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
I had to separate my scripts into a startup script and a logon script. The stuff that required elevated permissions moved to the startup script, and the mapping of printers, drives, and personal settings all move to the logon script.
Top