I am having problems with balancing Windows 10 UAC settings for legacy apps while maintaining correct functioning of Kixtart's WriteValue function in a login script. I am supporting multiple different clients at multiple sites, so I cannot be overly draconian about forcing policy. The typical result is that the users must have local admin rights to install software and work with various legacy apps, but they want new apps like Edge to work too.

OS: Windows 10 Pro AU, Windows Server 2012 R2
Kixtart 4.66

EnableLinkedConnections is currently being set to 1 by GPO and confirmed working.
In order for Edge (and such apps) to work, "User Account Control: Run all administrators in Admin Approval Mode" is enabled.
In order for Edge (and like apps) to work, "User Account Control: Admin Approval Mode for the Built-in Administrator" is enabled.
The UAC notification slider is set to minimum, or Never Notify.

I am testing this setup using the following script:

Code:
Break On
; On 64-bit Windows make the 32-bit Kix32 address the 64-bit registry view,
; so the write lands in the real Policies\System key rather than Wow6432Node.
; SetOption returns the previous setting (here: OFF).
? SETOPTION("WOW64AlternateRegView","ON")
; WriteValue returns 0 on success or the Win32 error code on failure.
? WriteValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLinkedConnections","1","REG_DWORD")
Exit

Returns:
OFF
5

So the WriteValue statement fails with Error 5, which I believe is rights related. I tried a Shell "Reg ADD" and also get an Access Denied error.

If I disable "User Account Control: Admin Approval Mode for the Built-in Administrator" it returns:
OFF
0

So it works, but of course Edge no longer works, giving the "can't be run by built-in administrator" error.

Is there any way for WriteValue to work and Windows 10 apps to work at the same time?

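The Error 5 in the post above is the signature of Admin Approval Mode: when a member of Administrators logs on with UAC enabled, the logon script inherits the filtered token, in which BUILTIN\Administrators is present but marked "deny only", so an HKLM write is refused (ERROR_ACCESS_DENIED = 5) regardless of where the notification slider sits. The PowerShell below is an added diagnostic, not code from the poster or from Kixtart; it reports whether the current process holds a filtered token and repeats the same access check WriteValue and REG ADD run into. It assumes Windows 10 with PowerShell 5 and an English locale for the whoami group-attribute text.

```powershell
# Added diagnostic (not part of the original post). Shows why WriteValue/REG ADD
# return error 5 for an administrator under UAC Admin Approval Mode.

function Get-TokenElevationState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole() is true only when Administrators is *enabled* in the current token.
    $adminEnabled = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every token group, including deny-only ones; a filtered
    # admin token carries BUILTIN\Administrators (S-1-5-32-544) as "Group used for deny only".
    # (Attribute text is locale dependent; 'deny only' assumes an English OS.)
    $admins   = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))

    [pscustomobject]@{
        User                   = $identity.Name
        AdministratorsEnabled  = $adminEnabled
        AdministratorsDenyOnly = $denyOnly
        FilteredToken          = ($denyOnly -and -not $adminEnabled)
    }
}

function Test-HklmWriteAccess {
    param([string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    try {
        # Opening the key writable triggers the same access check WriteValue performs;
        # nothing is written.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 2 }        # ERROR_FILE_NOT_FOUND: key does not exist
        $key.Close()
        return 0                                 # write access granted
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 5                                 # ERROR_ACCESS_DENIED, the 5 WriteValue reports
    }
}

$state = Get-TokenElevationState
$state | Format-List
$rc = Test-HklmWriteAccess
"HKLM\...\Policies\System write check returned $rc"
if ($state.FilteredToken -and $rc -eq 5) {
    'Filtered token in use: the process must be elevated (elevate.exe, a scheduled task ' +
    'run with highest privileges, or a computer startup script) rather than UAC relaxed.'
}
```

Run it from the same context as the logon script (a plain PowerShell window started by the logged-on admin user). A result of AdministratorsDenyOnly = True, AdministratorsEnabled = False and write check 5 confirms the token, not the ACL on the key, is what denies the write; started from an elevated prompt the same script reports 0.
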
Are you running a traditional logon script or a startup script? The reason I ask is, I didn't think EnableLinkedConnections was necessary if it's a logon script. (Never mind that the setting is not supported by MS.)

Currently testing running as the user. Intended to run as a login script. The script has a visible element that employs KiXforms. I never got around to figuring out if I could still have that work as a startup script.

You know, I was sitting here trying to remember how I got around some of this stuff at one point, prior to switching some things up, and it finally hit me. Like you, I had the UAC down to the bottom level, but was unable to get admin things done even when the user had admin perms. I stumbled into a program called elevate.exe, which, surprisingly enough, would put Kixtart into a higher mode but NOT display the UAC, and would allow me to do what I wanted.

I used this one: https://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/
but also found this one: http://code.kliu.org/misc/elevate/

An admin script would also be another way around all this, as well as using the Task Scheduler with highest permissions.

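The Task Scheduler route mentioned in the reply above, written out as an added PowerShell example (not the poster's code): a task triggered at any interactive logon, registered for the Users group with "Run with highest privileges", which starts Kix32 with the full token for administrators and the normal token for everyone else, and never shows a UAC prompt. Paths, share name and task name are assumptions for illustration; the ScheduledTasks cmdlets exist on Windows 8 / Server 2012 and later. Registration itself needs admin rights, so it is done once per machine from an elevated prompt, a startup script or GPO.

```powershell
# Added example (not from the post): a logon task that runs the KiX script elevated.
# All names below are assumptions; adjust to the environment.

$kix32    = 'C:\KIX\Kix32.exe'                 # assumed local copy of Kix32, as in the thread
$script   = '\\DC01\NETLOGON\RLCMAIN.KIX'       # assumed script location
$taskName = 'KiX Logon Script (elevated)'       # assumed task name

# Action: the same command line the batch file runs, minus elevate.exe.
$action = New-ScheduledTaskAction -Execute $kix32 -Argument "$script -f" -WorkingDirectory 'C:\KIX'

# Trigger: every interactive logon on this machine.
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Group principal: the task runs as whoever logs on, inside that user's session
# (so a KiXforms window is visible). RunLevel Highest means an administrator gets the
# unfiltered token without a consent prompt; a standard user simply runs unelevated.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify what was registered.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State,
        @{ Name = 'Principal'; Expression = { $_.Principal.GroupId } },
        @{ Name = 'RunLevel';  Expression = { $_.Principal.RunLevel } }
```

Two caveats a practitioner will want. First, the task runs an elevated process, so anything able to replace RLCMAIN.KIX (or Kix32.exe in C:\KIX) gets local admin on every machine at next logon; the share and the local folder must be writable by administrators only. Second, drives mapped by the elevated process are only visible to the user's non-elevated Explorer when EnableLinkedConnections is 1, which is exactly the setting the original poster already pushes by GPO.
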
On Windows 10 the only way to truly disable UAC is per registry.

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

Or as code:

Code:
; Disables UAC outright; takes effect after a reboot.
$=WriteValue('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System','EnableLUA',0,'REG_DWORD')

The slider only drops it to 1, leaving it still enabled.

Which breaks the new apps from the Store, i.e. Edge. It's FUBAR, and I completely get his frustration.

Windows 10 won't even let you run calc.exe when UAC is off. Explain that one to me.

Hey, I didn't say it was pretty...

Modifying the login.bat to use Elevate.exe to call KIX32 does the job. WriteValue works with UAC turned on from a login.

As the website does a poor job explaining, here is my batch file for reference if others need this solution. I am arranging to copy Kix32.exe and Kixforms.dll to a local C:\KIX folder in the main login script, which most probably do not do, but you should be able to deduce any changes you need for your own environment. The biggest issue involved the use of absolute paths on everything. That is not unexpected, as "run as administrator" messes with your executing path.

Code:
@ECHO OFF
REM %0\.. resolves to the folder this batch file was started from (the logon share),
REM so every path below is absolute; the elevated process does not keep the caller's path.
REM KIX32Current.txt marks a workstation that already has Kix32 copied to C:\KIX.
IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE

:LOCAL
REM Run the local copy of Kix32 elevated against the script on the share
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:REMOTE
REM No local copy yet: run Kix32 from the share, elevated
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f

:END

Thanks very much for the help.

A couple of addendums on the batch file.

This version deals with XP systems, which have no idea what UAC is:

Code:
@ECHO OFF
REM Windows XP reports version 5.1.x; it has no UAC, so skip elevate there
ver | findstr /i "5\.1\."
IF %ERRORLEVEL% EQU 0 GOTO XP
REM KIX32Current.txt marks a workstation that already has Kix32 copied to C:\KIX
IF EXIST %SystemDrive%\KIX\KIX32Current.txt GOTO LOCAL
GOTO REMOTE

:LOCAL
%0\..\elevate -c %SystemDrive%\KIX\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:REMOTE
%0\..\elevate -c %0\..\Kix32 %0\..\RLCMAIN.KIX -f
GOTO END

:XP
REM No elevation needed or available on XP
%0\..\Kix32 RLCMAIN.KIX -f
GOTO END

:END
EXIT

I also found some issues with Terminal Server, which can be avoided by checking the computer name first in the batch file and avoiding using elevate. There may be a better workaround for these issues too, but I did not spend much time on it.

Finally, if you call sub-scripts from within your scripts, make sure you give an absolute path during the call. So:

Code:
CALL $DriveMappingFile

would fail to find the script, while:

Code:
CALL "@SCRIPTDIR/$DriveMappingFile"

would work fine.

There is a 32-bit and a 64-bit version of elevate, but I found the 32-bit version seems to work fine in all situations.

There are settings to tweak in GPO for the UAC that will let you pull the slider all the way down to "0" and still run "Metro" apps on 8/8.1/10. My problem is that I do all the Windows stuff in GPO but still do a lot of software customizing and file work with Kixtart. I need the slider to be set to "2" but have Windows not stop the world to make me click OK for my Kixtart.exe to run at login. The workarounds I've found are good for some but don't suit my particular needs. I'm probably going to have to move to PowerShell and away from Kixtart if I can't find a viable solution.

GPO settings to look at:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Policy: Setting
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
User Account Control: Detect application installations and prompt for elevation: Disabled
User Account Control: Only elevate executables that are signed and validated: Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled
User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
User Account Control: Virtualize file and registry write failures to per-user locations: Enabled

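Each policy in the list above is backed by a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which makes the configuration easy to audit on a machine that is misbehaving. The PowerShell below is an added example, not the poster's code; the value names and the number each GPO choice writes are Microsoft's documented mapping, while the "Expected" column is simply the configuration recommended in that post, not a security baseline. It also prints EnableLUA, FilterAdministratorToken and EnableLinkedConnections, the three switches the rest of the thread argues about.

```powershell
# Added example (not from the post): compare the live UAC registry values with the
# GPO settings listed above and report mismatches.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value written by each policy, the value the post recommends, and the GPO text.
$posted = @(
    @{ Name = 'EnableUIADesktopToggle';      Expected = 0; Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Expected = 0; Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting' }
    @{ Name = 'ConsentPromptBehaviorUser';   Expected = 3; Policy = 'Behavior of the elevation prompt for standard users: Prompt for credentials' }
    @{ Name = 'EnableInstallerDetection';    Expected = 0; Policy = 'Detect application installations and prompt for elevation: Disabled' }
    @{ Name = 'ValidateAdminCodeSignatures'; Expected = 0; Policy = 'Only elevate executables that are signed and validated: Disabled' }
    @{ Name = 'EnableSecureUIAPaths';        Expected = 1; Policy = 'Only elevate UIAccess applications that are installed in secure locations: Enabled' }
    @{ Name = 'PromptOnSecureDesktop';       Expected = 1; Policy = 'Switch to the secure desktop when prompting for elevation: Enabled' }
    @{ Name = 'EnableVirtualization';        Expected = 1; Policy = 'Virtualize file and registry write failures to per-user locations: Enabled' }
)

function Get-UacPolicyAudit {
    param([string]$Key = $uacKey, [array]$Desired = $posted)
    $live = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($d in $Desired) {
        # A value that was never set is absent from the key; report it rather than assume a default.
        $prop   = $live.PSObject.Properties[$d.Name]
        $actual = if ($prop) { $prop.Value } else { $null }
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Value    = $d.Name
            Actual   = $shown
            Expected = $d.Expected
            Matches  = ($actual -eq $d.Expected)
            Policy   = $d.Policy
        }
    }
}

# The three switches the thread keeps returning to. On Windows 10 the slider leaves
# EnableLUA at 1; "Never notify" only sets ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0.
Get-ItemProperty -Path $uacKey | Select-Object EnableLUA, FilterAdministratorToken, EnableLinkedConnections

Get-UacPolicyAudit | Format-Table Value, Actual, Expected, Matches -AutoSize
Get-UacPolicyAudit | Where-Object { -not $_.Matches } | Select-Object Value, Actual, Expected, Policy | Format-List
```

Reading these values needs no elevation, so the audit can run from the same filtered-token context as the logon script. Note that the posted configuration keeps PromptOnSecureDesktop at 1 while setting ConsentPromptBehaviorAdmin to 0, which is not the combination the "Never notify" slider position writes; that difference is worth knowing when a GPO and a manually moved slider disagree on the same machine.
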
I had to separate my scripts into a startup script and a logon script. The stuff that required elevated permissions moved to the startup script, and the mapping of printers and drives and the personal settings all moved to the logon script.