VS2005/Vista issues

I spoke too soon about VS2005 Vista SP1 being more reliable; doing rather trivial
single-threaded app debugging, I've managed to crash it six times in the last hour.  Each
time it seems to crash for a different reason, or at least as the consequence of some
completely different action on my part.  

For those who have been using it, however, I've got a couple questions:

It must be run as administrator, which requires an administrator password.  What I'd like
to do is set myself up to run as a normal user, but with the privileges of running as
administrator whenever I want to with only the simple confirmation box (not the need to
type in a name and password each time).  Any possibility Vista supports something like
this?

Even though I've run as administrator and sucessfully set the Explorer parameters to
never, ever hide anything at all, the VS file dialogs always hide extensions.  Or is this
just another of the many user-hostile features that Vista now sports?

When VS2005 comes back up, it shows the most recent project (I don't yet have "projects",
plural).  If I click on it, it tells me that it cannot open
i:\myclient\projects\test\test.sln, and would I like to remove this from the list.  I say
'yes', then I go to file, open, solution, go to the i:\ drive (which is my server), go to
myclient\projects, got to i:\myclient\projects\test, see 'test' (not test.sln), click it,
and the project opens.  So why can it find it from the open dialog but not from the MRU
list?  Or is this Yet One More VS Bug?  The next time it crashes and comes back, the
scenario repeats.

Another cute feature of Vista: I need to set an environment variable, as user 'flounder'.
I can't.  I need to run as Administrator.  But then I can't change the environment
variable for 'flounder', I can only change the environment variable for 'administrator'.
Is there a setting that lets a user change his own environment variables?  I shouldn't
need privileges to change my OWN environment variables!  Makes me wonder if any of this
stuff had been thought out beforehard, or we have a security-confirmation-as-pixie-dust
approach here.

(Getting all of Vista installed was the Installer Scenario From Hell, and now that I have
it up, the only reason I would ever use it is because I have clients who need Vista
support.  It is not an operating system suitable for everyday use!)
					joe
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/8/2007 7:57:37 PM
vc.mfc 33608 articles. 0 followers. Follow

27 Replies
800 Views

Similar Articles

[PageSpeed] 9

"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:d7cj63l709jops1l9b8cve9gsrcn41hsqi@4ax.com...
> It must be run as administrator, which requires an administrator password. 
> What I'd like
> to do is set myself up to run as a normal user, but with the privileges of 
> running as
> administrator whenever I want to with only the simple confirmation box 
> (not the need to
> type in a name and password each time).  Any possibility Vista supports 
> something like
> this?
>

Set your Vista account to be an Administrator account (and not a Limited 
account).  Then whenever Admin priviledges are required  (that would 
normally darken the screen and ask for an Admin password), the screen will 
still darken, but you only have to click the Continue button and not type in 
a password.

Or else disable UAC and have it go back to the WinXP way where no additional 
steps are required to run anything as true Admin.


-- David 


0
dc2983 (3206)
6/9/2007 1:32:40 AM
OK.  But this will let me normally run with the lower privileges of an ordinary user most
of the time, then?  I'm still struggling with all this privilege stuff, but I want to be
testing in a "normal" user environment most of the time.  So I really want the extra
step---I've found that I don't need it *all* that often, so I'm trying to create a
realistic test environment, but when I need it, I don't want to have to give the password.
So I'll do as you suggest.
				thanks
					joe

On Fri, 8 Jun 2007 18:32:40 -0700, "David Ching" <dc@remove-this.dcsoft.com> wrote:

>"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
>news:d7cj63l709jops1l9b8cve9gsrcn41hsqi@4ax.com...
>> It must be run as administrator, which requires an administrator password. 
>> What I'd like
>> to do is set myself up to run as a normal user, but with the privileges of 
>> running as
>> administrator whenever I want to with only the simple confirmation box 
>> (not the need to
>> type in a name and password each time).  Any possibility Vista supports 
>> something like
>> this?
>>
>
>Set your Vista account to be an Administrator account (and not a Limited 
>account).  Then whenever Admin priviledges are required  (that would 
>normally darken the screen and ask for an Admin password), the screen will 
>still darken, but you only have to click the Continue button and not type in 
>a password.
>
>Or else disable UAC and have it go back to the WinXP way where no additional 
>steps are required to run anything as true Admin.
>
>
>-- David 
>
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/9/2007 4:19:26 AM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:reak63lhj9b6crv83kg4ve912hk1b4nras@4ax.com...
> OK.  But this will let me normally run with the lower privileges of an 
> ordinary user most
> of the time, then?

Exactly.  In Vista, there's no difference between an Admin user and a 
Limited user, other than whether you need to provide an Admin password when 
elevation is required or whether you just need to click Continue.


> I'm still struggling with all this privilege stuff, but I want to be
> testing in a "normal" user environment most of the time.  So I really want 
> the extra
> step---I've found that I don't need it *all* that often, so I'm trying to 
> create a
> realistic test environment, but when I need it, I don't want to have to 
> give the password.
> So I'll do as you suggest.

Yeah, this will work perfectly for you.

-- David


0
dc2983 (3206)
6/9/2007 4:34:05 AM
I'm successfully running VS2005 sp1 on vista from a limited user account.

I think only certain obscure debugging functionality actually requires a 
full admin account.

Anthony Wieser
Wieser Software Ltd


"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:d7cj63l709jops1l9b8cve9gsrcn41hsqi@4ax.com...
>I spoke too soon about VS2005 Vista SP1 being more reliable; doing rather 
>trivial
> single-threaded app debugging, I've managed to crash it six times in the 
> last hour.  Each
> time it seems to crash for a different reason, or at least as the 
> consequence of some
> completely different action on my part.
>
> For those who have been using it, however, I've got a couple questions:
>
> It must be run as administrator, which requires an administrator password. 
> What I'd like
> to do is set myself up to run as a normal user, but with the privileges of 
> running as
> administrator whenever I want to with only the simple confirmation box 
> (not the need to
> type in a name and password each time).  Any possibility Vista supports 
> something like
> this?

0
6/9/2007 6:48:53 AM
David Ching wrote:
> "Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
> news:reak63lhj9b6crv83kg4ve912hk1b4nras@4ax.com...
>> OK.  But this will let me normally run with the lower privileges of an 
>> ordinary user most
>> of the time, then?
> 
> Exactly.  In Vista, there's no difference between an Admin user and a 
> Limited user, other than whether you need to provide an Admin password when 
> elevation is required or whether you just need to click Continue.

David:

There is a bit more difference than that. When the standard user 
supplies a password, the elevated process runs in the context of the 
admin user rather than the original standard user. In particular, if the 
process writes to HKCU or the Documents folder, then these writes will 
not be seen by the original user. This is why installation programs that 
require admin rights should never write to HKCU or the Documents folder.

For sophisticated users, I think UAC is a great thing, because it allows 
them to run safely from an admin account. For unsophisticated users, I'm 
not so sure, because they may just find UAC annoying and either turn it 
off or get in the habit of always clicking OK without thinking.

-- 
David Wilkinson
Visual C++ MVP
0
no-reply8010 (1791)
6/9/2007 11:07:03 AM
"David Wilkinson" <no-reply@effisols.com> wrote in message 
news:eFX4t3nqHHA.4280@TK2MSFTNGP05.phx.gbl...
> There is a bit more difference than that. When the standard user supplies 
> a password, the elevated process runs in the context of the admin user 
> rather than the original standard user.

Thanks, I had not known that!


> For sophisticated users, I think UAC is a great thing, because it allows 
> them to run safely from an admin account. For unsophisticated users, I'm 
> not so sure, because they may just find UAC annoying and either turn it 
> off or get in the habit of always clicking OK without thinking.
>

UAC is certainly an imperfect solution that no one should feel very proud 
of.

-- David 


0
dc2983 (3206)
6/9/2007 2:43:07 PM
Actually there is BIG difference. A "limited" process running under 
administrator account can open a handle to an "elevated" process with full 
access rights and screw with it any way it wants - run a remote thread, 
inject code, etc. It's like being on the other side of the fence, but still 
having a key to the gate. So it's just an illusion of protection.

A process running under "true" limited user CANNOT open handle to an 
administrator process. It even cannot send arbitrary windows messages to it.

"David Ching" <dc@remove-this.dcsoft.com> wrote in message 
news:%4qai.7287$u56.6575@newssvr22.news.prodigy.net...
> "Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
> news:reak63lhj9b6crv83kg4ve912hk1b4nras@4ax.com...
>> OK.  But this will let me normally run with the lower privileges of an 
>> ordinary user most
>> of the time, then?
>
> Exactly.  In Vista, there's no difference between an Admin user and a 
> Limited user, other than whether you need to provide an Admin password 
> when elevation is required or whether you just need to click Continue.
>
>
>> I'm still struggling with all this privilege stuff, but I want to be
>> testing in a "normal" user environment most of the time.  So I really 
>> want the extra
>> step---I've found that I don't need it *all* that often, so I'm trying to 
>> create a
>> realistic test environment, but when I need it, I don't want to have to 
>> give the password.
>> So I'll do as you suggest.
>
> Yeah, this will work perfectly for you.
>
> -- David
>
> 


0
alegr (1131)
6/9/2007 6:51:46 PM
"Alexander Grigoriev" <alegr@earthlink.net> wrote in message 
news:%23uYYLjsqHHA.1220@TK2MSFTNGP04.phx.gbl...
> Actually there is BIG difference. A "limited" process running under 
> administrator account can open a handle to an "elevated" process with full 
> access rights and screw with it any way it wants - run a remote thread, 
> inject code, etc. It's like being on the other side of the fence, but 
> still having a key to the gate. So it's just an illusion of protection.
>

I know for a fact that an unelevated process running in an Admin account 
that sets a global keyboard hook (SetWindowsHookEx(WH_KEYBOARD_LL)) does NOT 
get notifications for keystrokes of an elevated process running in the same 
Admin account.  So I would think that if an unelevated process tried to call 
CreateRemoteThread() for an elevated process, it would fail in the same 
manner, but I haven't tried it.

-- David


0
dc2983 (3206)
6/9/2007 8:29:11 PM
"Anthony Wieser" <newsgroups-sansspam@wieser-software.com> wrote in message 
news:e2J4t9mqHHA.5092@TK2MSFTNGP04.phx.gbl...
> "Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
> news:d7cj63l709jops1l9b8cve9gsrcn41hsqi@4ax.com...
>> I spoke too soon about VS2005 Vista SP1 being more reliable; doing rather 
>> trivial single-threaded app debugging, I've managed to crash it six times 
>> in the last hour.
>>
>> It must be run as administrator, which requires an administrator 
>> password.  What I'd like to do is set myself up to run as a normal user, 
>> but with the privileges of running as administrator whenever I want to 
>> with only the simple confirmation box (not the need to type in a name and 
>> password each time).  Any possibility Vista supports something like this?
>
> I'm successfully running VS2005 sp1 on vista from a limited user account.

I'm successfully running VS2005 SP1 with Vista hotfix on Vista without 
privileges, for various lengths of time.  It does start running and runs for 
some random length of time.

> I think only certain obscure debugging functionality actually requires a 
> full admin account.

You mean that if you don't need obscure debugging functionality then 
Microsoft is lying when they put up that prompt recommending use of 
administrative privileges?  I thought it was illegal or immoral to notice 
that Microsoft tells lies like that.

But it doesn't matter.  Debugging or not, when VS2005 SP1 with Vista hotfix 
runs on Vista successfully for some random length of time, it's a good 
thing, and all good things come to an end.

Now, Dr. Newcomer *knows* how to overcome this.  In principle, use Windows 
2000 or Windows XP on the development machine, and use Vista on the target 
machine.  You don't even need a serial link, this is user-mode stuff and you 
can copy the executables across the network.  Well, that's the principle. 
In practice, the development machine has to be Windows XP, because Windows 
2000 isn't Genuine. 

0
ndiamond1 (258)
6/11/2007 12:29:49 AM
Yes, I discovered that even as a limited user I am apparently not able to change my OWN
environment variables, but when I gave the admin password, and changed the "user"
environment variables, it set the administrator environment, not mine.

I think MS screwed this one up royally; the user environment variables are mine and should
be changeable by me.
				joe

On Sat, 09 Jun 2007 14:43:07 GMT, "David Ching" <dc@remove-this.dcsoft.com> wrote:

>"David Wilkinson" <no-reply@effisols.com> wrote in message 
>news:eFX4t3nqHHA.4280@TK2MSFTNGP05.phx.gbl...
>> There is a bit more difference than that. When the standard user supplies 
>> a password, the elevated process runs in the context of the admin user 
>> rather than the original standard user.
>
>Thanks, I had not known that!
>
>
>> For sophisticated users, I think UAC is a great thing, because it allows 
>> them to run safely from an admin account. For unsophisticated users, I'm 
>> not so sure, because they may just find UAC annoying and either turn it 
>> off or get in the habit of always clicking OK without thinking.
>>
>
>UAC is certainly an imperfect solution that no one should feel very proud 
>of.
>
>-- David 
>
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/17/2007 5:34:32 PM
ACtually, it is reasonably important to me that under "normal" operating conditions that I
be unable to set hooks or send messages to elevated processes.  Yet I still need to be
able to get privileges when I need them, but not be annoyed by having to type a password
each time.  It sounds like these are incompatible goals.
					joe
On Sat, 9 Jun 2007 11:51:46 -0700, "Alexander Grigoriev" <alegr@earthlink.net> wrote:

>Actually there is BIG difference. A "limited" process running under 
>administrator account can open a handle to an "elevated" process with full 
>access rights and screw with it any way it wants - run a remote thread, 
>inject code, etc. It's like being on the other side of the fence, but still 
>having a key to the gate. So it's just an illusion of protection.
>
>A process running under "true" limited user CANNOT open handle to an 
>administrator process. It even cannot send arbitrary windows messages to it.
>
>"David Ching" <dc@remove-this.dcsoft.com> wrote in message 
>news:%4qai.7287$u56.6575@newssvr22.news.prodigy.net...
>> "Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
>> news:reak63lhj9b6crv83kg4ve912hk1b4nras@4ax.com...
>>> OK.  But this will let me normally run with the lower privileges of an 
>>> ordinary user most
>>> of the time, then?
>>
>> Exactly.  In Vista, there's no difference between an Admin user and a 
>> Limited user, other than whether you need to provide an Admin password 
>> when elevation is required or whether you just need to click Continue.
>>
>>
>>> I'm still struggling with all this privilege stuff, but I want to be
>>> testing in a "normal" user environment most of the time.  So I really 
>>> want the extra
>>> step---I've found that I don't need it *all* that often, so I'm trying to 
>>> create a
>>> realistic test environment, but when I need it, I don't want to have to 
>>> give the password.
>>> So I'll do as you suggest.
>>
>> Yeah, this will work perfectly for you.
>>
>> -- David
>>
>> 
>
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/17/2007 5:36:10 PM
The problem is that I need to develop under Vista, because that is also a requirement of
the customer.  The customer specifically ruled out cross-platform development, and I can't
go into the reasons due to NDA, but it's part of the contract, unfortunately.
						joe

On Mon, 11 Jun 2007 09:29:49 +0900, "Norman Diamond" <ndiamond@community.nospam> wrote:

>"Anthony Wieser" <newsgroups-sansspam@wieser-software.com> wrote in message 
>news:e2J4t9mqHHA.5092@TK2MSFTNGP04.phx.gbl...
>> "Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
>> news:d7cj63l709jops1l9b8cve9gsrcn41hsqi@4ax.com...
>>> I spoke too soon about VS2005 Vista SP1 being more reliable; doing rather 
>>> trivial single-threaded app debugging, I've managed to crash it six times 
>>> in the last hour.
>>>
>>> It must be run as administrator, which requires an administrator 
>>> password.  What I'd like to do is set myself up to run as a normal user, 
>>> but with the privileges of running as administrator whenever I want to 
>>> with only the simple confirmation box (not the need to type in a name and 
>>> password each time).  Any possibility Vista supports something like this?
>>
>> I'm successfully running VS2005 sp1 on vista from a limited user account.
>
>I'm successfully running VS2005 SP1 with Vista hotfix on Vista without 
>privileges, for various lengths of time.  It does start running and runs for 
>some random length of time.
>
>> I think only certain obscure debugging functionality actually requires a 
>> full admin account.
>
>You mean that if you don't need obscure debugging functionality then 
>Microsoft is lying when they put up that prompt recommending use of 
>administrative privileges?  I thought it was illegal or immoral to notice 
>that Microsoft tells lies like that.
>
>But it doesn't matter.  Debugging or not, when VS2005 SP1 with Vista hotfix 
>runs on Vista successfully for some random length of time, it's a good 
>thing, and all good things come to an end.
>
>Now, Dr. Newcomer *knows* how to overcome this.  In principle, use Windows 
>2000 or Windows XP on the development machine, and use Vista on the target 
>machine.  You don't even need a serial link, this is user-mode stuff and you 
>can copy the executables across the network.  Well, that's the principle. 
>In practice, the development machine has to be Windows XP, because Windows 
>2000 isn't Genuine. 
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/17/2007 5:38:07 PM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:76sa735dfhre15c27imnich4aena0erps7@4ax.com...
> ACtually, it is reasonably important to me that under "normal" operating 
> conditions that I
> be unable to set hooks or send messages to elevated processes.  Yet I 
> still need to be
> able to get privileges when I need them, but not be annoyed by having to 
> type a password
> each time.  It sounds like these are incompatible goals.

I don't know what the problem is.  Under "normal" conditions, you WON'T be 
able to set hooks or send messages to elevated processes.  The only way to 
do so is to first elevate your process.  For an Admin account, all you have 
to do is click OK when the screen darkens, not type in a password.  What 
about this situation do you not like?

-- David


0
dc2983 (3206)
6/17/2007 9:34:49 PM
This question was based on the earlier reply in this thread:

>Actually there is BIG difference. A "limited" process running under 
>administrator account can open a handle to an "elevated" process with full 
>access rights and screw with it any way it wants - run a remote thread, 
>inject code, etc. It's like being on the other side of the fence, but still 
>having a key to the gate. So it's just an illusion of protection.
>
>A process running under "true" limited user CANNOT open handle to an 
>administrator process. It even cannot send arbitrary windows messages to it.

This suggests that if I make myself an administrator account (add my account to the
administrator group) then I would NOT be subjected to the limitations of my current
account.  I want code that runs under my login account to have all the llimitations of an
ordinary user (including to being able to set hooks, etc.), but if I run a program that
wants privileges (as specified in its manifest) then it will prompt me, and I can simply
click one mouse button to get them, so I can do the things I need to do without massive
hassle while still getting a credible representation of what end users will normally see.
					joe

On Sun, 17 Jun 2007 14:34:49 -0700, "David Ching" <dc@remove-this.dcsoft.com> wrote:

>"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
>news:76sa735dfhre15c27imnich4aena0erps7@4ax.com...
>> ACtually, it is reasonably important to me that under "normal" operating 
>> conditions that I
>> be unable to set hooks or send messages to elevated processes.  Yet I 
>> still need to be
>> able to get privileges when I need them, but not be annoyed by having to 
>> type a password
>> each time.  It sounds like these are incompatible goals.
>
>I don't know what the problem is.  Under "normal" conditions, you WON'T be 
>able to set hooks or send messages to elevated processes.  The only way to 
>do so is to first elevate your process.  For an Admin account, all you have 
>to do is click OK when the screen darkens, not type in a password.  What 
>about this situation do you not like?
>
>-- David
>
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/18/2007 3:32:58 PM
How about you change your account type to admin to install VS2005, so the 
correct profile gets updated when you install VS2005, and change it when you 
find you really need admin privileges, but then revert back to limited when 
you don't...

Anthony Wieser
Wieser Software Ltd

> This suggests that if I make myself an administrator account (add my 
> account to the
> administrator group) then I would NOT be subjected to the limitations of 
> my current
> account.  I want code that runs under my login account to have all the 
> llimitations of an
> ordinary user (including to being able to set hooks, etc.), but if I run a 
> program that
> wants privileges (as specified in its manifest) then it will prompt me, 
> and I can simply
> click one mouse button to get them, so I can do the things I need to do 
> without massive
> hassle while still getting a credible representation of what end users 
> will normally see.
> joe

0
6/18/2007 3:54:33 PM
Yeah, that is easy for C++ programmers to say.  Try debugging and ASP.NET 
application on Vista without running VS 2005 as an administrator... I find 
it annoying to have to remember to do that every time I am working in one 
environment as opposed to another and so far I haven't been able to figure 
out a way to run "As administrator" all the time so I always have to right 
click and select the item.  I guess I could turn off UAC, but that would 
make me run differently than my users and I'm sure I'd discover all kinds of 
things that would be wrong with that approach as soon as people started 
testing my release builds :o)

Tom

"Anthony Wieser" <newsgroups-sansspam@wieser-software.com> wrote in message 
news:eoZxmEcsHHA.5008@TK2MSFTNGP03.phx.gbl...
> How about you change your account type to admin to install VS2005, so the 
> correct profile gets updated when you install VS2005, and change it when 
> you find you really need admin privileges, but then revert back to limited 
> when you don't...

0
tom.nospam (3240)
6/18/2007 4:34:02 PM
I see.

I guess that's Software as a Service for you!

Tony

"Tom Serface" <tom.nospam@camaswood.com> wrote in message 
news:89FB685D-CF02-4EBF-B7F8-81E4A74F85C9@microsoft.com...
> Yeah, that is easy for C++ programmers to say.  Try debugging and ASP.NET 
> application on Vista without running VS 2005 as an administrator... I find 
> it annoying to have to remember to do that every time I am working in one 
> environment as opposed to another and so far I haven't been able to figure 
> out a way to run "As administrator" all the time so I always have to right 
> click and select the item.  I guess I could turn off UAC, but that would 
> make me run differently than my users and I'm sure I'd discover all kinds 
> of things that would be wrong with that approach as soon as people started 
> testing my release builds :o)
>
> Tom
>
> "Anthony Wieser" <newsgroups-sansspam@wieser-software.com> wrote in 
> message news:eoZxmEcsHHA.5008@TK2MSFTNGP03.phx.gbl...
>> How about you change your account type to admin to install VS2005, so the 
>> correct profile gets updated when you install VS2005, and change it when 
>> you find you really need admin privileges, but then revert back to 
>> limited when you don't...
> 

0
6/18/2007 4:42:12 PM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:g59d73luv7ul8a21lpqio7fsgnsr1j4rhq@4ax.com...
> This question was based on the earlier reply in this thread:
>
>>Actually there is BIG difference. A "limited" process running under
>>administrator account can open a handle to an "elevated" process with full
>>access rights and screw with it any way it wants - run a remote thread,
>>inject code, etc. It's like being on the other side of the fence, but 
>>still
>>having a key to the gate. So it's just an illusion of protection.
>>
>>A process running under "true" limited user CANNOT open handle to an
>>administrator process. It even cannot send arbitrary windows messages to 
>>it.
>
> This suggests that if I make myself an administrator account (add my 
> account to the
> administrator group) then I would NOT be subjected to the limitations of 
> my current
> account.  I want code that runs under my login account to have all the 
> llimitations of an
> ordinary user (including to being able to set hooks, etc.), but if I run a 
> program that
> wants privileges (as specified in its manifest) then it will prompt me, 
> and I can simply
> click one mouse button to get them, so I can do the things I need to do 
> without massive
> hassle while still getting a credible representation of what end users 
> will normally see.
> joe
>

Yes, and I pointed out that the assertion you quoted is simply wrong, in my 
experience.  SetWindowsHookEx() does install a global hook, but you will see 
your DLL does *not* get injected into elevated processes, if the injector is 
not elevated.

-- David 


0
dc2983 (3206)
6/18/2007 8:37:26 PM
Because installing VS2005 has nothing to do with my problem.  I want to run "limited" in a
context where I will be prompted if I need to elevate privilege, but I want the prompt to
be reasonably unobtrusive.  Unfortunately, it keeps prompting me for a password, which is
deeply offensive, since there is exactly one user on my machine, and that is me.  
					joe

On Mon, 18 Jun 2007 16:54:33 +0100, "Anthony Wieser"
<newsgroups-sansspam@wieser-software.com> wrote:

>How about you change your account type to admin to install VS2005, so the 
>correct profile gets updated when you install VS2005, and change it when you 
>find you really need admin privileges, but then revert back to limited when 
>you don't...
>
>Anthony Wieser
>Wieser Software Ltd
>
>> This suggests that if I make myself an administrator account (add my 
>> account to the
>> administrator group) then I would NOT be subjected to the limitations of 
>> my current
>> account.  I want code that runs under my login account to have all the 
>> llimitations of an
>> ordinary user (including to being able to set hooks, etc.), but if I run a 
>> program that
>> wants privileges (as specified in its manifest) then it will prompt me, 
>> and I can simply
>> click one mouse button to get them, so I can do the things I need to do 
>> without massive
>> hassle while still getting a credible representation of what end users 
>> will normally see.
>> joe
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/19/2007 2:36:42 AM
Which is exactly the rationale I'm applying.  I don't want to deliver a product that fails
in the field once deployed because it ran fine for me as admin, but won't work for anyone
else.

What I want to do is twofold:
	Never, ever have to explicitly run a program "as administrator" if I always want 
		run it as administrator; double-clicking the icon will ask me if I want
		to elevate, and I will click "continue" or "yes" or "ok" or whatever
		is required
	Never, ever have to supply a password in response to a privilege elevation prompt
				joe

On Mon, 18 Jun 2007 09:34:02 -0700, "Tom Serface" <tom.nospam@camaswood.com> wrote:

>Yeah, that is easy for C++ programmers to say.  Try debugging and ASP.NET 
>application on Vista without running VS 2005 as an administrator... I find 
>it annoying to have to remember to do that every time I am working in one 
>environment as opposed to another and so far I haven't been able to figure 
>out a way to run "As administrator" all the time so I always have to right 
>click and select the item.  I guess I could turn off UAC, but that would 
>make me run differently than my users and I'm sure I'd discover all kinds of 
>things that would be wrong with that approach as soon as people started 
>testing my release builds :o)
>
>Tom
>
>"Anthony Wieser" <newsgroups-sansspam@wieser-software.com> wrote in message 
>news:eoZxmEcsHHA.5008@TK2MSFTNGP03.phx.gbl...
>> How about you change your account type to admin to install VS2005, so the 
>> correct profile gets updated when you install VS2005, and change it when 
>> you find you really need admin privileges, but then revert back to limited 
>> when you don't...
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/19/2007 2:39:18 AM
That's what I was trying to determine.  Was it correct or not?  If it is not correct, then
my solution is simple, as you suggest.
			joe
On Mon, 18 Jun 2007 13:37:26 -0700, "David Ching" <dc@remove-this.dcsoft.com> wrote:

>"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
>news:g59d73luv7ul8a21lpqio7fsgnsr1j4rhq@4ax.com...
>> This question was based on the earlier reply in this thread:
>>
>>>Actually there is BIG difference. A "limited" process running under
>>>administrator account can open a handle to an "elevated" process with full
>>>access rights and screw with it any way it wants - run a remote thread,
>>>inject code, etc. It's like being on the other side of the fence, but 
>>>still
>>>having a key to the gate. So it's just an illusion of protection.
>>>
>>>A process running under "true" limited user CANNOT open handle to an
>>>administrator process. It even cannot send arbitrary windows messages to 
>>>it.
>>
>> This suggests that if I make myself an administrator account (add my 
>> account to the
>> administrator group) then I would NOT be subjected to the limitations of 
>> my current
>> account.  I want code that runs under my login account to have all the 
>> llimitations of an
>> ordinary user (including to being able to set hooks, etc.), but if I run a 
>> program that
>> wants privileges (as specified in its manifest) then it will prompt me, 
>> and I can simply
>> click one mouse button to get them, so I can do the things I need to do 
>> without massive
>> hassle while still getting a credible representation of what end users 
>> will normally see.
>> joe
>>
>
>Yes, and I pointed out that the assertion you quoted is simply wrong, in my 
>experience.  SetWindowsHookEx() does install a global hook, but you will see 
>your DLL does *not* get injected into elevated processes, if the injector is 
>not elevated.
>
>-- David 
>
Joseph M. Newcomer [MVP]
email: newcomer@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
0
newcomer (15975)
6/19/2007 2:40:24 AM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:lfge731i9ir7396lr1308kk07b13970e25@4ax.com...
> That's what I was trying to determine.  Was it correct or not?  If it is 
> not correct, then
> my solution is simple, as you suggest.

I don't know why you don't take my word for it, regarding the 
SetWindowsHook.  I've tried it, and it works exactly I described.  If you 
want to try the other API's like VirtualAlloc, CreateRemoteThread, etc. then 
try it using the SendMessageRemote() function that I offered before, and I 
believe you tried on other OS's.

Myself, I'm not worried about it.  I have my Admin account, have UAC 
enabled, and that's what I program in.  My main dev machine is Vista running 
exactly this.

-- David


0
dc2983 (3206)
6/19/2007 6:11:16 AM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:cage73tj26cvekaikuokodvhn3gkag6niq@4ax.com...
> Which is exactly the rationale I'm applying.  I don't want to deliver a 
> product that fails
> in the field once deployed because it ran fine for me as admin, but won't 
> work for anyone
> else.
>
> What I want to do is twofold:
> Never, ever have to explicitly run a program "as administrator" if I 
> always want
> run it as administrator; double-clicking the icon will ask me if I want
> to elevate, and I will click "continue" or "yes" or "ok" or whatever
> is required
> Never, ever have to supply a password in response to a privilege elevation 
> prompt


Right-click the shortcut (e.g. to DevEnv.exe) and click on Properties. 
Click the Shortcut tab.  Then click the Advanced button.  Check "Run as 
administrator."  Now everytime you click the shortcut, it will elevate 
automatically.

An Admin account doesn't prompt for a password to elevate.

If running in an Admin account is suspect, then create another account 
called Limited and try your program there before delivering it.  That's what 
I do and it works great.

-- David 


0
dc2983 (3206)
6/19/2007 6:16:14 AM
Yep.  There is a problem with MFC and it's attempt to write the icon 
information to the registry, but at least it doesn't assert if it can't do 
it so if users install and run at least once as an administrator it will 
work from that point on.  However, very few other things in my programs ever 
need any specific privileges beyond accessing the user's files.

Tom

"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:cage73tj26cvekaikuokodvhn3gkag6niq@4ax.com...
> Which is exactly the rationale I'm applying.  I don't want to deliver a 
> product that fails
> in the field once deployed because it ran fine for me as admin, but won't 
> work for anyone
> else.
>
> What I want to do is twofold:
> Never, ever have to explicitly run a program "as administrator" if I 
> always want
> run it as administrator; double-clicking the icon will ask me if I want
> to elevate, and I will click "continue" or "yes" or "ok" or whatever
> is required
> Never, ever have to supply a password in response to a privilege elevation 
> prompt
> joe

0
tom.nospam (3240)
6/19/2007 6:16:58 AM
Hey David,

Thanks for the tip... YES!!! It works.  I knew there must be a way to do it 
and I just never found this dialog yet.  I really appreciate your help.

:o)

Tom

"David Ching" <dc@remove-this.dcsoft.com> wrote in message 
news:OwKdi.20427$C96.11956@newssvr23.news.prodigy.net...
>
> Right-click the shortcut (e.g. to DevEnv.exe) and click on Properties. 
> Click the Shortcut tab.  Then click the Advanced button.  Check "Run as 
> administrator."  Now everytime you click the shortcut, it will elevate 
> automatically.
>
> An Admin account doesn't prompt for a password to elevate.
>
> If running in an Admin account is suspect, then create another account 
> called Limited and try your program there before delivering it.  That's 
> what I do and it works great.
>
> -- David
> 

0
tom.nospam (3240)
6/19/2007 1:10:10 PM
"Tom Serface" <tom.nospam@camaswood.com> wrote in message 
news:78269D18-2395-4CA9-A585-DBADDC8D147F@microsoft.com...
> Hey David,
>
> Thanks for the tip... YES!!! It works.  I knew there must be a way to do 
> it and I just never found this dialog yet.  I really appreciate your help.
>
> :o)
>

Sure, glad it works!  Thanks also for saying thanks.  Not enough of that 
going around!  :-)

-- David


0
dc2983 (3206)
6/19/2007 2:40:50 PM
"Joseph M. Newcomer" <newcomer@flounder.com> wrote in message 
news:cage73tj26cvekaikuokodvhn3gkag6niq@4ax.com...
> Which is exactly the rationale I'm applying.  I don't want to deliver a 
> product that fails
> in the field once deployed because it ran fine for me as admin, but won't 
> work for anyone
> else.
>
> What I want to do is twofold:
> Never, ever have to explicitly run a program "as administrator" if I 
> always want
> run it as administrator; double-clicking the icon will ask me if I want
> to elevate, and I will click "continue" or "yes" or "ok" or whatever
> is required
> Never, ever have to supply a password in response to a privilege elevation 
> prompt
> joe
>

The rationale for privilege elevation password prompt is that otherwise any 
malicious program would be able to do that by API means.


0
alegr (1131)
6/21/2007 4:19:10 AM
Reply:

Similar Artilces:

Exchange Migration Issue
Hello All, I have multiple copies of email in my user email accounts after migration. I used Exchange Migration Tool to Migrate email accounts from Exchange 2000 to Exchange 2003. Since we did not switch over to the new server right away , there were 2 days of emails still pending to be imported so I used the Migration tool again to migrate emails filtered based on date, but it seems that exchange migration has migrated all emails again, and now users have 2 to 3 copies of each email. Is there a way to remove the duplicate copies ? if so how can I go about doing that? Any pointer...

Issues with Select statement doing 'simple' math
Hello, I have tried numerous solutions to what should be a simple issue, but I have had no success. I am trying to gather some simple math values from a single table, and I cannot create the proper select statement. The below query works and provides the correct values: SELECT TOP (100) PERCENT MAX(DistCode) AS DistCode, MAX(DistName) AS DistName, MAX(CustServRep) AS CustServRep, COUNT(DistCode) AS AllOrders FROM dbo.[TABLE OrderHistory] AS OH WHERE (M2K_Timestamp >= CONVERT(DATETIME, '2010-03-01 00:00:00', 102)) AND (M2K_Timestamp < CONVERT(DATETIME, '...

Information Store Issue
Event ID: 1101 Source: MSExchange Private Type: Error Description: Error 0xfffffbd3 occurred on message 1- EB1F8B1 during a background cleanup This message appeared many times before the Exchange IS service stopped responding. The article Q293836 seems to describe the same problem. But our user.dmp file is 1.5GB in size. How can I examine the content in this user.dmp file? How do I know if I it's suitable to apply the hotfix recommended in the article? Hi Chang, Please install http://support.microsoft.com/?id=841765 -- Niclas Holmkvist Microsoft Exchange Support --- This p...

WMP 11 uses 700+MB of memory (vista)
WMP 11 uses over 700MB of memory when I try to start it (memory usage from the task manager). I either have to end the task or restart my computer because it locks everything up. Not sure how I can uninstall/reinstall WMP11 since Microsoft isn't making it easy for me. Anyone know how I can fix this problem, thanks. How many songs are there in your library? If you rebuild the library, by following the instructions at http://zachd.com/pss/pss.html#medialibrary for WMP 11 on Vista, does that help? Note that rebuilding the library will make you lose all play counts, and possibl...

DAO Recordset Issue
The overall objective is to sort a recordset by clicking a command button at the top of the column. The following code is my coding effort and I can't even get past the basics. The strSQL creates the correct recordset (30 records) when I plug it into the SQL query window but it returns 30 identical copies of the first record once it gets to the rst object. Can anyone shed some light as to what is going on. Thanks Private Sub cmdSortYOB_Click() Dim X As Integer Dim strSQL As String Dim intCount As Integer Dim rst As DAO.Recordset Dim rss As DAO.Recordset strSQL = "select *...

Migrating MFC application to Vista
Hi, I have an MFC application running on Win 2K and XP. I need to migrate it to Vista. A quick google didn't turn up any useful links. If anyone has any links/tips/ steps involved, please let me know. TIA, SD SD wrote: > I have an MFC application running on Win 2K and XP. I > need to migrate it to Vista. > A quick google didn't turn up any useful links. If anyone > has any links/tips/ steps involved, please let me know. Here's usefull series of articles: "Making Your Application a Windows Vista Application: The Top Ten Things to Do" http://msdn.microsof...

2nd try on assembly issue
I posted back on 4/30, but got crickets. So, I hope it's OK to bump this in hopes of help. We are having an issue where we post an Assmebly and it shows updated qty for the FG and the components, but the Assembly Entry remains. The odd thing about it is that one of the components now had a red 'O' at the far right of the component item field. I can't find any info on this 'O', though. So, my guess is this posting issue (which has happened on two assmeblies in the last two days) is somehow related to this 'O' character. Also, when we posted the trx agai...

Sync Issues After Exchange 2010 Upgrade
Hi all Anyone suggest remedy for sync issues between Outlook2003/2007 and Exchange 2010 please? We run Outlook in cached mode so that users have access to emails on their laptops when not connected to the network or Internet. After our 2010 Exchange upgrade, a sync issue is reported whenever communication with Exchange is broken/restored (closing and re-opening Outlook prompts this). It may be related - some users have reported eratic behaviour when deleting emails - usually it works fine - sometimes the item simply doesn't delete - sometimes the message "Unknown...

Max. no. of characters in a message box line is less in Vista when compared with XP
Hi, I have noticed in Vista, the maximum no. of characters which could be displayed in a messagebox line is 85 characters where in XP it was 131 characters. Following is a summary when compared this with OSes, OS - Max. no. of characters per messagebox line. XP - 131 Vista, Windows 7 - 85 Windows2008 Server x32 and x64 - 81 Following is a code in VB to run in Vista simulate the problem which spans into 3 lines, where it was expected in 2 lines. MsgBox ("**Maximum number of characters per messagebox line in Windows Vista is 85 characters.**"+CHR(13)+CHR(10)+"...

Upgrading to 8.0
We are planning on upgrading from 6.0 to 8.0 We have four issues that we need some help on. (We are not using Manufacturing) 1. How do you deplete inventory from one site? 2. How do you expense the transfer of raw material inventory to the end user departments department? 3. How do other customers handle a raw material and finished good inventory using Great Plains? 4. If we have three inventory classes, can we lock out certain users from accessing items different inventory classes? Thank you. 1. How do you deplete inventory -- Do you mean you want to get all the On Hand qu...

Not a Vista Question, but...
I have used news forums such as this for years - dating all the way back to Windows 95. I have recently noticed that my favorite Microsoft Word -- and other software specific forums -- are no longer being supported by Microsoft. They contained some brilliant MVP professionals. Has this talent disbanded altogether, or have they re-grouped elsewhere under another banner? Thanks in advance. Gordon Biggar Houston, Texas Microsoft is in the process of killing off its newsgroups. They will = all be killed by October 1 of this year. Its alternative is a web-based = forum ...

Vista Ultimate 64 and Outlook 2003 Rules
I recentlly installed Office Pro 2003 w/Outlook on a new Windows Vista Ultimate laptop. I imported my mail/rules/etc. from my XP machine. The rules fail now fail to move mail from the inbox (from certain addresses) to different folders. I can move them manually. This is a home network with no Exchange server involved. I am suspecting that it is some kind of a permissions problem. My ID is on the admin list. I can't figure this one out. Any help would be appreciated. Also, I'm unable to choose an different Office Assistant. I'm stuck with that darn cat! Thanks, Tex...

System-wide repaint issue
Hello, I am experiencing a spontaneous system-wide repaint, particularly when performing a slow paint job. Every visible window on the screen recieves a WM_PAINT message; even the icons on the desktop are repainted. I know that a call to Invalidate or RedrawWindow with a NULL window handle will cause this, but I have been unable to find this occuring within our code. I know that WM_PAINT is also automatically sent when a window is resized, but the window is not recieving WM_SIZE when this occurs. Any ideas what else might cause a system-wide repaint? Thanks, -dp Any chance you're doin...

Customization Issue
I added a couple fields (not custom) to the account form . . . then removed them. Now, those field names are showing up in the fields dropdown box in "Advanced Find". How can I remove them from there? -- Brandon Smith Presentations Direct - "Document Finishing Solutions" http://www.presentationsdirect.com You cannot remove them from the fields dropdown box in Advanced Find. All fields, whether they appear on a form or not, are listed for a particular object. If you check out the list, you will find there are a whole lot of fields that are in that dropdown, s...

Synch issue--never really gets going
I get the message upon starting that the synch feature is not going to work because the data on msn is different than the data in M05. So far, so good. I then continue to the choice that rejects the data on msn in favor of the data in M05. I wait a day. And guess what. I get the same message time after time. I use the M05 as the underlyng standard for my data so I simply want to wipe out whatever data I have on MSN and allow the M05 program to do its thing. The goal is tobe able to access, from a different computer, the data that M05 places there. Seems very broken from this end. Ha an...

Outlook 2007 shared mailbox
Hi all, I haven an issue here I really don't haven an answer to. We've upgraded a department here from Office 2003 to 2007. Ever since we are having issues managing a shared mailbox. The users from that vertain department want to use the function categories with colors in the inbox of that shared mailbox. Now the issue is only the last person that loggs on to that shared mailbox by having it added in the outlook folder view (via the advanced properties) can change the color category on any item in the inbox. If you open the email in the shared mailbox inbox then anybody can ch...

google chrome issue
Checked my running processes, I have one chrome window open with 10 tabs open. My computer reports 14 instances of chrome.exe running totalling around each one using between 30-100mb of memory. Whats up with that? On Jan 13, 8:22=A0pm, "flamer die.s...@hotmail.com" <die.s...@hotmail.com> wrote: > Checked my running processes, I have one chrome window open with 10 > tabs open. My computer reports 14 instances of chrome.exe running > totalling around each one using between 30-100mb of memory. > > Whats up with that? That sounds about right for what ...

Latest Windows Vista Update stops Outlook 2007 from working, Please help
Whenever the latest Windows Vista update is installed on my computer, Outlook 2007 doesn't work. It doesn't send and receive emails and when I click on 'New Email' I get an error message which says: "The messaging interface has returned an unknown error. If the problem persists, restart Outlook." The only way I can use Outlook is to use System Restore to 'undo' the last Windows update. But then it is constantly trying to force me to install the new update and I have to keep stopping it from uploading. This has wasted hours of my time. What can I do please? T...

Does anybody know of a bluck email issue using MSCRM ??
Hi, I have had one of our people come back from a conference where they got speaking to somebody who is using MS CRM and has been for some time, they told him that they have hit a problem with sending large numbers of E Mail from the web client with E Mails not getting sent but the system reporting them as sent. This is supposed to be a "Known" bug but I can't find any info regarding this, I need to address this with my marketing people as they plan to us MS CRM for customer communications and they are suffering a lack of confidence in the product regarding this ???? An...

Re Stocking Issues
From: "Stephen Zwarts" <stephen.zwarts@immix.co.za> Subject: Reoreder problems. Date: 06 November 2006 05:18 PM Anybody's help would be appreciated. I have a client that based on reorder information places transfer everyday. She uses the HQ 330 worksheet and bases this on re-order information option in HQ. Now I am getting the following. An item with an on hand Quantity in her WAREHOUSE of 7 which is the same as at HQ. She has 6 stores. It places the first store correctly, in the second store it place the incorrect order and in the third store does not even order. Fi...

RPC over HTTP connection issues
I have configured my exchange 2003 server for RPC over HTTP access according to microsoft's instructions and it worked sporadically for a couple of days and now it dosen't connect at all. Before I put anymore time into trying to resolve this issue can someone please answer this question: Must all machines be Win2003, meaning that all GC’s, DC’s and the RPC over HTTP proxy must be Win2003 in order for RPC over HTTP to work? I'm currntly running exchange 2003 on a Win2003 member server in a Win2000 domain. Please help, Eddie Yes. All Domain Controllers that Exchange talks...

Excel Memory Saving Issues
Whenever updating one of our budget files (which is attached to consolidation files), it will ask me if I want to "save changes"? (yes or no) I will click on yes and a box says "not enought memory (with a box to click okay)" It will then say unable to save external link values and it appears to be going ahead and saving the file. Is there anyway to have enough memory? Should I be concerned with data integrity? Any information would be greatly appreciated. Hi Robert, If you are trying to save to a removable medium and Excel won't let you then consider your...

CRM mail issues #2
A CRM client has been having a sporadic issue with sending emails from CRM. Every so often they will receive a message that an email has bounced. Usually it pertains to relaying was denied. Relaying denied. IP name possibly forged [70.89.46.173] They also seem to be having the same issues when sending emails from CRM that they go directly to the recipients SPAM folder in outlook. Any thoughts on this? Thanks, -Rick M. ...

vista black screen with mouse arrow only
I boot up with cd and do a Starup Repair but it stll gives me black screen with the mouse arrow. The details of the repair is # of root causes = 1 and all the error codes are 0x0 The last sentence it says Root causes found:- Boot status indicate that the OS booted successfully Reading throiugh this forum I also do a scannow at c:>sfc /scannow but it gives me a message that "Windows Resource Protection could not perform the requested operation" Just wonder what can I do next to get my vista going as it is still giving me the black screen with the mouse arrow. ...

OMA access issues
I am trying to get OMA working from a Samsung A530 cell phone. When I try to access my OMA site, I get the following error in the Event Log: Unable to connect to the global catalog server. To fix this problem, verify that network connectivity exists between this server and the global catalog servers. Also, verify that the global catalog servers are working properly. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. I know that the global catalog is working. Running the netdiag and dcdiag return with all tests passed. Can anyone help me with t...