dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
 ·Comcast
| [XP Home] Accessing Program From Guest Account?
Is there a way to get this software to run without administrative privileges?
I'm trying to enable this on my son's account. I am the administrator.
--
Prevent Malware |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
edit:
May 9th, @10:06PM
| Did you try (from an administrator account) putting a shortcut to the program in the "All Users" or your son's limited account start menu folder?
edit: added info |
|
AB
Premium
join:2006-04-04
Leesburg, VA
| reply to dolphins
He's trying to run it from a Limited account or specifically from a 'Guest' account? They're not quite the exact same thing.
And some software does in fact require Admin. privileges to execute, though that should be noted in any documentation.
So you may want to check the 'readme' file for that program, or whatever other documentation there is available. |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
edit:
May 10th, @12:41AM
| Just checked the FAQ at DataPilot's website and it does need to write to the registry.
Is there a way to just allow any 'one program' full read/write capabilities from a guest account? From what I've read this is not possible.
--
Prevent Malware |
|
bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
 ·Verizon Online DSL
| quote:
Is there a way to just allow any 'one program' full read/write capabilities from a guest account?
The security model for Windows is User based. The priviliges permitted in any individual circumstance is based on what is called a token. Tokens are issued to Users, not programs.
In the case of registry writes, the effective permissions contained in the token for a registry write would have two controlling security principles:
1. The NTRIGHT SeCreatePermanent; which is the access control on creating or modifying any operating system object that persists;
2. Individual registry permissions. By default, only members of the Groups SYSTEM, and Administrators, have sufficient permissions to do a registry write.
Taking these two together, you could proceed as follows:
1. As an Administrator-type user, download something like "Process Monitor", by Microsoft/Sysinternals. Start the monitor.
2. Start your target software. Perform whatever program action that needs to make a registry write. Use Process Monitor to identify the specific registry keys.
3. Open regedit and navigate to the registry key(s) of interest. Right click, Permissions, and grant full permissions to the group 'Everyone' (or 'Users' under XP Home).
You have now taken care of the first issue in the token -- the Guest user did not have to create the permanent object. The Administrator already did it for them. You have taken care of the second permission issue by granting to Everyone (which includes the Group Guest) the permissions to write to the registry keys needed by the program.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
|
|
JRosenfeld
join:2005-06-06
UK | reply to dolphins
In the run as box, instead of checking current user, check 'the following user' and select a user account with admin rights (you'll need to know the password) |
|
bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL
| Except that he would have to pass the Adminsitrator's username and password to this Guest user. And this would have to be done multiple times during the Game play.
At least make the user a Restricted Account instead of using the Guest Account.
The answer is likely No. This was true under XP for many Games as well. While you could make a UAC exception on the PE files of the Game, the registry access would be far trickier.
You have to in that case use Process Monitor by Sysinternals (or a similar application) and track what keys and/or values are being modified. Then grant permissions to those registry keys to "Everyone" with full rights.
This can be very tedious to do even once. With multiple games it can be extrememly annoying. Consider in the alternative using Microsoft's free "SteadyState" to essentially "sandbox" certain profiles: »www.microsoft.com/windows/produc···ult.mspx
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
|
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to JRosenfeld
said by JRosenfeld  :In the run as box, instead of checking current user, check 'the following user' and select a user account with admin rights (you'll need to know the password) Tried that already but it still doesn't work in guest account.
--
Prevent Malware |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to bcastner
said by bcastner :Except that he would have to pass the Adminsitrator's username and password to this Guest user. And this would have to be done multiple times during the Game play. At least make the user a Restricted Account instead of using the Guest Account. The answer is likely No. This was true under XP for many Games as well. While you could make a UAC exception on the PE files of the Game, the registry access would be far trickier. You have to in that case use Process Monitor by Sysinternals (or a similar application) and track what keys and/or values are being modified. Then grant permissions to those registry keys to "Everyone" with full rights. This can be very tedious to do even once. With multiple games it can be extrememly annoying. Consider in the alternative using Microsoft's free "SteadyState" to essentially "sandbox" certain profiles: » www.microsoft.com/windows/produc···ult.mspx Thought about your analogy and came to the conclusion that it's time for my son to buy his own computer or delete some crap off my old laptop so he can install this software on it.
Thanks for answering my question.
--
Prevent Malware |
|
