Wednesday, October 20, 2010

UAC Whitelisting and the Application Compatibility Toolkit

UAC has some good and bad elements. When you are logged on as a standard user, being prompted for alternate credentials when needed is a great thing.

But the detection logic Windows uses to determine when these credentials are needed is sometimes faulty.

For example, UPS WorldShip updates itself pretty often. In Windows XP, allowing a standard user to do this was a simple matter of giving the user MODIFY permission over the UPS program folder.

In Vista and Windows 7 it's not so easy. The Windows installer-detection heuristics flag the update utility - RUNPATCH.EXE - as a file that requires elevated privileges. When it runs, the standard user is prompted for alternate credentials. It doesn't matter that the standard user has all the rights needed for the utility to do its thing.

Other admins would do one of three things, all of which suck:

  1. Wait for UPS to make WorldShip logo compliant. Good luck on that one, see you in a few years.
  2. Allow the user to run as administrator. Do you always give up so easily?
  3. Downgrade the computer to Windows XP. Why don't you just give them an Amiga, you loser?

If these three options did not appeal to you (and they shouldn't) then you probably googled for some way to white list a program from UAC. At first you will see people say, "Well that defeats the purpose of UAC!" Idiots. There is a way and, as usual, Microsoft made it difficult to find.

And no, it is not by including a Side-by-Side Manifest, but you are close. Man, I wasted a lot of time on that dog.

The answer is the Application Compatibility Toolkit. If you follow the instructions I linked above, and choose "NoVirtualization" and "RunAsInvoker" as your fixes, Windows should no longer detect RUNPATCH.EXE as requiring alternate credentials.

I'm Back...

I never would have made it as a writer, though people tell me I'm good at it. As you can see, I've lost the inspiration to blog for a few years. But I'm back.

Why? Because I'm just so good at my job, I need to share what I find with the rest of the world. Also, my memory is shot. I can come back here to find solutions to problems I fixed already. Believe me, it sucks having to research something for the second time.

Saturday, January 28, 2006

Power Management and Other Problems of the Non-Administrator

Power management is a real problem for non-administrators on Windows XP, but there are other problems running as user. I was looking up the registry keys needed to allow users to change those power settings when I found this great blog:

The Non-Admin blog - running with least privilege on the desktop

Anyway, here is the power management solution as posted on that blog:

  1. Run Regedit.exe as an administrator.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
  3. Right-click on the “GlobalPowerPolicy” key and choose “Permissions”.
  4. Click on the “Advanced” button.
  5. Click “Add”.
  6. Type INTERACTIVE and click “Check names”, then OK.
  7. Check the “Set value” and “Create Subkey” checkboxes in the “Allow” column, and click OK, then OK, then OK.
  8. Do the same thing with the “PowerPolicies” key.

Bug in IE Proxy Auto Detect

Looks like there is a bug in the way automatic detection of proxy servers works with Internet Explorer. I've confirmed it on Windows 2003 SP1.

If you have enabled the option in IE to check for revoked server certificates, SSL sites fail. If you manually specify the proxy server, SSL sites work.

It appears the mechanism used for checking if the certificate is revoked can't automatically detect a proxy server. If you turn that option off (which is recommended for performance reasons) then you can live with automatic detection.

Here is some more info on IE proxy auto detect.

Thursday, January 26, 2006

Google is Evil

I find it absolutely amazing that Google can turn down the U.S. Government when they are trying to protect their citizens, but will be complicit with the Chinese government when they are trying to repress theirs.

Not that I wanted Google to cooperate with our Justice Department. But now what excuse do they have, when they are willing to censor search results for terms like "democracy" for another government?

Google has simply become evil in the search for profit. It sure didn't take long after going public.

Monday, January 09, 2006

Terminal Server and Internet Explorer Enhanced Security Configuration

The key below will get rid of the Internet Explorer Enhanced Security Configuration message when set to 1.

This is useful when you have a Terminal Server and you enable the mode for administrators, but the warning shows up for users anyway.

The problem is caused because the default user account still has some tightened security applied. Most of this can be reversed with group policy, but this setting can't.

You have to open the default user registry hive as a file to edit this setting and have it apply to all new users.

HKEY_USERS\S-1-5-21-1659004503-2049760794-682003330-1107\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IEHardenIENoWarn

REG_DWORD = 1
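
Editing the default user hive as a file means loading it under a temporary name, changing the value, and unloading it again. This PowerShell script is an added example, not part of the original post; the hive file path (Windows Server 2003 layout) and the temporary mount name are assumptions, and it writes under the loaded default user hive as the text describes rather than under the SID shown in the key path above.

```powershell
# Added example: set IEHardenIENoWarn in the default user hive so that
# profiles created afterwards inherit it. Run from an elevated session.
# Assumptions: hive location (Server 2003 layout) and temporary mount name.
$hiveFile = 'C:\Documents and Settings\Default User\NTUSER.DAT'
$mount    = 'HKU\DefaultUserTemp'
$subKey   = "$mount\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# NTUSER.DAT is a hidden file, so test for it with the .NET API.
if (-not [System.IO.File]::Exists($hiveFile)) { throw "Hive not found: $hiveFile" }

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Value name and data come from the post: IEHardenIENoWarn, REG_DWORD = 1.
    & reg.exe add $subKey /v IEHardenIENoWarn /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }

    # Show the value as stored in the hive before it is unloaded.
    & reg.exe query $subKey /v IEHardenIENoWarn
}
finally {
    # Always unload, even after a failure: a hive left mounted keeps
    # NTUSER.DAT locked and can break creation of new profiles.
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; unload $mount manually" }
}
```

Existing profiles are not touched by this; only users whose profile is created after the change pick up the value.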

Monday, December 12, 2005

Post with VBScript Using NTLM, HTTPS

There are many ways to post data to a web site using VBScript. It becomes harder when you must use HTTPS. It gets downright silly when the script must use integrated authentication to the web server as the user running it.

Here are all my attempts to do just that, listing the last one that finally succeeded:

Function post(sText)
  dim http

  'This line sets the client XML object.
  'This method appears to require hard-coded credentials, or it will revert to anonymous.
  'It also needs the host and certificate names to match when using HTTPS.
  ' set http = Createobject("MSXML2.XMLHTTP")

  'This line sets the server XML object.
  'This method appears to require hard-coded credentials, or it will revert to anonymous.
  'It will do HTTPS if the host and certificate names don't match.
  ' set http = Createobject("MSXML2.ServerXMLHTTP")

  'These lines set the server XML object, version 4.
  'This method will pass NTLM credentials when the proxy configuration is set.
  'It also will do HTTPS if the host and certificate names don't match.
  'But most clients don't have MSXML4.
  ' set http = Createobject("MSXML2.ServerXMLHTTP.4.0")
  ' http.setProxy 2, "gkproxy", "gkweb"

  'These lines set the WinHTTPRequest object.
  'This method will pass NTLM credentials when the proxy configuration is set.
  'It also will do HTTPS if the host and certificate names don't match.
  'And most clients support it!
  set http = CreateObject("WinHttp.WinHttpRequest.5.1")
  http.SetAutoLogonPolicy 0

  http.Open "POST", "https://host/default.spx", false
  http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
  http.send sText
  post = http.responseText
  Set http = nothing
End Function

Sunday, December 04, 2005

Remove Add/Modify FTP Locations

I've been locking down a new Terminal Server for Microsoft Office. It's fun playing God. You shall not save files here!

Anyway, I found a feature that could not be disabled with your typical policies. I did not want users trying to save to an FTP site. So I created an ADM file:

CLASS USER

CATEGORY "Microsoft Office 2003"
  KEYNAME "Software\Microsoft\Office\11.0\Common"
  POLICY "Remove 'Add/Modify FTP Locations' when you open or save a file"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
     VALUENAME RemoveFTPLocationsFromLookIn
     VALUEON NUMERIC 1
     VALUEOFF NUMERIC 0
    END PART
  END POLICY
END CATEGORY


Save the text as an .ADM file and import it into your group policy. Be sure to set the filter to view templates that can't be fully managed. This means that the setting controlled by this ADM file is "tattooed" and remains when the policy is removed.

Saturday, November 19, 2005

It's in the Mail

You know, it's not so hard to send e-mail from VBScript. I guess I just figured it would be given my experience with Perl and batch files.

All that is needed is Outlook Express. I finally found a good reason to have OE installed by default.

Function SendEMail(sSender, sTo, sSubject, sTextBody, sFrom, sFile, sSMTPServer)
  Dim objEmail
  Set objEmail = CreateObject("CDO.Message")
  objEmail.Sender = sSender
  objEmail.To = sTo
  objEmail.Subject = sSubject
  objEmail.TextBody = sTextBody
  objEmail.From = sFrom
  objEmail.AddAttachment(sFile)
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = sSMTPServer
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
  objEmail.Configuration.Fields.Update
  objEmail.Send
End Function

Monday, November 14, 2005

Why Don't You Just Tell Me What File?

I wrote a script and tried to make it easy. You could pick your input file and name your log file using common dialog boxes.

Now I have to re-write the script as a service, but I don't want to forget how to do this:

Option Explicit

'Confirm execution
Dim strScriptName, i
strScriptName = "My Script"
i = MsgBox ("Select an input file.", 1, strScriptName)
If i <> 1 Then
  i = MsgBox ("Script aborted.", 0, strScriptName)
  Wscript.Quit
End If

'Select the input file
Dim objCD, IntCD, strCD
Set ObjCD = CreateObject("UserAccounts.CommonDialog")
ObjCD.Filter = "Text Documents|*.txt|All Files|*.*"
ObjCD.FilterIndex = 1
IntCD = ObjCD.ShowOpen
If IntCD = False Then
  i = MsgBox ("No input file selected. Script aborted.", 0, strScriptName)
  Wscript.Quit
End If
strCD = objCD.FileName

'Select the log file
i = MsgBox ("Now select a log file.", 0, strScriptName)
Dim strLogFile, objLogFile, intLogFile
strLogFile = ObjCD.FileName & ".log"
Set objLogFile = CreateObject("SAFRCFileDlg.FileSave")
objLogFile.FileName = strLogFile
objLogFile.FileType = "Text Document"
intLogFile = objLogFile.OpenFileSaveDlg
If intLogFile Then
  strLogFile = objLogFile.FileName
Else
  i = MsgBox ("No log file selected. Script aborted.", 0, strScriptName)
  Wscript.Quit
End If

i = MsgBox ("Input File: " & strCD, 0, strScriptName)
i = MsgBox ("Output File: " & strLogFile, 0, strScriptName)

It works only on Windows XP, by the way!