|
OK... Here's the issue:
I've been tasked with migrating my company's kiosk music system from Windows 7 to Windows 10. We currently have about 40 machines out on rental.
The machines are not internet-connected, and the kiosk launcher runs in a restricted "standard" user account, and uses Parental Controls and Group Policies to maintain its security. I'm currently rewriting the launcher shell in C#/.NET 4.6.2 following MS current security policy guidelines.
The main music player app and its registration plugin were written (not by me!) nearly 10 years ago for Windows Vista, and need read/write access to several files in the %programfiles% folder and to registry keys in both HKLM and HKCU. We no longer have the original source code, and the company will not authorise a complete rewrite (despite my protestations!).
In Windows 7, I simply disabled UAC across the entire system, and set the music player app and its registration plugin "Run As Administrator" for all accounts. That has worked for us for 7 years now, and caused us no security issues, due to the machines being "locked down" in so many other ways.
With the advent of Windows 10, "Run As Administrator" results in the user being prompted for an administrator password every time the music player is started. I've failed completely to disable UAC on the standard restricted user account. Here's all the suggestions which haven't worked:
1) Drop the UAC slider to the bottom in the main Administrator account. This disables UAC on all Admin accounts, but not on standard ones.
2) Change "EnableLUA" to zero in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Same result as 1)
3) Create a shortcut to the music player EXE including the administrator password... Basically Aaaaaaargh! That would risk exposing the machine's administrator password and break our other security.
4) Create a task in Task Scheduler to run the app with administrator permissions. This is impractical because the machine administrator password has to be written into the task. All 40 machines have unique passwords, and there is no "automatic" way of writing that into the task. The systems need to be upgradeable with a sysprep'd clone. It also risks exposing the admin password to "local hackers" same as 3).
5) Write the "Run As Administrator" along with the password into the kiosk launcher shell prior to compilation. Gets around the chance of exposing the password, but I'd need to recompile the launcher for each machine, because they all have unique passwords.
It has been suggested that there may be extra Group Policy settings available to disable UAC completely in the Enterprise edition of Windows 10, but nobody seems to be able to confirm that, and in any case I'd be unlikely to get my company to fork out for 40 copies of Enterprise!!!
I can't believe that no one has yet found a way to completely disable UAC in Windows 10, but googling the issue has produced no workaround which is usable for our systems.
PLEASE... Has anyone managed to crack this issue yet? I'm sure I'm not the only person in need of a "fix" for this.
Thanks.
|
Thanks for your reply, Richard, and apologies for taking so long to reply. Unfortunately I didn't get a notification.
Unfortunately, the "Do not store password" option probably won't work, because it will then request an admin password whenever the app is started.
I'll have a look through the other links you've supplied. It looks like quite a steep learning curve, but I guess nothing worth doing was ever "easy"!
It amazes me that no one has found a way to totally disable UAC in Windows 10 yet. It seems to be something that a lot of users need to do in order to provide backward compatibility for "badly written" old apps. It's all very well Microsoft trying to push us towards better security practices, and I agree that we need eventually to rewrite some of those dodgy old apps, but I don't know any company which can afford to ditch 15 years of R&D and go back to the drawing board in the few months we're being given, especially with the Intel gen7 processors refusing to install any older OS!
|
djdynamix wrote: Unfortunately, the "Do not store password" option probably won't work, because it will then request an admin password whenever the app is started.
It probably won't. It just runs the task as the administrator, but without elevated access to network resources.
If you select the checkbox labeled "Do not store password", Task Scheduler will not store the credentials supplied on the local computer, but will discard them after properly authenticating the user. When required to run the task, the Task Scheduler service will use the "Service-for-User" (S4U) extensions to the Kerberos authentication protocol to retrieve the user's token.
When using S4U the ability of the service to use the security context of the account is constrained. In particular, the service can only use the security context to access local resources.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
Thanks again Richard. I appreciate your help. I've now solved the problem.
What I did was to download the Compatibility Assistant from MSDN, and created and installed a .sdb compatibility shim, with the setting "Run As Invoker".
Everything now works exactly as it did under Windows 7.
Thanks again.
Ian
|
No. 6) app.manifest
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <!-- UAC Manifest Options
           If you want to change the Windows User Account Control level replace the
           requestedExecutionLevel node with one of the following.

             <requestedExecutionLevel level="asInvoker" uiAccess="false" />
             <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
             <requestedExecutionLevel level="highestAvailable" uiAccess="false" />

           Specifying requestedExecutionLevel node will disable file and registry virtualization.
           If you want to utilize File and Registry Virtualization for backward
           compatibility then delete the requestedExecutionLevel node.
      -->
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
    </requestedPrivileges>
  </security>
</trustInfo>
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
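As an added example (not part of the original post, and not code from any tool mentioned in this thread): when no source code is available, the execution level a legacy EXE requests can still be read from the manifest embedded in the binary. This Python script scans a file's bytes for the trustInfo block, ignores commented-out options like those in the manifest above, and reports the live requestedExecutionLevel. The function names and sample bytes are constructed for illustration, and it assumes the manifest is stored as ASCII/UTF-8 text.

```python
import re
import sys

# A trustInfo block, with or without a namespace prefix on the tags.
_TRUST = re.compile(rb"<(?:\w+:)?trustInfo\b.*?</(?:\w+:)?trustInfo>", re.DOTALL)
# XML comments: manifests like the one above keep unused options inside one.
_COMMENT = re.compile(rb"<!--.*?-->", re.DOTALL)
_LEVEL = re.compile(rb"<(?:\w+:)?requestedExecutionLevel\b([^>]*)>")
_ATTR = re.compile(rb"""(\w+)\s*=\s*["']([^"']*)["']""")

# Effect for a standard (non-admin) user under default UAC policy.
MEANING = {
    "asInvoker": "runs with the caller's token, no elevation prompt",
    "highestAvailable": "runs with the user's highest token, no prompt for a standard user",
    "requireAdministrator": "always elevates, a standard user is asked for admin credentials",
}

# Constructed sample: fake binary padding around a manifest fragment.
SAMPLE_MANIFEST = b"""<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <!-- <requestedExecutionLevel level="asInvoker" uiAccess="false" /> -->
      <requestedExecutionLevel level="requireAdministrator"
                               uiAccess="false" />
    </requestedPrivileges>
  </security>
</trustInfo>"""
SAMPLE_EXE = b"MZ\x90\x00" + bytes(64) + SAMPLE_MANIFEST + bytes(16)

def execution_levels(data: bytes):
    """Return [(level, uiAccess)] for each live requestedExecutionLevel in data."""
    found = []
    for block in _TRUST.findall(data):
        live = _COMMENT.sub(b"", block)  # drop commented-out alternatives
        for attrs in _LEVEL.findall(live):
            kv = {k.decode("ascii"): v.decode("ascii", "replace")
                  for k, v in _ATTR.findall(attrs)}
            found.append((kv.get("level", ""), kv.get("uiAccess", "false")))
    return found

def assess(data: bytes) -> str:
    levels = execution_levels(data)
    if not levels:  # per the manifest comment: no node keeps virtualization
        return "no requestedExecutionLevel: file/registry virtualization stays available"
    level = levels[0][0]
    return f"{level}: {MEANING.get(level, 'unrecognised level')}"

if __name__ == "__main__":
    print("sample ->", assess(SAMPLE_EXE))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", assess(fh.read()))
```

Pass one or more EXE paths on the command line to check real binaries; a result of `requireAdministrator` means the prompt comes from the binary's own manifest rather than from a compatibility setting.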
|
Thank you for your response, but I was not able to use an app manifest as I had no access to the source code. I've now solved the problem. Please refer to my response to Richard Deeming's reply if you'd like to know how I did it. Thanks again.
|
Anyone out there with some experience on network file transfers with Windows?
On my Windows XP, Windows 7, Windows 10 machines I have scripts that build release folders for Windows CE and Windows Embedded Compact 7. In the past, I stayed on my local VM - Windows XP, and all was well. Due to progress, I have to push files from my Windows XP VM to either a shared drive on the desktop (same machine), a network drive or a new Windows 10 laptop.
The folders are shared between machines, so I expect I could copy and paste, or run a DOS script. But every transfer drops important OS files - like hive files for the registry.
I have a work around - zip up the dir, copy to where it needs to go, and expand, but really?
Edit: so, thinking I would work around things, I zipped up my release folders on XP, copied the zip file to my Win7 machine and then pulled it to my Windows 10 laptop that will do the final build. No registry files.
It's all on local machines
Is there a setting I don't know about?
SFMS
Charlie Gilley
Stuck in a dysfunctional matrix from which I must escape...
"Where liberty dwells, there is my country." B. Franklin, 1783
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759
modified 16-Mar-17 23:22pm.
|
Damn you Microsoft, damn you to whatever hell you choose, and I hope it's hot. With Windows 10 you add a new "hide protected operating system files" down underneath where it has always been?
Screw damnation, I have a 2x4 I want to apply to some heads.... ffs
Charlie Gilley
Stuck in a dysfunctional matrix from which I must escape...
"Where liberty dwells, there is my country." B. Franklin, 1783
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759
|
Hmmm,
You do realize that this is how Windows Explorer has worked for over 25 years, right? I am fairly certain that this was a typical PEBCAK error.
Best Wishes,
-David Delaune
|
A code signing application I have developed can be downloaded for free using this link. It allows code signing using a .pfx certificate file with minimum hassle. Hope you enjoy it. Comments and suggestions are always welcome.
- Michael Haephrati מיכאל האפרתי
|
It may be free and simple, but does not run as is... It has dependencies (like MFC) not found on simple installation... You may want to pack it and post here: Free Tools Discussion Boards
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
|
Dependencies? Strange. I compiled it with MFC as a static library.
- Michael Haephrati מיכאל האפרתי
|
On clean installation I have "The program can't start because mfc120u.dll is missing...", on other computers it works smoothly...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
|
I can fix that. No problem
- Michael Haephrati מיכאל האפרתי
|
Then you should post this in Free Tools, or write an article about it.
|
Done that already
- Michael Haephrati מיכאל האפרתי
|
How can I convert an audio file (any format: wav, m4a, mp3) to FLAC format with C#?
Is there any NuGet package? I found this package: FLAC.WindowsRuntime
But how can I use it to convert to FLAC format?
modified 7-Sep-16 5:25am.
|
I had DVDvideosoft audio converter. It can convert mp3 and wav files to flac files.
|
Hello there. I am thinking of taking up this free Windows 10 upgrade offer from Microsoft. I am running Windows 8.1 with all this software, development IDEs and database servers installed on my machine.
Question: If I upgrade to Windows 10, how many problems should I expect to run into? Will I be able to run all the existing developed software without any major manual setting?
Thanks.
|
Assuming you have a good backup then you should be fine after the upgrade. I upgraded one Windows 7 system and one Windows 8.1 system, and both worked without any problems after the upgrade.
|
If you are running all of that stuff on your machine, the first thing you have to make sure of is creating a recovery point or setting up a backup for your data and files. Windows 10 installs like an addition to your current system, Windows 8.1, and it does not rewrite the whole system data from scratch.
|
I think you will not have any problems. I updated my Windows from 8 to 10. The first time, a year ago, Windows 10 was working very badly, the computer hung, and I went back to the previous version of Windows. After half a year, I decided to update Windows to version 10 again. And now it works fine and I'm very happy. Of course, it's up to you.
|
Take a backup, then do the upgrade. Process will tell you what you need to re-install.
Secondly, having tried Windows 10 since its early days, I am among those who recommend performing a clean install as the best way to upgrade your systems. Just for your curiosity, Microsoft happens to allow you to use the product keys that you got with Windows 7, 8 and 8.1. The edition of Windows 10 is based on the key's edition.
So, in my opinion, performing a clean install is one of the best ways to upgrade a machine.
Quote: Will I be able to run all the existing developed software without any major manual setting?
I run all sorts of software, from development, to virtualization, to graphics, to animation and all the way to games. Yes, they work pretty well. If the question is about one specific piece of software, check its documentation for supported platforms.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
|
You will be able to run the existing developed software, even though your Windows will most probably need some type of protection just in case it downloads any infectious things like diseases that will make your laptop or tablet play up.
Thanks for asking
chloe 
|