Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#305321 - 19/12/2007 21:47 UAC Elevation in Vista
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Anyone know anything about the subject of elevating past UAC in Vista?

Yeah, I should ask my coworkers, except... I don't work at the Evil Empire any more, I'm now at a place called NetMotion Wireless. Anyhow...

I've got a situation where a bug repros on one vista machine but not on another vista machine. We think we've got them configured pretty similarly, but they behave differently one crucial way that we *must* nail down in order to prevent a bug in our software.

I am going to attach two pictures of elevation prompts, one that I will consider "bad" and one that I will consider "good". I'll attach them and then continue my question in another post...


Attachments
bad.JPG

Description: This one is Bad. This is the one we don't want to see.

good.JPG

Description: This one is good. This is what we'd like to see every time.


_________________________
Tony Fabris

Top
#305322 - 19/12/2007 21:54 Re: UAC Elevation in Vista [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
On the machine I'm testing this on, I get the "Bad" one when I try to elevate CMD.EXE, but I get the "Good" one when I try to right click on My Computer and hit "Manage".

I can also make the "Good" one appear every time if I log into the computer as a user in the local user's group as opposed to a user in the Doman Users group. But we want the "good" behavior every time. And anyway, I've got another machine here that gets the "good" behavior every time, regardless of whether it's a domain user or a local user.

See, the problem with the "BAD" box is this: You can get past it by entering cheap credentials. Credentials of just a joe-user-guy. It returns, making the calling application think that the guy entered proper admininstrator credentials. But he didn't.

I can even fool Windows itself with this one. If I try to elevate "Command Prompt", and I get the "Bad" Box, and I enter joe-user credential instead of admin credentials, IT LETS ME, and it even says "Admininstrator" at the top of the box as if I'd really elevated. But I haven't, and I find that out the hard way when I try to do anything administrator-like from within that box, it keeps giving me "access denied" errors.

The "good" box is different. It won't let you past it unless you truly enter some admininstrator credentials. When you come out of that box, if you didn't really and truly elevate, you get an error message saying "this requires elevation <OK>" and whatever called it, fails out. As it should.

Does anyone have any idea what governs which of the two boxes is the one that's going to appear?
_________________________
Tony Fabris

Top
#305324 - 19/12/2007 22:29 Re: UAC Elevation in Vista [Re: tfabris]
rubennyc
member

Registered: 27/01/2006
Posts: 142
Loc: New Jersey, USA
I have nothing helpful to offer. I just come here to express my utter disdain for UAC. It is a pox on humanity and a powerful ally in the battle against productive computing.

Top
#305327 - 20/12/2007 00:58 Re: UAC Elevation in Vista [Re: tfabris]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I'm sure you've checked this, but I would suspect computer membership in the domain. Has the computer bee joined to the domain properly? Maybe try removing it and re-adding?
_________________________
Bitt Faulk

Top
#305332 - 20/12/2007 03:28 Re: UAC Elevation in Vista [Re: wfaulk]
gbeer
carpal tunnel

Registered: 17/12/2000
Posts: 2665
Loc: Manteca, California
I think the difference is that the logged in users have different accounts. Admins get a different prompt than restricted users.

Compare the account types/permissions of the logged in user of each machine.
_________________________
Glenn

Top
#305351 - 20/12/2007 14:35 Re: UAC Elevation in Vista [Re: wfaulk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
 Quote:
I would suspect computer membership in the domain.

That's a good thought. The computer is definitely a member of the domain, and it can communicate with the domain controller because (with proper elevation) I can execute commands that require domain membership, such as NET LOCALGROUP groupname domain\user /ADD and they work.

However, the machine is a VM image which gets restored from a standard VMWare restore point, and it's very possible that the domain membership goes a bit wonky in those cases. I'll try refreshing its domain membership and see if that fixes it.
_________________________
Tony Fabris

Top
#305352 - 20/12/2007 14:38 Re: UAC Elevation in Vista [Re: gbeer]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
 Quote:
Admins get a different prompt than restricted users.


Admins get no login box at all. Admins get a "Continue" button and that's all. So that's not it.

The users are (as far as I can tell anyway) identical in terms of their permissions. In both cases, they are members of the "Domain Users" group only.
_________________________
Tony Fabris

Top
#305356 - 20/12/2007 15:21 Re: UAC Elevation in Vista [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
 Originally Posted By: tfabris
I'll try refreshing its domain membership and see if that fixes it.


Nope. Joined it to a whole new domain and back again, same results with that user....
_________________________
Tony Fabris

Top
#305357 - 20/12/2007 15:32 Re: UAC Elevation in Vista [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
The more I mess with this, the more it looks like some kind of strange quirk with that particular user account and profile.

The user account was once an administrator of that machine, and was later removed from the administrator's group. Perhaps that is the reason it's behaving that way.
_________________________
Tony Fabris

Top