Full Control to Users programmatically

[jimmuh]

A-cotton-pickin'-men! (Amen, with feeling) I'm a systems admin and
productions application support specialist for a large printing firm. I have
been threatening the people who vend bindery production software with a
Louisville Slugger for YEARS. The idiots keep on storing any damned thing
they want any damned where they want and then try to blame Microsoft (or me,
if they don't value their lives) when their CRAPware fails because I make
the end users live with restricted user permissions.

I'm so tired of waging this little war that I'm about to throw in the
towell. I should just give everyone local admin and let 'em have at it so
that management could see how long their network will last under the
circumstances the software vendors are trying to create. Heh. The only two
malware detections we ever had on this network came from the vendors
technical field reps sticking infected CDs written on their notebook's
burners into machines on the network. We weren't infected, but we were
notified. Of course the same morons also tried plugging their notebooks INTO
THE NETWORK WITHOUT PERMISSION after they were notified that their CDs were
infected.

These same geniuses write their software from such a perversely
self-centered point of view that it often simply disables other important
software or system functions. They seem to think that any computer on which
their junkware is installed must be devoted SOLELY to running the junkware.
They seem genuinely puzzled when anyone takes exception to that point of
view.

All I can say to Microsoft, regarding UAC and the better (but not yet
perfect) security model in Vista -- it's about time! Now, if you'd just grow
a pair and turn off the ability to disable UAC...

 

[jimmuh]

Yes, indeed! I responded in kind to Jimmy Brush and wished to record my
approval of your message, too. "Programmers" take note. Users who have any
sophistication at all in matters of system behavior and security can tell
the difference between programmers who know what they're doing and all of
the slop-shot artists. If you think you own an system directory or anything
which lies below it in the file structure -- think again! That belongs to
the OS and to the user who uses the OS, and it is NOT up to you to decide to
screw with security settings there! (or any danged where else, for that
matter)

 

[DanS]

microsoft has made the decision that your computer is no longer yours
so your little rant looks really silly in light of the above ~VERY
WELL DOCUMENTED~ articles. So blow it out your bilge pipes there
mister mvp brown or whoever you are.

If anything, the class action lawsuits are just beginning to brew so
please stay posted for further developments. I thought it was my
computer and not theirs but apparently they changed the rules and
forgot to tell everyone which is not fair.

Let's look at this piece-by-piece....

Does the computer belong to you ?.........

Yes, the physical PC hardware does belong to you....you have/had a
receipt for it.

Are they so arrogant that
they think their OS
can do whatever it wants to anyone's computer or
are they just too lazy to lean how to do things properly?

Well it IS their OS. You have never 'owned' any version of a MS OS since
Bill Gates introduced software 'licensing' when MS-DOS was introduced.

You are purchasing the 'privilege' (sic) to use the OS on your own PC
hardware, but you do not 'own' the OS. You have already agreed that MS
still really owns the copy of the OS you are using, and since it is their
property, they can change things in it.

MS Windows is a commercial product, and therefore, as every commercial
product, it goes thru changes in it's product lifetime. It can actually
relate well to a long-life automobile line....there's the initial release
of the model, for a few model years there are some refinements, maybe
some trim changes, option pacakges maybe....little things. Then after 4
or 5 years, there's a new model of 'Whatever', with a 'new' body
style....same name though. Like the change from the late '70s Camaro
style, to the 80's version in '82. Still generally looks like a Camaro,
but a lot of the same parts don't fit. I couldn't use the same maintenace
regimen on the '82 fuel-injected system vs. the '76's carburated engine,
so the procedure must adapt.

Same principle...product design is driven by whatever is 'hot' at the
time. Some may see it as improvements, some not, but very rarely, can a
product be commercially successful if it never undergoes any change ?

While it's true there are commercial products that may haven't changed in
100 years or more, like salt, or beer, any complex product must evolve,
whether perceived good or bad, or it would not be able to exist in the
long-term. Let's see, for the same price, I can buy this new style car,
with options, fuel-injected, air-bags, ABS, etc., or a 1974 AMC Matador
replica, while still being brand new, lacks all newer technology. My
choice would be with the new technology.

(As a note, I am NOT defending MS on this matter, merely pointing out
that there's nothing you can do about it, it's just the basic principles
of marketing.)

They will
potentially alienate their customers at best and possibly set
themselves up for a lawsuit at worst.

Alienate...sure...tick off...yes...but that doesn't matter...at this
juncture anyway, since there is no 'real' alternative for another OS.

Yeah, let's get Grandma to install Linux.....

User's made a choice back in the early '90s at the 'true' start of the
home PC boom, to go with Windows. If IBM would have been successful at
marketing OS/2 and IBM was now the PC OS king, everyone would feel the
same way about them as MS. Windows was the VHS and OS/2 the BetaMax.

The OEM's will continue to push Windows on the cheap PC market, and it
will spread, there's no way to stop it. It all starts at the OEM's....

 

[Ralph]

On Sat, 10 Feb 2007 10:46:32 -0800, "Kerry Brown"


Ha ha ha. That wouldn't normally be so offensive but for this:

http://hairyears.livejournal.com/101843.html

and this:

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

microsoft has made the decision that your computer is no longer yours so
your little rant looks really silly in light of the above ~VERY WELL
DOCUMENTED~ articles. So blow it out your bilge pipes there mister mvp
brown or whoever you are.

If anything, the class action lawsuits are just beginning to brew so
please stay posted for further developments. I thought it was my
computer and not theirs but apparently they changed the rules and forgot
to tell everyone which is not fair. Are they so arrogant that they
think their OS can do whatever it wants to anyone's computer or are they
just too lazy to lean how to do things properly? They will potentially
alienate their customers at best and possibly set themselves up for a
lawsuit at worst.

I just can't wait until Paul Clement has a go at this. Let's hear
something cogent for a change, mister Paul, please.

"I thought it was my computer and not theirs but apparently they changed the
rules and forgot to tell everyone which is not fair."

Actually Microsoft has been writing the message on the wall in clear glowing
letters for quite some time now. I can say that now, as hind-sight is always
twenty-twenty. Unfortunately most of us either ignored it or didn't want to
believe it.

[I for one, with perhaps far less excuse than anyone in this group, found
myself outside the door asking "Tell me it ain't so Joe" when they killed
VB. Yet in looking back I realize I had a front-row seat at the death bed
when they called for the undertaker. (The fact they never even seeked
medical assistance should have been enough.) So I definitely place myself in
the majority.]

I consult for a company that prides itself on "vendor-independence". Carries
it to a religious dogma. Yet there isn't a single project in the joint that
isn't tied to at least 3 to 5 major subscription or licensing agreements.
Just for grins I sat down one day and taking a project that was easily
within the ability of a small ISV to reproduce, I calculated the amount of
money she would have to pay out for just software/hardware licensing, to
recreate it. I was close to two hundred thousand and still counting. In
comparison the few hundred you pay to have it bundled within a single O/S is
chump-change.

It isn't YOUR computer and it isn't YOUR software. And hasn't been for a
very long time. Read the EULAs, about the only thing you ever had any
"rights to" was when to turn the computer on and when to turn it off.

"If anything, the class action lawsuits are just beginning to brew so please
stay posted for further developments"

Pure wishful thinking. Ain't going to happen. People said the same when they
killed VB - and we all have seen what "further developments" have brought.

It is all being driven by billion-dollar companies, their little blackboxes,
and petty turf wars. Take heart that you will be able to some day boor your
grandchildren with stories about kernal hacks and assembly, much like I boor
my children today with talks about building super-hetrodyne receivers out of
oatmeal boxes. With an equal amount of relevance to their world.

Its over Stefan.

-ralph

 

[Jimmy Brush]

Hello,

You're right about not all MS teams following SPEC in some circumstances, of
course. And they are as much at fault (if not moreso!) than third party
developers not following spec.

As for a common addresses example, you could allow each user to add common
addresses to the "common address list" or remove addresses that they
themsleves added, but not modify addresses that other people have added.
This could be accomplished technically by having a seperate data file for
each user in the per-machine storage area (%allusersprofile%, or
C:\ProgramData in vista).

Sharing data between users on the system is possible using the per-machine
storage area, however, as you mentioned the isolation between user accounts
is enforced. One user's data cannot be modified by another user, unless the
user is an admin and is running an administrative program.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Stefan Berglund]

Its over Stefan.

-ralph

Sorry to see you go. Bye.

 

[Schmidt]

You're right about not all MS teams following SPEC
in some circumstances, of course. And they are as
much at fault (if not moreso!) than third party
developers not following spec.

Yep - and my point was, that developers are somewhat
lost nowadays - should they follow MSs-SPECs/Rules/
Recommendations, or are they better advised, to follow
MSs own practice, to protect their (time-intensive)
investments best?

As for a common addresses example, you could allow
each user to add common addresses to the "common
address list" ...

It was just an example for a Common-Writable-File (for
all users). There are many other examples for programs,
wich require write-access on a common used (DB-) File
for all users on a machine.

... however, as you mentioned the isolation between user
accounts is enforced. One user's data cannot be modified
by another user, unless the user is an admin and is running
an administrative program.

And that "kicks out" a whole class of programs (unless they
are not "elevated" somehow), because there are many, many
scenarios, where more than one user wants to change Data
on the same Document- or DB-File.

I'm missing some clear recommendation for this special
case of "Collaborative-Apps".
Where to put those commonly used Data-Files on Vista
(wich need common Write-Access), so that Admin-Rights
for that class of Applications are not required.

Olaf

 

[Jimmy Brush]

If the user wants a document to be collaborative, they will put it in the
Public Documents folder, sine that folder is shared (read/writable) with all
the users on the computer.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

Yep - and my point was, that developers are somewhat
lost nowadays - should they follow MSs-SPECs/Rules/
Recommendations, or are they better advised, to follow
MSs own practice, to protect their (time-intensive)
investments best?

Well,

Since the groups in MS that did NOT follow SPEC now have to hussle and
bussle to get their app IN SPEC to work with Vista, I think the example is
clear: Follow SPEC and your App will be as future-proof as possible. DON'T
follow spec and you're up a creek, just like some groups in MS were.

It may appear to be "time saving" to do whatever works without regard to
SPEC; but, this is only true in the short term, as both MS and the OP found
out.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Schmidt]

... I think the example is clear: Follow SPEC and your App
will be as future-proof as possible...

But that's exactly the problem (from a more general point
of view)...
SPECs, APIs, whole Programming-Languages can be
declared as "depreciated" by MS from one day to the other.

That's why developers have to make difficult decisions
these days.
IMO they are good advised, to look carefully, what MS
is saying they have to or should do and what MS itself is
doing regarding their own apps.

Olaf

 

[Schmidt]

If the user wants a document to be collaborative,
they will put it in the Public Documents folder, sine
that folder is shared (read/writable) with all
the users on the computer.

Just tried exactly this (one or two weeks ago) on XP -
and it was *not* working for the normal/reduced
UserAccounts (works only for the XP-Advanced-Users).

Olaf

 

[Jimmy Brush]

But that's exactly the problem (from a more general point

of view)...
SPECs, APIs, whole Programming-Languages can be
declared as "depreciated" by MS from one day to the other.

True.

However, API's and programming guidelines will never just STOP WORKING one
day, not without plenty of notice and instructions on how to adapt to the
new way.

If programmers had changed their application to work in a least-privilege
enviornment after everyone transitioned from Win9x to Windows NT like
Microsoft's SPEC instructed how to do, they would not be in this bind now
that Vista is out and their applications simply won't work anymore (or will
work poorly/improperly).

You point out that following the spec doesn't guarantee that things won't
change; this is very true. However, it will keep your application working,
until you can adapt to the changes

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

Here's the security on the public documents in Vista:

C:\Users\Public\Documents>icacls .
.. BUILTIN\AdministratorsI)(OI)(CI)(F)
CREATOR OWNERI)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
NT AUTHORITY\INTERACTIVEI)(OI)(CI)(M,DC)
NT AUTHORITY\SERVICEI)(OI)(CI)(M,DC)
NT AUTHORITY\BATCHI)(OI)(CI)(M,DC)

Everyone has at least modify rights, which is pretty much just shy of full
control.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Dave O.]

Look guys,

It has *never* been acceptable to MODIFY files in Program Files.

Just because it WORKED in earlier version of Window doesn't mean it was
*OK* to do so!

Interesting, I wonder why MS SQL Server stores its database files in
C:\Program Files\Microsoft SQL Server\MSSQL$<instance name>\Data
They change a lot, one tune for the piper and one tune for everybody else!

Regards
Dave O.

 

[Kerry Brown]

Microsoft was as guilty as everyone else in the past, maybe even more so as
they should have been setting an example. The key statement here is "in the
past". Why do you think XP was so easily targeted by malware? Do you want
this to continue in Vista? UAC, virtual registry, and all the other tricks
to allow legacy apps to run would not have been necessary if Microsoft and
everyone else had done things properly to start with. Microsoft took a while
but finally reached this conclusion. They are now enforcing proper
programming. If you come up with hacks to get around this you are only
delaying the inevitable. Eventually your program will break and it will keep
breaking as you pile hack upon hack. It's easier to bite the bullet and fix
it now while the shims exist to help you transition. I can't imagine the
shims will be in the next Windows OS or don't people think that far ahead.
One good thing about all this is that you will learn how to program properly
for secure multiuser OS'. It should be much easier to port your programs to
other OS' which will broaden your market.

 

[Ken Halter]

My VB6 program is installed by setup created in InstallShield 12.
Before Vista everything was working fine.

Ya' know... I've read this entire thread and one glaring point keeps popping
into my head. The *reason* we all have to go through this nightmare is
because of MSs crappy C++ programmers that left security holes *everywhere*.

I see plenty of reference to "this is not your computer, it's the users"
but... why do these users need this security in the first place? Privacy? If
privacy is the concern, there are plenty of ways to ensure privacy. If we're
dealing with this mess because MS has no other way of preventing a virus
from infecting a users files, then... guess what. That user is an idiot
anyway and deserves to have their files wasted. As anyone ever heard the
term "backup"?

I've had a computer since Xmas 1981 and not once... not even close... has a
virus attacked my system. It wasn't because I plugged all of the security
holes... it wasn't because I run using a restricted account. It wasn't dumb
luck either. A little common sense goes a long way.

All of these security nightmares are just "glitter and gold" anyway. As
usual when increased security takes effect, whether it's at an airport, or
on your PC. The only people that suffer are the honest people. The crooks
just find another way in. Just like outlawing guns leaves only crooks with
guns. Only the honest people have to pay. Vista was cracked before it was
ever released. Which means, its entire security mechanism is flawed.

Sure, I'll probably have to deal with the mess, since I'm not a crook... but
I won't like it and find it useless for any real protection. As long as I
work here though, I have full control over security on any PC that runs our
software... which means they'll all be running as Admin.... since they're
not connected to the internet, I doubt very seriously if running as admin
will cause any problems for anyone.

 

[Dave O.]

Microsoft was as guilty as everyone else in the past, maybe even more so
as they should have been setting an example. The key statement here is
"in the past". Why do you think XP was so easily targeted by malware? Do
you want this to continue in Vista? UAC, virtual registry, and all the
other tricks to allow legacy apps to run would not have been necessary if
Microsoft and everyone else had done things properly to start with.
Microsoft took a while but finally reached this conclusion. They are now
enforcing proper programming. If you come up with hacks to get around this
you are only delaying the inevitable. Eventually your program will break
and it will keep breaking as you pile hack upon hack. It's easier to bite
the bullet and fix it now while the shims exist to help you transition. I
can't imagine the shims will be in the next Windows OS or don't people
think that far ahead. One good thing about all this is that you will learn
how to program properly for secure multiuser OS'. It should be much easier
to port your programs to other OS' which will broaden your market.

Sure I can understand MS not getting it right for minor applications and
little tools but SQL Server is a flagship product which does handle some
mission critical information for some users, there is no way that they
should have let it out of the door storing data off the ProgramFiles folder
tree. This is an indication of the poor product testing or the lack of
knowledge of the testers at MS as well as inadequate briefing of developers
at MS who should have known this was or would become a problem.

Regards
Dave O.

 

[Ralph]

Ya' know... I've read this entire thread and one glaring point keeps popping
into my head. The *reason* we all have to go through this nightmare is
because of MSs crappy C++ programmers that left security holes *everywhere*.

I see plenty of reference to "this is not your computer, it's the users"
but... why do these users need this security in the first place? Privacy? If
privacy is the concern, there are plenty of ways to ensure privacy. If we're
dealing with this mess because MS has no other way of preventing a virus
from infecting a users files, then... guess what. That user is an idiot
anyway and deserves to have their files wasted. As anyone ever heard the
term "backup"?

I've had a computer since Xmas 1981 and not once... not even close... has a
virus attacked my system. It wasn't because I plugged all of the security
holes... it wasn't because I run using a restricted account. It wasn't dumb
luck either. A little common sense goes a long way.

All of these security nightmares are just "glitter and gold" anyway. As
usual when increased security takes effect, whether it's at an airport, or
on your PC. The only people that suffer are the honest people. The crooks
just find another way in. Just like outlawing guns leaves only crooks with
guns. Only the honest people have to pay. Vista was cracked before it was
ever released. Which means, its entire security mechanism is flawed.

Sure, I'll probably have to deal with the mess, since I'm not a crook... but
I won't like it and find it useless for any real protection. As long as I
work here though, I have full control over security on any PC that runs our
software... which means they'll all be running as Admin.... since they're
not connected to the internet, I doubt very seriously if running as admin
will cause any problems for anyone.

You will get little argument from me. All good points. Except for your
allusion to "MSs crappy C++ programmers that left security holes
*everywhere*."

Don't forget VB is written in C and ASM. ASM is just as prone to security
holes as any other language that allows you to be creative with 'addresses'.
VB classic has no built in immunity either. In fact a VB program is easily
compromised thru its reliance on COM. (I know, I know - another one of those
damn C-things. <g>)

And don't think it is just MS. Linix systems, in spite of all the hype, are
far more vulnerable than Windows. Think about it - they publish the source
code! An attacker doesn't even have to re-engineer it!

[You would have enjoyed the fun we all had for awhile with Java runtimes.
Talk about excellent slow moving targets. <g>]

Hell there are "holes" everywhere. If you want to blame anyone - blame the
original TCP/IP programmers - who never gave 'security' even a passing
thought.
Hell we 'ALL' have been writing bad code.

-ralph

 

[Paul Clement]

¤ > Look guys,
¤ >
¤ > It has *never* been acceptable to MODIFY files in Program Files.
¤ >
¤ > Just because it WORKED in earlier version of Window doesn't mean it was
¤ *OK*
¤ > to do so!
¤ >
¤
¤ We all know Microsoft's party line. What Microsoft
¤ decides is "OK" is not particularly relevant here. They
¤ designed a product. They sell it. Now people writing
¤ software need to decide the best way to deal with it.
¤
¤ You know perfectly well that Program Files has always
¤ been where most software worked out of until recently.
¤ (After all, what point would there be to VB's App.Path
¤ property if nothing there could be accessed? And very
¤ few people other than corporate lackeys on workstations
¤ run XP as anything other than admin.
¤
¤ It's not as simple as just "going along with the plan".
¤ Even if you think that Microsoft's general plan makes
¤ sense, it's only geared toward corporate users. Home
¤ and small office users want functionality...they don't want
¤ frivolous warnings...and they usually don't want settings
¤ changing between users. So the challenge is to work
¤ out the simplest way to seamlessly allow people to run
¤ software that way, as unrestricted for all users.
¤
¤ I think that everyone wants to try to do that in a
¤ standard way that makes it easy for users, but the
¤ options in Vista for all-user-accessible software seem
¤ to come down to either cutting the security in Program
¤ Files or moving everything to All Users App Data. There
¤ doesn't seem to be an option that's in accord with what
¤ MS officially defines as "OK".
¤

Make up your mind. If you want to provide your application with free reign over the system then
disable UAC. Otherwise follow the rules that are implemented in a secure environment and play in
your own sandbox.


Paul
~~~~
Microsoft MVP (Visual Basic)

 

[Paul Clement]

¤
¤ ¤ > Look guys,
¤ >
¤ > It has *never* been acceptable to MODIFY files in Program Files.
¤ >
¤ > Just because it WORKED in earlier version of Window doesn't mean it was
¤ > *OK* to do so!
¤
¤ Interesting, I wonder why MS SQL Server stores its database files in
¤ C:\Program Files\Microsoft SQL Server\MSSQL$<instance name>\Data
¤ They change a lot, one tune for the piper and one tune for everybody else!

Nope. SQL Server operates under a service which has sufficient permissions to access the file store.
It is middle-ware that has its own security mechanism, by which the underlying files can be
accessed.


Paul
~~~~
Microsoft MVP (Visual Basic)