Elevated Priv


Jeff Smyrski

Is there a way to allow a program / dll to always run with elevated privileges? I have a software vendor that has provided us with programs, one in particular that is a dll that generates htm code for a web session. The way that the program is supposed to work is that the user will make a request to retrieve an archived/scanned document from a database. The interface for that function is controlled in a dll loaded to the Windows\System32 folder. The dll goes and fetches the image, and then converts the image to an HTM web page. The problem is that the dll is doing all of this work in the System32 folder, where, unless you are a power user locally or higher, you cannot create files.

Until they fix the bug (which, by the way, does not happen in Windows 2000 or NT; why, I don't know), I need to have a workaround for this problem without giving all of my users Power User rights locally. They log into a domain that restricts many things on the user's workstation, including the installation of software, and by default XP limits the permissions for users to read-only on the system32 folder. The dll is basically using the system32 folder as a temp folder, and the htm document is discarded after the inquiry has been executed. The file names are also random in that they are always prefaced with a 32 digit string.htm

Is there a way to allow only that dll to execute with elevated privileges whenever it is called, or is there another way to make this work that perhaps I have not thought of...

Thanks.

Jeff Smyrski
 
Hi Jeff,

To allow users to create files in the C:\Windows\System32 folder, you can grant the necessary NTFS permissions to the users or the groups that the users belong to.

First, disable Simple File Sharing by following these steps:

1. Click "Start", and then click "My Computer".

2. On the "Tools" menu, click "Folder Options", and then click the "View" tab.

3. In the "Advanced Settings" section, click to clear the "Use simple file sharing (Recommended)" check box.

4. Click "OK".

Second, grant the proper permissions to the users or groups.

1. Log on with an account which has administrative privileges.

2. Right-click the System32 folder and click Properties.

3. Click the Secure tab.

4. Click the Add button and then add all the users who want to use the program or the groups the users belong to. Give them the Full control permission. You can also add the Everyone group and give it the Full control permission.

If anything is unclear, please don't hesitate to let us know.

Sincerely,

William Wang
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties,
and confers no rights.
--------------------
 
I understand that this is an option, although if I am going to let users
have full control of the System32 folder, I may as well just make them
administrators. My question was more specific than user rights to a folder.
It was directed to being able to allow one program, no matter who runs it,
to force it to run with elevated privileges so that the program can do what
it was written to do. It would be like trusting a certain
application...this method would preserve the security of the system folder
and would keep users from destroying the integrity of at least the local
machine or other machines that they can log onto. The user group in
question are my everyday domain users.

Surely there must be another way that I can allow this program/dll to run
with higher privileges without risking the integrity of the network or at
the very least the local computer. Could this be done with a policy in
Active Directory?

Jeff
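
An added example, not part of the original thread or any poster's code: a PowerShell check that reports whether a folder such as System32 carries allow ACEs giving broad groups write-level access, which is the condition the follow-up post objects to. The list of groups treated as broad and the rights mask are choices made for this example.

```powershell
# Added example (not from the thread): report allow ACEs that give broad
# groups write-level access to a folder. Defaults to System32.
param([string]$Path = (Join-Path $env:SystemRoot 'System32'))

# Well-known SIDs, so the check does not depend on localized group names.
# Which groups count as "broad" is this example's choice.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a principal create, replace or delete content, or rewrite
# the ACL itself. FullControl contains all of them.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
    $fsr::TakeOwnership)
# Inherit-only ACEs can carry raw generic bits instead of enum values:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

# Ask for SIDs rather than account names so the lookup table above matches.
$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad.ContainsKey($_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $broad[$_.IdentityReference.Value]
            Rights      = $_.FileSystemRights
            Inherited   = $_.IsInherited
            Propagation = $_.InheritanceFlags
        }
    })

if ($findings.Count -gt 0) {
    Write-Warning "Write-level access for broad groups found on $Path"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write-level allow ACEs for the listed groups on $Path"
}
```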
 
