Signed On As Administrator, but Denied Access

[Guest]

Downloaded APC Power Chute update for VISTA. Wanted to save this into
Program Files - Denied Access as administrator. Well, guess what, I am the
ADMINISTRATOR! I could not save this update anywhere except PUBLIC folder.
Why is this? Who has the right to administrator action when I'm signed on as
the sole administrator of this account? This is very irritating.

 

[Guest]

I'm having the same problem. I can't mofiy files in the Program Files
directory or my root (C:\) drive. I am an administrator. Why can't I modify
files?

 

[Jimmy Brush]

Hello,

In Windows Vista, even though you are an administrator, the programs that
run on your computer are not allowed to use your administrator power unless:

1- They prompt you for permission
2- You explicitly give them permission (right-click, run as administrator)

The files in Program Files and your root C drive are not writiable by
non-administrative programs because the files in these areas affect every
user and the entire system.

Allowing unpriviliged programs write access to these areas would allow them
to overwrite/replace well-known programs or system-wide configuration data
used by windows or well-known programs, which is unacceptable for a program
that does not prompt.

The easiest way to accomplish what you are doing is to save the file to some
place in your user profile (such as documents), and then using windows
explorer, move that file to program files. This will end up prompting you
for permission and then allowing things to work.

Alternatively, you can run the program that is doing the downloading "as
administrator" by right-clicking it and clicking Run As Administrator, and
this will allow it to save to this area, but the solution above is better.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

Thanks Jimmy. I did exactly that, save and then move. However, it is
frustrating to be an 'administrator' but not have administrator powers to
work with my own system as I see fit, not as MS determines how it should be
run! I'm not into programming, I'm HR, and need to be able to make
corrections etc. to things within my 'control'. This is not possible with
the new "ask your administrator", safety and security that MS has imposed
upon us. I realize that registry etc. are proprietery, and that I need not
be able to access these, and accept that. But being unable to save to a
folder within the Program Files is just not acceptable! My time and effort
are worth just as much, and I don't need to spend it working around something
that hinders MY ability to do MY job.

Red

 

[Jimmy Brush]

Microsoft is not "determining how you use your computer" at all.

There is *nothing* you are blocked from doing now; an administrator has as
much power to do things as they did in Windows XP.

The only difference is that *you* now have control over which programs can
use *your* administrator power.

I understand that you are having issues because of this change because you
are using older programs that do not know how to ask for your permission;
however, these issues will go away as programs are made that work with
Windows Vista, and the fix for these programs is really simple (right-click
them and click run as administrator for short-term; for long term,
right-click, click properties, click compatability tab, and tell it to
always run as administrator).

The best advice I can give is that if you are getting errors such as "access
denied" or "you have to be an administrator to do this", it is because the
program you are using is not designed for Windows Vista, and needs to use
your administrator power in order to be able to do what it needs to do, but
doesn't know how to ask you for your permission.

In order to allow it to do what it wants to do, right-click it, and click
Run As Administrator; just be aware that this will give that program *full
access* to your computer, so be sure you trust the program with such access
before doing it.

This security feature in Windows Vista gives you the following assurances:

* Programs that run on your computer can *ONLY* have full access to your
computer with *YOUR* knowledge/permission; programs that don't need or don't
ask for full access to your computer, don't get it

* You are notified EVERY TIME a program requiring full access to your
computer starts; this protects you from programs loading trusted, system
components and using them against you ("Hey, I didn't start format.exe...
what is it doing running?")

These are good things


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

Well, I guess, as the English PHD stated in a lecture, "Conjecture is a
symantic, and all the world talks in symantics. So I conjecture that this
symantic is not compatible with your symantic and therefore the conjecture of
a converstation is simply not symantic enough to be compatible."
Now. I am still totally confused as to why I have to have administrator
powers in order to save a program in a specific file folder. That is my
basic question. And if not allowing me to save a program that is VISTA
specific - as is the one I was attempting to save - is a security measure to
protect VISTA, then it would be somewhat of a forgone conclusion, in my
humble estimation, that MS is indeed, 'determining how I utilize my computer.'
But, all that aside, your original answer was sufficiently specific, and
allowed me to manage the problem that I was having. I thank you for your
help.

ativar

 

[Guest]

Mr. Brush,

I totally understand the reasoning for the new permissions design and
personally think it's a great idea. The user is the most dangerous part of
the system!
I do have a question. One of our programs uses an add in application that
creates a virtual lock, simulating a VPN connection. This install is
automatic and does not prompt for permission. Vista blocks this installation.
There isn't a way to save this to a system because it does not give the
chance. The "guys in the sky" are working on upgrading the program; however,
that could take up to two months (usually more). In the mean time the guys
out in the field are helpless. Which means money out of pockets. Being the IT
GOTO, I feel the heat from both directions.Is there a work around?

 

[Jimmy Brush]

Well, I guess, as the English PHD stated in a lecture, "Conjecture is a
symantic, and all the world talks in symantics. So I conjecture that this
symantic is not compatible with your symantic and therefore the conjecture
of
a converstation is simply not symantic enough to be compatible."

*blank stare*

Now. I am still totally confused as to why I have to have administrator
powers in order to save a program in a specific file folder. That is my
basic question.

You *have* admin power. You can save anywhere you want. But, you have to
tells Windows that you want the program you are using to *use* this power,
if it doesn't ask for it.

And if not allowing me> to save a program that is VISTA
specific - as is the one I was attempting to save - is a security measure
to
protect VISTA,

LOL, it is not a security measure to protect Vista. .. it is a security
measure to protect *you*. From the program that you are using to do the
download (i.e. perform an administrative action).

Vista doesn't know you want that program to be able to have full control
over your computer ... because it is too old to know how to ask for it. So
you have to let vista know that you want it to be able to use your admin
power.

The reason certain folders are restricted in this way is because it contains
sensitive files that, if modified, could be used to take over your computer.

UAC protects you from programs that would modify these areas without your
knowledge or consent.

UAC prompts are not somehow controlling you or keeping you from doing
things... UAC does nothing of the sort. UAC protects you from the programs
that run on your computer, and puts you in control over them by 1) telling
you when a program runs that wants full access to your computer and 2)
giving you a chance to stop such programs from running. That is the only
thing that is going on .

You seem to be really driving at "what is the difference between what is a
restricted/administrator action and what isn't", and pointing to the fact
that Microsoft has defined this seperation, and thus is round-aboutly in
control of your computer.

While it is true that Microsoft has defined the line between administrative
vs. non-administrative, this gives them NO control whatsoever over your
computer because you have the SOLE and EXPLICIT control over how programs
cross this line via the UAC prompt and the run-as-admin tool. Microsoft has
no control over what programs you choose to allow to cross this line - you
have the sole power to determine this.

If Microsoft wanted to control what you did on your computer, they would not
prompt you at all or give you the power to run programs with admin power.
You would simply be told what you are and are not allowed to do. .

<snip>


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

Hello,

Mr. Brush,

I totally understand the reasoning for the new permissions design and
personally think it's a great idea. The user is the most dangerous part of
the system!

UAC is designed to empower the administrative user, not control them...

I do have a question. One of our programs uses an add in application that
creates a virtual lock, simulating a VPN connection. This install is
automatic and does not prompt for permission. Vista blocks this
installation.
There isn't a way to save this to a system because it does not give the
chance. The "guys in the sky" are working on upgrading the program;
however,
that could take up to two months (usually more). In the mean time the guys
out in the field are helpless. Which means money out of pockets. Being the
IT
GOTO, I feel the heat from both directions.Is there a work around?

How is the install automatic?

The easiest solution, assuming "the people in the fields" are installing the
software by hand and not by automated means, would be to have the IT
technicians run whatever .exe that does the updating "as administrator" (by
right-clicking it and clicking run as administrator).

For example, if the update is done inside of Internet Explorer, then run IE
as admin.

I really cannot offer any other solutions without knowing more about how the
install works (how is it being deployed? is it MSI? etc)

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

There is nothing to right click. When the user punches in his/her password
the bowser loads the secure page. The program automatically loads the first
time the page is opened on the system. There is nothing to click or view
before it loads. It's almost scripted the same as an activeX control with the
execption of it being an actual program.

 

[Jimmy Brush]

Is the user logged in as an administrator?

If so, you can set the browser (I'm assuming your program is started from
the browser) to run via task scheduler with highest privilege, which will
make it have admin privs when it starts up. This is as opposed to however it
is starting automatically now.

This will not work correctly if the user is not an admin.

A better temporary solution would be to create a manifest for your
application and deploy it with your application, that will make it ask for
admin permission from the user whenever it starts.

The IT people could create this manifest themselves if the app is already
deployed.

A manifest file takes the following name, and must be in the same location
as the file it goes with:

yourprogram.exe.manifest

(where yourprogram.exe is the filename of the program the manifest is for).

The manifest file would contain the following data to have it always prompt
for admin permission:




<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

<assemblyIdentity
version="5.1.0.0"
processorArchitecture="x86"
name="PROJECTNAMEHERE"
type="win32"
/>
<description>Unknown</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="false"
/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>






--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

I should add,

Since you mentioned that the program is downloaded automatically from the
browser... if you know for certain what the program executable will be named
and where it will be stored when the browser downloads it, the manifest file
can be created for that file and put in that location before the program is
downloaded.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Paul Randall]

... I understand that you are having issues because of this change because
you are using older programs that do not know how to ask for your
permission; however, these issues will go away as programs are made that
work with Windows Vista, and the fix for these programs is really simple
(right-click them and click run as administrator for short-term; for long
term, right-click, click properties, click compatability tab, and tell it
to always run as administrator).

How would I do this for VBScripts which must be run by CScript?
I'm running Microsoft's WMIDiag.vbs, and some of the WMI namespaces belong
to a user who was deleted as part of the initial boot process of a
preinstalled Vista Home Basic system (I think). Output of WMIDiag gives me
errors like:
(1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!

-Paul Randall

 

[Jimmy Brush]

Hello,

I replied to your original thread, but apparently it didn't propogate to the
nntp server for some reason ...

Programs that don't prompt (like cscript in this case) receive a filtered
version of the user's administrator token, which in effect gives that
program only standard user rights. I believe this is what is causing your
errors.

You need to start cscript with admin power. To do this, open a command
prompt that you have run-as-administrator'd, and then run cscript with the
propper arguments to start your script. This will cause cscript to run with
the full administrator token, and it should work correctly.

More info on UAC:

http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx
http://technet.microsoft.com/en-us/windowsvista/aa905108.aspx
http://blogs.msdn.com/uac/

Here's my original message:

Hello,

This is due to the new security feature of Windows Vista that Tom referred
to (UAC).

He explained how to turn it off, but he didn't explain what it does, what
benefits it gives you, or how to do what you were trying to do with UAC
turned on .

Quick solution: Right-click command prompt, click run as administrator, then
start your vbs script, and it will work fine.

Now on to the explanation of what's going on ...

Very simply, UAC draws a line on your computer between administrative
programs and non-administrative programs.

UAC then enforces a single rule: Programs must have your permission in order
to have administrative power.

This gives you the following benefits:

- Programs that don't need admin power, don't have it (why give someone the
keys to your car if they will never drive it)

- Any program that wants full control over your computer must ask you for
permission, or you must explicitly start it with admin power by
right-clicking it and clicking Run As Administrator

Specifically, this protects you from programs that:

- Would try to perform administrative operations without your knowledge or
consent

- Would try to be sneaky and start an administrative program without your
knowledge/consent to bypass restrictions ("Hey I didn't start format.exe, I
don't want it to run!")

- Would try to abuse/exploit a currently running administrative program in
order to take control over your computer

So, here's how to successfully use Vista when logged in as an administrator
with UAC turned on:

Just remember that if you are starting a program or performing an action and
it doesn't prompt, then it will not have administrative control over your
computer.

- When running command-line programs: You will need to run administrative
command-line programs from an administrative command prompt (right-click
command prompt and click Run As Administrator)

- When running a Vista-compatible program: You don't have to do anything
special, these programs will prompt you automatically if they want admin
access to your computer

- When running old programs not designed for Vista: If these programs needs
admin access to your computer, right-click them and click Run As
Administrator. If you use it a lot, right-click the program, click
properties, click compatability, and put a check next to always run as
administrator. This will cause the program to automatically prompt every
time it is run.

Turning off UAC takes this extra control away from you and makes things work
like Windows XP, where any program that happens to run on your computer can
do anything it wants to your computer.

Also, turning off UAC disables Internet Explorer protected mode, because it
uses UAC's seperation-of-privilege in order to work.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

Great advice if the option to always run as adminstrator was available to
check - its greyed out even though I'm the administartor. Whats the work
around in this case ?

 

[Jimmy Brush]

If you are not referring to a shortcut, make a shortcut to the program and
follow the steps below:

Otherwise (it is a shortcut), follow these steps:

- Right-click the shortcut
- Click Properties
- Click "Advanced..." button
- Check "Run as administrator"
- Click OK
- Click OK


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

This reply is completely arrogant. A person is locked out of their home and
you tell them about the importance of security. Vista is a bad joke in my
opinion. I just installed software I wrote and minutes later I find I cannot
uninstall it.

g

 

[Kenard Booker]

I bought a laptop with vista basic on it used it for about a week. Now it
tells me access denied to my hard drive. Can't save anything and can't
delete anything. Any help?

 

[sholland]

I have a similar problem.

I am trying to install an anti-virus/anti-spyware that Rutgers requires
on my daughters toshiba laptop.

The downloaded app that does the install tries to save a file to
C:\Windows\TMP directory, this fails because this directory has
been marked as read only. The app does not give a choice on
where to write this file.

I use the file manager to get to the directory, select it and do a properties
on it. I says it is read only, I turn off read only and apply.

I go back and look at it and lo and behold, it is read only again.
Vista does not want to allow this directory to allow writing although
I am told this directory should be writable.

My daughter also tells me she was in the file manager and may have accidently
move a file - doesn't know what it was.

Is there any file system integrity checker in vista (like scf in xp) or
anything
else that will solve my problem?

Scott Holland
(e-mail address removed) (better)
(e-mail address removed)

 

[Ronnie Vernon MVP]

Scott

Have you tried right clicking the installation file and selecting the 'Run
as administrator' option? This will usually fix the problem.