VikasAgr

While testing my application through Standard User Analyzer tool on Windows Server 2003 platform, I got these following errors(stop code mentioned):

1) Access was restricted to trusted user only.

RemoveDirectoryA: Directory (\Device\HarddiskVolume1\Program Files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32) only grants requested 'DELETE' to 'NT SERVICE\TrustedInstaller, NT AUTHORITY\SYSTEM, BUILTIN\Administrators'


StopCode: 0x331B

2) The application called a Writeprofile API with LUA issue

Ini: WritePrivateProfileStringA called with Ini file 'C:\Program Files\InstallShield Installation Information\{75D956F1-EF1D-4917-A082-1B97ABBF3DF1}\setup.ini', Section 'Startup', Key 'AllUsers'

StopCode: 0x3328

3) The application performed a hard application check Called CheckTokenMembership against trusted entity 'BUILTIN\Administrators' (present)

StopCode:0x3326

4) Requested a security-relevant privilege Privs: Requested SeAuditPrivilege (the "Generate security audits" privilege) with NtAdjustPrivilegesToken successfully

StopCode:0x330F

5)The application was denied access to an object. OpenFileMappingW: Section (Global\RotHintTable) is denied 'SECTION_MAP_READ' access with error 0x5.

StopCode: 0x332D

These are the errors which I contardict number of times in the same application , all having some other key or API as its victim.

I had also read some previous posts on the same problems , but then too I m not satisfied with the discussion held there.(http://forums.microsoft.com/MSDN/ShowPost.aspx PostID=1035667&SiteID=1) I want to know the solution of WRP issue other than redesigning of the application......and that too how that a developer can perform

Thanks for the help in advance.

Vikas




Re: Application Compatibility for Windows Vista SUA Errors on certain Application(C++ based)

Oliver Lundt - MSFT

Are you monitoring your setup.exe or your installed app with SUA

I assume the latter, but want to make sure.

SUA is designed to log potential Standard User violations for UAC. So not everything is a WRP issue and everything logged is necessarily "bad".

Regarding #1, #2
I think you will find this a a UAC issue not WRP because it involves Program Files. I say this because the way to check files/folders for WRP is:
http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnlong/html/AppComp.asp
Explorer to check permissions on the file.

  • Open the folder that contains the file whose properties you want to see.
  • Right-click the file whose properties you want to see, and then click Properties.
  • Keys that are WRP will show Trusted Installer with Full Control. SYSTEM, Administrators, and Users will have Read permissions only.

I think you will notice that Admin will have write or full permissions to these locations. If so then it¡¯s UAC not WRP.

Regarding #3) This is totally allowed and not an issue. A hard check for admin rights is allowed and would not get caught as an issue from any instructions I¡¯ve seen.

Regarding #4) Also seems like UAC issue because it¡¯s looking at the ACLs. It also looks like it was able to complete successfully

Regarding #5) This is the only one that makes me think WRP issue because of the traditional WRP message of ¡°Denied Access¡± However in researching this more, openfilemapping calls Createprocess I think the process it¡¯s trying to call is requiring Admin permissions. It was really this quote from MSDN that convinced me that this is UAC: ¡°Starting with Windows Server 2003, Windows XP SP2 and Windows 2000 Server SP4, the creation of a file-mapping object (using CreateFileMapping) from a session other than session zero is a privileged operation.¡±

Also Programatically you can use the SfcIsKeyProtected API to check for WRP, but I think all these listed here are either UAC or can be ignored(#3 for example)

To deal with the UAC issues you will either need to elevate your app, use other resources that are for standard user access, or redesign the app interact with other processes that are elevated. This is why I asked my very first question.... If you used SUA with your setup.exe then you are already elevated and thes issues shouldn't be an issue. If you are running into this with your installed application then you will need modify your app so it can run in a standard user context.

Post back if you have more questions on this.






Re: Application Compatibility for Windows Vista SUA Errors on certain Application(C++ based)

VikasAgr

Hi Oliver!!

I agree that most of the issues are of UAC , but I m using SUA on my setup.exe with elavated option on ,then too SUA is listing these issues. You have mentioned about using some other resources to deal with UAC issue , please provide some detail information on that.

About redesiging the application , where one has to make changes to escape from the issues of UAC , please provide information on this too.

Vikas.






Re: Application Compatibility for Windows Vista SUA Errors on certain Application(C++ based)

Oliver Lundt - MSFT

Your setup.exe is elevated and that is one way to mitigate UAC issues. It's not a good idea to elevate your process unless it really needs to. However a setup.exe will need to because anywhere it installs to will require admin privileges most likely. Although elevated you will still get see the UAC issues in SUA. SUA doesn't really look at your process elevation, but just looks at what it's accessing and if admin permissions would be required.

Based on these logs I don't think you need to redesign your setup.exe unless it is crashing You only need to worry about WRP for your setup.exe. For your main application you need to worry about WRP and UAC for your application. The reason for this is setup.exe runs as admin and admin isn't a standard user that will have a problem with user access control. On the other hand the installed application runs as standard user and will have problems with user access control.

To detect WRP errors for your setup.exe it's best to use appverifier, follow the instructions on this forum posting and look at the example form postings on how to evaluate the logs: http://forums.microsoft.com/MSDN/ShowPost.aspx PostID=1024986&SiteID=1

For examples on how to design your installed application for UAC try the application compatibility cookbook.

Sorry about the bolding. I pasted from word and for some reason, it pasted as bold and the editor isn't letting me remove it. I'm to lazy to fight it today :)






Re: Application Compatibility for Windows Vista SUA Errors on certain Application(C++ based)

VikasAgr

Hi Oliver!!!

Best Wishes for the New Year ahead.

I got your reply , but still not sure how to remove UAC errors completely as I had already tried on running my application as an administrator and using the manifest file too. Can you please provide me some steps to deal with it.

I m also getting this new issue , please detail me about this also.

Isuue is

1) Object opened created in restricted namespace.

CreateFileMappingW: Section 'Global\Cor_Private_IPCBlock_5712' is in restricted namespace (Global\)

stopcode : 0x3306.

Thanks,

Vikas






Re: Application Compatibility for Windows Vista SUA Errors on certain Application(C++ based)

Keith Hill

I'm seeing the same issue when running SUA on a .NET console app except that the IPCBlock is 2660 and I get warnings for a Global\Cor_Public_IPCBlock_2660 also.