6

Not as stupid as it sounds ;)

I have a third party app that I have no source for. Official support is for XP and higher - but higher only with UAC off. Which I do not want.

Now, I know the programmers and they are willing to make a change if it is not too much work and I can tell them WHAT Needs to be done.

I know that the app, which starts multiple executables, does not get network connection when I start it without elevated priviledges - but it seems no port that is open is in the loer range (as per netstat -b

Is there any guideline on trying to find out WHY an app needs elevated priviledges? THe applicaiton is business critical - and this currently subverts secutiry as users must be local admins. If anyone has an idea - once I find the reason I am sure I can get the vendor implement a change.

MDMoore313
  • 5,531
  • 6
  • 34
  • 73
TomTom
  • 50,857
  • 7
  • 52
  • 134
  • I wonder if the SO folks would know quicker? Can the programmers not step through/debug the app and look for when the app gets a deny as a standard user? – TheCleaner Feb 05 '14 at 14:03
  • The problem is that I dont ahve source, so I am totally looking at it from an admin point. This is a totaly user level app, so it MUST be something trivial like a port number or something like that. Not even sure. SO may be an idea, but they will assume control over the app. – TomTom Feb 05 '14 at 14:11
  • 1
    I was stating you said you know the 3rd party app's programmers, so I'm wondering why they can't debug on their end and say why the app needs elevated rights. The SO part was to see if they had any tools up their sleeves that could run in conjunction with the app running like an SDK tool that would show what calls the app was making and when it failed as a normal user...possibly? – TheCleaner Feb 05 '14 at 14:18
  • @TheCleaner: Absolutely. The fact they need an end user to tell them what their app requires to play nice with a modern OS doesn't exactly inspire confidence in the quality of the product. – Sven Feb 05 '14 at 14:59
  • @SvW Let me be diplomatic once and say that those assumptions have more points that are backing them up. But things are as they are and that is THE business critical application for more than half of the people working for me and I just want to try to get that solved. If it were to me I would take a FIX interface into their backend any day and write my own frontend. – TomTom Feb 05 '14 at 15:06
  • 1
    Elevated privileges could be required if the application has to write in some protected locations, such as `Program Files` or `Windows` folder, or `[HKLM]` registry key. Maybe this tool could help you to figure out what the app actually does when it runs : http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx – krisFR Feb 05 '14 at 16:38
  • File and registry virtualisation should mean that trying to write protected locations shouldn't be a game-ender - http://msdn.microsoft.com/en-us/library/windows/desktop/aa965884%28v=vs.85%29.aspx – BlueCompute Feb 05 '14 at 16:43

2 Answers2

6

As per one of the comments, your best bet is likely to be using Sysinternals' Process Monitor to see what is being tried and failing due UAC.

Download Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Run process monitor, run your borked, obsolete, badly coded app, go to process monitor > filter > if Process Name is <borkedapp> then Include and if Result is Success then Exclude which should give you a mere few thousand entries to scan for the bit that is failing.

Alternatively there is a tool linked below (I have not tried it) that will help you compare process monitor traces so you can take a trace running as standard user and another running elevated and compare them.

http://forum.sysinternals.com/tool-for-comparing-procmon-traces_topic28870.html

https://github.com/patraulea/LogDiff

BlueCompute
  • 2,924
  • 2
  • 18
  • 28
5

tIn addition to Blue's answer, there are tools for migrating applications to Windows 7. Even though your app says it's Windows 7 compatible, running it through this ringer would tell you what is needed for your app to correctly function with UAC on. You may even be able to create a 'shim' which modifies certain settings when your app runs. I believe the tool is called the Standard User Analyzer http://technet.microsoft.com/en-us/library/cc766021(v=ws.10).aspx.

I'll also add that a lot of the times the elevated privileges can be avoided by granting the appropriate permissions, i.e., giving the user modify rights to the C:\Program Files\ folder and subfolders.

MDMoore313
  • 5,531
  • 6
  • 34
  • 73