working with windows 7 UAC

[jftuga]

I have a program what works great in our locked down exam rooms running under XP. We are upgrading to Windows 7 and I need help with UAC. Disabling UAC is not really an option.

(1) The program first checks to see if it is admin via IsAdmin(). If so, it will ask you if you want to launch task manager, command prompt, and explorer. After these are lauched, the program (now running as admin) ends and it never installs any hotkeys.

(2) If not running as admin then install two hotkeys, wait forever for one of them to be pressed.

• Hotkey #1 displays Computer, User, IP Address, etc. No admin required.
• Hotkey #2 asks you for an admin username and password. It will then:

• Execute itself as admin and thus hit the branch listed in (1)
• RunAs( $u, @ComputerName, $p, 1, @AutoItExe, "c:\windows" )

With Windows 7 the program does not run as expected. If I use #RequireAdmin any where in the script, it will ask for UAC username and password (when running as a normal user). If I don't use #RequireAdmin, then the RunAs does not operate as expected. It appears as though the IsAdmin() function is returning false.

How can I fix this? I have attached the script.

Thanks,

-John

[BigDod]

How can I fix this? I have attached the script.

Where is the script?

[AdamUL]

Have a look at this (8. Facts on UAC), this and this All of them will give you the info you need to get your script working. I had a similar issue with a script, and I was able to get it to work. Look at the _IsAdministrator function in the first thread, and if you need to re-execute the script multiple times, set the Registry value ConsentPromptBehaviorAdmin to 0 to prevent UAC Popups. Then set it back to the previous value at the end of the script.

Until I can see the script, there is nothing much else I can help you with.

Adam

[KaFu]

Ah, all three links refer to my posts, that's nice to see , seems like I've become kind of an UAC expert around here ...

[Melba23]

KaFu,

seems like I've become kind of an UAC expert around here

And you are very welcome to be the UAC expert.

From now on we shall point all users posting UAC questions in your direction! Have fun!

M23

[jftuga]

I thought I had attached it to my first post. Here it is.

Also, I will be reading over the links previously posted.

-John

Admin_Popup_v4.au3

Edited February 13, 2012 by jftuga

[AdamUL]

I edited you script, check to see if this works for you.

expandcollapse popup

#cs

Admin_Popup
Show computer information or launch shell when hotkey is pressed
-John Taylor
May-24-2005 (version 1)
Nov-08-2007 (version 2)
May-12-2010 (version 3) [1] commented out GP / regedit functionality   [2] updated RunAs() for AutoIt v3.3.4.0
Jul-28-2010 added crtl-alt-A to start Admin Tools
Feb-10-2012 update for Windows 7 UAC

#ce

If Not StringRegExp(@OSVersion, "_(XP|200(0|3))") And _IsAdministrator() And Not IsAdmin() Then ;Windows Vista+
If ShellExecute(@ScriptFullPath, "", "", "runas") Then
        Exit
    Else
        MsgBox(16 + 262144, "ERROR!", "Script did not get elevated privileges, and cannot run.")
Exit
EndIf
EndIf

#include <GUICONSTANTS.au3>
#include <EditConstants.au3>

#NoTrayIcon
;; #RequireAdmin

Opt("GUIOnEventMode", 1)
Opt("MustDeclareVars", 1)
;~ Opt ("RunErrorsFatal", 0 )

Global $Info_Title = "System Info v4"
Global $Shell_Title = "Run Admin Tools"
Global $UsernameID
Global $PasswordID
Global $Shell_Win
Global $_In_Shell = 0

Global $reg_entry[10][3]
Global $reg_entry_last = 2

$reg_entry[0][0] = "HKCUSoftwarePoliciesMicrosoftWindowsSystem"
$reg_entry[0][1] = "DisableCMD"
$reg_entry[0][2] = ""

$reg_entry[1][0] = "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem"
$reg_entry[1][1] = "DisableTaskMgr"
$reg_entry[1][2] = ""

$reg_entry[2][0] = "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem"
$reg_entry[2][1] = "DisableRegistryTools"
$reg_entry[2][2] = ""

;; These do not work, unless you reboot the machine; therefore, making them useless...
;;
;; Prevent access to drives from My Computer
;$reg_entry[3][0] = "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer"
;$reg_entry[3][1] = "NoViewOnDrive"
;$reg_entry[3][2] = ""             ;0x03ffffff means restrict all drives

; Hide these specified drives from My Computer
;$reg_entry[4][0] = "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer"
;$reg_entry[4][1] = "NoDrives"
;$reg_entry[4][2] = ""             ;0x03ffffff means restrict all drives


HotKeySet("^!~", "OnInfo") ; control alt ~
HotKeySet("^!A", "OnAdminTools") ; control alt A   (not lowercase A)
HotKeySet("+^!{TAB}", "OnAdminTools") ; shift control alt tab

;MsgBox(0,"isadmin()", isadmin())
If IsAdmin() Then
;MsgBox(0,"Info", "isadmin if stmt")
AdminTools()
Exit
EndIf

WaitForever()

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Func _ReduceMemory($i_PID = -1)
If $i_PID <> -1 Then
Local $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $i_PID)
Local $ai_Return = DllCall("psapi.dll", 'int', 'EmptyWorkingSet', 'long', $ai_Handle[0])
DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $ai_Handle[0])
Else
Local $ai_Return = DllCall("psapi.dll", 'int', 'EmptyWorkingSet', 'long', -1)
EndIf
Return $ai_Return[0]
EndFunc   ;==>_ReduceMemory

Func WaitForever()
_ReduceMemory()
While 1
Sleep(500)
WEnd
EndFunc   ;==>WaitForever

Func OnAdminTools()
Local $SubmitID
$_In_Shell = 1

$Shell_Win = GUICreate($Shell_Title, 270, 150)
GUISetState()

GUICtrlCreateLabel("Username:", 10, 30)
$UsernameID = GUICtrlCreateInput("AdminAcct", 65, 30, 120)

GUICtrlCreateLabel("Password:", 10, 60)
$PasswordID = GUICtrlCreateInput("", 65, 60, 120, -1, $ES_PASSWORD)

$SubmitID = GUICtrlCreateButton("OK", 10, 90, 60)
GUICtrlSetOnEvent($SubmitID, "OnSubmit")

GUISetOnEvent($GUI_EVENT_CLOSE, "OnExit")
ControlFocus($Shell_Title, "", $PasswordID)

_ReduceMemory()
While 1 = $_In_Shell
Sleep(1000)
WEnd
EndFunc   ;==>OnAdminTools
#cs
func UnlockPermissions()
local $i, $val, $rv
local $reg_val = 0

for $i=0 to $reg_entry_last
;MsgBox(0,"Dbg", $reg_entry[$i][0] & @CRLF & $reg_entry[$i][1])
$val = -2
$reg_entry[$i][2] = -4
$val = RegRead($reg_entry[$i][0], $reg_entry[$i][1])
$rv = @error
if 0 <> @error then
; error reading reg key
; do not change [$i][2] so that it will not try to get used in LockPermissions()
;MsgBox(0,"error", "RegRead()" &@CRLF& $rv)
continueloop
endif

if StringInstr($reg_entry[$i][0], "Explorer", 0 ) > 0 then
;MsgBox(0,"Explorer", "Match " &$reg_entry[$i][1] )
$reg_val = 3; where 3 = restrict A & B drives only
endif

if $val > -1 then
;MsgBox(0,"val", $val &@CRLF& $reg_val)
$rv = RegWrite($reg_entry[$i][0], $reg_entry[$i][1], "REG_DWORD", $reg_val)
;MsgBox(0,"Unlock()", "RegWrite rv: " & $rv)
if 1 == $rv then
$reg_entry[$i][2] = $val
endif
endif
next
endfunc

func LockPermissions()
local $i

for $i=0 to $reg_entry_last
if -4 <> $reg_entry[$i][2] then
RegWrite($reg_entry[$i][0], $reg_entry[$i][1], "REG_DWORD", $reg_entry[$i][2])
$reg_entry[$i][2] = ""
endif
next
endfunc
#ce

Func RunPrograms()
Local $tmp = ""
Local $wait = 125
Sleep($wait)

;MsgBox(0,"Dbg", "In RunPrograms()")

Run(@ComSpec, "C:")
Sleep($wait)

Run(@SystemDir & "taskmgr.exe")
Sleep($wait)

;Run(@WindowsDir & "regedit.exe")
;sleep($wait)

;$tmp = @SystemDir & "gpedit.msc"
;Run(@ComSpec & " /c " & $tmp, "")
;sleep($wait)

;$tmp = @SystemDir & "sysdm.cpl"
;Run(@ComSpec & " /c " & $tmp, "")
;sleep($wait)

;$tmp = @SystemDir & "rundll32.exe SHELL32.DLL, SHHelpShortcuts_RunDLL PrintersFolder"
;Run(@ComSpec & " /c " & $tmp, "", @SW_MINIMIZE )
;sleep($wait)

$tmp = "C:WINDOWSexplorer.exe C:"
Run(@ComSpec & " /c " & $tmp)
Sleep($wait)

; System Properties
Run("C:\Windows\System32\control.exe sysdm.cpl", "C:\Windows\System32\")
Sleep($wait)

; Desktop Properties: Screen Saver, Display Resolution, etc.
Run("C:\Windows\System32\control.exe desk.cpl", "C:\Windows\System32\")
Sleep($wait)

; Crazy hack to run: explorer.exe c:
Run("C:\Windows\System32\control.exe ncpa.cpl", "C:\Windows\System32\")
Sleep($wait)

; Internet Explorer
$tmp = '"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/'
Run($tmp)
Sleep($wait)
EndFunc   ;==>RunPrograms

Func AdminTools()
Local $rv
;MsgBox(0,"Dbg","In AdminTools()")
;UnlockPermissions()
$rv = MsgBox(4, 'Admin Tools', 'Do you want to run the Admin Tools?')
If $rv == 6 Then
RunPrograms()
EndIf
;LockPermissions()
OnExit()
EndFunc   ;==>AdminTools

Func OnExit()
$_In_Shell = 0
;MsgBox(0,"Debug","starting OnExit()")
GUIDelete($Shell_Win)
_ReduceMemory()
EndFunc   ;==>OnExit

Func OnInfo()
Local $data[25]
Local $i = 0
Local $output = ""

$data[1] = "Computer name: " & @ComputerName
$data[2] = "User name: " & @UserName
$data[3] = "Logon server: " & @LogonServer
$data[4] = "---------------------------------------"
$data[5] = "1st IP: " & @IPAddress1
$data[6] = "2nd IP: " & @IPAddress2
$data[7] = "---------------------------------------"
$data[8] = "OS: " & @OSVersion & "  " & @OSServicePack
$data[9] = "Desktop: " & @DesktopWidth & "x" & @DesktopHeight & " @ " & @DesktopDepth & "bpp"
$data[10] = "AutoIt version: " & @AutoItVersion

For $i = 1 To 10
$output = $output & $data[$i] & @CR
Next

MsgBox(0, $Info_Title, $output, 14)
_ReduceMemory()
EndFunc   ;==>OnInfo

Func OnSubmit()
;MsgBox(0,"Info", "In OnSubmit()")
Local $u, $p, $rv
$u = GUICtrlRead($UsernameID)
$p = GUICtrlRead($PasswordID)

;MsgBox(0,"OnSubmit()", $u & @TAB & $p & @TAB & @AutoItExe)
$rv = RunAs($u, @ComputerName, $p, 1, @AutoItExe, "c:windows")
;MsgBox(0, $rv, @Error & " " & @AutoItExe)

_ReduceMemory()
OnExit()
EndFunc   ;==>OnSubmit

; end of script

; trancexx
; http://www.autoitscript.com/forum/topic/...as-admin/page__view__findpost_
Func _IsAdministrator($sUser = @UserName, $sCompName = ".")
    Local $aCall = DllCall("netapi32.dll", "long", "NetUserGetInfo", "wstr", $sCompName, "wstr", $sUser, "dword", 1, "ptr*", 0)
    If @error Or $aCall[0] Then Return SetError(1, 0, False)
    Local $fPrivAdmin = DllStructGetData(DllStructCreate("ptr;ptr;dword;dword;ptr;ptr;dword;ptr", $aCall[4]), 4) = 2
    DllCall("netapi32.dll", "long", "NetApiBufferFree", "ptr", $aCall[4])
    Return $fPrivAdmin
EndFunc   ;==>_IsAdministrator

There is one issue, the _IsAdministrator function only work for local admin accounts discretely listed, not in AD Security Groups. On our PCs, we use AD Security Groups, so it shows False for me, but my user account is in a security group that is in the local Administrators Group.

Adam

[Blue_Drache]

Why not just #requireadmin and be done with it?

[AdamUL]

If you read the OP, he wanted non admins to be able to run it, as well as admins.

Adam