5

I have an application I support which requires permission to read and write to the Registry and also create files on disk and CD-ROM.

I would like to run the computers using a limited user so nothing else can be installed or written to the Registry without my knowledge but without having Windows asking for a password everytime the program needs Registry access.

Can I set up a limited user, such that a program or a folder has permission to do anything it wants to do? I trust this program completely as I know the people who coded it.

Doktoro Reichard
  • 5,440
GMWKAM
  • 51

3 Answers3

4

Permissions are normally assigned to user accounts or groups. As such, the standard way to accomplish this is to assign permissions to the relevant registry keys and folders (and ensure that the relevant policy configuration isn't preventing users from writing to CD).

CD permissions may be particularly sticky if they're not working and everything appears configured. If you're using UDF CDs (also called packet written CDs) you may experience issues. Support for that is a bit flaky, IMX, even though that's how drag & drop burning works under Win7. Nero BurnRights used to be a program that would handle that, but that should only be necessary on Windows 2000 since, by default, standard users in Windows XP and later have permission to write to removable media. It really depends on how the program is trying to write to the CD.

The only alternative to this is to use Microsoft's toolkit for making applications that aren't well-behaved with modern OS security continue to function: The Application Compatibility Toolkit. This will allow you to make an older application behave as though it were running with higher privileges than the user would normally have, but it's very complicated and (if my coworker can be believed) very painful to set up. You're essentially configuring a shim program that runs between the application and the OS, and it has to know everything that the program was going to be doing. You should only consider this option if you have a lot of time and a very deep need and you cannot use NTFS and registry permissions to accomplish the same thing.

Bacon Bits
  • 6,615
3

Use sysinternals ProcMon.exe to find the registry hierarchies and filesystem hierarchies it needs to work. Then set the relevant registry and NTFS permissions to give least privilege to the limited user.

When the set of least privileges is found for this app to work, make sure your buddy "programmers" narrow their footprint in the code itself. That way, a new version would run as a limited user without exposing yoyr atrack surface.

rjt
  • 1,016
-3

If a "limited user" can do something that requires administrative privileges, then the account is not limited. You contradict yourself. No one can have their cake and eat it too.

kreemoweet
  • 4,663
  • -1. The question is asking for the Windows equivalent of creating a setuid program. – Scott - Слава Україні Jul 12 '14 at 01:59
  • @Scott it does not really need setuid equivalent, the user would need to added to the cdrom group though. – rjt Jul 12 '14 at 06:11
  • Kreemoweet, he is not asking for that nor is it needed. He needs to find the least set of privileges that allow the program to work. – rjt Jul 12 '14 at 06:14
  • The question says, “I have an application … which requires (access) to the Registry and also …”, and, “I would like to run the computers using a limited user so nothing else can be installed or written to the Registry without my knowledge …”, and, “Can I set up a limited user, such that *a program* … has permission to do anything it wants to do?” (emphasis added). So, he might settle for a solution that requires giving the users sufficient privilege to run the program, but he *wants* to give the users no Registry access, and give the power/permission only to his program. – Scott - Слава Україні Jul 13 '14 at 00:27