Permitting a specific exe to run in standard user mode.

I hope that there is a way that this can be achieved...

New vista home premium pc. Me as administrator, son (4 yrs old) as
standard user.

One of his games (Mr Men) needed my password to install it (which is
fine) but still requires my password every time he runs it. A major
major pain.

There is a specific executable that needs approval.

How can I set the permissions on this executable so that it will run
under a standard user?

If not are there any workarounds?

Thanks in advance

Phil Roberts

Hello Phil,
Try creating a shortcut to the Game.
Then right-click the shortcut and choose properties.
Choose the shortcut tab and then the Advanced Button
Try selecting the run as administrator option.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|>Date: Sat, 17 Feb 2007 22:11:26 +0000
|>From: Philip Roberts <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
|>User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
|>MIME-Version: 1.0
|>Subject: Permitting a specific exe to run in standard user mode.
|>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
|>Content-Transfer-Encoding: 7bit
|>Message-ID: <#aHGSCuUHHA.192@TK2MSFTNGP04.phx.gbl>
|>Newsgroups: microsoft.public.windows.vista.security
|>NNTP-Posting-Host: keaneroberts.demon.co.uk 83.104.171.225
|>Lines: 1
|>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
|>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.vista.security:1863
|>X-Tomcat-NG: microsoft.public.windows.vista.security
|>
|>I hope that there is a way that this can be achieved...
|>
|>New vista home premium pc. Me as administrator, son (4 yrs old) as
|>standard user.
|>
|>One of his games (Mr Men) needed my password to install it (which is
|>fine) but still requires my password every time he runs it. A major
|>major pain.
|>
|>There is a specific executable that needs approval.
|>
|>How can I set the permissions on this executable so that it will run
|>under a standard user?
|>
|>If not are there any workarounds?
|>
|>Thanks in advance
|>
|>Phil Roberts
|>

"Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk> wrote

>I hope that there is a way that this can be achieved...
>
> New vista home premium pc. Me as administrator, son (4 yrs old) as
> standard user.
>
> One of his games (Mr Men) needed my password to install it (which is fine)
> but still requires my password every time he runs it. A major major pain.
>
> There is a specific executable that needs approval.
>
> How can I set the permissions on this executable so that it will run under
> a standard user?

The game is not coded properly for Vista. It is asking to run in an
administrator context, hence the request for elevation. From the standard
user account that means supplying an account name and password. Were you to
run it from your administrator account it would still ask for permission for
the elevation. There is no way around this. The options are supply the
account name and password, turn off UAC (not a good idea) or see if the
program author has a new, Vista aware version.

--
Rock [MS-MVP User/Shell]

Thanks for the info

The game (an educational title for 4 to 6 year olds) probably isn't even
coded properly for XP.

The chances of the publisher doing an update are less than zero.

So as I understand it, in the real world, my only options are:

1. Upgrade my 4 year old to an administrator account and teach him a
password (different to mine) then he can authorise the prgrammme (and
anything else he wants)
2. Leave things as they are and type a password in every few minutes
when he wants to change from program a to program b. - A right royal
pain in the backside and not good for stress levels in the family.
3. Disable UAC - impact is probably same as 1 above in terms of security
but gets rid of the annoying prompts.

I understand the concept of UAC but question whether sufficient
usability testing was done for the impact on legacy programs which are
huge in the (cash short) educational sector.

If any MVP's have an influence on what happens in Service Pack 1, please
try to get a workaround for this issue - It has to be safer for
specific applications to be authorised to 'run silently' (even if there
are an appropriately large number of hoops to jump through to enable
this) than to drive the users to disable UAC.

Regards

Phil

Rock wrote:
> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk> wrote
>
>> I hope that there is a way that this can be achieved...
>>
>> New vista home premium pc. Me as administrator, son (4 yrs old) as
>> standard user.
>>
>> One of his games (Mr Men) needed my password to install it (which is
>> fine) but still requires my password every time he runs it. A major
>> major pain.
>>
>> There is a specific executable that needs approval.
>>
>> How can I set the permissions on this executable so that it will run
>> under a standard user?
>
> The game is not coded properly for Vista. It is asking to run in an
> administrator context, hence the request for elevation. From the
> standard user account that means supplying an account name and
> password. Were you to run it from your administrator account it would
> still ask for permission for the elevation. There is no way around
> this. The options are supply the account name and password, turn off
> UAC (not a good idea) or see if the program author has a new, Vista
> aware version.
>

Thanks for the idea, it part works.

When I am logged in as an administrator I get prompted to say I've run
the program before and I trust it - which is fine.

When I run the program as my son I get the "an unidentified program
wants access to your computer" message and have to enter an
administrator password to continue.

Does anyone know a way of making this program 'idenitified'?

Regards

Phil



Darrell Gorter[MSFT] wrote:
> Hello Phil,
> Try creating a shortcut to the Game.
> Then right-click the shortcut and choose properties.
> Choose the shortcut tab and then the Advanced Button
> Try selecting the run as administrator option.
> Thanks,
> Darrell Gorter[MSFT]
>
> This posting is provided "AS IS" with no warranties, and confers no rights
> --------------------
> |>Date: Sat, 17 Feb 2007 22:11:26 +0000
> |>From: Philip Roberts <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
> |>User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
> |>MIME-Version: 1.0
> |>Subject: Permitting a specific exe to run in standard user mode.
> |>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> |>Content-Transfer-Encoding: 7bit
> |>Message-ID: <#aHGSCuUHHA.192@TK2MSFTNGP04.phx.gbl>
> |>Newsgroups: microsoft.public.windows.vista.security
> |>NNTP-Posting-Host: keaneroberts.demon.co.uk 83.104.171.225
> |>Lines: 1
> |>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
> |>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.vista.security:1863
> |>X-Tomcat-NG: microsoft.public.windows.vista.security
> |>
> |>I hope that there is a way that this can be achieved...
> |>
> |>New vista home premium pc. Me as administrator, son (4 yrs old) as
> |>standard user.
> |>
> |>One of his games (Mr Men) needed my password to install it (which is
> |>fine) but still requires my password every time he runs it. A major
> |>major pain.
> |>
> |>There is a specific executable that needs approval.
> |>
> |>How can I set the permissions on this executable so that it will run
> |>under a standard user?
> |>
> |>If not are there any workarounds?
> |>
> |>Thanks in advance
> |>
> |>Phil Roberts
> |>
>

"Philip Roberts" wrote

Responses inline.

> Thanks for the info
>
> The game (an educational title for 4 to 6 year olds) probably isn't even
> coded properly for XP.
>
> The chances of the publisher doing an update are less than zero.
>
> So as I understand it, in the real world, my only options are:
>
> 1. Upgrade my 4 year old to an administrator account and teach him a
> password (different to mine) then he can authorise the prgrammme (and
> anything else he wants)

If he's running in an admin account then once logged in no password is
needed for elevation, just click ok at the elevation request. Of course if
he's conditioned to do that then any malware that tries to run and triggers
this prompt will likely get permission as well.

An admin account is running as a standard user. The difference is when
elevation is requested from an admin account it just takes clicking on Ok,
from a standard user account the user has to specify an admin level account
name and give the password.

> 2. Leave things as they are and type a password in every few minutes when
> he wants to change from program a to program b. - A right royal pain in
> the backside and not good for stress levels in the family.

> 3. Disable UAC - impact is probably same as 1 above in terms of security
> but gets rid of the annoying prompts.

It's worse, becaues then permission is not needed for elevation. Any
nasties can do what they want. As said above an admin account still runs as
a standard user.

> I understand the concept of UAC but question whether sufficient usability
> testing was done for the impact on legacy programs which are huge in the
> (cash short) educational sector.

A huge amount of testing was done on this and during the Beta program many
changes were made to reduce the number of UAC prompts.

> If any MVP's have an influence on what happens in Service Pack 1, please
> try to get a workaround for this issue - It has to be safer for specific
> applications to be authorised to 'run silently' (even if there are an
> appropriately large number of hoops to jump through to enable this) than
> to drive the users to disable UAC.

I have to chuckle here. MVP's don't have any particular influence on MS OS
development. It was the combined input of the thousands of Beta testers
during the TechBeta that resulted in the changes that were made to UAC
reducing the # of promts. It's unknown what changes might be made in SP1.

> Rock wrote:
>> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
>> wrote
>>
>>> I hope that there is a way that this can be achieved...
>>>
>>> New vista home premium pc. Me as administrator, son (4 yrs old) as
>>> standard user.
>>>
>>> One of his games (Mr Men) needed my password to install it (which is
>>> fine) but still requires my password every time he runs it. A major
>>> major pain.
>>>
>>> There is a specific executable that needs approval.
>>>
>>> How can I set the permissions on this executable so that it will run
>>> under a standard user?
>>
>> The game is not coded properly for Vista. It is asking to run in an
>> administrator context, hence the request for elevation. From the
>> standard user account that means supplying an account name and password.
>> Were you to run it from your administrator account it would still ask for
>> permission for the elevation. There is no way around this. The options
>> are supply the account name and password, turn off UAC (not a good idea)
>> or see if the program author has a new, Vista aware version.

--
Rock [MS-MVP User/Shell]

What about setting up a computer for his use that doesn't have internet
access, is set up in XP and runs his games. Image the system, then he can
do all the damage he wants and you restore the image as needed.

"Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk> wrote
> Thanks for the info
>
> The game (an educational title for 4 to 6 year olds) probably isn't even
> coded properly for XP.
>
> The chances of the publisher doing an update are less than zero.
>
> So as I understand it, in the real world, my only options are:
>
> 1. Upgrade my 4 year old to an administrator account and teach him a
> password (different to mine) then he can authorise the prgrammme (and
> anything else he wants)
> 2. Leave things as they are and type a password in every few minutes when
> he wants to change from program a to program b. - A right royal pain in
> the backside and not good for stress levels in the family.
> 3. Disable UAC - impact is probably same as 1 above in terms of security
> but gets rid of the annoying prompts.
>
> I understand the concept of UAC but question whether sufficient usability
> testing was done for the impact on legacy programs which are huge in the
> (cash short) educational sector.
>
> If any MVP's have an influence on what happens in Service Pack 1, please
> try to get a workaround for this issue - It has to be safer for specific
> applications to be authorised to 'run silently' (even if there are an
> appropriately large number of hoops to jump through to enable this) than
> to drive the users to disable UAC.
>
> Regards
>
> Phil
>
> Rock wrote:
>> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
>> wrote
>>
>>> I hope that there is a way that this can be achieved...
>>>
>>> New vista home premium pc. Me as administrator, son (4 yrs old) as
>>> standard user.
>>>
>>> One of his games (Mr Men) needed my password to install it (which is
>>> fine) but still requires my password every time he runs it. A major
>>> major pain.
>>>
>>> There is a specific executable that needs approval.
>>>
>>> How can I set the permissions on this executable so that it will run
>>> under a standard user?
>>
>> The game is not coded properly for Vista. It is asking to run in an
>> administrator context, hence the request for elevation. From the
>> standard user account that means supplying an account name and password.
>> Were you to run it from your administrator account it would still ask for
>> permission for the elevation. There is no way around this. The options
>> are supply the account name and password, turn off UAC (not a good idea)
>> or see if the program author has a new, Vista aware version.

--
Rock [MS-MVP User/Shell]

Thanks

My best option is making him an Admin then

Regards

Phil
Rock wrote:
> "Philip Roberts" wrote
>
> Responses inline.
>
>> Thanks for the info
>>
>> The game (an educational title for 4 to 6 year olds) probably isn't
>> even coded properly for XP.
>>
>> The chances of the publisher doing an update are less than zero.
>>
>> So as I understand it, in the real world, my only options are:
>>
>> 1. Upgrade my 4 year old to an administrator account and teach him a
>> password (different to mine) then he can authorise the prgrammme (and
>> anything else he wants)
>
> If he's running in an admin account then once logged in no password is
> needed for elevation, just click ok at the elevation request. Of course
> if he's conditioned to do that then any malware that tries to run and
> triggers this prompt will likely get permission as well.
>
> An admin account is running as a standard user. The difference is when
> elevation is requested from an admin account it just takes clicking on
> Ok, from a standard user account the user has to specify an admin level
> account name and give the password.
>
>> 2. Leave things as they are and type a password in every few minutes
>> when he wants to change from program a to program b. - A right royal
>> pain in the backside and not good for stress levels in the family.
>
>> 3. Disable UAC - impact is probably same as 1 above in terms of
>> security but gets rid of the annoying prompts.
>
> It's worse, becaues then permission is not needed for elevation. Any
> nasties can do what they want. As said above an admin account still
> runs as a standard user.
>
>> I understand the concept of UAC but question whether sufficient
>> usability testing was done for the impact on legacy programs which are
>> huge in the (cash short) educational sector.
>
> A huge amount of testing was done on this and during the Beta program
> many changes were made to reduce the number of UAC prompts.
>
>> If any MVP's have an influence on what happens in Service Pack 1,
>> please try to get a workaround for this issue - It has to be safer for
>> specific applications to be authorised to 'run silently' (even if
>> there are an appropriately large number of hoops to jump through to
>> enable this) than to drive the users to disable UAC.
>
> I have to chuckle here. MVP's don't have any particular influence on MS
> OS development. It was the combined input of the thousands of Beta
> testers during the TechBeta that resulted in the changes that were made
> to UAC reducing the # of promts. It's unknown what changes might be
> made in SP1.
>
>> Rock wrote:
>>> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
>>> wrote
>>>
>>>> I hope that there is a way that this can be achieved...
>>>>
>>>> New vista home premium pc. Me as administrator, son (4 yrs old) as
>>>> standard user.
>>>>
>>>> One of his games (Mr Men) needed my password to install it (which is
>>>> fine) but still requires my password every time he runs it. A major
>>>> major pain.
>>>>
>>>> There is a specific executable that needs approval.
>>>>
>>>> How can I set the permissions on this executable so that it will run
>>>> under a standard user?
>>>
>>> The game is not coded properly for Vista. It is asking to run in an
>>> administrator context, hence the request for elevation. From the
>>> standard user account that means supplying an account name and
>>> password. Were you to run it from your administrator account it would
>>> still ask for permission for the elevation. There is no way around
>>> this. The options are supply the account name and password, turn off
>>> UAC (not a good idea) or see if the program author has a new, Vista
>>> aware version.
>

Good idea, thanks. It is close to the solution that I intend to implement.

Our internet connection runs through a hardware firewall appliance that
I will configure to allow access to the bbc (so that he can get to the
cbeebies site and nowhere else) - I can disable the restriction
periodically to get any updates etc.

Then I can make his account an administrator and he can authorise his
own games.

Imaging the machine is a good idea, once he has admin rights he could
potentially do other things and I may have to do a restore from time to
time.

Regards

Phil

BTW - if anyone has small kids and hasn't visited the cbeebies website
at the bbc I can higly recommend it.






Rock wrote:
> What about setting up a computer for his use that doesn't have internet
> access, is set up in XP and runs his games. Image the system, then he
> can do all the damage he wants and you restore the image as needed.
>
> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk> wrote
>> Thanks for the info
>>
>> The game (an educational title for 4 to 6 year olds) probably isn't
>> even coded properly for XP.
>>
>> The chances of the publisher doing an update are less than zero.
>>
>> So as I understand it, in the real world, my only options are:
>>
>> 1. Upgrade my 4 year old to an administrator account and teach him a
>> password (different to mine) then he can authorise the prgrammme (and
>> anything else he wants)
>> 2. Leave things as they are and type a password in every few minutes
>> when he wants to change from program a to program b. - A right royal
>> pain in the backside and not good for stress levels in the family.
>> 3. Disable UAC - impact is probably same as 1 above in terms of
>> security but gets rid of the annoying prompts.
>>
>> I understand the concept of UAC but question whether sufficient
>> usability testing was done for the impact on legacy programs which are
>> huge in the (cash short) educational sector.
>>
>> If any MVP's have an influence on what happens in Service Pack 1,
>> please try to get a workaround for this issue - It has to be safer for
>> specific applications to be authorised to 'run silently' (even if
>> there are an appropriately large number of hoops to jump through to
>> enable this) than to drive the users to disable UAC.
>>
>> Regards
>>
>> Phil
>>
>> Rock wrote:
>>> "Philip Roberts" <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
>>> wrote
>>>
>>>> I hope that there is a way that this can be achieved...
>>>>
>>>> New vista home premium pc. Me as administrator, son (4 yrs old) as
>>>> standard user.
>>>>
>>>> One of his games (Mr Men) needed my password to install it (which is
>>>> fine) but still requires my password every time he runs it. A major
>>>> major pain.
>>>>
>>>> There is a specific executable that needs approval.
>>>>
>>>> How can I set the permissions on this executable so that it will run
>>>> under a standard user?
>>>
>>> The game is not coded properly for Vista. It is asking to run in an
>>> administrator context, hence the request for elevation. From the
>>> standard user account that means supplying an account name and
>>> password. Were you to run it from your administrator account it would
>>> still ask for permission for the elevation. There is no way around
>>> this. The options are supply the account name and password, turn off
>>> UAC (not a good idea) or see if the program author has a new, Vista
>>> aware version.
>

On Sun, 18 Feb 2007 08:44:47 +0000, Philip Roberts

>The game (an educational title for 4 to 6 year olds) probably isn't even
>coded properly for XP.

When was it written?

>I understand the concept of UAC but question whether sufficient
>usability testing was done for the impact on legacy programs which are
>huge in the (cash short) educational sector.

Most of the thrust of UAC is to live with legacy-written apps.

>If any MVP's have an influence on what happens in Service Pack 1, please
>try to get a workaround for this issue - It has to be safer for
>specific applications to be authorised to 'run silently' (even if there
>are an appropriately large number of hoops to jump through to enable
>this) than to drive the users to disable UAC.

I don't think so. We've had 5 years of XP, where it was manifestlyy
obvious to programmers that they should write software to work without
needing admin rights, and most of 'em stayed fast asleep at the wheel.

Vista's bending over backwards to cater for these apps, but I think
it's time badly-written apps got Darwin'd off the platform. I think
Vista's currently as far bent for pre-XP-mentality app writing as it
is going to get, and if anything I expect SP1 may tighten things
further, especially if compromises made for such apps get exploited by
malware. Any app that is written since 2003 for 4 year olds that
needs admin rights is long overdue for the thresher.



>--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
>--------------- ---- --- -- - - - -