Ash
Hi All,
We have an application that writes to Windows registry and
some files. Both of these (that is, registry and files)
require the software to impersonate as a highly privileged
user (i.e. Administrator) to write to them.
However, with the addition of "Impersonate a client after
authentication" (SeImpersonatePrivilege) user right in
Windows 2000 SP4, the software may not be able to
impersonate if it is running under a normal user account.
This can be a real hassle as Administrators would need to
change policies during installation to allow software to
run under normal user account.
A solution to this problem could be to have a service
running in the background, which would spawn a thread that
allows the software to write to registry/files through
this thread. As a service can run with higher privileges,
writing to registry/files would not be a problem. HOWEVER,
communication between this thread and the rest of the software
is a complicated one as they will be two different
processes that need to communicate to each other. Is there
a solution to this problem? I am thinking that the service
could be written in .NET and the rest of the software can act
as COM client. Is there an easier way of doing this?
Apart from using a service, in general, is there any other
way to impersonate without requiring administrators to
modify user policies?
Any help would be greatly appreciated.
Thanks,
Ash