How to succeed at running Windows Vista with UAP enabled on 5270

Ok, so yesterday I vented a little bit of my frustration with people disabling UAP, but I think some of the reason that so many people are disabling it is because they simply don’t know how to accomplish some of the things that they used to be able to do in Windows XP.

 

So today, I am going to cover some ways that you can accomplish some of those everyday tasks, and hopefully those of you that have turned UAP off will give it another go.

 

 

Application installations

So the first thing that you will probably hit when setting up a new Windows Vista computer is that you want to install an application. Unless you have manually changed it, the built-in Administrator account is still there and has no password. During the build process (setting up the machine and installing applications) you probably should sign on with that. Afterwards, when you want to install or upgrade an application, most applications will provide you with a consent dialog to allow the install to proceed, and for the most part these work. In fact, if they don’t work, you should submit a bug, because Microsoft is trying to automatically identify most installers and prompt for elevation when they try to start. If the install does not succeed (like Visual Studio 2005) then there are several ways to attempt the install.

 

Running an elevated command prompt

One of the easiest ways to perform installs without logging off is to elevate a command prompt to your full admin token. (See Jerry’s UAC token post for more info). There are several ways to do this.

 

1.)    Click and browse to Start | All Programs | Accessories. Right click on the Command Prompt and select “Run Elevated”. If you are running as a Protected Admin (an account that is in the Administrators group) it should simply ask you to permit or deny this. That dialog box is also known as ConsentUI. If you are running as a regular user (or LUA user) then you’ll get a dialog asking for full credentials. Note: The advantage of this one over the next option is that it will accept a blank password, which is what the built-in administrator account is set to by default.

2.)    Click Start and type cmd.exe in the “Start Search” box. This will launch a cmd.exe window.  Type “Runas /u:[domain or machine\user] cmd.exe”.  This will launch a second command window with a full admin token.

 

Start your installation from the resulting command prompt. If neither of those is successful at installing your application, then try logging on with the built-in administrator account.  This account is special and does not have the UAP restrictions.

 

Running as the built-in administrator

Some application installers are so poorly written that they need to be installed by the actual built-in administrator account.  This is not the account you created during setup (that account is a “protected admin”) but the built-in administrator account.  This account is named “administrator” and, unless you changed it, the password is blank: not the word blank, but no value at all.

 

1.)    At the logon screen replace the user with “Administrator” and leave the password field blank (unless you changed it). Press enter. Install application.  Log off and back on with your normal account.

 

If you find an application that fits into this category then be sure to bug it as you shouldn’t need to do this.

 

Common Admin Tasks

 

Ok, so application installs are only part of the battle. The real test of being able to live with UAP enabled is to be able to do all the functions you commonly perform during your work day with minimal disruption. Most people will find that they can work fine with the non-admin token after their computer is set up initially.

 

The Administrative tools and Control panel applets tend to be the most used in day-to-day administration. So let’s look at a couple of ways to elevate these tools.

 

Elevating from the start menu

 

Probably the easiest way to elevate something that you run repeatedly is to change the properties on the shortcut that launches the program, or to create a new one for the program and tell it to “Run as administrator” (this is a checkbox on the compatibility tab of the shortcut properties dialog – near the bottom).

           

Right click on the shortcut you wish to elevate.  Select Properties. From the Compatibility tab check the Run as administrator check box.

 

For one-time operations, or things that you don’t want to always be elevated, you can simply do this by:

 

Right clicking the program or menu item and selecting the “Run Elevated” or “Run As” option. 

 

Some of the Control panel applets now have support for right clicking them and running with alternate credentials, but not all.  If for example you wanted to launch the Windows Update control panel applet with alternate credentials you would not be able to do so using this method.

 

Elevating Admin tools from a command prompt

First we need to get an elevated command prompt. We already covered how to elevate a command prompt, so I won’t cover that again.  If you missed it look above.  Now from that elevated command prompt you can do just about anything. (Once you know how.)

 

Control panel applets are probably the most common things that you will need to elevate, so let’s start with them. The key to launching control panel applets is as simple as knowing the name of the CPL.  Below are just some of the control panel applets.  For a full list you can do a dir at windows\system32 for “*.cpl”.

 

Common Control Panel applets

System Properties – sysdm.cpl

Windows Firewall – firewall.cpl

Network Connections – ncpa.cpl

Add Hardware Wizard – hdwwiz.cpl

Power Options – powercfg.cpl

Security Center – wscui.cpl

 

To start these from a command prompt just enter the CPL file name (like firewall.cpl; Windows knows how to execute CPL files).
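A CPL launched from an elevated prompt runs its code with the full admin token, so it is worth confirming both that the shell really is elevated and what each applet file is before starting it. The script below is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later is installed, which the post itself (written around cmd.exe) does not use.

```powershell
# Added example (not from the original post).
# 1) Report whether this shell holds the full admin token or the filtered one.
# 2) Inventory the Control Panel applets in System32 with description and
#    Authenticode status, so you know what you are about to run elevated.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

if ($principal.IsInRole($adminRole)) {
    Write-Output "Elevated: running as $($identity.Name) with the full admin token."
} else {
    Write-Warning "Not elevated: $($identity.Name) is using the filtered token."
}

# Only look in the system directory; a .cpl found elsewhere deserves scrutiny.
$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $system32 -Filter '*.cpl' |
    Sort-Object Name |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Applet      = $_.Name
            Description = $_.VersionInfo.FileDescription
            # Status is whatever this system can verify; anything other than
            # Valid is a reason to look closer, not proof of tampering.
            Signature   = $sig.Status
            Signer      = if ($sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else {
                              ''
                          }
        }
    } |
    Format-Table -AutoSize
```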

 

The second most common action is probably MMC snap-ins or MSCs.  The key to launching any of these is to launch MMC.exe from the elevated command prompt first. Now, with MMC elevated, you will be able to launch any of the snap-ins from within it by selecting File | Add/Remove Snap-in.

 

 

Hopefully these small tips are enough to get you started down the road of using a Windows Vista machine with UAC/UAP enabled.  If you run into something that these do not cover let me know…


Posted Dec 23 2005, 05:36 PM by Josh Phillips

Comments

baliktad wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 12-28-2005 5:18 PM
All I want to know is why. Why should I leave UAP/UAC/LUA on in Windows Vista? Windows XP has a very clear, defined security model where the following is always true:

user = user
admin = admin

Vista with its bizarre elevation and demotion of privileges just smells to me like another layer of obfuscation. If software engineering has taught us anything, it's that complex designs tend to break easily. Try running as a limited user on XP (cf. Aaron Margosis' blog for helpful hints). It can be done with minimum effort. So why should I add an additional layer of complexity upon this clearly defined, functional user privilege model?
Josh Phillips wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 12-28-2005 6:33 PM
There is a really good reason for it, and that is application compatibility. There is a lot of software on the market that can not and will not run as a limited user.

Windows Vista would have a very poor adoption rate if MS were to ship an OS that most of the software on the market wouldn't run on.

And so to make it more secure and to allow things to continue to run they have come up with UAC.

baliktad wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 01-03-2006 1:12 AM
I'm not convinced. Poorly written applications are just that, and it's not the OS's job to cover for them. Run your 'LUA-incompatible' app as a limited user on XP. Regmon and filemon will identify nearly everything that's failing (hint: most stuff works just fine as is), and necessary permissions can be adjusted accordingly. Microsoft would do better to invest efforts into clearly identifying those failures than decimating the current user privilege model in favor of a complex scaffolding of incomprehensible privilege shifts and object virtualization.
Josh Phillips wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 01-03-2006 10:12 AM
The problem is that there is no financial incentive for software vendors to revisit old code and update it to be LUA compliant. So who is going to update the code? Users don't want to have to pay for a new version either, because they just spent a bunch on a new OS. It is a tough problem, and they are doing what they can to make it succeed.
DennisQ wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 01-08-2006 9:34 PM
How do you login as the actual "Administrator" account if you don't have the machine on a domain? I don't get a user/password field on the login screen, just the user accounts present on the machine.
Josh Phillips wrote re: How to succeed at running Windows Vista with UAP enabled on 5270
on 01-09-2006 7:22 AM
Dennis,

Please post your support question to our forums under Vista Support.

located here

http://windowsconnected.com/forums/55/ShowForum.aspx

