From: Stefan Kuhr on
Hello everyone

On 4/22/2010 1:04 PM, Jon Potter wrote:
> It must be that. The only other way would be via some sort of whitelist
> and surely Microsoft wouldn't be that stupid?!
>
> "Leo Davidson" <leonudeldavidson(a)googlemail.com> wrote in message
> news:513875d2-a2df-465c-89e7-4a05116e09aa(a)r18g2000yqd.googlegroups.com...
>> On Apr 22, 9:40 am, Stefan Kuhr <kustt...(a)gmx.li> wrote:
>>> without me ever being presented with an elevation prompt, IIRC. It looks
>>> almost as if the elevated install survived the reboot (which is
>>> technically not possible, of course). How does that work?
>>
>> Scheduled Tasks can launch elevated without triggering a UAC prompt
>> (you need admin rights to create such a task), so maybe the first half
>> of the installer schedules the second half to run at the next login.
>>
>> I have not checked that that is what it does, but I think it's one way
>> it could work.
>

Maybe someone else is reading this and is just about to install VS2010
and can tell us if there is such a scheduled task right before the
reboot occurs.

--
S
From: Jonathan de Boyne Pollard on

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<blockquote cite="mid:OVYM$Bt4KHA.1924(a)TK2MSFTNGP06.phx.gbl" type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<p>Scheduled Tasks can launch elevated without triggering a UAC
prompt
(you need admin rights to create such a task), so maybe the first
half of the installer schedules the second half to run at the next
login.
</p>
<p>I have not checked that that is what it does, but I think
it's one
way it could work.
</p>
</blockquote>
<p>It must be that. The only other way would be via some sort of whitelist
and surely Microsoft wouldn't be that stupid?!
</p>
</blockquote>
<p>Untrue. There's at least one other way for a setup program to be
invoked ahead of everything else – under the aegis of the Local System
account, no less – during system initialization: <a
moz-do-not-send="true"
href="http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html#SMSS"><code>SetupExecute</code></a>.
It's not really an appropriate environment for an <em>application</em>
setup program to run in, but it's there. It won't be what's happening
in this case, unless you are seeing the setup program run before you
even log in, but it's one of several ways to do this sort of thing
other than by scheduling tasks. (-:<br>
</p>
</blockquote>
<p>I assumed it was clear from my description that I logged in after
reboot and that the setup automatically continued as an interactively
logged in administrator user with a token that was <em>not</em> a
restricted token. It was not SYSTEM. Probably I should have described
this more precisely.
</p>
</blockquote>
<p>Actually you didn't say anything at all about logging in.
Nevertheless: You've missed the "It won't be what's happening
in this case [...] but it's one of several ways to do this sort of
thing other than by scheduling tasks." part of the sentence. You've also
missed what M. Potter wrote, above. Moreover: You seem to have
forgotten that a process launched under the Local System account with
the TCB privilege can do pretty much anything that it likes, including
creating a full (local) administrator token from whole cloth if it
really wanted to. As I said: There are several ways to do this sort of
thing.<br>
</p>
</body>
</html>
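The two mechanisms discussed in the thread (a logon-triggered scheduled task set to run with highest privileges, and the SetupExecute value that smss.exe runs as Local System during initialization) are both things an administrator can audit on a machine. The snippet below is an added example, not code from any poster in the thread; it assumes the ScheduledTasks module of Windows PowerShell 5.1 or later and uses the Session Manager registry key where SetupExecute and its sibling BootExecute live.

```powershell
# Added audit snippet (not from the thread). Lists what is set up to run
# elevated without a UAC prompt via the two paths discussed above.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module.

# 1. Scheduled tasks triggered at logon that run with "highest privileges".
#    Such a task gets the user's full administrator token at logon, which is
#    how a setup program could "continue" after a reboot with no prompt.
$logonTriggerClass = 'MSFT_TaskLogonTrigger'
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -and
    ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq $logonTriggerClass })
} | ForEach-Object {
    [pscustomobject]@{
        Task   = Join-Path $_.TaskPath $_.TaskName
        RunAs  = $_.Principal.UserId
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

# 2. Programs smss.exe runs as Local System during system initialization,
#    before anyone logs in. SetupExecute is the value named in the thread;
#    BootExecute is the neighbouring value normally holding only autochk.
#    Both are REG_MULTI_SZ, so each entry is listed separately.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
foreach ($name in 'SetupExecute', 'BootExecute') {
    $value = (Get-ItemProperty -Path $smKey -Name $name -ErrorAction SilentlyContinue).$name
    "${name}: " + $(if ($value) { $value -join ' | ' } else { '<empty>' })
}
```

Anything listed under the first heading that is not from a known vendor, or any SetupExecute entry at all on a machine that is not mid-setup, is worth a closer look.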
From: Stefan Kuhr on
Jonathan,

On 4/24/2010 3:07 PM, Jonathan de Boyne Pollard wrote:
>>
>> <snip>
> Actually you didn't say anything at all about logging in. Nevertheless:

That's why I wrote "I assumed it was clear from my description that I
logged in after reboot".



> You've missed the "It won't be what's happening in this case [...] but
> it's one of several ways to do this sort of thing other than by
> scheduling tasks." part of the sentence.

No, I did not at all miss that part, I think I fully understood it. I
did not question it and I did not comment on that. How come you infer
that I missed that?


> You've also missed what M.
> Potter wrote, above.

No, I did not miss that, I fully understood it. How come you infer that
I missed that?


> Moreover: You seem to have forgotten that a
> process launched under the Local System account with the TCB privilege
> can do pretty much anything that it likes, including creating a full
> (local) administrator token from whole cloth if it really wanted to. As
> I said: There are several ways to do this sort of thing.
>

No, I have not forgotten that a process running as SYSTEM can do pretty
much everything it wants to. How do you come to the conclusion that I
have forgotten that?

Anyway, I have come to the conclusion that I won't bother anymore
reading newsgroup postings of this certain arrogant style of yours,
welcome to my killfile.

*PLONK*

--
S