January 2007

Running Legacy Applications as a Least-Privileged User

Use this toolkit to help reduce compatibility problems

SOLUTION SNAPSHOT
PROBLEM
Running legacy applications while logged on as a least-privileged user
SOLUTION
With tools found in the Windows Application Compatibility Toolkit (ACT), you can configure an application that requires write operations to protected areas of the file system or registry to redirect those operations to the user's profile.
WHAT YOU NEED
Windows XP, ACT 4.1, a sample application (e.g., Maxthon)
DIFFICULTY
2.5 out of 5

Anyone who has ever tried to manage Windows XP desktops in an enterprise environment in which Least-Privileged User Accounts (LUAs) are deployed knows what a challenge it can be. I'm not going to discuss the benefits of running your desktops as limited accounts, but I'll show you a useful technique for overcoming problems related to limited access and legacy application compatibility.

LUA and Compatibility Problems
Legacy applications (and sometimes even new applications) that fail to run under the security model for a least-privileged user can be a huge headache for IT administrators. Often such programs require access to areas of the file system and registry that least-privileged users aren't permitted to modify, causing applications to lose certain functionality or not work at all.

Users have several methods they can use to run legacy applications when logged on as a LUA (e.g., the Runas command). Many are workarounds that require the user to take some additional action or that introduce authentication problems when connecting to networked resources, and are rarely accepted by users. However, you might consider using the following options, which are transparent to the end user:

  • Change the ACL on the affected files, folders, or registry keys
  • Modify the user's security token only for the affected application
  • Use the Application Compatibility Engine to redirect file system or registry writes

The most commonly used method for running legacy applications as a least-privileged user is to modify the ACLs on the registry keys, files, and folders that an application needs to access in order to run successfully. This method has two main drawbacks. First, you need to identify the registry keys, files, and folders that are causing the problem; even with file and registry access-monitoring tools, this can be a time-consuming job. Second, after you modify the necessary ACLs, you potentially leave once-protected areas of the system open to change, which could cause the application to stop working at some point in the future. A case in point is having to give users Modify access to an entire application directory.

Third-party solutions (such as Winternals Software's Protection Manager and BeyondTrust's Privilege Manager) can provide the ability to modify the user's security token on the fly. When a user launches an application, the token is given administrator privilege to run only that particular process. This is completely transparent to the user. The main disadvantage of using this method is the cost.

XP has a built-in solution for dealing with LUA compatibility problems—the Application Compatibility Engine. Using it in conjunction with the Application Compatibility Toolkit (ACT), you can analyze an application and configure XP to automatically redirect writes in protected areas of the file system and registry to the user's profile.

Configuring Application Fixes
Let's look at a sample legacy application and how to use ACT to make the application run correctly under a LUA account. The example is simple for the purpose of illustrating the process. You can use ACT to solve more complex problems, but the basic steps remain the same.

The application we'll use is Maxthon 1.5, which is a replacement shell for Microsoft Internet Explorer (IE) 6.0 and IE 5.5 that has tabbed browsing, RSS, an ad blocker, and other useful features that make Web browsing a more pleasant experience. Maxthon is available as a free download at http://www.maxthon.com. If you run this application as a LUA user, any preferences or options that you configure are lost when you close it because Maxthon saves preferences in a folder under Program Files, for which a least-privileged user doesn't have Write permission. Maxthon isn't aware of multiple users.

After you download ACT, which you can do at http://www.microsoft.com/downloads/details.aspx?FamilyID=4005DA79-933A-4CC8-BF86-FE2E28B792FD&displaylang=en&Hash=V3N34CF, log on to Windows as an administrator and install ACT. Then install Maxthon, but clear the option for running the program before you click Finish. You want to find out where Maxthon saves all its preferences, so you'll need to let ACT analyze the application the first time that you run it.

Although we're looking for a solution to run Maxthon under LUA, we need to run ACT and analyze Maxthon while logged on as an administrator. To do so, perform these steps:

  1. Launch the Compatibility Administrator program by opening All Programs, Microsoft Application Compatibility Toolkit 4.1, then clicking Tools.
  2. Under Custom Databases, you'll see New Database. Right-click it and rename it to Maxthon, as Figure 1 shows.
  3. Right-click the database again and select Create New, Application Fix. In the Program information dialog box, enter the name of the application, the vendor, and the path to the executable, which in this case is C:\Program Files\Maxthon\Maxthon.exe. Click Next.
  4. Next, you'll see the Compatibility Modes screen, which is where you can choose to solve a LUA problem. For OS mode, select None, then select LUA from the list on the right, as Figure 2 shows. Click Next.
  5. In the Compatibility Fixes screen, scroll through the list of fixes. Make sure that LUARedirectFS and LUARedirectReg are selected and click Next.
  6. The Matching Information screen lets you modify the criteria that the Application Compatibility Engine uses to identify the Maxthon executable. Accept the default values and click Next.
  7. Make sure that Yes, customize these fixes now is selected and click Finish.

Customizing the Application Fix
We now want to let ACT analyze Maxthon as it runs to detect when it writes to protected areas of the OS and automatically customize the fix as necessary. When you click Finish in the previous step, a page opens that gives you the option to monitor the program. Run program to collect data will be the only option available. Click Next. The path to the Maxthon executable will already be entered, so simply click OK. ACT will automatically launch Maxthon.

  1. As Maxthon runs for the first time, follow the Configuration Wizard prompts, then select Options, Maxthon Options.
  2. Go to the General tab to see the available options, which Figure 3 shows. Select the Allow only one instance of Maxthon option, then click OK.
  3. Close Maxthon and select Don't show me the message again in the Exit Maxthon dialog box. Click OK.

Maxthon will then close and you'll be returned to the ACT Exclude File Extensions screen. For this example, we don't want to exclude anything, so make sure that no file extensions are listed and click Next. On the Edit the File Redirection List screen, which Figure 4 shows, you'll see that ACT has identified every write to a protected file that it observed while Maxthon ran. Select all of them and click Next. ACT will display a summary of the redirects in the Redirection Location screen. Click Finish.

Installing an Application Compatibility Database
From the main Compatibility Administrator window, save the Maxthon database as c:\maxthon.sdb. Then install the database by opening a command line and typing

sdbinst c:\maxthon.sdb 

After installing the database, log on as a LUA and clear the Allow only one instance of Maxthon check box under Maxthon Options. Close and restart Maxthon. Check the options to make sure that the application has remembered the setting. You'll see that the redirected configuration files are now stored in the hidden Application Data folder in the least-privileged user's profile.

Next, uninstall the compatibility database to see how Maxthon behaves when the database isn't installed. To uninstall the database, log on as an administrator and type the following command:

sdbinst -u c:\maxthon.sdb 

When you restart Maxthon as a least-privileged user, you'll find that without the compatibility database installed, the application doesn't retain the options you set.
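The behaviour observed in the install and uninstall steps above, modelled as an added illustration (this is not ACT's code and not from the article): a limited user's write to a protected path is diverted into the user's profile while the shim is active, reads then prefer that copy, and without the shim the same write fails, so the option is lost. The protected roots, the "Redirected" folder name under Application Data, and the Maxthon config path are assumptions.

```python
"""Model of the write redirection the article's LUARedirectFS fix performs. Added
illustration, not ACT's code: roots, redirect folder and config path are assumed."""
import ntpath
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Windows")  # assumed, not ACT's list

class RedirectingStore:
    def __init__(self, user_profile, shim_installed=True):
        self.disk = {}  # constructed stand-in for the real file system
        self.shim_installed = shim_installed
        # article only says "the hidden Application Data folder in the user's profile"
        self.redirect_root = ntpath.join(user_profile, "Application Data", "Redirected")

    def _is_protected(self, path):
        p = path.lower()
        return any(p.startswith(root.lower() + "\\") for root in PROTECTED_ROOTS)

    def redirected(self, path):
        # C:\Program Files\X\a.ini -> <redirect_root>\C\Program Files\X\a.ini
        drive, rest = ntpath.splitdrive(path)
        return ntpath.join(self.redirect_root, drive.rstrip(":"), rest.lstrip("\\"))

    def write(self, path, data, as_admin=False):
        # Admins write in place; limited-user writes to protected paths are diverted (shim on) or denied (shim off)
        if as_admin or not self._is_protected(path):
            self.disk[path] = data
            return path
        if not self.shim_installed:
            raise PermissionError("access denied: " + path)
        target = self.redirected(path)
        self.disk[target] = data
        return target  # where the data actually landed

    def read(self, path):
        # Reads come from the redirected copy when one exists, else the original.
        if self.shim_installed and self._is_protected(path):
            copy = self.redirected(path)
            if copy in self.disk:
                return self.disk[copy]
        return self.disk.get(path)

def maxthon_scenario(shim_installed):
    # Article's test: admin installs, limited user changes an option, app reopens.
    store = RedirectingStore(r"C:\Documents and Settings\lua", shim_installed)
    cfg = r"C:\Program Files\Maxthon\Config\config.ini"  # constructed path
    store.write(cfg, "OneInstance=1", as_admin=True)
    try:
        where = store.write(cfg, "OneInstance=0")
    except PermissionError:
        where = None  # unshimmed: the write fails and the setting is lost
    return store.read(cfg), where
```

`maxthon_scenario(True)` returns the changed value together with the redirected path under the profile; `maxthon_scenario(False)` returns the original value and no path, which is the "doesn't retain the options" behaviour seen after `sdbinst -u`.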

Going Forward
ACT can provide quick and easy solutions to many LUA problems that occur with legacy applications. The user will be unaware of the problem and can run the application without the need for any manual workarounds. Administrators can simplify the process even more by using Group Policy to deploy compatibility databases. In Windows Vista's User Account Control (UAC), Microsoft has further developed the redirection feature to automatically redirect writes to a virtualized space for each user without the need to run ACT. This functionality will help even home users run as least-privileged users.

SOLUTION STEPS
  1. Create an application compatibility database.
  2. Customize an application fix.
  3. Install the database.

Reader Comments
"log on to Windows as an administrator and install ACT": Such a simple-sounding instruction. There's no hint that it requires:
- finding, downloading, installing, and updating the Microsoft .NET Framework 1.1;
- finding, downloading and installing the security-hole-ridden MSDE 2000;
- figuring out a way to upgrade MSDE 2000 to Service Pack 4, in an attempt to secure it.

Most of you will find that "log on to Windows as an administrator and install ACT" will require several hundred megabytes of hard disk space and several hours of your time. Is it worth that to find a compatibility solution for one application?

I can hear some of you now: "You can do this once on your desktop PC, you don't have to do it for every application you test". Ah, but that's only if you test applications on your desktop PC. I don't, and I doubt you do either. I test on separate test machines or in virtual machines (VMs) that are reinitialized after every test. So, yes, I do have to do this massive setup for every application I test.

Because of this huge overhead, ACT 4.1, and the forthcoming 5.0, are not useful to most of us. (The new 5.0 version has one advantage: it will use SQL Server Express 2005 instead of MSDE.) I hope Microsoft will rethink this approach, and give us a toolset we can use on the fly. After all, it's "on the fly" that most of us are asked to solve compatibility problems.

SNissen December 27, 2006

Please note that since originally writing this article, Winternals' 'Protection Manager' product is no longer available.
Russell Smith

rms45 January 15, 2007


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.