none
Windows 7 "*.cpl" Security Breakdown

    Question

  • Does Microsoft have any Windows 7 documentation on which .cpl's can be launched as Administrator and still have complete Admin functionality. I use elevated CommandLine and PowerShell under Standard User accounts when Remote Assistance is available. My company is moving to Windows 7 and DirectAccess so I will virtually have access to any callers machines. I do not like Remote Desktop'ing into there machine because of it applying user and computer settings and just increase the talk time.

    So my question: Does Microsoft have it documented somewhere which *.cpl will have full Administrator functionality when launching it from an elevated Command-Line or PowerShell prompt? The reason I am wandering is because appwiz.cpl seems to be the only one that cannot. I do not understand why this is because it is not a user specific console.

    Command - Console - Admin Functionality
    hdwwiz.cpl - Device Manager - Yes
    timedate.cpl - Date and Time - Yes
    appwiz.cpl - Programs and Features - No

    The promlem, and yes I know it has been asked, is that you cannot uninstall a program for troubleshooting or just to remove from a machine unless an Administrator is logged in them self. Then if is is a program that can be configured differenly on different user profiles and the user has not logged off before you start your RDP session (this uses the Switch User technology) you cannot uninstall the program until you logoff and they logoff and you log back in as an Administrator...not really efficient.

    I have created a PowerShell script that uses the Invoke-Command and MSIEXEC to uninstalled the program remotely. This is possible only because elevated PowerShell can run the Enable-PSRemoting because Security hasn't yet learned enough about is vulerabilities to allow us to enable it on all of our 20,0000 client machines for just Support purposes.

    So I'm not really worried about it anymore but still wandering if Microsoft has it documented what *.cpl's have fully functional Administrator access when launched from an elevated CommandLine or PowerShell prompt?

    Thanks,

    XK8Geek

    Saturday, March 17, 2012 6:38 PM

Answers

  • Hi Rich,

    Thanks for you speedy response. I am new to working in an enterprise enviroment and with machines that actually use the "awesome-ness" (well sometimes) that is Group Policy which sometimes makes settings not what they seem.

    I did some more research and found http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx that assisted me in determining it was Group Policy related.

    In the Group Policy Policies\Windows Settings\Security Settings\Local Policies\Security Options there 10 UAC that my company has configure that keeps us from being prompted to supply Admin credentials for the actual uninstall of the .msi.

    Thanks again for your response,

    XK8Geek

    Saturday, March 24, 2012 3:36 PM

All replies

  • I have used appwiz.cpl many times launched from an administrative cmd prompt to uninstall software.  I've also used PowerShell remoting and WMI to uninstall remotely as well.  PSExec is another option.  But I do not see why appwiz.cpl is not working when launched from admin cmd prompt for you.

    Rich Prescott | Infrastructure Architect, Windows Engineer and PowerShell blogger | MCITP, MCTS, MCP

    Engineering Efficiency
    @Rich_Prescott
    Windows System Administration tool
    AD User Creation tool

    Saturday, March 17, 2012 6:46 PM
  • Hi Rich,

    Thanks for you speedy response. I am new to working in an enterprise enviroment and with machines that actually use the "awesome-ness" (well sometimes) that is Group Policy which sometimes makes settings not what they seem.

    I did some more research and found http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx that assisted me in determining it was Group Policy related.

    In the Group Policy Policies\Windows Settings\Security Settings\Local Policies\Security Options there 10 UAC that my company has configure that keeps us from being prompted to supply Admin credentials for the actual uninstall of the .msi.

    Thanks again for your response,

    XK8Geek

    Saturday, March 24, 2012 3:36 PM