Program running under UAC prompt hides mapped drives

  • Question

  • I have a user on Windows 7 with a non-admin account who runs a program that pops up the UAC. She clicks yes and the program runs. However, since the UAC was involved, it is running with a different token than what she logged into the computer with.

    This means that the program doesn't see her mapped drives when doing a File | Open. She has to navigate to the data folder on the server via Network. Needless to say this is cumbersome and inefficient.

    What can I do so that the program sees her mapped drives? I don't know of a way to get rid of the UAC except to turn off UAC which I do not want to do.


    Jonathan


    Wednesday, July 3, 2013 9:13 PM

All replies

  • Hi,

    This Microsoft article explains this issue.

    Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
    http://support.microsoft.com/kb/937624


    Tracy Cai
    TechNet Community Support

    Thursday, July 4, 2013 9:02 AM
  • Thanks for the link but what that article says I already knew (i.e. the access level tokens and how they affect network access). This user is not an administrative user on her PC. So the problem is not in that situation (which I've run into before). The network drives are mapped using her user account which is what the KB article talks about (I don't know why you'd use another account to map drives anyway).

    So it looks like in my case, the KB article isn't any help. Unless I'm completely misunderstanding something.


    Jonathan

    Friday, July 5, 2013 4:43 PM
  • Hi Jonathan,

    As the KB explained, this is expected. When network shares are mapped, they are linked to the current logon session for the current process access token. This means that, if a user uses the command prompt (Cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.

    By the way, does this action need elevated permission?


    Wednesday, July 10, 2013 1:51 PM
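
Added example, not part of the original thread: a PowerShell diagnostic for the behaviour described in the reply above, where mapped drives belong to the logon session of the process token. The function name `Get-SessionDriveView` is hypothetical, and the `klist` parsing assumes English-language output ("Current LogonId is ...").

```powershell
# Added diagnostic (not from the thread). Run it once from a normal prompt
# and once from an elevated prompt, then compare the two results.
function Get-SessionDriveView {
    # Identity and elevation state of the token this process runs under.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # klist reports the logon session (LUID) of the calling token.
    $logonId = $null
    $line = klist 2>$null |
        Select-String -Pattern 'LogonId is\s+(\S+)' |
        Select-Object -First 1
    if ($line) { $logonId = $line.Matches[0].Groups[1].Value }

    # Network drive letters as this process sees them (resolved in-process,
    # so the answer reflects this token's logon session only).
    $drives = @([IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Network' } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        User         = $identity.Name   # differs if another account's credentials were used to elevate
        Elevated     = $elevated
        LogonId      = $logonId
        MappedDrives = $drives
    }
}

Get-SessionDriveView | Format-List User, Elevated, LogonId, MappedDrives
```

If the two runs report different `LogonId` values, the drive letters listed in one run are not expected to appear in the other.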
  • I understand all about what is going on and why it's happening. What I need to find out is how to get around this.

    As for needing elevated permission, when the program is run, the UAC pops up. You have to click Yes or else you can't run the program. I don't know why the program needs elevated access except that's how its writers coded it. You don't get that when run on XP which is what the user was using. But now that the user has a new PC with Windows 7, the UAC appears when running the program.

    So I need some way to run the program so that it won't run in elevated mode so the user doesn't see inside it the drives mapped at login via GPP.


    Jonathan

    Thursday, July 18, 2013 1:13 PM
  • Hi Jonathan,

    I hope this might help you.

    Running Your App with Administrator Privileges
    There are times that you may need administrator privileges for an application. You may write code that directly interacts with a piece of hardware or an app that sets machine-wide settings in HKLM. When possible, you should design your apps to limit the need for admin privileges to narrow sections of code, or communicate to an application started with full administrator privileges. Aside from MSI-based elevation, there are two ways to create processes with a user's full administrator token. The Application Information Service (AIS) will check during process creation and during the creation of a COM object using the CoCreateAsAdmin moniker to see if the binaries require administrator privilege. It is important to note that the elevation occurs at the time of process creation. The process token never has privileges or group membership added during run time, only when it is created.

    More information:

    Teach Your Apps To Play Nicely With Windows Vista User Account Control

    http://msdn.microsoft.com/en-us/magazine/cc163486.aspx#S7

    Making Your Application UAC Aware

    http://www.codeproject.com/Articles/17968/Making-Your-Application-UAC-Aware

    Thanks.



    Thursday, December 19, 2013 2:10 PM
  • Aaron, thanks for your reply. It is good information but unfortunately it doesn't really help in my case. I'm not writing any code or applications. The user is running a program that is a commercial program written by their coders, whoever they are. The program apparently runs with elevated privileges and so while inside it, when you save or open a file, you can see only local drives and not any network drives that are mapped by the GPO in the domain she logs into on her PC. This is what I'm trying to find a solution for.


    Jonathan

    Thursday, December 19, 2013 2:17 PM