SHV UAC dev question

  • Question

  • I'd like my SHV dll to write log output to a C:\ProgramData folder but I'm running into the UAC file virtualization feature. In testing, I register the dll from an admin command line using "regsvr32". The dll can read the log4cplus cfg file from ProgramData but winds up writing to my (the logged-in user's) virtual folder. There are no errors in the event log but I do see a UAC-File Virtualization message related to the above redirection.

    The SHV architecture is similar to the SDK - a dll containing the Validate() method and an exe for configuration.  The exe seems to be able to write to protected areas (like C:\ProgramData) just fine.

    I'm using VS2005 and have included the additional manifest:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.1" type="win32" processorArchitecture="*" name="MyShv.dll"/>
      <description>SHVs-R-Us</description>
      <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v3">
        <ms_asmv2:security>
          <ms_asmv2:requestedPrivileges>
            <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
          </ms_asmv2:requestedPrivileges>
        </ms_asmv2:security>
      </ms_asmv2:trustInfo>
    </assembly>

    Two questions come to mind:

    1) is it possible to have a SHV dll write to protected areas (like C:\ProgramData)?

    2) if #1 is possible, what majik is required to make it work?

    Thursday, February 28, 2008 7:51 PM

All replies

  • Please refer to a similar query at: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1778855&SiteID=1.

    When running the SHV executable, the ACLs on ProgramData apply in the context of the user running the executable. If you look at the sdkshv.rgs file in the SDK sample, the "RunAs" setting is configured as "Interactive User" (i.e., the one currently logged in). Please refer to http://msdn.microsoft.com/en-us/library/ms680046(vs.85).aspx for details on this setting.

    So the solution would be to either use a "RunAs" setting with a principal that can write to the "%systemdrive%\programdata" directory, or change permissions on the target path so that the "RunAs" user can write to it (by default, the programdata directory does not allow writes by "users" group members).


    Thursday, May 15, 2008 11:42 PM
  • Nice try, but I don't think you answered my question <smile>.  My post says that I don't have a problem with the SHV executable component; it's the SHV dll component that has the issue.  The SHV dll is run by dllhost.exe as part of IAS.

    Friday, May 16, 2008 2:29 PM
  • spolson - when your SHV is loaded into the dllhost process, and one of your interfaces (specifically one that's attempting to generate log data) is called, what account is being used? Is it an account that you expect to have write access to \Program Files? I'm guessing that the account is Network Service, and that it doesn't have that right by design.

    Is it a hard requirement that you log data to Program Files? From a security best-practice perspective, it's generally recommended that only installers write to that location.

    Monday, May 19, 2008 3:47 PM
  • Hi Dan,

    I believe it's Network Service (I don't have any control over it).  I was actually trying to write to ProgramData as that seems like the right place but wound up having to write the log to Public.  That's acceptable as this is a network server and not generally open to end users but ProgramData would have been better/cleaner.

    Monday, May 19, 2008 4:27 PM
  • It is Network Service. Simply changing the RunAs setting in the SdkShv.rgs file to "nt authority\networkservice" will enable you to write to the c:\programdata folder.

    Wednesday, May 21, 2008 5:19 AM
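The two fixes the thread converges on, a different "RunAs" principal for the COM host and an ACL that lets that principal write, can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from the NAP SDK: it reads the RunAs value registered for a COM AppID (the value an ATL .rgs script such as sdkshv.rgs writes under HKCR\AppID), resolves it to a SID, reports whether that SID has an explicit write ACE on the intended log directory, and, with -Grant, adds Modify on that one directory rather than loosening the ACL on all of ProgramData. It also lists anything UAC file virtualization has redirected into the current user's VirtualStore, which is where the original poster's log ended up. The AppID GUID and the log path are placeholders to replace with your own.

```powershell
# Added example, not code from the thread or the NAP SDK.
# Resolves which identity a COM AppID runs under (the RunAs value that an ATL
# .rgs script such as sdkshv.rgs writes), checks whether that identity can write
# to the intended log directory, and optionally grants Modify on that directory
# alone instead of loosening the ACL on all of ProgramData.
#
# Assumptions (placeholders): the AppID GUID and the log directory below.
param(
    [string]$AppId  = '{00000000-0000-0000-0000-000000000000}',   # placeholder GUID
    [string]$LogDir = (Join-Path $env:ProgramData 'MyShv\Logs'),  # assumed log path
    [switch]$Grant                                                # actually change the ACL
)

# Read the RunAs value for the AppID; $null when the value is absent (launching user).
function Get-ComRunAs {
    param([string]$AppId)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if (-not (Test-Path $key)) { throw "AppID $AppId is not registered" }
    (Get-ItemProperty -Path $key).RunAs
}

# Map a COM RunAs string to a SID. 'Interactive User' means the logged-on desktop
# user (the value the SDK sample registers); anything else is an account name.
function Resolve-RunAsSid {
    param([string]$RunAs)
    if ([string]::IsNullOrEmpty($RunAs)) { return $null }
    if ($RunAs -eq 'Interactive User') {
        return [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    }
    try {
        return ([System.Security.Principal.NTAccount]$RunAs).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot translate RunAs value '$RunAs' to a SID: $_"
        return $null
    }
}

# True when $Sid has an explicit Allow ACE carrying at least Write on $Path.
# Group-derived access (e.g. via BUILTIN\Users) is deliberately not considered:
# the point is to give the service identity its own, explicit grant.
function Test-ExplicitWriteAce {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not (Test-Path $Path)) { return $false }
    $acl  = Get-Acl -Path $Path
    $want = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # orphaned or unresolvable ACE
        if ($aceSid -eq $Sid -and (($ace.FileSystemRights -band $want) -eq $want)) {
            return $true
        }
    }
    return $false
}

# Grant Modify (not Full Control) on the log directory only, inherited by the
# files the service creates there.
function Grant-LogDirAccess {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$runAs = Get-ComRunAs -AppId $AppId
Write-Host "AppID $AppId RunAs: $(if ($runAs) { $runAs } else { '<launching user>' })"

$sid = Resolve-RunAsSid -RunAs $runAs
if ($sid) {
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if (Test-ExplicitWriteAce -Path $LogDir -Sid $sid) {
        Write-Host "$name already has an explicit write ACE on $LogDir"
    } elseif ($Grant) {
        Grant-LogDirAccess -Path $LogDir -Sid $sid
        Write-Host "Granted Modify on $LogDir to $name"
    } else {
        Write-Host "$name has no explicit write ACE on $LogDir (re-run with -Grant to add one)"
    }
}

# Writes that UAC file virtualization redirected land here, not under ProgramData.
$virt = Join-Path $env:LOCALAPPDATA 'VirtualStore\ProgramData'
if (Test-Path $virt) {
    Write-Host "VirtualStore redirections present under $virt"
    Get-ChildItem -Path $virt -Recurse -File | Select-Object -ExpandProperty FullName
}
```

Granting Modify on a dedicated subfolder keeps the service identity (Network Service in this thread) from gaining write access to anything else under ProgramData, which is the least-privilege version of the "change permissions on the target path" option. One point the thread leaves implicit: requestedExecutionLevel is evaluated for the process executable when it is launched, so placing it in a DLL's manifest does not change the token that dllhost.exe runs under; only the AppID's RunAs value does.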