Hi All,

We have an application that writes to Windows registry and
some files. Both of these (that is, registry and files)
require the software to impersonate as a highly privileged
user (i.e. Administrator) to write to them.

However, with the addition of "Impersonate a client after
authentication" (SeImpersonatePrivilege) user right in
Windows 2000 SP4, the software may not be able to
impersonate if it is running under a normal user account.

This can be a real hassle as Administrators would need to
change policies during installation to allow software to
run under normal user account.

A solution to this problem could be to have a service
running in the background, which would spawn a thread that
allows the software to write to registry/files through
this thread. As a service can run with higher privileges,
writing to registry/files would not be a problem. HOWEVER,
communication between this thread and the rest of software
is a complicated one as they will be two different
processes that need to communicate to each other. Is there
a solution to this problem? I am thinking that the service
could be written in .NET and the rest of software can act
as COM client. Is there an easier way of doing this?

Apart from using a service, in general, is there any other
way to impersonate without requiring administrators to
modify user policies?

Any help would be greatly appreciated.

Thanks,
Ash

Re: Interop .NET Server and COM client by David

David
Fri Oct 24 15:05:12 CDT 2003

During the normal running of your application, you simply shouldn't be
trying to write to files or registry locations that you don't have access
to. Usually a redesign is in order.

At install time, there are other possibilities.

Why do you really want Administrator rights? You don't need them.

David

"Ash" <anonymous@discussions.microsoft.com> wrote in message
news:06b301c3990d$a8b4ed80$a301280a@phx.gbl...
> Hi All,
>
> We have an application that writes to Windows registry and
> some files. Both of these (that is, registry and files)
> require the software to impersonate as a highly privileged
> user (i.e. Administrator) to write to them.
>
> However, with the addition of "Impersonate a client after
> authentication" (SeImpersonatePrivilege) user right in
> Windows 2000 SP4, the software may not be able to
> impersonate if it is running under a normal user account.
>
> This can be a real hassle as Administrators would need to
> change policies during installation to allow software to
> run under normal user account.
>
> A solution to this problem could be to have a service
> running in the background, which would spawn a thread that
> allows the software to write to registry/files through
> this thread. As a service can run with higher privileges,
> writing to registry/files would not be a problem. HOWEVER,
> communication between this thread and the rest of software
> is a complicated one as they will be two different
> processes that need to communicate to each other. Is there
> a solution to this problem? I am thinking that the service
> could be written in .NET and the rest of software can act
> as COM client. Is there an easier way of doing this?
>
> Apart from using a service, in general, is there any other
> way to impersonate without requiring administrators to
> modify user policies?
>
> Any help would be greatly appreciated.
>
> Thanks,
> Ash