USB
Zohei, 2018-10-31 23:04:59

How to give programs elevated privileges to access USB and HDD under a local user?

Hello.
There is specific certified software (there are no analogues and there will be none; it is the public sector, so it is impossible to refuse), which was written under Windows XP and worked remarkably well on it.
Now they have bought modern PCs with Windows 10 and set up a local network with a Windows Server 2008 R2 domain controller.
The problems began with the fact that the old software only works correctly when run with administrator rights; otherwise it does not see the memory card, for example for uploading firmware, or cannot work with the HDD, for example to select disk partitions and directories.
Distributing administrator passwords to everyone is fraught with problems. I would like to get away from this once and for all.
I can think of two solutions:
1. (Undesirable) Give users local administrator rights.
2. Give elevated privileges to the registry branches associated with USB and HDD. But which ones exactly?
What are your suggestions, gentlemen?


3 answer(s)
Konstantin Tsvetkov, 2018-11-01
@tsklab

written under Windows XP
Set the program to be compatible with Windows XP.
Then you should make a virtual machine with Windows XP or use a mini-computer.
Note:
Since the last century, I have been using the following in my work: sometimes it is easier to use a separate computer for "specific" software than to fight for its compatibility. For example, a bank client (as an application, not online) with its crypto keys lives on a small box with a remote desktop.

rPman, 2018-11-01
@rPman

While I can still understand it for access to firmware, direct access to I/O ports, the requirement of administrator rights to select partitions and a disk is a fail: you will not be able to correctly restrict the application, since as soon as you give access to disks through the file open window, it will be possible to do anything with the file system.
In your case, isolation may be the only solution, ideally virtual machines. To get started, experiment with sandbox applications like Sandboxie (the latter is in fact the same virtual machine, but you don't need to buy a separate license for the operating system inside the virtual machine).

Ezhyg, 2018-11-01
@Ezhyg

Hmm, but isn't it an option to just give elevated rights only to the program?
I do not suggest using third-party utilities; there is the "Task Scheduler"! Create an XML file and paste the following text there, then open the scheduler and import the task, specifying this file:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2010-04-25T16:26:08.3858237</Date>
    <Author>Ezhyg_from_Toster</Author>
  </RegistrationInfo>
  <Triggers>
    <!-- Fires on any event the Microsoft-Windows-UAC provider writes to the UAC/Operational log -->
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-UAC/Operational"&gt;&lt;Select Path="Microsoft-Windows-UAC/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-UAC']]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <!-- S-1-5-32-545 is the well-known SID of BUILTIN\Users -->
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <!-- Program the task starts -->
      <Command>"C:\Program Files\Akelpad\AkelPad.exe"</Command>
    </Exec>
  </Actions>
</Task>

Then create a shortcut:
The task name is the file name, but you can rename it when importing.
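
An added example, not part of the answer above: a Python check that reads a Task Scheduler XML export like the one posted and reports which principal the action runs as, at what run level, and which binary it starts, so the task can be reviewed before it is imported. The function name `review_task`, the finding labels and the list of protected directories are assumptions made for this example; the sample is a constructed, trimmed copy of the posted task.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Well-known SIDs that each cover many accounts.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-4": "INTERACTIVE",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users"}
# Assumption: directories standard users cannot write to with default ACLs.
PROTECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def review_task(xml_text):
    """Return (summary, findings) for one Task Scheduler XML export."""
    root = ET.fromstring(xml_text)
    actions = root.find("t:Actions", NS)
    context = actions.get("Context") if actions is not None else None
    summary, findings = {"commands": []}, []
    for p in root.findall("t:Principals/t:Principal", NS):
        if p.get("id") != context:
            continue  # only the principal the actions actually run as
        sid = p.findtext("t:GroupId", None, NS) or p.findtext("t:UserId", None, NS)
        # RunLevel defaults to LeastPrivilege when the element is absent.
        level = p.findtext("t:RunLevel", "LeastPrivilege", NS)
        summary.update(identity=sid, run_level=level)
        if level == "HighestAvailable" and sid in BROAD_SIDS:
            findings.append("elevated-for-broad-group:" + BROAD_SIDS[sid])
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = ntpath.normpath((cmd.text or "").strip().strip('"'))
        summary["commands"].append(path)
        # Heuristic: a binary outside the protected directories may be replaceable.
        if not path.lower().startswith(PROTECTED_DIRS):
            findings.append("binary-outside-protected-dir:" + path)
    return summary, findings

# Constructed sample: principal and action from the posted task, trimmed.
SAMPLE = """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <GroupId>S-1-5-32-545</GroupId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Program Files\\Akelpad\\AkelPad.exe"</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    summary, findings = review_task(SAMPLE)
    print(summary)
    for finding in findings:
        print("REVIEW:", finding)
```

With a group principal, `HighestAvailable` gives each member the most privileged token that member already holds, so the check flags the combination for review and reports where the started binary lives.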
