run as a service (UAC and user permissions)

Have a suggestion for "Everything"? Please post it here.
Post Reply
Magritte
Posts: 11
Joined: Wed Nov 18, 2009 5:04 pm

run as a service (UAC and user permissions)

Post by Magritte »

There are a few issues with Vista/Windows 7 in that Everything requires administrator permissions to run, requiring a UAC dialog when loaded.

While it's possible to work around this using the task scheduler, it's an incomplete solution. For instance, when using the Explorer integration to search a folder from the context menu, a UAC prompt will come up.

An additional issue I've noticed is that if you do a search for an executable, then run that executable from the Everything window, it will inherit Everything's user permissions. That is, it will run with administrator privileges, which is probably NOT what you intended. While I realize this isn't a common use scenario, there have been a few times where I've used Everything to track down a seldom used program and then launched from the search results for convenience. This has the possibility of creating an unexpected security hole.

I'd like to see at the minimum a change so that executables are explicitly launched with standard privilege level unless specified otherwise (e.g. a context menu option to run as administrator).

Even better would be for Everything to run as a service rather than as a standard user application. The service would be responsible for the indexing and returning search results, and would only require UAC elevation on first install. The user would then interact with a non-elevated application that functions as a UI client, passing search requests to the service and displaying the results. Since the client runs without elevation, there are no UAC issues or unexpected executable elevations.
therube
Posts: 5056
Joined: Thu Sep 03, 2009 6:48 pm

Re: run as a service (UAC and user permissions)

Post by therube »

Just a little bump.

---

Windows 7 (much like Vista), arg! (OK, maybe it isn't so bad, but them I'm just starting with it.)

There, now that that's out of the way...

So I use Everything to open my apps.
Search for mpui, shows mpui.exe (a gui for mplayer).
Player opens & that's fine.

But, from within Altap (Servant) Salamander (a file manager, much nicer then Windows Explorer), I highlight & drag a bunch of videos from Salamander into MPUI (which should add said files to its' playlist). Yet nothing happens. It acts like it has worked, but nothing shows up in the playlist. Drag & drop simply fails silently.

So I think about this topic.

Instead of opening MPUI from within Everything, I create a shortcut on my desktop. Start MPUI from that shortcut. Drag files from Salamander into MPUI. The file list displays in the playlist as expected.

Invoke an instance of Salamander, Run As Administrator. Open MPUI from within Everything. Select files from Salamander. Drag them into the MPUI window. The file list displays in the the playlist as expected.


So, much like context menus or plugins, 32-bit & 64-bit (generally) don't mesh. A 32-bit context menu item (or plugin) won't be seen from a 64-bot application, & vice versa.

And now, some operations (drag & drop in this instance) started from within a non-elevated process (Salamander in my case) into an elevated process (MPUI by virtue of starting it from within Everything), does not work.

:|
therube
Posts: 5056
Joined: Thu Sep 03, 2009 6:48 pm

Re: run as a service (UAC and user permissions)

Post by therube »

Windows 7.

So the other day I realize I'm running under an Admin account rather then limited.
So to self, in this day & age, that's silly. MS must have things figured out by now, so that a Limited account is workable.
Go to set myself as Limited, but can't.

Why? Because the Administrator account, which was always there by default account in XP, is disabled by default in W7. And you must have at least one Admin account set up (active). So if you are the only user, there is no choice, you must be Admin. Now you could set up another user, setting that account as Admin, or you could enable the Administrator account (like what's the reason not to have it enabled anyway, but that's another question). So I set a different user as Admin, set myself as Limited.

Been running that way for a little while now. A few extra nags, but nothing I can't live with.
Have been using Everything regularly, of course.

Today, I go to drag a file from Everything to SeaMonkey, my browser. It doesn't want to drop. Thinking I did something wrong, try again. Same. And again. Same again.

Realized. Oh, set myself as Limited, so browser is running as Limited, though Everything is running as Admin. Open an elevated command prompt. Drag the same file to the prompt & it works as expect. Yes, that is what the problem is :cry:.

Say to self. Now I know I can open Windows Explorer & drag same file into SeaMonkey. (That is what I've been doing the last number of days. Download with download manager. DM has a button to open Explorer Window focused on the file. Drag file into browser.) Today, happened to close DM, so rather then ferret out file, I just use Everything to get it. And with that I realized the predicament.

Then think, what if I open Windows Explorer from withing Everything. That would be elevated too, no? And that should not work either. I try anyway. And it did work!?

Why?

Why is a (presumably) elevated (opened from Everything) Windows Explorer window able to drag a file into my non-elevated browser window, where Everything is not able to do the same? What makes Windows Explorer special?
Magritte
Posts: 11
Joined: Wed Nov 18, 2009 5:04 pm

Re: run as a service (UAC and user permissions)

Post by Magritte »

I've found that if you open the path in explorer you will get a normal (non-elevated) explorer window. This doesn't seem to be a problem. I'm not a windows developer so this is a wild guess but I'd speculate that Explorer is always running anyway and Everything sends it a message requesting a new window at a specified location. Since the new window is part of an existing process (which is not-elevated) it will inherit the same permissions. If Everything had to load a new Explorer instance than it would probably be elevated.

However, if you do something like double-click an application file or even double-click a document file the (associated) application will be loaded as an elevated process. Eg. Double clicking a .doc file will load an elevated Word instance or double clicking on a .html file will load an elevated explorer/firefox/whatever browser instance. This is something that you'd rather avoid so my advice is use Everything to find the file you're looking for, but never load it directly from within Everything. Instead, right-click to find the file in Explorer then load it from within Explorer.
podzaborom
Posts: 1
Joined: Tue Sep 14, 2010 7:14 pm

Re: run as a service (UAC and user permissions)

Post by podzaborom »

Magritte wrote:While it's possible to work around this using the task scheduler
It's also impossible in my situation. I work under a limited user account and have a different account with administrator privileges and with password (and smart UAC asks me for admin password when required). I've tried various combinations in Task Scheduler, but it's seems impossible to run Everything under another user (even with the password stored) — in almost all cases there is just nothing happens.
I hope that author will make some redesign for better meeting the conditions of multiuser and multiprivileges environments.
Magritte
Posts: 11
Joined: Wed Nov 18, 2009 5:04 pm

Re: run as a service (UAC and user permissions)

Post by Magritte »

podzaborom wrote:
Magritte wrote:While it's possible to work around this using the task scheduler
It's also impossible in my situation. I work under a limited user account and have a different account with administrator privileges and with password (and smart UAC asks me for admin password when required). I've tried various combinations in Task Scheduler, but it's seems impossible to run Everything under another user (even with the password stored) — in almost all cases there is just nothing happens.
I hope that author will make some redesign for better meeting the conditions of multiuser and multiprivileges environments.
Haven't had this issue as I run under a standard (i.e. in Windows 7 Administrator) account. If you haven't tried this, I'd suggest logging in under your administrator account before loading task scheduler and setting up an elevated process ("Run with highest privileges") with the trigger set to "At log on" of your standard account. This should enable Everything to run automatically without prompts when you login in the background and you can call it up using a hotkey or through the notification tray icon. I've not found having Everything run in the background to have any appreciable impact on system performance or stability.

If that doesn't work, I'm out of suggestions...
Magritte
Posts: 11
Joined: Wed Nov 18, 2009 5:04 pm

Re: run as a service (UAC and user permissions)

Post by Magritte »

Glad you got it working.
Post Reply