Technical details for Windows 7 EUR tool

This page is aimed at expert users and IT support staff.

You should read Using the Windows 7 EUR tool before reading this page.


More on "Deciding what to install"

Basic limitations in Windows mean that some kinds of software invariably conflict. One obvious example is any software that tries to indicate status information in Windows Explorer by changing the appearance of file and folder icons. The Tortoise version control packages and virtually all cloud access or virtual drive programs that require administrator rights to install fall into this category. Don't install any of those without consulting your zonal support first. Even if they are happy to allow this now, they will have to tell you that you might need to remove the software later if the University decides to install any such software across the campus.

You should always remember the most basic caveat that goes along with Elevated User Rights. If anything goes wrong, the only recourse may be to rebuild your PC. Your zonal support will only be able to provide very limited help in fixing PCs which have unknown and unsupported software or system configuration changes.


More on "Install a program with normal user rights"

Some software packages will install correctly without elevated rights, so try that first; this option is available to any user. Whether it works depends on the design of the installer. Some installers are correctly designed and just work; others have minor design issues, such as producing unnecessary elevation prompts, that make them fail for ordinary users. Some MSIs fail to specify the correct conditions for per-user installs.

We've added context menu entries that set the conditions correctly for per-user installs. That does not guarantee the installer will work, and success may depend on the user making sensible choices. For example, if the default installation location is still presented as "Program Files", it must be changed, otherwise the install will fail. Installers that understand per-user installs will normally choose the user's Application Data folder on the computer; MSIs will use the user's UserProgramFiles folder. These folders can be found by using the following names:

  • shell:Local AppData
  • shell:UserProgramFiles

Those names (use the complete name, including the "shell:" prefix) can be used in Explorer, from the Start menu, or in modern Windows file and folder selection dialogs. The shortcuts appear in the context menu for executable files as Run with Only User Rights [is this the correct name?], and for MSIs as Per User Install.


More on "Perform other administrative tasks"

Most Control Panel items cannot be run elevated using this tool. Some of these are available via the Advanced menu (see below). Note also that there are different routes to a Control Panel item, some of which prompt for administrative rights even though your true target doesn't require them. Setting user environment variables is an example: the normal route via Advanced system settings requires administrative rights, so you have to use the search box in Control Panel to find the link "Edit environment variables for your account".

The Advanced folder in EUR tools contains links to run other tools for managing the Windows system with elevated rights. It is unlikely that you will need these, and no help will be provided for them, as it is assumed that they will only be used by expert users who know what the tools do and understand the risks involved.

You can attempt to start anything you like with Elevated User Rights by using the extended context menu (hold down the Shift key and then right-click). In most cases this won't be useful, but occasionally it is.


Oddities

You may find that tools you have used in the past without Elevated User Rights, such as the Event Viewer, now give an unexpected elevation prompt. In these cases the prompt defaults to your account. This means that those programs are marked (the technical term Microsoft uses is "manifested") to require the highest rights available, and the system correctly identifies that your account is marked as having extra rights that are only available with elevation. In practice you don't have any extra rights, so entering your password at this point does nothing except allow the program to run as before. If this is an irritation for you, there is a simple fix that can be applied to any individual program to suppress this pointless prompt. Contact the Service Desk for further information.

You may also notice that on a managed system where you are not given Elevated User Rights, the context menus won't be present but the shortcuts to the tools will be, although they obviously won't be useful to you.


Information for IT support staff

The EUR tool is enabled for members of the (legacy) Power Users local group. Place a user in an Active Directory group called %COMPUTERNAME%-PU to grant them EUR on %COMPUTERNAME%. A startup script makes this group a member of the local Power Users group. The EUR tool generally only works in the Managed Systems OU.

Please see this SysOps wiki page for more on group management: Local Group Management (localgroups.vbs) and this Zone D page for more on the EUR tool: Admin rights for users (Elevated User Rights) (login required)
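The provisioning path above (AD group %COMPUTERNAME%-PU added to the local Power Users group by a startup script) is easy to check from the PC itself. The following PowerShell is an added example for support staff, not part of the EUR tool or its startup script; the function names are assumptions, and it reads the local group through the WinNT ADSI provider so that it works on Windows 7's PowerShell 2.0 without extra modules.

```powershell
# Added example (not the EUR tool's own code): verify EUR provisioning on this PC.
# Function names are assumptions; group names follow the page (%COMPUTERNAME%-PU, Power Users).

function Get-LocalGroupMemberPaths {
    # Enumerate a local group via the WinNT ADSI provider (available on Windows 7 / PowerShell 2.0).
    param([Parameter(Mandatory=$true)][string]$GroupName)
    $group = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $GroupName)
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/NAME; the DOMAIN part shows whether the
        # member is a local account or came from Active Directory.
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-EurProvisioning {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $expectedGroup = "$ComputerName-PU"
    $paths = @(Get-LocalGroupMemberPaths -GroupName 'Power Users')
    $names = @($paths | ForEach-Object { ($_ -split '/')[-1] })

    # Anything in Power Users other than the computer-specific AD group is outside the
    # documented provisioning route and worth a closer look by support staff.
    $unexpected = @($names | Where-Object { $_ -ne $expectedGroup })

    New-Object PSObject -Property @{
        Computer          = $ComputerName
        ExpectedGroup     = $expectedGroup
        StartupScriptRan  = ($names -contains $expectedGroup)
        PowerUsersMembers = $paths
        UnexpectedMembers = $unexpected
    }
}

# Usage: run in any PowerShell session on the managed PC; no elevation is needed to read the group.
Test-EurProvisioning | Format-List
```

StartupScriptRan being false on a machine in the Managed Systems OU means the startup script has not yet added the %COMPUTERNAME%-PU group to Power Users, which is the first thing to check when a user reports that the EUR context menus are missing; UnexpectedMembers lists any direct members that did not arrive through that route.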


Technical notes

Per User installs

MSIs need to be launched with the following properties: ALLUSERS=2  MSIINSTALLPERUSER=1

The context menu uses this string:

"%SystemRoot%\System32\msiexec.exe" /i "%1" %* ALLUSERS=2  MSIINSTALLPERUSER=1

Executables need to use Application Compatibility modes: RunAsInvoker, which is provided automatically by Windows (this stops an application from producing an elevation prompt at startup because it has been marked to do so, or because heuristic detection thinks it is an installer), and ForceAdminAccess, which is only provided as a fix and is therefore included as a mode by startup script policy (this intercepts the checks that installers make to confirm that administrative rights are available, and replies untruthfully that they are). These modes are applied by a small VBScript that sets the (undocumented) environment variable __COMPAT_LAYER to "RunAsInvoker ForceAdminAccess" in the process context before launching the program.
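The two per-user mechanisms above (the msiexec properties for MSIs, and a process-scoped __COMPAT_LAYER for executables) can be combined in one launcher, which also shows where the "shell:UserProgramFiles" folder from the earlier section actually lives. The following PowerShell is an added example, not the EUR tool's VBScript or context-menu command; the function names and the log-file convention are assumptions. It defaults the compatibility layer to RunAsInvoker only, with ForceAdminAccess (which the page's startup-script policy adds) left as an explicit option.

```powershell
# Added example (not the EUR tool's own code): launch an installer under per-user conditions.
# Function names, parameters and the log location are assumptions for illustration.

function Get-UserProgramFilesPath {
    # shell:UserProgramFiles resolves to %LOCALAPPDATA%\Programs; shell:Local AppData is its parent.
    Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Programs'
}

function Test-PerUserLocation {
    # A location a normal user can write to must sit inside the user's profile, not under
    # "Program Files" (the default a mis-designed installer still presents).
    param([Parameter(Mandatory=$true)][string]$InstallDir)
    $full = [IO.Path]::GetFullPath($InstallDir)
    return $full.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
}

function Start-PerUserInstall {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string[]]$InstallerArgs = @(),
        # The page's VBScript uses 'RunAsInvoker ForceAdminAccess'; RunAsInvoker alone is the safer default.
        [string]$CompatLayer = 'RunAsInvoker',
        [string]$LogDir = $env:TEMP
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }
    $log = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($Path) + '-peruser.log')
    $layer = $null

    switch ([IO.Path]::GetExtension($Path).ToLowerInvariant()) {
        '.msi' {
            # Same properties the EUR context menu passes to msiexec, plus a verbose log for troubleshooting.
            $exe = Join-Path $env:SystemRoot 'System32\msiexec.exe'
            $argList = @('/i', ('"{0}"' -f $Path)) + $InstallerArgs +
                       @('ALLUSERS=2', 'MSIINSTALLPERUSER=1', '/l*v', ('"{0}"' -f $log))
        }
        '.exe' {
            # Executables get the compatibility layer instead of MSI properties.
            $exe = $Path
            $argList = $InstallerArgs
            $layer = $CompatLayer
        }
        default { throw "Unsupported installer type: $Path" }
    }

    # __COMPAT_LAYER is read at process start; setting it in this process's environment
    # means the child (the installer) inherits it. Restore the previous value afterwards.
    $saved = $env:__COMPAT_LAYER
    if ($layer) { $env:__COMPAT_LAYER = $layer }
    try {
        if ($argList.Count -gt 0) {
            $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru
        } else {
            $proc = Start-Process -FilePath $exe -Wait -PassThru
        }
    } finally {
        if ($null -eq $saved) { Remove-Item Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue }
        else { $env:__COMPAT_LAYER = $saved }
    }

    New-Object PSObject -Property @{
        Installer = $Path
        ExitCode  = $proc.ExitCode
        # 3010 is ERROR_SUCCESS_REBOOT_REQUIRED; anything else means read the log.
        Succeeded = ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010)
        Log       = $(if ($exe -like '*msiexec.exe') { $log } else { $null })
        PerUserDir = Get-UserProgramFilesPath
    }
}

# Usage (paths are placeholders):
# Start-PerUserInstall -Path "$env:USERPROFILE\Downloads\SomeTool.msi" | Format-List
# Test-PerUserLocation -InstallDir "$env:ProgramFiles\SomeTool"   # False: a normal user cannot write here
```

Because the variable is set in the calling process rather than machine-wide, the layer applies only to the installer launched here and nothing else the user runs, which mirrors what the page describes the VBScript doing in the process context.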

Elevated User Rights

We make use of Privilege Authority from ScriptLogic (now called Quest Workspace Privilege Manager), which is installed on the PC. This allows administrators to mark selected programs to run automatically with additional rights.

This consists of two compiled AutoIt scripts. The first checks the user's apparent status and the target. If all is OK, it creates a confirmation dialog. If the user agrees, control is passed to the second script, which is set to force an elevation prompt; this confirms the user's identity. The script then checks for permissions and, if the checks succeed, launches the program. The second script is configured by Privilege Authority to run with inheritable administrative rights, so the program launched by that script has administrative rights.