Sign in to follow this  
Followers 0
RacerBG

Acces denied for Admins?

17 posts in this topic

I don't know when this happened but for some reason if my friend is trying to mount some iso image or even to uninstall a program "acces denied" is shown. He have Admin account but still Windows 7 is refusing some mandatory tasks. What could be the problem?

PS: On my XP machine I haven't got a single problem about Admin rights.

0

Share this post


Link to post
Share on other sites

Aside from "uninstall a program", what "mounting" software? Or are we supposed to guess?

0

Share this post


Link to post
Share on other sites

Some locations are protected or owned by other accounts. TrustedInstaller is one of these accounts that may own a directory, and show an Access Denied message even to an account with Admin rights.

0

Share this post


Link to post
Share on other sites

For example mounting an image with Daemon Tools and uninstalling is impossible not just for one program but for all programs.

TrustedInstaller sounds like...correct answer but I'm still not sure. And if this is the case how he (my friend) can bypass it?

0

Share this post


Link to post
Share on other sites

Easy! You must become TrustedInstaller! :P

0

Share this post


Link to post
Share on other sites

Interesting find. I will see what I can do about it.

0

Share this post


Link to post
Share on other sites

Please do keep us posted about how it develops.

0

Share this post


Link to post
Share on other sites

My investigation was short. The reason for this strange acces denied errors was Comodo Firewall which I installed a few weeks ago to protect his laptop from viruses. Strange but thanksfully correct answer. :)

Thanks anyway for the suggestions, guys.

0

Share this post


Link to post
Share on other sites

Hey, at least you confirmed that the firewall did its job, even if it wasn't what you expected. And I suppose there is a setting you can adjust so that COMODO allows the requested activity.

Cheers and Regards

0

Share this post


Link to post
Share on other sites

Hey, at least you confirmed that the firewall did its job, even if it wasn't what you expected. And I suppose there is a setting you can adjust so that COMODO allows the requested activity.

Cheers and Regards

To be picky, a firewall should be between you and a (possible) fire and not stand right in the middle of your office, preventing you to get to (say) the restroom or your co-workers' desks. ;)

In other words, it should be a safety measure against perils coming from the outside, not an obstacle to everyday work.

Maybe this round the good Comodo guys overdid it a little. :unsure: (or their "smart" Default Deny Protection is not as smart as one would expect :whistle:)

jaclaz

0

Share this post


Link to post
Share on other sites

Hey, at least you confirmed that the firewall did its job, even if it wasn't what you expected. And I suppose there is a setting you can adjust so that COMODO allows the requested activity.

Cheers and Regards

To be picky, a firewall should be between you and a (possible) fire and not stand right in the middle of your office, preventing you to get to (say) the restroom or your co-workers' desks. ;)

In other words, it should be a safety measure against perils coming from the outside, not an obstacle to everyday work.

Maybe this round the good Comodo guys overdid it a little. :unsure: (or their "smart" Default Deny Protection is not as smart as one would expect :whistle:)

jaclaz

Hear hear. :thumbup: This nonsense they started quite a long time ago, pretty much around the time of mainstreaming OS and software from Win9x to WinXP. Many relatively tame programs in their "new" NT versions like Norton, McAfee, Flash, etc began to make ACL adjustments during setup. Perhaps it was even earlier during NT/NT4/Win2K, who knows, but it became noticeable during WinXP.

The problem is when you go to uninstall something that does this ( changes permissions on folders and registry keys ) there is little guarantee that the uninstaller will reset them back to the way they were before, even if they were so inclined do they really know what the permission should now be set at? It's not an easy task and naturally consumer Windows offers no simple method of auditing ACL's or saving their state, or resetting them. Consequently there are a million unexplained annoyances many of which are probably permission related.

This is one of the main reasons for the official "removers" from Norton and McAfee I believe, necessary to remove files and keys that mere mortals cannot. Flash still modifies several registry key permissions even today, with every single update even after you manually revert them to the way they were. Firewalls as Jaclaz says ( and all security software and everything else really ) should be a positive experience, a friendly tool, but there is no reason for them to be as we crossed the Rubicon of developer responsibility long ago unchallenged whenever they made these aggressive attacks on the user's very own computer. There is no semblance of responsibility or restraint, they do what they want. They don't even attempt to document what they have done, nor does it appear in many discussion threads.

The permission alteration issue is one of the moral cases, something that should be done "with permission" pardon the pun. It dovetails with another Rubicon that was crossed at the same time, programs that use the Internet at will ( phone home, or whatever ). This should never have been allowed to happen without permission as no-one will tolerate it in real life ( a guest visitor using the phone at will ). Another moral line crossed with hardly a whimper. Is there any wonder why malware is everywhere? It's almost hard to even call them illegal compared to what other software already does at will.

Back to the security topic, the only good solution IMHO is for someone to develop a comprehensive permissions auditing tool. One that records all of their states periodically and can do smart diffing, for example comparing all currently existing objects' ACL with their previous state but leaving out new ones and missing old ones and highlighting only changes. You can brute force record ACLs at two different periods in time but the diff comparison is almost unusable because of missing old ones and lots of new ones. Troubleshooting Windows is fast approaching needle-in-haystack probabilities.

0

Share this post


Link to post
Share on other sites

A great experiment which I never did was to install Windows XP on FAT instead of NTFS. ( never wanted to deal with potential structural problems or huge disk limits ).

But it would be nice to test Windows XP without any ACL's mucking up the mix, not to mention hidden streams. I doubt it is possible but I figured you would know if there was a way to format NTFS without those particular metadata.

Of course, there may be some dependencies in Windows XP that crap out when that metadata does not exist. But if it were possible, I believe every transaction would see an immediate boost in speed due to absent permission checking on every read/write, not to mention non-file-I/O logic not wasting time with admin/standard permissions. That is the theory of course. No guarantee the good guys in Redmond considered writing dual-use code ( that is, dual file system compatibility ) it might run through the permissions functions anyway and return "not-NTFS" and save no time whatsoever.

0

Share this post


Link to post
Share on other sites

I run XP strctly on FAT-32 since my 1st XP SP2 install in 2005. Never had any problem. :yes:

0

Share this post


Link to post
Share on other sites

Sure, there is no problem in running XP in FAT32, Vista is possible, Windows 7 seemingly no, and not really because of the hardlinks, symlinks and junctions (though of course the size grows), but because of the stupid WinSXS, and the senselessly long stupid filenames:

http://reboot.pro/topic/19643-winsxs-hardlinked-files/?p=182961

(the good news being that a Windows 7 on NTFS can be shrinked by hardlinking more stuff):

http://reboot.pro/topic/19643-winsxs-hardlinked-files/

jaclaz

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.