4
votes

Is there a way to find out what privileges my application needs in order to run in a Windows 7 environment?

I have a Delphi application that is using BDE and ODBC for database connectivity. This application works on most computers with Windows 7 running on a normal user account. However on some computers it only works on accounts with administrative privileges and is not working correctly on normal user accounts. I suspect it's a permission problem. The computers also are running in Active Directory.

I tried to find some informations using Process Monitor from SysInternals, however the output for me is too advanced. The process monitor log for two runs of my app (1. successful with administrative rights, 2. unsuccessfull on normal rights) had over 22k lines and i could not find the answer (needle) in the process monitor log (haystack).

What could i do to determine the privileges that my app needs in windows 7?

2
Most likely your app is saving to a protected folder, e.g. Program Files, or writing to a protected reg key, e.g. HKLM. Those are the first things to check. What feedback do you get from the app itself? I'm assuming you can't run the debugger on a system that fails.David Heffernan
Thanks for your comment David. I have a rather complicated login mechanism and my application refuses to login without administrative rights. But again you are right - i cant run on this systems the debugger so i dont know where the error is. So i tried procmon, but as for now without much success.Robert Niestroj
If you can't think of any file or registry access that is obviously to protected areas then you need to add logging to your app. Or learn how to decipher procmon output.David Heffernan
In the download page of MS Application Verifier, it says that "Application Verifier also includes checks to predict how well an application may perform under various account privileges". I have never seen it at work though.Sertac Akyuz
Nobody can debug your code for you. You're going to have to do it.Warren P

2 Answers

6
votes

Use the Standard User Analyzer from the Microsoft Application Compatibility Toolkit.

The Standard User Analyzer (SUA) tool and the Standard User Analyzer Wizard (SUA Wizard) both enable you to test your applications and to monitor API calls in order to detect potential compatibility issues due to the User Account Control (UAC) feature in the Windows® 7 operating system.

UAC, formerly known as Limited User Account (LUA), requires that all users (including members of the Administrator group) run as Standard Users, until the application is deliberately elevated, by using the security prompt dialog box. However, not all applications can run properly with the Standard User role, due to the application requiring access and privileges for locations that are unavailable to a Standard User.

1
votes

Aaron Margosis has a tool called LUA Buglight that is designed to help track down issues related to privileges.

You can download the latest version from this blog post: LUA Buglight 2.1.1 with support for Win7/2008R2 SP1

It is similar in concept to the MS Application Verifier. However, in practice I found LUA Buglight much easier to use and understand. Same with ProcessMonitor. It will monitor your process in a similar way but only report actions that failed as a normal user but succeeded as a admin user.

There is no documentation but it is simple to use. From the main GUI window select your Exe and let the BugLight program launch it. You need to be running in an Admin account with UAC enabled. Run your program though the steps that fail when you are not an admin. When you are done click on the Stop Logging button to see a report that lists what calls would have failed without admin rights.