Re: VC++ 6.0 dll can not access a network drive

Use Process Explorer (download from www.sysinternals.com which is actually a link to the
Microsoft SysInternals site. Enable showing the Integrity Level column

I just spent about eight weeks getting a program for one of my clients to run without
elevated integrity level; turns out they DO need the Windows Logo certification. I will
say that in the case of this particular program, whose details I cannot possibly discuss,
the first glance suggests that elevated integrity level was required. It was challenging
to make this one work without it, but I did it. Took about two weeks to accomplish, plus
six weeks of research (starting from ground zero) on integrity levels. There's a couple
really good blog sites out there that discuss these issues (google for
integrity level vista elevator
and the top hit is the one you want to read)

I'm not really an expert on file protection issues, but the integrity level really matters
in Vista. I wrote a program that will relaunch any program at a lower integrity level,
and it has a subroutine that displays integrity level. Since I wrote this subroutine on
my own time and it has no confidential information in it, I can send you a couple
subroutines (the whole program DOES have proprietary information in it, and I have to
seriously "sanitize" it before I can publish any part of it). Send me private email
before Sunday (otherwise I'll be off traveling for a week and off the Internet)
joe
On Tue, 25 Sep 2007 13:39:57 -0700, DBC User <dbcuser@xxxxxxxxx> wrote:

On Sep 25, 3:26 pm, Joseph M. Newcomer <newco...@xxxxxxxxxxxx> wrote:
Some notes:
*Accounts matter, but so does Integrity Level. This is an important parameter for Vista.
If accounts are the same, check integrity levels as well.

*Forcing code to run as admin may solve your problem, but it raises serious concerns about
security. Some sites will not permit users to run as admin, which is why I do my testing
as an ordinary user on Vista.

*As a consequence of local security policy being enforced, if you require "Run as
administrator" your program may no longer run on customer sites in the Real World. From a
Business Practice viewpoint, this is called a "fatal error".

*Assume that the need to "Run as administrator" is always a design mistake. In the very,
very, very few cases where it is not, then you will have to. VS really does require run
as administrator so it can debug. Not a lot of other programs should need this.

*You will have problems getting Vista certification from Microsoft if you require "Run as
Administrator"; if you do require it, you probably won't get a Microsoft logo ("Designed
for Microsoft Vista") on your product

*If the files you are working on are protected, there is a good chance they might be
"overprotected" and their security should be reduced.

*The access rights to the directory may be incorrect for lower integrity level processes.
joe





On Tue, 25 Sep 2007 12:53:44 -0700, DBC User <dbcu...@xxxxxxxxx> wrote:
On Sep 25, 1:15 pm, Bob Moore <> wrote:
I have a VC 6.0 dll, which is called from one another exe. This dll in
turn will execute couple of programs in a network with CreateProcess.
When I ran the CreateProcess, my getlast error returned with error
code 3
The server is Windows 2K3.

David's questions is very germane. What is the security context of the
loader process?

My company has a system where applications are run from within a
service, and we encountered a lot of problems when customers changed
from server 2000 to server 2003, because of the changes in share
security. It took some fairly panicky registry spelunking over an hour
on my part to fix this, and stop a customer in Florida summarily
ripping out *all* his server 2003 installations and reverting them to
2000.

Their service engineer kept saying it couldn't be security because he
could browse the problematic network location. It can be suprisingly
difficult to persuade people that just because YOUR account can see a
network resource, it doesn't mean every process currently running on
your machine can.

--
Bob Moorehttp://bobmoore.mvps.org/
(this is a non-commercial site and does not accept advertising)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Do not reply via email unless specifically requested to do so.
Unsolicited email is NOT welcome and will go unanswered.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you all for the answer. I used the process explorer and checked
the process running and is running under my user id. This happens only
in Vista client, XP clients are working fine. I am running the
application, by right clicking and selecting 'Run as Admin'.

Thanks.

Joseph M. Newcomer [MVP]
email: newco...@xxxxxxxxxxxx
Web:http://www.flounder.com
MVP Tips:http://www.flounder.com/mvp_tips.htm- Hide quoted text -

- Show quoted text -

Thank you for the detailed answer. Yes, this application I am working
on will not pass Windows logo for sure. This is our legacy
application. We already migrated part of our application (Click Once/
SCSF) and that runs nicely with Vista and keep the data all to the
user profile. Because of the client and management request, I need to
keep this app for another year till I completly migrate it to SCSF
model.
Sorry for being so naive, how and where can I check the integrity
level? I have already checked the directory and files security in the
server and they are set to normal.
Joseph M. Newcomer [MVP]
email: newcomer@xxxxxxxxxxxx
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
.

Relevant Pages

  • Re: VC++ 6.0 dll can not access a network drive
    ... This is an important parameter for Vista. ... *As a consequence of local security policy being enforced, ... *The access rights to the directory may be incorrect for lower integrity level processes. ... The server is Windows 2K3. ...
    (microsoft.public.vc.mfc)
  • Re: VC++ 6.0 dll can not access a network drive
    ... This is an important parameter for Vista. ... If accounts are the same, ... *As a consequence of local security policy being enforced, ... *The access rights to the directory may be incorrect for lower integrity level processes. ...
    (microsoft.public.vc.mfc)
  • Re: Who could tell me about process privilege?
    ... You are probably talking about what Vista calls "integrity level". ... that a process possesses that determines what it can and cannot interact with. ... note that you can create processes with much LOWER privilege than ...
    (microsoft.public.vc.mfc)
  • RE: Connot connect to shared Fax on SBS from Vista
    ... Please rerun the CEICW to make sure your SBS 2003 server have right ... On the SBS 2003 Server open the Server Management console. ... Windows Vista and Outlook 2007 ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: Outlook 2003 and Vista
    ... Based on my research, when you enable the RPC filter in ISA Server, the RPC ... Microsoft Internet Security and Acceleration Server 2004 Standard ... Ensure the default gateway and DNS of Vista are pointing to SBS internal NIC ... Can XP client with Outlook work fine? ...
    (microsoft.public.windows.server.sbs)
Loading