Re: [PS] Vista Install Issues




Hi Keith;

Some answers to your questions:

1) Starting Prompt. I can't say anything about the prompt you got from the
installation -- but the message you got for the formatting file will go away
in the final version.

2) UAP. Windows Vista has the following concepts on how an executable
interacts with UAP:
- "Require Administrator" -- You will be prompted for (and run under)
your Administrator credentials whenever you launch the application. You
cannot run this as a non-admin user. No virtualization occurs.
- "Highest Available" -- Windows Vista will use the highest credential
that it can obtain. If you are running as an Administrator, you will get
the elevation prompt. No virtualization occurs.
- "As Invoker" -- The application runs under the same privilege as the
parent process. No virtualization occurs.
- (Default) -- The application runs under the same privilege as the
parent process. Protected parts of the filesystem and registry are
virtualized as required.

Since so few operations in Windows PowerShell actually require
Administrator credentials, the first two options would cause people to
needlessly run the shell under Administrator credentials most of the time.
Virtualizing the registry and filesystem is even worse, as administrators
may think they have modified the actual system -- when in fact they operated
only on a virtualized view of it. We chose the "As Invoker" model -- not
only because it was the last one left, but because it most closely followed
the principles of Least Privilege. This is also the model followed by
cmd.exe.

A "su" command would indeed be helpful -- I believe that runas.exe includes
switches to force an application to run under the actual credentials
supplied. Tony's posts might be helpful guidance here:
http://mshforfun.blogspot.com/2006/03/release-of-mshforfunsecurity-mshsnapin.html

3) "My Documents."

We don't generate the files in this directory -- they are user-authored
documents. The folder will also contain other user-authored documents, such
as types and formatting customizations. Even more, the profile is one of a
shell user's most treasured documents. Users quickly consider this to be a
vitally personal document -- along with their .emacs / .vimrc. The internet
is full of these "dotfiles" that people are proud enough to share. It is
already one of the first and most common things that PowerShell users share.
In Word, you generate Word documents. In Excel, you generate spreadsheets.
In PowerShell, you generate profiles, scripts, and ps1xml extension files.

--
Lee Holmes [MSFT]
Windows PowerShell Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


"Keith Hill [MVP]" <r_keith_hill@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23oc4JRKaGHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
First thing is that the installer needs to be authenticode signed with the
Microsoft cert so that we don't get this ominous warning on install:



Vista should at the very least be able to determine that this software
package's publisher is Microsoft.

Also why do we get the warning when starting PowerShell about running
software from an untrusted publisher on types.ps1xml (ugh I really don't
like the "1" in there)? That file is signed. It seems to me that there
shouldn't be any issue about it being untrusted.

Also what is the plan to work with Vista User Account Control because even
though I'm an admin I get access denied when trying to execute
Set-ExecutionPolicy because I don't have write access to HKLM. I can use
"Run elevated" to start a new PS to do this but that is a drag and not very
"shell-ish". It would be nice to have some sort of subshell with SU like
capabilities.

Finally PS wants to create my profile script in the Vista user Documents
directory. I really believe this is the *wrong* place considering that the
user's folder structure has been reworked such that Documents is empty
out-of-the-box and is meant only for text files, word, excel, power point,
etc. Even Pictures and Music has been moved out of Documents and resides at
the same level under C:\Users\<username>. I suggest that on Vista you
consider putting the profile in $home\PowerShell Configuration. Or I would
be perfectly happy with my profile scripts going directly under $home. I
have that many years with MKS toolkit sticking a profile.ksh in my $HOME
dir.

--
Keith
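
An added illustration of the "As Invoker" model and the SU-like request discussed in this thread (not code from either poster or from the PowerShell team): the shell stays unelevated and only the one command that needs HKLM write access is started elevated. The helper names Test-IsElevated and Invoke-Elevated are hypothetical, and the sketch assumes Windows PowerShell 2.0 or later with UAC enabled.

```powershell
# Added example. Test-IsElevated and Invoke-Elevated are hypothetical helper names.
# Assumes Windows PowerShell 2.0 or later (Start-Process) with UAC enabled.

function Test-IsElevated {
    # Under UAC an administrator's default token has the Administrators group
    # marked deny-only, so this is $false in an unelevated "As Invoker" shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock] $ScriptBlock
    )

    if (Test-IsElevated) {
        # Already elevated: no second prompt, run in this process.
        return (& $ScriptBlock)
    }

    # -EncodedCommand takes base64 of the UTF-16LE command text, which avoids
    # quoting problems when the command is passed to the child process.
    $bytes   = [Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString())
    $encoded = [Convert]::ToBase64String($bytes)

    try {
        # -Verb RunAs raises the consent prompt. Only the child is elevated;
        # the calling shell keeps its original token.
        $child = Start-Process -FilePath "$PSHOME\powershell.exe" `
            -ArgumentList '-NoProfile', '-EncodedCommand', $encoded `
            -Verb RunAs -Wait -PassThru -ErrorAction Stop
    }
    catch {
        # Declining the prompt surfaces here as an error from Start-Process.
        Write-Error "Elevation was declined or failed: $($_.Exception.Message)"
        return
    }

    if ($child.ExitCode -ne 0) {
        Write-Error "Elevated command exited with code $($child.ExitCode)."
    }
}

# Usage, for the HKLM write mentioned in the thread:
#   Invoke-Elevated { Set-ExecutionPolicy RemoteSigned }
```

The script block is passed to the child as text, so variables from the calling session are not available inside the elevated command.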

