Windows Vista
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Windows Vista as PDF for free.
More details
- Words: 2,138
- Pages: 5
Windows Vista, Windows 64-bit User Account Control Windows Vista includes a new security feature - User Account Control (UAC). With UAC, even on administrator accounts most processes (running programs) have limited privileges. It creates problems for many programs. This topic describes problems that may have QM when running on Vista, and gives workarounds for most of them. You also may want to read about running QM-created programs on Vista. On Vista, there are several predefined privilege sets, also called integrity levels (IL). An IL is assigned to a process (running program) before starting it, and cannot be changed while it is running. The table gives some information about different integrity levels. IL High
Comments The process runs as administrator, like on Windows XP. When starting a process that needs administrator privileges, usually is shown a dialog with name "User Account Control" (consent dialog). The process then is called eleveted. The program can be marked to require such privileges, or you can run it as administrator using the right-click menu, or you can set it to run as administrator in file properties dialog, or if Windows decides that it is a setup program. A process launched by a process that has administrator privileges also has administrator privileges, but does not require a consent. By default, QM runs with High IL (as administrator), although you can change it in Options. To create better user experience, a consent dialog is not shown when QM starts. Otherwise QM would be blocked at Windows startup. Also, processes launched by QM have Medium IL by default.
Medium
The process runs as standard user, like on a non-administrator account. It has limited privileges. For example, It cannot write to Windows and Program Files folders, cannot write to most registry keys, cannot manipulate services, and much more. Also, it cannot interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with higher IL processes. On Vista, most processes have Medium IL. Windows Explorer also has Medium IL. QM runs with Medium IL if in Options is selected Vista UAC: run as User, which is not recommended.
uiAccess The process has Medium IL, but is allowed to interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with High IL and uiAccess processes.
Low
System
Only few programs have uiAccess privileges. QM runs with uiAccess privileges if in Options is selected Vista UAC: run as uiAccess, which is recommended if you don't want that QM is running as administrator. On non-administrator accounts, QM runs as uiAccess by default. The process has minimal privileges. It can write only to several predefined folders and registry keys. Normally, with Low IL runs only Internet Explorer, when protected mode is on. Highest privileges. Normally only some services and some system processes run with System IL.
Q. What IL uses QM? Can it be changed?
A. By default QM runs as administrator. It can be changed in Options. Q. Should QM run as administartor, uiAccess, or standard user? When it has less problems with UAC? A. QM has less problems when it runs as administrator. Then almost everything that worked in previous operating systems also works on Vista. Q. Is it safe if QM runs as administrator? A. It is quite safe. Programs started by QM (run) have medium IL. If you feel it is not safe, you can set it to run as uiAccess. The User mode (Medium IL) is not recommended. Q. Can some macros run with different IL than QM? A. Yes, if they run in separate process. You can set it in Properties. Q. Is it possible to turn off UAC? A. Yes, you can completely turn off UAC in Control Panel -> User Accounts. The security level will still be the same or slightly higher than on Windows XP. Also, some options can be changed in local security policy (run "secpol.msc"). For example, you can set to elevate without consent, or to show consent in default desktop. Q. Is it possible to run a program as administrator without a consent dialog? A. Use flag 0x10000 or 0x20000 with run. Or use function StartProcess. Or, in macro properties, check "Run in separate process" and select "Administrator" or "Highest available". It is possible only from QM. Without QM, it is possible for example using the Windows Task Scheduler. Q. Is it possible to automatically close the consent dialog for some programs? A. There is no such option in Windows. QM also cannot automate it because the dialog is created in a secure desktop. If the dialog is not in a secure desktop (you can set it in local security policy), then you can create a function that closes it. You can find more information about UAC in Vista Help and on the Internet. If you need QM-specific information, you can ask about it in the Quick Macros forum. See also: GetProcessUacInfo, IsUserAdmin What does not work on Vista
1. When you launch protected mode Internet Explorer, actually are started two processes. The first process usually exits immediately. For this reason, all "wait for" options don't work with run. For the same reason, SHDocVw.InternetExplorer functions don't work if you create the object using _create. Possible workarounds: 1. Use web instead. 2. In Properties, check "Run in separate process" and select Low. 3. Turn off IE protected mode. 4. Turn off UAC. 2. And maybe more (not yet discovered). To solve most other UAC-related problems, you can set QM or separate macros to run with appropriate IL. The information below should help you decide what IL you should use. What does not work on Vista when QM is running as Administrator or uiAccess Some operations are not allowed between different IL processes. Although most of them are not allowed only when initiated by the lower IL process, some of them also are not allowed when initiated by the higher IL process.
1. _getactive, GetObject (VBScript) and some other COM functions cannot get COM objects from different IL processes. _getactive also is used in some other functions. For example,
ExcelSheet.Init cannot connect to Excel. Possible workarounds: 1. In Properties, check "Run in separate process" and select same privileges as of the target app (usually User). 2. Start the target app using _create. 3. Run both QM and the target app as administrator. 4. Turn off UAC. 2. Drag and drop from Medium IL processes (e.g. Windows Explorer). QM uses another process to reenable its drag and drop feature. However, WM_DROPFILES in custom dialogs does not work. Possible workarounds: 1. Use QmRegisterDropTarget instead. 2. In Properties, check "Run in separate process" and select User. 3. Turn off UAC. 3. And maybe more. What does not work on Vista when QM is running as User or uiAccess Some functions and other QM features require administrator privileges. If QM (or exe) is not running as administrator, these features don't work.
1. Writing to some file system locations, such as Program Files and Windows folders (cop, ren, del, MkDir, SetAttr, str.setfile, etc).
2. Writing to some registry keys, such as HKEY_LOCAL_SYSTEM and HKEY_CLASSES_ROOT 3. 4. 5. 6. 7. 8.
9. 10. 11.
(rset). Automatic COM object registration by _create (because cannot write to the registry). RegisterComComponent. You can use flag 4 to show consent dialog. GetDiskUsage. It uses PDH functions that require administrator privileges. SetPrivilege. Manipulating services. Changing computer date. Some COM functions, including _getactive and GetObject (VBScript), don't work with different IL processes. Read more above. If you use shareware protection system for macros (available in the forum), make sure you have the latest version, because older versions don't work on Vista when running not as administrator. Also, some editing required. And maybe more.
Everything above also does not work on non-administrator user accounts on all OS. Possible workarounds: 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator. 3. Turn off UAC. What does not work on Vista when QM is running as User The following functions don't work with higher IL windows unless QM (or exe) is running as administrator or uiAccess. This is more actual for exe, because QM can run as administrator or uiAccess.
1. Keyboard and mouse commands (key, outp, str.getsel, str.setsel, lef, mou, acc.Mouse, ifk, wait 2. 3. 4. 5.
K, wait M, and other). Mouse commands don't work in any window if currently active window has higher IL. Windows API functions that send messages (SendMessage, PostMessage, etc). Only few messages can be sent. Many Windows API functions that manipulate windows (SetWindowPos, EnableWindow, etc). Functions that use SendMessage, SetWindowPos, etc . Most of them are menu and control functions (men, but, CB_x, LB_x, acc.DoDefaultAction, etc) and window functions (hid, max, mov, siz, ont, ArrangeWindows, Zorder, Transparent, etc). Most hooks. For example, function BlockInput2 (available in the forum) uses low level keyboard and mouse hooks.
6. BlockInput does not work with all windows. 7. And maybe more. This should not be a big problem, because normally most programs don't run as administrator. Administrative programs usually are used briefly and don't need to be automated. However, currently there are quite many non-Vista-aware programs that don't work without administrative privileges. For example, if a program saves files in its home directory, which usually is in Program Files, it must run as administrator. Possible workarounds (QM): 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator. 3. Turn off UAC. Possible workarounds (exe): 1. Run exe from QM: in Properties check "Run in separate process" and select As QM (if QM runs as administrator or uiAccess) or Administrator. If you need to launch it from e.g. desktop, create shortcut to run the macro (in Properties). Of course, QM must be installed. 2. Set uiAccess="true" in the manifest, and sign the exe file. It works well on any computer (QM is not needed). Read more about signing in the make exe topic. 3. Run exe as administrator. It requires consent, unless exe is started from another program that is running as administrator. 4. If possible, don't run target programs as administrator. 5. Turn off UAC. Vista bugs
1. uiAccess programs cannot open folders using ShellExecute[Ex] if "Launch folder windows in a separate process" is checked in Control Panel -> Folder Options -> View. It is unchecked by default. The run command, which uses ShellExecuteEx, uses a workaround for this. However it will fail in exe running with uiAccess privileges (exe can run with uiAccess privileges only if launched by QM or marked as uiAccess in manifest). Also, if you use ShellExecute[Ex] or other functions that call it, they will fail. Possible workarounds: 1. Uncheck the checkbox. 2. If QM is running as uiAccess, and "Run in separate process" is checked in Properties, select something other than As QM. 3. Use run "explorer.exe" "folder" instead of run "folder". 4. Turn off UAC. 2. QM cannot load some type libraries (maybe about 1%) because they are incorrectly registered. The OLE/COM Object Viewer also cannot open these type libraries. Possible workarounds: 1. If possible, with typelib use path instead of GUID. 2. Edit the registry: remove double quotes from type library path. 3. Since Vista SP1, when editing a scheduled task in QM, every time you press OK or Apply it shows a password dialog. Click Cancel. 4. And maybe more. Other problems on Vista
1. Scheduled tasks can be configured either for Vista or for XP/2000/2003. QM creates and recognizes tasks configured for XP/2000/2003. You should edit QM-created tasks only from QM. If you convert a task to the Vista format, it still works (starts the macro), but QM does not recognize it, and you must not try to edit it through QM. 2. Scheduled tasks created while UAC is turned off have two problems: 1. Cannot be managed from QM while UAC is on and QM is running not as administrator. 2. Checked 'Run with highest privileges'. These problems will appear only when you turn on UAC. Scheduled tasks created while UAC is on don't have these problems. Scheduled tasks created while QM runs as another user (runs as administrator from an user account) also have these problems, even if UAC is on. 64-bit Windows
Although QM is a 32-bit program, it runs well on 64-bit windows. There are some differences. On 64-bit Windows, there are separate System and Program Files folders for 64-bit and 32-bit programs. It does not break macros written on 32-bit Windows. Special folder "$program files$" expands to the 32-bit folder ("Program Files (x86)"). Special folder "$system$", although expands to the 64-bit folder ("C:\Windows\System32"), but actually is used the 32-bit folder ("C:\Windows\SysWOW64"). That is, the run command most of the time will launch 32-bit versions of programs. Also, there are separate registry locations for 32-bit programs. It does not break macros written on 32-bit Windows.
Comments The process runs as administrator, like on Windows XP. When starting a process that needs administrator privileges, usually is shown a dialog with name "User Account Control" (consent dialog). The process then is called eleveted. The program can be marked to require such privileges, or you can run it as administrator using the right-click menu, or you can set it to run as administrator in file properties dialog, or if Windows decides that it is a setup program. A process launched by a process that has administrator privileges also has administrator privileges, but does not require a consent. By default, QM runs with High IL (as administrator), although you can change it in Options. To create better user experience, a consent dialog is not shown when QM starts. Otherwise QM would be blocked at Windows startup. Also, processes launched by QM have Medium IL by default.
Medium
The process runs as standard user, like on a non-administrator account. It has limited privileges. For example, It cannot write to Windows and Program Files folders, cannot write to most registry keys, cannot manipulate services, and much more. Also, it cannot interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with higher IL processes. On Vista, most processes have Medium IL. Windows Explorer also has Medium IL. QM runs with Medium IL if in Options is selected Vista UAC: run as User, which is not recommended.
uiAccess The process has Medium IL, but is allowed to interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with High IL and uiAccess processes.
Low
System
Only few programs have uiAccess privileges. QM runs with uiAccess privileges if in Options is selected Vista UAC: run as uiAccess, which is recommended if you don't want that QM is running as administrator. On non-administrator accounts, QM runs as uiAccess by default. The process has minimal privileges. It can write only to several predefined folders and registry keys. Normally, with Low IL runs only Internet Explorer, when protected mode is on. Highest privileges. Normally only some services and some system processes run with System IL.
Q. What IL uses QM? Can it be changed?
A. By default QM runs as administrator. It can be changed in Options. Q. Should QM run as administartor, uiAccess, or standard user? When it has less problems with UAC? A. QM has less problems when it runs as administrator. Then almost everything that worked in previous operating systems also works on Vista. Q. Is it safe if QM runs as administrator? A. It is quite safe. Programs started by QM (run) have medium IL. If you feel it is not safe, you can set it to run as uiAccess. The User mode (Medium IL) is not recommended. Q. Can some macros run with different IL than QM? A. Yes, if they run in separate process. You can set it in Properties. Q. Is it possible to turn off UAC? A. Yes, you can completely turn off UAC in Control Panel -> User Accounts. The security level will still be the same or slightly higher than on Windows XP. Also, some options can be changed in local security policy (run "secpol.msc"). For example, you can set to elevate without consent, or to show consent in default desktop. Q. Is it possible to run a program as administrator without a consent dialog? A. Use flag 0x10000 or 0x20000 with run. Or use function StartProcess. Or, in macro properties, check "Run in separate process" and select "Administrator" or "Highest available". It is possible only from QM. Without QM, it is possible for example using the Windows Task Scheduler. Q. Is it possible to automatically close the consent dialog for some programs? A. There is no such option in Windows. QM also cannot automate it because the dialog is created in a secure desktop. If the dialog is not in a secure desktop (you can set it in local security policy), then you can create a function that closes it. You can find more information about UAC in Vista Help and on the Internet. If you need QM-specific information, you can ask about it in the Quick Macros forum. See also: GetProcessUacInfo, IsUserAdmin What does not work on Vista
1. When you launch protected mode Internet Explorer, actually are started two processes. The first process usually exits immediately. For this reason, all "wait for" options don't work with run. For the same reason, SHDocVw.InternetExplorer functions don't work if you create the object using _create. Possible workarounds: 1. Use web instead. 2. In Properties, check "Run in separate process" and select Low. 3. Turn off IE protected mode. 4. Turn off UAC. 2. And maybe more (not yet discovered). To solve most other UAC-related problems, you can set QM or separate macros to run with appropriate IL. The information below should help you decide what IL you should use. What does not work on Vista when QM is running as Administrator or uiAccess Some operations are not allowed between different IL processes. Although most of them are not allowed only when initiated by the lower IL process, some of them also are not allowed when initiated by the higher IL process.
1. _getactive, GetObject (VBScript) and some other COM functions cannot get COM objects from different IL processes. _getactive also is used in some other functions. For example,
ExcelSheet.Init cannot connect to Excel. Possible workarounds: 1. In Properties, check "Run in separate process" and select same privileges as of the target app (usually User). 2. Start the target app using _create. 3. Run both QM and the target app as administrator. 4. Turn off UAC. 2. Drag and drop from Medium IL processes (e.g. Windows Explorer). QM uses another process to reenable its drag and drop feature. However, WM_DROPFILES in custom dialogs does not work. Possible workarounds: 1. Use QmRegisterDropTarget instead. 2. In Properties, check "Run in separate process" and select User. 3. Turn off UAC. 3. And maybe more. What does not work on Vista when QM is running as User or uiAccess Some functions and other QM features require administrator privileges. If QM (or exe) is not running as administrator, these features don't work.
1. Writing to some file system locations, such as Program Files and Windows folders (cop, ren, del, MkDir, SetAttr, str.setfile, etc).
2. Writing to some registry keys, such as HKEY_LOCAL_SYSTEM and HKEY_CLASSES_ROOT 3. 4. 5. 6. 7. 8.
9. 10. 11.
(rset). Automatic COM object registration by _create (because cannot write to the registry). RegisterComComponent. You can use flag 4 to show consent dialog. GetDiskUsage. It uses PDH functions that require administrator privileges. SetPrivilege. Manipulating services. Changing computer date. Some COM functions, including _getactive and GetObject (VBScript), don't work with different IL processes. Read more above. If you use shareware protection system for macros (available in the forum), make sure you have the latest version, because older versions don't work on Vista when running not as administrator. Also, some editing required. And maybe more.
Everything above also does not work on non-administrator user accounts on all OS. Possible workarounds: 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator. 3. Turn off UAC. What does not work on Vista when QM is running as User The following functions don't work with higher IL windows unless QM (or exe) is running as administrator or uiAccess. This is more actual for exe, because QM can run as administrator or uiAccess.
1. Keyboard and mouse commands (key, outp, str.getsel, str.setsel, lef, mou, acc.Mouse, ifk, wait 2. 3. 4. 5.
K, wait M, and other). Mouse commands don't work in any window if currently active window has higher IL. Windows API functions that send messages (SendMessage, PostMessage, etc). Only few messages can be sent. Many Windows API functions that manipulate windows (SetWindowPos, EnableWindow, etc). Functions that use SendMessage, SetWindowPos, etc . Most of them are menu and control functions (men, but, CB_x, LB_x, acc.DoDefaultAction, etc) and window functions (hid, max, mov, siz, ont, ArrangeWindows, Zorder, Transparent, etc). Most hooks. For example, function BlockInput2 (available in the forum) uses low level keyboard and mouse hooks.
6. BlockInput does not work with all windows. 7. And maybe more. This should not be a big problem, because normally most programs don't run as administrator. Administrative programs usually are used briefly and don't need to be automated. However, currently there are quite many non-Vista-aware programs that don't work without administrative privileges. For example, if a program saves files in its home directory, which usually is in Program Files, it must run as administrator. Possible workarounds (QM): 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator. 3. Turn off UAC. Possible workarounds (exe): 1. Run exe from QM: in Properties check "Run in separate process" and select As QM (if QM runs as administrator or uiAccess) or Administrator. If you need to launch it from e.g. desktop, create shortcut to run the macro (in Properties). Of course, QM must be installed. 2. Set uiAccess="true" in the manifest, and sign the exe file. It works well on any computer (QM is not needed). Read more about signing in the make exe topic. 3. Run exe as administrator. It requires consent, unless exe is started from another program that is running as administrator. 4. If possible, don't run target programs as administrator. 5. Turn off UAC. Vista bugs
1. uiAccess programs cannot open folders using ShellExecute[Ex] if "Launch folder windows in a separate process" is checked in Control Panel -> Folder Options -> View. It is unchecked by default. The run command, which uses ShellExecuteEx, uses a workaround for this. However it will fail in exe running with uiAccess privileges (exe can run with uiAccess privileges only if launched by QM or marked as uiAccess in manifest). Also, if you use ShellExecute[Ex] or other functions that call it, they will fail. Possible workarounds: 1. Uncheck the checkbox. 2. If QM is running as uiAccess, and "Run in separate process" is checked in Properties, select something other than As QM. 3. Use run "explorer.exe" "folder" instead of run "folder". 4. Turn off UAC. 2. QM cannot load some type libraries (maybe about 1%) because they are incorrectly registered. The OLE/COM Object Viewer also cannot open these type libraries. Possible workarounds: 1. If possible, with typelib use path instead of GUID. 2. Edit the registry: remove double quotes from type library path. 3. Since Vista SP1, when editing a scheduled task in QM, every time you press OK or Apply it shows a password dialog. Click Cancel. 4. And maybe more. Other problems on Vista
1. Scheduled tasks can be configured either for Vista or for XP/2000/2003. QM creates and recognizes tasks configured for XP/2000/2003. You should edit QM-created tasks only from QM. If you convert a task to the Vista format, it still works (starts the macro), but QM does not recognize it, and you must not try to edit it through QM. 2. Scheduled tasks created while UAC is turned off have two problems: 1. Cannot be managed from QM while UAC is on and QM is running not as administrator. 2. Checked 'Run with highest privileges'. These problems will appear only when you turn on UAC. Scheduled tasks created while UAC is on don't have these problems. Scheduled tasks created while QM runs as another user (runs as administrator from an user account) also have these problems, even if UAC is on. 64-bit Windows
Although QM is a 32-bit program, it runs well on 64-bit windows. There are some differences. On 64-bit Windows, there are separate System and Program Files folders for 64-bit and 32-bit programs. It does not break macros written on 32-bit Windows. Special folder "$program files$" expands to the 32-bit folder ("Program Files (x86)"). Special folder "$system$", although expands to the 64-bit folder ("C:\Windows\System32"), but actually is used the 32-bit folder ("C:\Windows\SysWOW64"). That is, the run command most of the time will launch 32-bit versions of programs. Also, there are separate registry locations for 32-bit programs. It does not break macros written on 32-bit Windows.
Related Documents
Windows Vista
May 2020 22
Windows Vista
May 2020 3
Windows Vista
May 2020 9
Windows Vista
November 2019 29
Windows Vista
May 2020 29