|
This is a list of things to watch out for when developing your WinBatch scripts:
|
|
|
Administrative types of operationsThis is a list of functions known to require an Administrator with UAC on. Scripts that include these functions should have the manifest setting requireAdministrator. IMPORTANT!: This is not a complete list of functions and will be updated as necessary:
WIL Functions AppExist ( relies on Performance Monitoring ) AppWaitClose ( relies on Performance Monitoring ) ComputerNameSet FileCopy ( to protected directories: Program Files or Windows directory ) FileCopyAttr ( to protected directories: Program Files or Windows directory ) FileDelete ( to protected directories: to Program Files or Windows directory ) FileMove ( to protected directories: to Program Files or Windows directory ) FileMoveAttr ( to protected directories: Program Files or Windows directory ) FileOpen ( to protected directories: to Program Files or Windows directory ) FilePut ( to protected directories: to Program Files or Windows directory ) FilePutW ( to protected directories: to Program Files or Windows directory ) FileRename ( to protected directories: to Program Files or Windows directory ) FileTimeTouch ( to protected directories: to Program Files or Windows directory ) FileTimeSet ( to protected directories: to Program Files or Windows directory ) FileTimeSetEx ( to protected directories: to Program Files or Windows directory ) FileWrite ( to protected directories: to Program Files or Windows directory ) IgnoreInput IniDelete ( protected Windows directory ) IniDeletePvt ( to protected directories: to Program Files or Windows directory ) IniWrite ( protected Windows directory ) IniWritePvt ( to protected directories: to Program Files or Windows directory ) IntControl 58 (set system time) IntControl 84 RegApp ( protected key ) RegConnect RegLoadHive ( to protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT ) RegQuery__ ( to protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT ) RegSet__ ( to protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT ) RegUnloadHive ( to protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT ) TerminateApp ( relies on Performance Monitoring ) WinExeName ( relies on Performance Monitoring )
Extender Functions Control Manager Extender ( relies on Performance Monitoring): cWndByWndSpec, cWndByWndSpecName, cWndGetWndSpec, cWndGetWndSpecName Process Extender ( relies on Performance Monitoring): tListProc Win32 Network Extender ( add or delete User accounts): WntUserAdd, wntUserDelete ADSI Extender ( add or delete User accounts): dsCreateObj, dsDeleteObj
uiAccess TRUE issuesIf Manifest uiAccess set to TRUE then:
Control Manager ExtenderIn order to run a compiled WinBatch EXE, that contains Control Manager Extender functions, on a Windows System with UAC enabled requires:
Roboscripter / Control Manager ExtenderISSUE: 'Minor Error Occured' when trying to execute an 'action' in Roboscripter on Vista 64 These functions are designed for Windows 32 bit application controls and cannot be used on Windows 64 bit controls. cClearLVItem cClearTVItem cClickToolbar cDblClickItem cGetCalDate cGetHRText cGetIpAddr cGetLVColText cGetLvDdtText cGetLvFocText cGetLvSelText cGetLVText cGetSBText cGetTBText cGetTVItem cGetUpDownMax cGetUpDownMin cSetCalDate cSetDTPDate cSetLVItem cSetTVItem cSetUpDownPos
DiskScan IssuesDiskScan(4) is returning a blank string on Windows Vista, even though Windows Explorer shows the network drive mappings. ISSUE: When running as an Administrator on Vistaor newer , the user has two contexts: the limited user context, and the administrator context. When you map drives in Windows Explorer, they are added only for the limited user context. Thus when the script runs in the administrative context, no mapped drives 'seen' by the script. WBT files run with user elevation 'HighestAvilable', which means when running under an Administrator account the script is running in the context of the administrator NOT the user. OPTIONS:
It would seem that many other functions are also affected by this issue. Most any function that references the mapped drive: DirChange, FileOpen, FileExist, FileItemize, wntGetCon, etc.
Run 1932 WinExec Error 'Requested Operation Requires Elevation'Run, RunWait or RunShell causing the '1932: WinExec Function Failed' error with the additional error information stating ' Requested Operation Requires Elevation'. Instead call ShellExecute which will prompt the user if necessary.
Registry IssuesWindows Vista and newer is clamping down on Windows applications that require administrative privileges. Specifically applications that 'unnecessarily' write to the HKEY_LOCAL_MACHINE (HKLM) or system parts of the file system. For example, HKEY_LOCAL_MACHINE only grants KEY_WRITE to administrators and SYSTEM Accounts. An application that requests KEY_WRITE to HKEY_LOCAL_MACHINE will not work with UAC enabled. Registry virtualization is a Microsoft application compatibility technology that enables registry write operations that have global impact to be redirected to per-user locations. This redirection is transparent to applications reading from or writing to the registry. It is supported starting with Windows Vista. Registry operations to the global store (HKEY_LOCAL_MACHINE\Software) are redirected to a per-user location within the user's profile known as the virtual store (HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software). Keep this in mind when developing scripts that write to the registry. The function RegOpenFlags lets you specify an alternate view of the registry for Reg[..] functions which create, open, and delete registry keys, when running on (or accessing) a 64-bit Windows platform.
File System RedirectionWinBatch is a 32 bit application. When it is run on a 64 bit Windows platform, the Windows file system auto-magically redirects file operations that refer to 64 bit directories to the 32 bit equivalents. For example, the %windir%\System32 directory is reserved for 64-bit applications. Since most System DLL file names were not changed when porting to 64-bit, 32-bit applications must use a different directory as their System32 directory. WOW64 hides this difference using file system redirection. Whenever a 32-bit application,like WinBatch, attempts to access %windir%\System32, the access is redirected to a new directory, %windir%\SysWOW64. IntControl 92 can be used to disable this functionality.
RunOnce and Startup IssuesOn Vista or newer this issue occurs because a program or a service that has User Account Control (UAC) restrictions tries to start during the Windows startup process or logon process. Software Explorer blocks programs or services that require UAC confirmation from running. To let you know that the program has been blocked, a message will appear in the notification tray to the right of your desktop, near the clock. Those who wish to have their compiled WinBatch scripts as part of the startup process are encouraged to architect their applications to run AsInvoker so that all users (that is, administrators and standard users) can run the software without the need for a UAC elevation. The UacExePromptTest function can be used to check if the EXE was going to cause a UAC prompt. If the EXE causes a UAC prompt Vista will not allow it to run at Startup.
Possible work around: This will allow your script to run at windows startup with full permission and no longer display the blocked programs alert on the bottom right tray.
Remove the EXE from the Startup. You will need to create a Task using the Task Scheduler with full permissions. 1. Launch the Task Scheduler. Start Menu | All Programs | Accessories | System Tools 2. From the Actions panel on the right, select Create Task... a. Name the Task in the "Name Section" 3. On the General tab under Security Options a. Select an user account with administrative privileges b. Select the radio button 'Run only when user is logged on' c. Check the box 'Run with highest privileges' 4. On the Triggers tab and click New... a. In Begin the task, select 'At log on' b. In the Settings options, select All users c. In the 'Advanced Settings' options, check the box Enabled d. Click OK to close the dialog 5. On the Actions tab and click New... a. For Action, select 'Start a program' b. In the Settings options, browse for the script you want to execute on startup c. Click OK to close the dialog 6. On the Settings tab a. Check the box Run task as soon as possible after a scheduled start is missed b. Uncheck the box Stop the task if it runs longer than 7. Make any other desired settings 8. Click OK to save and close the task properties
The reason the task scheduler solution is allowed to work is because non-administrative programs cannot create scheduled tasks, so there is no way for malware to abuse this service in the way that is possible with the other startup methods.
Unknown PublisherIf you do not sign your compiled WinBatch EXEs then Windows Vista or newer makes your program to appear as if it's a malware or a virus program. When you run an EXE on Vista or newer, you may receive a message asking you whether or not you trust the application you are about to run. If your EXE is not digitally signed then the Popup message will reference an "Unknown Publisher". If the EXE is digitally signed it will reference your own information in the Popup message. NOTICE: Down the road, Windows will require any EXE, regardless of functionality, running under UAC, to be signed and trusted.
Installer Detection TechnologyInstallation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by an administrator user, which means that standard users do not have sufficient access to install programs. Windows Vista and newer heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updater and uninstallation programs. Note that a design goal of UAC is to prevent installations from being executed without the user's knowledge and consent since they write to protected areas of the file system and registry. Installer Detection only applies to:
Before a 32 bit process is created, the following attributes are checked to determine whether it is an installer:
Note: Installer Detection should not affect your WinBatch scripts that include a Manifest.
More Information on UACThis is only a basic explanation of UAC. For more info on UAC:
Understanding and Configuring User Account Control in Windows
|