Jump to content











Photo
* * * - - 1 votes

WinBuilder [074] and the Vista Permissions Nightmare


  • Please log in to reply
45 replies to this topic

#26 allanf

allanf

    Gold Member

  • .script developer
  • 1256 posts

Posted 27 February 2008 - 12:21 AM

Just Right-Click on WinBuilder and run as admin.


antonio9,

... also cannot dublicate that error on 'Server 2008 beta 3' with newly created Standard User and UAC turned on. Only require Rt-Click as above, and follow prompts. No problems!

#27 paraglider

paraglider

    Gold Member

  • .script developer
  • 1729 posts
  • Location:NC,USA
  •  
    United States

Posted 27 February 2008 - 03:08 AM

I have no problem running winbuilder on vista + sp1 with UAC enabled as long as I run winbuilder as an administrator. I find the easiest way is to right click on winbuilder.exe and in the compatability options set 'Run the program as an administrator' check box. That way however the program is launched its run as an administrator.

#28 Arvy

Arvy

    Frequent Member

  • Developer
  • 430 posts
  • Location:Canada, Parry Sound
  • Interests:IT, Outdoors, Horses
  •  
    Canada

Posted 27 February 2008 - 04:57 AM

I have already taken ownership of the primary C:\WinBuilder folder (I use a little own.reg file that adds
a very convenient "Take Ownership" option to the menu you get when you right-click a file or folder).

Just taking ownership of the primary C:\WinBuilder folder is not sufficient. To repeat with emphasis: your first action MUST be to take ownership of the primary C:\WinBuilder folder and EVERYTHING within that folder that you don't already own. That means ALL of the subordinate subfolders and their content.

I need help in the specific steps required to apply and propagate a consistent set of permissions throughout the entire folder/subfolders/files structure (if it is possible). You can review my travails while I was trying to give full control to "Everyone", in my original post and in my reply to arby. Actually, I am in a "desperation" phase where I believe that what I'm trying to do is just not possible on Vista Home Premium! Apparently, there is workaround that may work on Vista Ultimate.

I recall very well your travails as you described them in your first reply to me: "An error occurred while applying security information to C:\winbulder\custom. Access denied" and “Stopping the propagation of permission leads to an inconsisting state, in which some objects have the settings but others don’t”. If nothing else, it certainly makes inconsistent access permisions very obvious.

That is exactly why I offered the advice that I did. I can only repeat that also with added emphasis: So long as a situation exists where you (UserX) don't have the ability to alter permissions for EVERY entity (folders and files) subordinate to the primary folder, you will continue to be thwarted by that "Catch-22" situation of (1) an error message telling you so and (2) a scary message about inconsistent propagation when you accept the error message.

I understand and can empathise with your "desperation" because I've also been in some tight corners from time to time. But, for that very reason, I only offer advice based on what I consider safe and would do myself. In this case, owning the entire folder/subfolders/files structure is the surest way I know to enable the propagation of a consistent set of permissions throughout that structure.

#29 online

online

    Silver Member

  • Advanced user
  • 767 posts

Posted 27 February 2008 - 08:09 AM

Maybe the lines you crossed out are needed

Ok, the first procedure needs to set password only after some steps and Microsoft's method needs the password setting immediately otherwise the administrator account will not be really activated and now I've lightly modified Microsoft's procedure as following and it's 100% working under Vista Home Premium (about Administrator account exclusive permissions issue):

1. create a password for your current account in "Control Panel > User accounts";

2. add to registry the following entry (in order to type account name @ boot logon);

Windows Registry Editor Version 5.00			 



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

 "dontdisplaylastusername"=dword:00000001

3. Reboot your machine;

4. Log-in your user account (typing name and password);

5. cmd (Run as administrator) > type net user administrator active:yes;

6. type net user administrator 12345 (where "12345" is your administrator password);

7. Reboot your machine and log-in your user account (typing name and password);

8. cmd (Run as administrator) > type net user in order to verify user accounts list > type net user administrator in order to check that administrator account is really active > type net user username /delete (where "username" is your previous account name) in order to remove your previous account or type net user username active:no in order to simply disable it (if you delete it then in "Control Panel > User Accounts > Configure advanced user profile properties > "Account\Unknown" you can delete it too. This procedure will remove your access to previous user's default folders (maybe it remove folders at all, at this moment I don't remember it), then it would must done after a fresh installation or however after to have moved at least "Documents" sub-folder existing in "Users\yourprevioususername". If you have installed some applications only for the current user really "previoususer\AppData" folder issue will present: you know that delete an user account under Windows not just after a fresh installation will make some issues...) http://www.computerp...sta_appdata.htm ;

9. Reboot your machine and log-in the Administrator account typing "Administrator" and its password;

10. Done!

Now you have a Vista Home Premium with only Administrator account active and Real Full Administrator Privileges (and UAC will not prompt more, although still enabled).


Btw: please, note that we still cannot know if enabling Administrator built-in exclusive account will solve the topic issue, but it will reach removing Vista account restrictions...

Btw2: create a backup of your system before to proceed.

#30 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10549 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 27 February 2008 - 08:13 AM

Your post is very informative, would you also post it on the tutorial section?

http://www.boot-land...orials-f31.html

:)

#31 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 27 February 2008 - 01:53 PM

Ok, the first procedure needs to set password only after some steps and Microsoft's method needs the password setting immediately otherwise the administrator account will not be really activated and now I've lightly modified Microsoft's procedure as following and it's 100% working under Vista Home Premium (about Administrator account exclusive permissions issue):

1. create a password for your current account in "Control Panel > User accounts";

2. add to registry the following entry (in order to type account name @ boot logon);

Windows Registry Editor Version 5.00			 



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

 "dontdisplaylastusername"=dword:00000001

3. Reboot your machine;

4. Log-in your user account (typing name and password);

5. cmd (Run as administrator) > type net user administrator active:yes;

6. type net user administrator 12345 (where "12345" is your administrator password);

7. Reboot your machine and log-in your user account (typing name and password);

8. cmd (Run as administrator) > type net user in order to verify user accounts list > type net user administrator in order to check that administrator account is really active > type net user username /delete (where "username" is your previous account name) in order to remove your previous account or type net user username active:no in order to simply disable it (if you delete it then in "Control Panel > User Accounts > Configure advanced user profile properties > "Account\Unknown" you can delete it too. This procedure will remove your access to previous user's default folders (maybe it remove folders at all, at this moment I don't remember it), then it would must done after a fresh installation or however after to have moved at least "Documents" sub-folder existing in "Users\yourprevioususername". If you have installed some applications only for the current user really "previoususer\AppData" folder issue will present: you know that delete an user account under Windows not just after a fresh installation will make some issues...) http://www.computerp...sta_appdata.htm ;

9. Reboot your machine and log-in the Administrator account typing "Administrator" and its password;

10. Done!

Now you have a Vista Home Premium with only Administrator account active and Real Full Administrator Privileges (and UAC will not prompt more, although still enabled).


Btw: please, note that we still cannot know if enabling Administrator built-in exclusive account will solve the topic issue, but it will reach removing Vista account restrictions...

Btw2: create a backup of your system before to proceed.

Hi online,
Thank you very much for your detailed procedure (the kind I like). It seems adventurous, but it looks like you know your stuff. I shall try it as soon as a have a means to back up my system. (Actually, the main purpose of my trying to build VistaPE was to have a tool to create an image of my system as a backup)
Regards,
Antonio

#32 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 27 February 2008 - 02:43 PM

Just taking ownership of the primary C:\WinBuilder folder is not sufficient. To repeat with emphasis: your first action MUST be to take ownership of the primary C:\WinBuilder folder and EVERYTHING within that folder that you don't already own. That means ALL of the subordinate subfolders and their content.


I recall very well your travails as you described them in your first reply to me: "An error occurred while applying security information to C:\winbulder\custom. Access denied" and “Stopping the propagation of permission leads to an inconsisting state, in which some objects have the settings but others don’t”. If nothing else, it certainly makes inconsistent access permisions very obvious.

That is exactly why I offered the advice that I did. I can only repeat that also with added emphasis: So long as a situation exists where you (UserX) don't have the ability to alter permissions for EVERY entity (folders and files) subordinate to the primary folder, you will continue to be thwarted by that "Catch-22" situation of (1) an error message telling you so and (2) a scary message about inconsistent propagation when you accept the error message.

I understand and can empathise with your "desperation" because I've also been in some tight corners from time to time. But, for that very reason, I only offer advice based on what I consider safe and would do myself. In this case, owning the entire folder/subfolders/files structure is the surest way I know to enable the propagation of a consistent set of permissions throughout that structure.


I believed that I was taking ownership of the primary C:\WinBuilder folder and of the subordinate subfolders and their content all along!

This is the little own.reg file that I used to add the option "take owneship" to my shell menus in Windows explorer.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

When I right-click the primary folder and then select "Take ownership", the resulting command prompt window certainly shows a lot of action. (It scrolls down very fast, but I paused it several times and it seemed like it was doing its job)

Now I'm trying my luck with the other project in WinBuilder [074], VistaPE core v12 (beta)
In my first attempt, the build stopped at the error message "Error extracting system files! please send full log file to vistape@vistape.net". This I did. I'm stuck again but now with a different kind of problem.
Regards,
Antonio

#33 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 27 February 2008 - 03:21 PM

I have no problem running winbuilder on vista + sp1 with UAC enabled as long as I run winbuilder as an administrator. I find the easiest way is to right click on winbuilder.exe and in the compatability options set 'Run the program as an administrator' check box. That way however the program is launched its run as an administrator.

Hi, paraglider
I'm glad that somebody has been able to run winbuilder successfully!
But what puzzles me is where is the "little detail" that is leading me astray.
In order to obtain administrator privileges, what I do is right- click on winbuilder.exe and then select "run as administrator". This is somewhat different from what you do. Is there a real difference?
I have not yet updated to Vista Home Premium SP1, but I don't see why this should be a problem when using the new Windows AIK as a source.
Please let me know what you think.
Regards.

#34 Arvy

Arvy

    Frequent Member

  • Developer
  • 430 posts
  • Location:Canada, Parry Sound
  • Interests:IT, Outdoors, Horses
  •  
    Canada

Posted 27 February 2008 - 04:37 PM

I believed that I was taking ownership of the primary C:\WinBuilder folder and of the subordinate subfolders and their content all along! ...

Well, Techguy Forums tips are usually quite reliable and I've seen that one posted by MS MVPs as well. However, I know of no other explanation for those "scary messages" as you reported them. Your normal Vista administrators group status is not an inhibiting factor in that respect whatever AFAIK:

Btw: please, note that we still cannot know if enabling Administrator built-in exclusive account will solve the topic issue, but it will reach removing Vista account restrictions...
Btw2: create a backup of your system before to proceed.

In any case, it appears that you are off on a different route now. So there's really nothing useful that I can add.

#35 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 27 February 2008 - 06:14 PM

Well, Techguy Forums tips are usually quite reliable and I've seen that one posted by MS MVPs as well. However, I know of no other explanation for those "scary messages" as you reported them. Your normal Vista administrators group status is not an inhibiting factor in that respect whatever AFAIK:

In any case, it appears that you are off on a different route now. So there's really nothing useful that I can add.

Hi Arvy,
I would like your comment on this:
Paraglider reports “I have no problem running winbuilder on vista + sp1 with UAC enabled as long as I run winbuilder as an administrator. I find the easiest way is to right click on winbuilder.exe and in the compatability options set 'Run the program as an administrator' check box.

I simply right-click winbuilder.exe and then select “Run as Administratror ‘ in the shell menu. Could possibly be a difference in the two procedures to get administartor privileges?
Regards

#36 paraglider

paraglider

    Gold Member

  • .script developer
  • 1729 posts
  • Location:NC,USA
  •  
    United States

Posted 28 February 2008 - 12:42 AM

They both achieve the same thing and both solve the problem for me. My way just protects you against forgetting to run as an administrator. I am also not running winbuilder on the boot drive - maybe that is significant - and am also using as the source a version of Vista with SP1 integrated. I also use the W2008 AIK to mount the wim files.

#37 JonF

JonF

    Gold Member

  • .script developer
  • 1185 posts
  • Location:Boston, MA
  •  
    United States

Posted 28 February 2008 - 01:21 AM

and am also using as the source a version of Vista with SP1 integrated.

OT, but ...

How did you obtain that? I tried to make one by the procedure at Vista SP1 Reverse Integration Guide (Updated x11). I did it in VMs, and it took about 24 hours elapsed. The VistaPE using that as source blue-screens early in the boot.

#38 paraglider

paraglider

    Gold Member

  • .script developer
  • 1729 posts
  • Location:NC,USA
  •  
    United States

Posted 28 February 2008 - 12:58 PM

Its one of the benefits of being a beta tester for MS. They made available integrated versions.

#39 paraglider

paraglider

    Gold Member

  • .script developer
  • 1729 posts
  • Location:NC,USA
  •  
    United States

Posted 28 February 2008 - 01:02 PM

Its also available on MSDN for MSDN subscribers.

#40 Arvy

Arvy

    Frequent Member

  • Developer
  • 430 posts
  • Location:Canada, Parry Sound
  • Interests:IT, Outdoors, Horses
  •  
    Canada

Posted 28 February 2008 - 05:33 PM

Hi Arvy, I would like your comment on this:
Paraglider reports “I have no problem running winbuilder on vista + sp1 with UAC enabled as long as I run winbuilder as an administrator. I find the easiest way is to right click on winbuilder.exe and in the compatability options set 'Run the program as an administrator' check box. I simply right-click winbuilder.exe and then select “Run as Administratror ‘ in the shell menu. Could possibly be a difference in the two procedures to get administartor privileges?

Sorry for the slow reponse. Been off attending to some personal matters. I'm not aware of any difference at all, other than the persistence factor that Paraglider mentioned.

I honestly can't think of anything useful to add to what I've already said. I know that, when performed manually, taking ownership and setting permissions require two separate file/folder access operations, but your context 'trick' seems to accomodate that as well. Other than that, I have found occasionally that a reboot is the only solution to some mysterious 'gremlins' that prevent exclusive (e.g., chkdsk or delete) access to a drive or folder that should be available, but that hardly qualifies as a 'scientific' observation.

#41 online

online

    Silver Member

  • Advanced user
  • 767 posts

Posted 29 February 2008 - 12:39 PM

would you also post it on the tutorial section?

Done! :)

I have found occasionally that a reboot is the only solution to some mysterious 'gremlins' that prevent exclusive (e.g., chkdsk or delete) access to a drive or folder that should be available, but that hardly qualifies as a 'scientific' observation.

:( :cheers:


@ antonio9: at this point just for curiosity I asked myself about the amount of free-space on your (C:\) drive...

#42 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 29 February 2008 - 10:43 PM

Done! :)

n, an
:( :cheers:


@ antonio9: at this point just for curiosity I asked myself about the amount of free-space on your (C:\) drive...

My (C:\) drive has 287 GB free out of 327 GB

I'm back in my struggle with project VistaPE Multiboot v11! Quite by accident, I found out that I couldn't save a batch file I had created into C:\, or into C:\program files\ , or into c:\users\public\ because lack of permissions, but I could save it into C:\users\username without being bothered by UAC. So I decided to install both WAIK and WinBuilder into this folder.

I just run Winbuilder, and as I look at the log file, it seems to me that I'm now in quite a different scenario. My first hurdle is that the program stopped at "Error with mounting source" while running the 0-Preconfig section. (This did not happened when I had Winbuilder installed into C:\) Of course, 1-Copyfiles fails to copy a bunch of files.

I wonder if you could have a look at the log file that results from running section “Main Configuration” through section “1-Copy Files”

Main Configuration, Path tab: Source Directory “c:\users\username\Windows AIK”
Extended Configuration, Path tab: Source Directory same folder
0-Precofig: Script tab: Source Directory same folder and Path tab: Source Directory same folder
1-Copy Files, Path tab: Source Directory same folder
I didn't change any of the default configurations.
Thanks in advance for any help!

Attached Files

  • Attached File  log.zip   73.13KB   189 downloads


#43 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10549 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 01 March 2008 - 05:06 AM

If you have so much free space then why not creating another partition and try running wb from there?

Some people reported too many issues trying to run on the same partition as Windows.

--

To create a new partition, righ-click on "My computer" --> Select "Management" and from there you find the tools to manage and resize/split your hard drive.

:)

#44 paraglider

paraglider

    Gold Member

  • .script developer
  • 1729 posts
  • Location:NC,USA
  •  
    United States

Posted 01 March 2008 - 01:21 PM

If you have to run on the boot drive and are messing with security settings of the drive or any windows directories make sure you have a backup of the drive and a way to restore it. It is entirely possible you will kill your operating system if you are not extremely careful.

#45 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 01 March 2008 - 02:27 PM

If you have so much free space then why not creating another partition and try running wb from there?

Some people reported too many issues trying to run on the same partition as Windows.

--

To create a new partition, righ-click on "My computer" --> Select "Management" and from there you find the tools to manage and resize/split your hard drive.

:)

You may be right and I may end up doing just that! But with Vista I have had a bad experience using a second partition. I used Acronis Disk Director v10 to create the second partition and Acronis True Image v11 to create an image of my Windows Vista operating system. For a while I thought that I had a good backup, the image was good and the program verified its integrity. When the time came to restore the image, I was unable to do it. Something to do with the master boot record (MBR). With my old computer and Windows XP I used to routinely save and restore my operating system to and from a second partition with the Acronis tools without a glitch.
I read something recently about Disk Director 10 not being quite ready for Vista, so that application might be the primary suspect.

#46 antonio9

antonio9

    Newbie

  • Members
  • 19 posts
  • Location:Miami

Posted 01 March 2008 - 02:45 PM

If you have to run on the boot drive and are messing with security settings of the drive or any windows directories make sure you have a backup of the drive and a way to restore it. It is entirely possible you will kill your operating system if you are not extremely careful.

That’s true! Also, I am beginning to think that similar Vista installations may have quite different privilege structures, depending of their previous history of creating partitions, deleting partitions, reinstalling, etc. This would explain the different experiences people have running WinBuilder.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users