Using the ForceAdminAccess Fix

Applies To: Windows 7, Windows Vista

This section includes information about using the ForceAdminAccess compatibility fix, including the issue details, the intercepted APIs, and the recommended fix for a permanent solution.

ForceAdminAccess

ForceAdminAccess fixes an issue whereby an application can be manipulated to run as a Standard User or Protected Administrator, instead of as an administrator, but runs incorrectly due to an explicit administrator check.

Investigating the Issue

Application-related issues that can be resolved by applying the ForceAdminAccess fix are typically detected by using the Standard User Analyzer (SUA) tool, which is provided by the Application Compatibility Toolkit (ACT). SUA can detect if an application is explicitly checking for administrator credentials and if so, offers this compatibility fix as a resolution that allows the application to function correctly with a Standard User or Protected Administrator account.

Intercepted APIs

The following table provides a list of APIs that are intercepted by the ForceAdminAccess fix.

API Description

AccessCheck

Returns a value of True if the AccessStatus value is returned as False, but the application includes the Administrators SID value in the security descriptor of the ACCESS_ALLOWED_ACE_TYPE key.

CheckTokenMembership

Returns a value of True if the IsMember value is returned as False and the SidToCheck value is returned as the Administrator SID.

RegOpenKeyExW

Retries the API requesting the KEY_READ value as the desired access mask, if an API attempts to open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Perfproc\Performance registry key and receives an ERROR_ACCESS_DENIED value.

RegOpenKeyExA

Retries the API requesting the KEY_READ value as the desired access mask, if an API attempts to open the HKEY_LOCAL_MACHINE\System registry key and receives an ERROR_ACCESS_DENIED value

GetTokenInformation

Replaces the DOMAIN_ALIAS_RID_USERS key with the DOMAIN_ALIAS_RID_ADMIN key, if the ForceAdminAccess API locates a TokenGroup that includes an entry where the sub-authorities include SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_USERS keys.

IsUserAnAdmin

Returns a value of True, if the user is a member of the Administrators group.

NetUserGetInfo

Modifies the USER_PRIV_USER key to the USER_PRIV_ADMIN key in the usri1_priv, usri2_priv, usri3_priv, usri4_priv, and the usri11_priv values, if the level requested by this API is 1, 2, 3, 4, or 11.

SetActivePwrScheme

Calls the SetLastError(ERROR_SUCCESS) API, if the GetLastError API call receives an ERROR_ACCESS_DENIED value.

Fixing Your Code

Applications should be modified to support the Standard User and Protected Administrator accounts to the maximum extent possible. Administrator functionality should be separated out into the smallest possible modules, and should request the expected privilege levels.

See Also

Concepts

Windows Vista and Windows 7 Operating Systems