Gaining control in w-7

[Gene E. Bloch]

I started a new thread since it's a different subject. How do I do away
with all the irritating and aggravating "permissions" in W-7? I can't take
control of anything and I'm the Administrator. How is all this crap shut
off or shut down? Under Properties (for a dll file for example) I can't
change anything. It's grayed out. I don't even feel like I own the W-7
computer.

Please, anyone... how do I stop this 'permission' craziness?

First: you are most likely not *the* Administrator, you are probably
*an* Administrator, i.e., a normal user with (a subset of )
Administrator privileges.

You can turn off UAC, but you do open yourself to some malware attacks.

To log on as *the* Admin, first you need to enable it, then you need to
switch users to the real Admin:

http://tinyurl.com/2q56p3

Which is a shortened version of this:
http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/

 

[Gene E. Bloch]

Please, anyone... how do I stop this 'permission' craziness?

I should have added to my other post:

Stop using Windows 7

Sorry, I couldn't resist.

OK, I'm not really sorry...

 

[Ken1943]

First: you are most likely not *the* Administrator, you are probably
*an* Administrator, i.e., a normal user with (a subset of )
Administrator privileges.

You can turn off UAC, but you do open yourself to some malware attacks.

To log on as *the* Admin, first you need to enable it, then you need to
switch users to the real Admin:

http://tinyurl.com/2q56p3

Which is a shortened version of this:
http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/

Did you read some of the threads at that site ? Comes down to "If you
don't know what you are doing, stay the hell out".


KenW

 

[Dave \Crash\ Dummy]

First: you are most likely not *the* Administrator, you are probably
*an* Administrator, i.e., a normal user with (a subset of )
Administrator privileges.

You can turn off UAC, but you do open yourself to some malware
attacks.

To log on as *the* Admin, first you need to enable it, then you need
to switch users to the real Admin:

http://tinyurl.com/2q56p3

Which is a shortened version of this:
http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/

Just a footnote. You don't have to open a command box. Running the
command(s) in the Run box will work.

 

[RH Breener]

I started a new thread since it's a different subject. How do I do away
with all the irritating and aggravating "permissions" in W-7? I can't take
control of anything and I'm the Administrator. How is all this crap shut
off or shut down? Under Properties (for a dll file for example) I can't
change anything. It's grayed out. I don't even feel like I own the W-7
computer.

Please, anyone... how do I stop this 'permission' craziness?

 

[Gene E. Bloch]

That's OK. One day I may take that advice and buy a MAC. All three of our
kids have MACs now, and our son was a devout Windows freak.

Ignore my other post. I got the command prompt to work.

I *was* going to ignore it - it was too vituperative for my taste,
considering that:

1. I was trying to help.

2. I gave accurate advice.

3. I gave you a pointer to further accurate advice.

 

[RH Breener]

First: you are most likely not *the* Administrator, you are probably
*an* Administrator, i.e., a normal user with (a subset of )
Administrator privileges.

You can turn off UAC, but you do open yourself to some malware attacks.

I don't care. I can't put up with this permissions thing. How do I make
myself the Administrator then?

To log on as *the* Admin, first you need to enable it, then you need to
switch users to the real Admin:

What do you mean "log on" as the Admin? When the PC is turned on I am
logged in so how do log-in as the Admin?

http://tinyurl.com/2q56p3

That wont work because when I open the prompt it alread says:

It gives me the version of windows and then:

C:\Users\Breener>

I get the error:

Command not recognized.

So what else can it try?

Which is a shortened version of this:
http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/

The PC is W-7, not Vista. How can I shut this crap off alltogether? I
don't care if I'm open to attack.

 

[RH Breener]

I should have added to my other post:

Stop using Windows 7

Sorry, I couldn't resist.

OK, I'm not really sorry...

That's OK. One day I may take that advice and buy a MAC. All three of our
kids have MACs now, and our son was a devout Windows freak.

Ignore my other post. I got the command prompt to work.

 

[Joe Morris]

First: you are most likely not *the* Administrator, you are probably
*an* Administrator, i.e., a normal user with (a subset of )
Administrator privileges.

Um...Gene, my apologies for disagreeing with you, but a given account is
either an administrator or not an administrator. The built-in local
administrator account gains its privileges the same way that other,
non-built-in accounts do: it's a member of the local Administrators group.

There are some advantages to "being" the built-in local administrator (LA)
account, such as not being locked out, and the ability to rename it by GPO,
but aside from the unlikely possibility that the LA might be the
creator/owner of an object, you don't gain extra privileges by using that
account.

What the OP is encountering is the (poorly documented) change in the default
permissions established by Windows setup in Vista and Windows 7. A typical
file that's part of the Windows system has the following ACL:

SYSTEM: Read, read/execute
Administrators: Read, read/execute
Users: Read, read/execute
TrustedInstaller: Full control

Note that the local Administrators group has only read and read/execute
permissions.

Also, TrustedInstaller is the owner.

Since "TrustedInstaller" is not a "real" account (it's the name of a
service), you can never log onto the machine under that account, and so can
never gain the permissions needed to modify the file. This can be (and is)
a royal PITA when you have a legitimate need to modify a file.

The PITA is there for a reason: it's part of what security professionals
refer to as "defense in depth" where you accept that some of the attacks you
might experience will succeed in penetrating one of the protections...but
with defense in depth there are other barriers that must be breached before
the malware can do something ... um, "unfortunate" to your computer. By not
giving any interactive user the right to modify system files the system has
been hardened against attacks.

There is a workaround: take ownership of the object, then use that privilege
to alter the ACL to give yourself the desired privilege. That's what I did
when writing a script-based build kit for Windows 7: it fixes the stoopid
default behavior of the Microsoft-provided themes in Win7 which if you
invoked them would quietly turn off your screensaver. (And yes, after
making the change I restored the ACL and ownership data to their original,
(reasonably) secure values.)

You can turn off UAC, but you do open yourself to some malware attacks.

Read that as "open yourself to lots of malware attacks." UAC is also a
royal PITA that showed a dramatic lack of understanding on Microsoft's part
of how its customers (especially enterprise customers) use Windows, but it
stands in the way of many of the attacks that are mounted against Windows
XP.


If you (the OP) are comfortable with removing protections against malware
attacks, that's your call since you're the person with the most knowledge of
your tolerance for risk. You've probably gathered that I don't recommend
it, but all I know about your situation is what you've posted.

Joe

 

[John Williamson]

The PC is W-7, not Vista. How can I shut this crap off alltogether? I
don't care if I'm open to attack.

As Vista and W7 are both to a large extent the same code with different
bells and whistles, I'd expect the Vista method to work on W7 in the
same way. It certainly does for everything else I've tried, if anything
W7 security is easier to get past than Vista.

If you weren't aware of this, then maybe you don't know enough to be
messing round at that level. If the Vista method doesn't work, then it's
one of very few differences. If it doesn't work beause you can't find
the various bits, be assured they are still there, but not necessarily
in the same places.

 

[Paul]

I don't care. I can't put up with this permissions thing. How do I make
myself the Administrator then?


What do you mean "log on" as the Admin? When the PC is turned on I am
logged in so how do log-in as the Admin?


That wont work because when I open the prompt it alread says:

It gives me the version of windows and then:

C:\Users\Breener>

I get the error:

Command not recognized.

So what else can it try?


The PC is W-7, not Vista. How can I shut this crap off alltogether? I
don't care if I'm open to attack.

You can find the tutorial information on other sites. With
a multitude of options for doing it.

http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html

Be aware, that one change in approach for the newer operating systems, is
the Administrator account is not "God". The security model previously, on
quite a few OSes, was that once you used the Administrator account was used,
restrictions "magically fell away". Then the temptation of all home users,
was to just "run as administrator" all the time, to make a
"flat security model".

On Windows 7, there is an account called "TrustedInstaller". Some things on
your system are owned by TrustedInstaller, and you could still be
denied the simplest of things, because of the account owning the facility.
TrustedInstaller is there, as an account that only a trusted part of the
OS, doing installation work, should be using. The new Windows use multiple
accounts, to try to confound malware.

http://en.wikipedia.org/wiki/Windows_Resource_Protection

"Permission for full access to modify WRP-protected resources is restricted
to the processes using the Windows Modules Installer service
(TrustedInstaller.exe). Administrators no longer have full rights to
system files. Protected resources can be modified or replaced only if
administrators take ownership of the resource and add the appropriate
Access Control Entries (ACEs). The "Trusted Installer" account is used
to secure core operating system files and registry keys. Protected files
and registry keys have an access control list applied that prevents other
user accounts and programs that execute under any other user account except
the TrustedInstaller account from making changes."

If you bump into something like that, you can probably change the
ownership of the pesky facility, to gain access to it. But if you
thought the Administrator account was the "magic carpet" it used
to be, no, its not. For security reasons, lots of things are
less convenient than they could be. And... thats life.

I think, only once so far, I've run into a Registry setting I couldn't
change in regedit, because of the default permissions applied when the
OS was installed. So even when meddling with the Registry, as an
Administrator, you can still run into "resistance". There should
be a way to deal with it, but it takes time.

Disabling UAC, would reduce the number of dialog boxes when attempting
to do stuff. Running as Administrator, would be a separate issue.
And the ownership of critical facilities in Windows by the
TrustedInstaller account, means that the Administrator account
can't run roughshod over everything, instantly. Given time,
you can probably achieve the results you want, but not without
some "hair loss".

http://en.wikipedia.org/wiki/User_Account_Control

"Criticism

There have been complaints that UAC notifications slow down various
tasks on the computer such as the initial installation of software
onto Windows Vista. It is possible to turn off UAC while installing
software, and reenable it at a later time. However, this is not
recommended since, as File & Registry Virtualization is only active
when UAC is turned on, user settings and configuration files may be
installed to a different place (a system directory rather than a
user-specific directory) if UAC is switched off than they would be
otherwise. Also Internet Explorer 7's "Protected Mode", whereby the
browser runs in a sandbox with lower privileges than the standard user,
relies on UAC; and will not function if UAC is disabled."

Could you use some utility, to change the ownership of files so
they're all "Administrator" and fix it that way ? Perhaps. Except
the next time you go to install some new software, the system
facilities used, may notice the security is all wrong. And I don't
know what would happen in that case. Again, on older systems, the
system might not have been sophisticated enough to notice when
you do stuff like that. Like, imagine what would happen if
you needed to install a Service Pack, and the installer
started looking at the setup.

There's more complexity in Windows 7, than I can handle.

Paul

 

[Jeff Layman]

I started a new thread since it's a different subject. How do I do away
with all the irritating and aggravating "permissions" in W-7? I can't take
control of anything and I'm the Administrator. How is all this crap shut
off or shut down? Under Properties (for a dll file for example) I can't
change anything. It's grayed out. I don't even feel like I own the W-7
computer.

Please, anyone... how do I stop this 'permission' craziness?

Not sure that I'd want to stop it completely, even though it is a pain
at times. If you need to change a file or do something to it that Win7
won't allow you to, then there is always the option to boot with a Linux
live CD and use its file manager do what you want to with that file.

May even be possible to make registry changes with it as, AFAIU, much of
the registry is just a text file (I believe that the security settings
are encoded, so you can't change those in any meaningful way). I've
never tried it, so others who post here may know if it's [possible or not.

Just remember that if you do make changes, you might render your PC
unbootable.

 

[Paul]

There seems to be more complexity than I care to handle also. I can't
see how all these aggravating security features are necessary.

The future of computing is totally locked down systems.
(Akin to "Terminal - Mainframe" computing, using small
display devices and the Cloud.)

In Windows 8, there'll be two streams. Win RT for ARM based tablets.
And Windows 8 for Intel processor desktops etc.

Win RT machines, will not be allowed to boot an alternate OS.
There will be an "app store", just like the competition uses,
and developer products will go through that "gate" to get
to customers. I don't think you're even allowed to use
an alternate web browser in Win RT.

If you don't like what you've currently got, there's always
something new coming along to make you appreciate the past.
I happen to like the freedom to trash my machines with the
silly things I do, but it doesn't look like that's the future.

*******

In the future, all the cool cats, will be using $35 open source computers.
The next generation of users know where it's at - wires all over the
table, circuit boards laying open to the air...

http://www.raspberrypi.org/

http://www.raspberrypi.org/wp-content/uploads/2012/06/emilyage5-e1340190910746-225x300.jpg

That cat's got a pretty kick-ass game of Pong going there

http://www.engadget.com/2012/06/01/raspberry-pi-impressions-the-35-linux-computer-and-tinker-toy/

Paul

 

[Paul]

I'm not looking to edit the registry, just switch a .dll. I don't think
Linux would help and I know nothing about Linux.

Are you following the tutorial ?

It makes mention of a Take Ownership thing I think.

You can add Take Ownership to your right-click context menu, for
bludgeoning stuff that gets in the way.

http://www.sevenforums.com/tutorials/5481-windows-mail.html

Isn't bludgeoning fun ?

Paul

 

[Ed Cryer]

The future of computing is totally locked down systems.
(Akin to "Terminal - Mainframe" computing, using small
display devices and the Cloud.)

In Windows 8, there'll be two streams. Win RT for ARM based tablets.
And Windows 8 for Intel processor desktops etc.

Win RT machines, will not be allowed to boot an alternate OS.
There will be an "app store", just like the competition uses,
and developer products will go through that "gate" to get
to customers. I don't think you're even allowed to use
an alternate web browser in Win RT.

If you don't like what you've currently got, there's always
something new coming along to make you appreciate the past.
I happen to like the freedom to trash my machines with the
silly things I do, but it doesn't look like that's the future.

*******

In the future, all the cool cats, will be using $35 open source computers.
The next generation of users know where it's at - wires all over the
table, circuit boards laying open to the air...

http://www.raspberrypi.org/

http://www.raspberrypi.org/wp-content/uploads/2012/06/emilyage5-e1340190910746-225x300.jpg


That cat's got a pretty kick-ass game of Pong going there

http://www.engadget.com/2012/06/01/raspberry-pi-impressions-the-35-linux-computer-and-tinker-toy/


Paul

All that looks very like over 30 years ago when we all brought a ZX
Spectrum home, and spent hours trying to get it to load something.
It was wired into the TV and any available radio-cassette player.

Our cats loved it all. They used to have great fun running at the wires,
grabbing hold of them and yanking stuff apart. While we were pulling our
hair out trying to load Manic Miner, the cats had the time of their life
bonding with chaos.

Ed

 

[Char Jackson]

I am so f*&^%$# mad, I'm still not getting anywhere with removing the
msoe.dll file in WindowsMail on W7 to replace it with the one I need to
replace it with. Now I need to get permission from the "Trusted Installer."
There is no information on how to get this permission? How do I do that? I
can't believe this. How the bloody hell do I get to use this computer as
the owner who paid for the OS as part of the price for computer? My blood
pressure must be up to 200 already.

You're quite amusing. Thanks.

 

[RH Breener]

As Vista and W7 are both to a large extent the same code with different
bells and whistles, I'd expect the Vista method to work on W7 in the same
way. It certainly does for everything else I've tried, if anything W7
security is easier to get past than Vista.

If you weren't aware of this, then maybe you don't know enough to be
messing round at that level. If the Vista method doesn't work, then it's
one of very few differences. If it doesn't work beause you can't find the
various bits, be assured they are still there, but not necessarily in the
same places.

I can see that. I can't find much of the things I've looked for. Or I have
to waste a lot of time finding them. I can't see any benefit to changing
their names or where they're located in W7. In WindowsExplorer I can't find
the Delete button or any way to get it to show. The W7 OS is very
disappointing. And all the Permissions and other safety crap is annoying as
hell.

 

[RH Breener]

You can find the tutorial information on other sites. With
a multitude of options for doing it.

http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html

Be aware, that one change in approach for the newer operating systems, is
the Administrator account is not "God". The security model previously, on
quite a few OSes, was that once you used the Administrator account was
used,
restrictions "magically fell away". Then the temptation of all home users,
was to just "run as administrator" all the time, to make a
"flat security model".

On Windows 7, there is an account called "TrustedInstaller". Some things
on
your system are owned by TrustedInstaller, and you could still be
denied the simplest of things, because of the account owning the facility.
TrustedInstaller is there, as an account that only a trusted part of the
OS, doing installation work, should be using. The new Windows use multiple
accounts, to try to confound malware.

http://en.wikipedia.org/wiki/Windows_Resource_Protection

"Permission for full access to modify WRP-protected resources is
restricted
to the processes using the Windows Modules Installer service
(TrustedInstaller.exe). Administrators no longer have full rights to
system files. Protected resources can be modified or replaced only if
administrators take ownership of the resource and add the appropriate
Access Control Entries (ACEs). The "Trusted Installer" account is used
to secure core operating system files and registry keys. Protected
files
and registry keys have an access control list applied that prevents
other
user accounts and programs that execute under any other user account
except
the TrustedInstaller account from making changes."

If you bump into something like that, you can probably change the
ownership of the pesky facility, to gain access to it. But if you
thought the Administrator account was the "magic carpet" it used
to be, no, its not. For security reasons, lots of things are
less convenient than they could be. And... thats life.

And so those if us who have never had a problem with hackers and viruses and
all those things have to suffer for those who don't protect their computers.

I think, only once so far, I've run into a Registry setting I couldn't
change in regedit, because of the default permissions applied when the
OS was installed. So even when meddling with the Registry, as an
Administrator, you can still run into "resistance". There should
be a way to deal with it, but it takes time.

Disabling UAC, would reduce the number of dialog boxes when attempting
to do stuff. Running as Administrator, would be a separate issue.
And the ownership of critical facilities in Windows by the
TrustedInstaller account, means that the Administrator account
can't run roughshod over everything, instantly. Given time,
you can probably achieve the results you want, but not without
some "hair loss".

http://en.wikipedia.org/wiki/User_Account_Control

"Criticism

There have been complaints that UAC notifications slow down various
tasks on the computer such as the initial installation of software
onto Windows Vista. It is possible to turn off UAC while installing
software, and reenable it at a later time. However, this is not
recommended since, as File & Registry Virtualization is only active
when UAC is turned on, user settings and configuration files may be
installed to a different place (a system directory rather than a
user-specific directory) if UAC is switched off than they would be
otherwise. Also Internet Explorer 7's "Protected Mode", whereby the
browser runs in a sandbox with lower privileges than the standard
user,
relies on UAC; and will not function if UAC is disabled."

Could you use some utility, to change the ownership of files so
they're all "Administrator" and fix it that way ? Perhaps. Except

the next time you go to install some new software, the system
facilities used, may notice the security is all wrong. And I don't
know what would happen in that case. Again, on older systems, the
system might not have been sophisticated enough to notice when
you do stuff like that. Like, imagine what would happen if
you needed to install a Service Pack, and the installer
started looking at the setup.

There's more complexity in Windows 7, than I can handle.

Paul

There seems to be more complexity than I care to handle also. I can't see
how all these aggravating security features are necessary.

 

[Bob Hatch]

In WindowsExplorer I can't find the Delete button or any way to get it
to show.

It's in the same place on your keyboard it's always been.


--
I do not carry a gun hoping that
I'll be able to shoot someone, anymore than
I carry a jack hoping I'll have a flat
tire.
Me.

 

[RH Breener]

If you (the OP) are comfortable with removing protections against malware
attacks, that's your call since you're the person with the most knowledge
of your tolerance for risk. You've probably gathered that I don't
recommend it, but all I know about your situation is what you've posted.

Joe

I am so f*&^%$# mad, I'm still not getting anywhere with removing the
msoe.dll file in WindowsMail on W7 to replace it with the one I need to
replace it with. Now I need to get permission from the "Trusted Installer."
There is no information on how to get this permission? How do I do that? I
can't believe this. How the bloody hell do I get to use this computer as
the owner who paid for the OS as part of the price for computer? My blood
pressure must be up to 200 already.