Using the ForceAdminAccess Fix
Applies To: Windows 7, Windows Vista
This section includes information about using the ForceAdminAccess compatibility fix, including the issue details, the intercepted APIs, and the recommended fix for a permanent solution.
ForceAdminAccess
ForceAdminAccess fixes an issue in which an application could otherwise run as a Standard User or Protected Administrator, instead of as an administrator, but runs incorrectly because it performs an explicit administrator check.
Investigating the Issue
Application-related issues that can be resolved by applying the ForceAdminAccess fix are typically detected by using the Standard User Analyzer (SUA) tool, which is provided by the Application Compatibility Toolkit (ACT). SUA can detect whether an application explicitly checks for administrator credentials and, if so, offers this compatibility fix as a resolution that allows the application to function correctly with a Standard User or Protected Administrator account.
Intercepted APIs
The following table provides a list of APIs that are intercepted by the ForceAdminAccess fix.
API | Description |
---|---|
AccessCheck | Returns a value of True if the AccessStatus value is returned as False, but the application includes the Administrators SID value in the security descriptor of the ACCESS_ALLOWED_ACE_TYPE key. |
CheckTokenMembership | Returns a value of True if the IsMember value is returned as False and the SidToCheck value is returned as the Administrator SID. |
RegOpenKeyExW | Retries the API requesting the KEY_READ value as the desired access mask, if an API attempts to open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Perfproc\Performance registry key and receives an ERROR_ACCESS_DENIED value. |
RegOpenKeyExA | Retries the API requesting the KEY_READ value as the desired access mask, if an API attempts to open the HKEY_LOCAL_MACHINE\System registry key and receives an ERROR_ACCESS_DENIED value. |
GetTokenInformation | Replaces the DOMAIN_ALIAS_RID_USERS key with the DOMAIN_ALIAS_RID_ADMIN key, if the ForceAdminAccess API locates a TokenGroup that includes an entry where the sub-authorities include SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_USERS keys. |
IsUserAnAdmin | Returns a value of True, if the user is a member of the Administrators group. |
NetUserGetInfo | Modifies the USER_PRIV_USER key to the USER_PRIV_ADMIN key in the usri1_priv, usri2_priv, usri3_priv, usri4_priv, and the usri11_priv values, if the level requested by this API is 1, 2, 3, 4, or 11. |
SetActivePwrScheme | Calls the SetLastError(ERROR_SUCCESS) API, if the GetLastError API call receives an ERROR_ACCESS_DENIED value. |
Fixing Your Code
Applications should be modified to support the Standard User and Protected Administrator accounts to the maximum extent possible. Administrator functionality should be separated out into the smallest possible modules, and should request the expected privilege levels.
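
The CheckTokenMembership, GetTokenInformation and NetUserGetInfo rows of the intercepted-API table, modeled as an added Python example (not Microsoft's shim code and not code from this page): the fix rewrites only the answer the application receives, while the token keeps its Standard User groups. The `Token` class, the function names and the sample SIDs are constructed for illustration.

```python
# Added illustration: a simplified model of three table rows, not shim or Windows source.
from dataclasses import dataclass

SECURITY_BUILTIN_DOMAIN_RID = 32     # winnt.h
DOMAIN_ALIAS_RID_ADMINS = 544        # winnt.h name; the table writes DOMAIN_ALIAS_RID_ADMIN
DOMAIN_ALIAS_RID_USERS = 545
ADMINS_SID = "S-1-5-32-544"          # BUILTIN Administrators
USER_PRIV_USER, USER_PRIV_ADMIN = 1, 2   # lmaccess.h


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for an access token: just its group SIDs."""
    groups: tuple

    def check_membership(self, sid):
        """What the unshimmed CheckTokenMembership would report in IsMember."""
        return sid in self.groups


def shim_check_token_membership(token, sid_to_check):
    """CheckTokenMembership row: False for the Administrators SID is reported as True."""
    is_member = token.check_membership(sid_to_check)
    if not is_member and sid_to_check == ADMINS_SID:
        return True
    return is_member


def shim_token_groups(token):
    """GetTokenInformation row: a Users alias entry is reported with the admin alias RID."""
    reported = []
    for sid in token.groups:
        parts = sid.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {sid!r}")
        subs = [int(p) for p in parts[3:]]
        if subs == [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS]:
            parts[-1] = str(DOMAIN_ALIAS_RID_ADMINS)
        reported.append("-".join(parts))
    return tuple(reported)


def shim_user_priv(level, priv):
    """NetUserGetInfo row: USER_PRIV_USER becomes USER_PRIV_ADMIN at levels 1, 2, 3, 4, 11."""
    if level in (1, 2, 3, 4, 11) and priv == USER_PRIV_USER:
        return USER_PRIV_ADMIN
    return priv
```

Because the real token is untouched, an operation that genuinely requires administrator rights still fails under the fix, which is why the permanent solution is to change the code.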