The previous article already described the problem:
A network drive mapped directly through Explorer's "Map network drive" button cannot be accessed by an application (AP) that is run as Administrator. The mapping made from that button is not created under Administrator privileges, so the access tokens do not match and an AP running as Administrator cannot see the mapped drive.
Reference:
http://woshub.com/how-to-access-mapped-network-drives-from-the-elevated-apps/
There are several ways to solve this:
Method one: modify EnableLUA in the registry, as mentioned in the previous article. Setting EnableLUA=0 disables UAC. This is different from the commonly used "disable UAC notifications" option; it really disables UAC altogether.
Reference: https://msdn.microsoft.com/zh-cn/library/ff715520.aspx
EnableLUA
Specifies whether Windows® User Account Controls (UAC) notifies the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA).
true  | Windows notifies the user when programs try to make changes to the computer. This is the default value.
false | Windows does not notify the user when programs try to install software or make changes to the computer. We do not recommend using this setting, but it can be selected for systems that use programs that are not certified for Windows® 8, Windows Server® 2012, Windows® 7 or Windows Server® 2008 R2 because they do not support UAC.
https://social.technet.microsoft.com/Forums/en-US/b06a0e1f-0d2e-4978-8eb5-49a7d766d49f/if-i-use-windows-10-default-administrator-account-i-cant-open-applications-else-my-operation?forum=win10itprogeneral
This behavior is by design. The built-in administrator account is disabled and should only be enabled when there are no other administrator accounts available. Enabling and using the built-in administrator account is not recommended and opening certain applications with that account will yield the "This app can't open" message.
During the out of box setup an account is created and added to the default administrators group. This is the account that should be used.
The solution proposed there is to create a new user without administrator privileges and run the application under that user. I tried creating a standard user and running calc.exe under it, and it worked.
Clearly, this approach requires running APs of different privilege levels under different user accounts, which is not the result we want, so we have to keep looking for other methods.
Method two: create the network mapping with net use under Administrator. The usage of net use is as follows:
NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE {devicename | *} [password | *] /HOME
NET USE [/PERSISTENT:{YES | NO}]
A simple example:
net use x: \\10.0.0.1\dir PASSWD /user:USERNAME
USERNAME and PASSWD are the user name and password for \\10.0.0.1\dir.
After this command is run as Administrator, other APs running as Administrator can access drive x:. The advantage of this method is that it requires no changes to the registry or to user accounts; the drawback is that it has to be run manually after every boot, or put into a .bat file that is added to startup.
Method three: modify the registry value EnableLinkedConnections
The principle of this method is as follows. Different privilege levels correspond to different access tokens: a network drive mapped at normal privilege is associated with token 2, while administrator privilege uses token 1, so token 1 cannot access the network drive mapped under token 2. With EnableLinkedConnections=1, whenever a network drive is mapped the system checks whether the session has more than one token and, if so, copies the mapping to every token, so that each token can access the mapped network drive.
Root cause:
Why does it happen? This peculiarity is connected with UAC mechanism for a user with the local administrator privileges. The matter is that when this user signs in, two access tokens are created: the first token provides access without the administrator privileges (the filtered access token, with which most apps are run) and the second is the administrator token with full privileges in the system (all apps approved elevated in UAC are run using it).
When connecting shared network folders, they are associated with the current session for the current process access token and are not available with another token.
Solution: How it works. After you enable EnableLinkedConnections parameter of the registry, LanmanWorkstation and LSA will check if there is the second access token associated to the session of the current user. If this token is found, the list of the mounted network drives will be copied from one token to another. Thus, the network drives mounted elevated will be seen in the standard mode, and vice versa.
Reference:
http://woshub.com/how-to-access-mapped-network-drives-from-the-elevated-apps/
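As an added example (not code from the original post or from the referenced site), the following PowerShell script ties methods one to three together: it reports which token the current shell holds, reads the EnableLUA and EnableLinkedConnections policy values, and then maps a share with net use under the current token as in method two, prompting for the password rather than placing it on the command line where other processes can read it. The policy key is the standard HKLM Policies\System key; the drive letter, share path and account are placeholders.

```powershell
# Added example, not part of the original post. Placeholders: $drive, $share, $user.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Which token is this shell running with? With UAC on, an administrator's
#    filtered token is NOT a member of Administrators, so this returns False
#    unless the shell was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Elevated (administrator) token: $elevated"

# 2. Read the two policy values discussed in the post. A missing value means
#    the default: EnableLUA defaults to 1, EnableLinkedConnections to 0.
$props     = Get-ItemProperty -Path $policyKey
$enableLua = if ($null -ne $props.EnableLUA) { $props.EnableLUA } else { 1 }
$linked    = if ($null -ne $props.EnableLinkedConnections) { $props.EnableLinkedConnections } else { 0 }
Write-Host "EnableLUA=$enableLua  EnableLinkedConnections=$linked"
if ($enableLua -eq 0) {
    Write-Warning 'UAC is completely disabled (method one); every process gets the full token.'
}

# 3. Method three: link drive mappings between the filtered and elevated tokens.
#    Requires an elevated shell and takes effect after a reboot. Uncomment to apply.
# Set-ItemProperty -Path $policyKey -Name EnableLinkedConnections -Value 1 -Type DWord

# 4. Method two: map the share under THIS token, so processes using the same
#    token (e.g. other elevated APs, if this shell is elevated) can see it.
$drive = 'X:'
$share = '\\SERVER\share'    # placeholder UNC path
$user  = 'DOMAIN\username'   # placeholder account
$cred  = Get-Credential -UserName $user -Message "Credentials for $share"
$pw    = $cred.GetNetworkCredential().Password
net use $drive $share $pw "/user:$user" /persistent:no
if ($LASTEXITCODE -eq 0 -and (Test-Path "$drive\")) {
    Write-Host "$drive -> $share is visible to processes using this token (elevated=$elevated)."
} else {
    Write-Warning "Mapping $drive failed (net use exit code $LASTEXITCODE)."
}
```

Run it once from a normal shell and once from an elevated one: without EnableLinkedConnections=1, a drive mapped in one of them will not show up in the other.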
Summary of the simplest method: