Ask Learn
Preview
Please sign in to use this experience.
Sign inThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Windows 7 Administrator's Pocket Consultant , by William Stanek, series editor of our Administrator’s Pocket Consultant series, is now available. The book provides 704 pages of easily accessible details related to the daily administration of Windows 7; its ISBN is 9780735626997.
William is a Microsoft MVP with more than 20 years of experience in systems management and advanced programming. He is an award-winning author who’s written more than 100 books, including Windows Server 2008 Inside Out.
In this post you’ll find the book’s Introduction and an excerpt from Chapter 9, “Installing and Maintaining Programs.”
First the Intro:
Introduction
Writing Windows 7 Administrator’s Pocket Consultant was a lot of fun—and a
lot of work. As I set out to write this book, my initial goals were to determine
how Windows 7 was different from Windows Vista and Windows XP and what new
administration options were available. As with any new operating system—but
especially with Windows 7—I had to do a great deal of research and a lot of digging
into the operating system internals to determine exactly how things work.
When you start working with Windows 7, you’ll see at once that the operating
system is different from earlier releases of Windows. What won’t be apparent, however,
is just how different Windows 7 is from its predecessors—and that’s because
many of the most significant changes to the operating system are below the surface.
These changes affect the underlying architecture, as well as the user interfaces, and
they were some of the hardest for me to research and write about.
Because Administrator’s Pocket Consultants are meant to be portable and readable—
the kind of book you use to solve problems and get the job done wherever
you might be—I had to carefully review my research to make sure I focused on the
core aspects of Windows 7 administration. The result is the book you hold in your
hands, which I hope you’ll agree is one of the best practical, portable guides to
Windows 7. Toward that end, the book covers everything you need to perform the
core administrative tasks for computers running Windows 7.
Because my focus is on giving you maximum value in a pocket-size guide, you
don’t have to wade through hundreds of pages of extraneous information to find
what you’re looking for. Instead, you’ll find exactly what you need to address a specific
issue or perform a particular task. In short, the book is designed to be the one
resource you turn to whenever you have questions regarding Windows 7 administration.
It zeroes in on daily administration procedures, frequently used tasks,
documented examples, and options that are representative while not necessarily
inclusive.
One of the goals for this book is to keep its content concise so that it remains
compact and easy to navigate while at the same time packing it with as much information
as possible to make it a valuable resource. Instead of a hefty 1,000-page
tome or a lightweight, 100-page quick reference, you get a valuable resource guide
that can help you quickly and easily perform common tasks, solve problems, and
implement everyday solutions for systems and users.
Who Is This Book For?
Windows 7 Administrator’s Pocket Consultant covers all editions of Windows 7. The
book is designed for:
To pack in as much information as possible, I had to assume that you have basic
networking skills and a basic understanding of Windows operating systems. As a
result, I don’t devote entire chapters to understanding Windows basics, Windows
architecture, or Windows networks. I do, however, cover desktop customization,
mobile networking, TCP/IP configuration, user profiles, and system optimization.
The book also goes into depth on troubleshooting, and I’ve tried to ensure that
each chapter, where appropriate, has troubleshooting guidelines and discussions to
accompany the main text. From the start, troubleshooting advice is integrated into
the book—instead of being captured in a single, catchall troubleshooting chapter
inserted as an afterthought. I hope that after you read these chapters and dig into
the details, you’ll be able to improve the overall experience of your users and reduce
downtime.
How Is This Book Organized?
Windows 7 Administrator’s Pocket Consultant is designed to be used in daily administration,
and as such, the book is organized by job-related tasks rather than by
Windows 7 features. The books in the Administrator’s Pocket Consultant series are
down-and-dirty, in-the-trenches books.
Speed and ease of reference are essential elements of this hands-on guide. The
book has an expanded table of contents and an extensive index for finding answers
to problems quickly. Many other quick reference features have been added as well.
These features include step-by-step instructions, lists, tables with fast facts, and
extensive cross-references.
Conventions Used in This Book
I’ve used a variety of elements to help keep the text clear and easy to follow. You’ll
find code listings in monospace type, except when I tell you to actually type a
command. In that case, the command appears in bold type. When I introduce and
define a new term, I put it in italics.
Other conventions include the following:
Note To provide additional details about a particular point that needs emphasis
Tip To offer helpful hints or additional information
Caution To warn you when there are potential problems you should look out for
Real World To provide real-world advice when discussing advanced topics
I truly hope you find that Windows 7 Administrator’s Pocket Consultant provides
everything you need to perform the essential administrative tasks on Windows 7
systems as quickly and efficiently as possible. You are welcome to send your
thoughts to me at williamstanek@aol.com. Thank you.
And here’s the opening of Chapter 9:
Chapter 9
Installing and Maintaining Programs
Managing Application Virtualization and Run Levels 311
Installing Programs: The Essentials 318
Deploying Applications Through Group Policy 322
Configuring Program Compatibility 324
Managing Installed and Running Programs 328
Administrators and support staff often install and configure applications that
are used on desktop computers. You need to install and configure applications
before deploying new computers, install new applications on computers
when the programs are requested, and update applications when new versions
become available. Also, as users install additional applications, you might be called
on to help troubleshoot installation problems or to help uninstall programs. Most
program installation problems are fairly easy to solve if you know what to look
for. Other problems are fairly difficult to resolve and require more work than you
might expect. In this chapter, you’ll learn how User Account Control (UAC) affects
how you install and run applications and about techniques for installing, uninstalling,
and maintaining programs.
Managing Application Virtualization and Run Levels
User Account Control (UAC) changes the way that applications are installed and
run, where applications write data, and what permissions applications have. In
this section, I’ll look at how UAC affects application installation, from application
security tokens to file and registry virtualization to run levels. This information is
essential when you are installing and maintaining applications on Windows 7.
Application Access Tokens and Location Virtualization
All applications used with Windows 7 are divided into two general categories:
The distinction between UAC-compliant applications and legacy applications
is important because of the architectural changes required to support UAC.
UAC-compliant applications use UAC to reduce the attack surface of the operating
system. They do this by preventing unauthorized programs from installing or
running without the user’s consent and by restricting the default privileges granted
to applications. These measures make it harder for malicious software to take over a
computer.
Note The Windows 7 component responsible for UAC is the Application Information
service. This service facilitates the running of interactive applications with an
“administrator” access token. You can see the difference between the administrator
user and standard user access tokens by opening two Command Prompt windows,
running one with elevation (right-click, and then click Run As Administrator), and
the other as a standard user. In each window, type whoami /all and compare the
results. Both access tokens have the same security identifiers (SIDs), but the elevated,
administrator user access token will have more privileges than the standard user
access token.
All applications that run on Windows 7 derive their security context from the
current user’s access token. By default, UAC turns all users into standard users even
if they are members of the Administrators group. If an administrator user consents
to the use of her administrator privileges, a new access token is created for the user.
It contains all the user’s privileges, and this access token—rather than the user’s
standard access token—is used to start an application or process.
In Windows 7, most applications can run using a standard user access token.
Whether applications need to run with standard or administrator privileges depends
on the actions the application performs. Applications that require administrator
privileges, referred to as administrator user applications, differ from applications
that require standard user privileges, referred to as standard user applications, in the
following ways:
Applications not written for Windows 7 run with a user’s standard access token
by default. To support the UAC architecture, these applications run in a special compatibility
mode and use file system and registry virtualization to provide “virtualized”
views of file and registry locations. When an application attempts to write to a
system location, Windows 7 gives the application a private copy of the file or registry
value. Any changes are then written to the private copy, and this private copy is
then stored in the user’s profile data. If the application attempts to read or write to
this system location again, it is given the private copy from the user’s profile to work
with. By default, if an error occurs when the application is working with virtualized
data, the error notification and logging information show the virtualized location
rather than the actual location that the application was trying to work with.
Application Integrity and Run Levels
The focus on standard user and administrator privileges also changes the general
permissions required to install and run applications. In Windows XP and earlier
versions of Windows, the Power Users group gave users specific administrator
privileges to perform basic system tasks when installing and running applications.
Applications written for Windows 7 do not require the use of the Power Users
group. Windows 7 maintains it only for legacy application compatibility.
As part of UAC, Windows 7 by default detects application installations and
prompts users for elevation to continue the installation. Installation packages for
UAC-compliant applications use application manifests that contain run-level designations
to help track required privileges. Application manifests define the application’s
privileges as one of the following:
To protect application processes, Windows 7 labels them with integrity levels
ranging from high to low. Applications that modify system data, such as Disk
Management, are considered high integrity. Applications performing tasks that
could compromise the operating system, such as Windows Internet Explorer 8 in
Windows 7, are considered low integrity. Applications with lower integrity levels
cannot modify data in applications with higher integrity levels.
Windows 7 identifies the publisher of any application that attempts to run with
an administrator’s full access token. Then, depending on that publisher, Windows 7
marks the application as belonging to one of the following three categories:
To help you quickly identify the potential security risk of installing or running the
application, a color-coded elevation prompt displays a particular message depending
on the category to which the application belongs:
Prompting on the secure desktop can be used to further secure the elevation
process. The secure desktop safeguards the elevation process by preventing spoofing
of the elevation prompt. The secure desktop is enabled by default in Group
Policy, as discussed in the section “Optimizing User Account Control and Admin
Approval Mode” in Chapter 5.
Setting Run Levels
By default, only applications running with a user’s administrator access token run in
elevated mode. Sometimes, you’ll want an application running with a user’s standard
access token to be in elevated mode. For example, you might want to start the
Command Prompt window in elevated mode so that you can perform administration
tasks.
In addition to application manifests (discussed in the previous section),
Windows 7 provides two different ways to set the run level for applications:
To run an application once as an administrator, right-click the application’s
shortcut or menu item, and then click Run As Administrator. If you are using a
standard account and prompting is enabled, you are prompted for consent before
the application is started. If you are using a standard user account and prompting
is disabled, the application will fail to run. If you are using an administrator account
and prompting for consent is enabled, you are prompted for consent before the
application is started.
Windows 7 also enables you to mark an application so that it always runs with
administrator privileges. This approach is useful for resolving compatibility issues
with legacy applications that require administrator privileges. It is also useful for
UAC-compliant applications that normally run in standard mode but that you use to
perform administration tasks. As examples, consider the following:
Note You cannot mark system applications or processes to always run with
administrator privileges. Only nonsystem applications and processes can be marked
to always run at this level.
Real World The Windows Application Compatibility Toolkit (ACT) is a solution
for administrators that requires no reprogramming of an application. ACT can help
you resolve common compatibility problems. For example, some programs run
only on a specific operating system or when the user is an administrator. Using ACT,
you can create a shim that responds to the application inquiry about the operating
system or user level with a True statement, which allows the application to run. ACT
also can help you create more in-depth solutions for applications that try to write to
protected areas of the operating system or use elevated privileges when they don’t
need to. ACT can be downloaded from the Microsoft Download Center (https://download .
microsoft.com).
You can mark an application to always run as an administrator by following these
steps:
1. On the Start menu, locate the program that you want to always run as an
administrator.
2. Right-click the application’s shortcut, and then click Properties.
3. In the Properties dialog box, click the Compatibility tab, shown in Figure 9-1.
4. Do one of the following:
Note If the Run This Program As An Administrator option is unavailable, it means
that the application is blocked from always running at an elevated level, the application
does not require administrator credentials to run, or you are not logged on as
an administrator.
The application will now always run using an administrator access token. Keep
in mind that if you are using a standard account and prompting is disabled, the
application will fail to run.
Optimizing Virtualization and Installation Prompting for Elevation
With regard to applications, two areas of User Account Control can be customized:
In Group Policy, you can configure these features by using the Administrative
Templates policies for Computer Configuration under Windows Settings\Security
Settings\Local Policies\Security Options. The security settings are as follows:
In a domain environment, you can use Active Directory–based Group Policy to
apply the security configuration you want to a particular set of computers. You can
also configure these settings on a per-computer basis by using local security policy.
To do this, follow these steps:
1. Click Start, point to All Programs, Administrative Tools, and then click Local
Security Policy. This starts the Local Security Policy console.
2. In the console tree, under Security Settings, expand Local Policies, and then
select Security Options.
3. Double-click the setting you want to work with, make any necessary changes,
and then click OK.
Installing Programs: The Essentials
Program installation is fairly straightforward. Not so straightforward are troubleshooting
the many things that can go wrong and fixing problems. To solve problems
that might occur, you first need to understand the installation process. In many
cases, the typical installation process starts when Autorun is triggered. Autorun in
turn invokes a setup program. Once the setup program starts, the installation process
can begin. Part of the installation process involves checking the user’s credentials
to ensure that he or she has the appropriate privileges to install the program
and prompting for consent if the user doesn’t. As part of installing a program,
you might also need to make the program available to all or only some users on a
computer.
Occasionally, Windows might not be successful in detecting the required installation
permissions. This can occur if the installation manifest for the program has an
embedded RequestedExecutionLevel setting that has a value set as RequireAdministrator.
Because the RequestedExecutionLevel setting overrides what the installer
detects in Windows, the installation process fails any time you run the installer with
standard user permissions. To solve this problem, back out of the failed installation
by exiting, canceling the installation, or taking another appropriate action. Next,
locate the executable file for the installer. Right-click this file, and then click Run As
Administrator to restart the installation process with administrator privileges.
Additionally, it is important to understand that in Windows 7 and Windows
Server 2008 Release 2, Application Control policies replace Software Restriction
policies. Software Restriction policies control the applications that users can install
and run on Windows 2000, Windows XP, and Windows Vista. Application Control
policies control the applications that users can install and run on Windows 7 and
Windows Server 2008 Release 2. Keep the following in mind:
We hope you find this book extremely helpful!
Anonymous
October 27, 2009
Are there any known errors/corrections for this book?
Anonymous
November 03, 2009
Not yet, Bert. When there are, you'll be able to find a KB Support article here: http://support.microsoft.com/search/?adv=1
Anonymous
March 04, 2011
How can I purchase a hard copy of this book?
Anonymous
March 11, 2011
Tama, see the options here: oreilly.com/.../9780735626997
Anonymous
August 25, 2011
I have Windows Vista Administrator's Pocket consultant. Is there any differance or can you configure it the same???
Please sign in to use this experience.
Sign in