1

I'm working on a tweak to our logon script which will copy an executable file to the local hard drive and then, using the schtasks command, schedule a task to run that executable daily.

It's a standalone executable file, and when run it creates a folder in the working directory (which would be the same directory as the executable in this case). In Windows XP, of course, it can be put anywhere - I'd probably just throw it in C:\SomeRandomFolder and let it be. But this logon script also runs on Windows 7 64-bit machines, and those are trickier with UAC and all that.

The user is a local administrator but UAC is enabled, so I'm pretty sure that the executable would be blocked from copying to a location like C:\ or C:\Program Files (since those seem to be at least mildly protected by UAC). The scheduled task needs to run under the user's profile, so I can't just run it with SYSTEM and ignore the UAC boundaries; I need to find a path which the user can copy into.

Where can I copy this standalone executable file, so that the copy operation succeeds without a UAC prompt on Windows 7, the path is either common to both WinXP and Win7 or uses environment variables, and the scheduled task running with user permissions is able to launch the executable?

John Gardeniers
Ricket

3 Answers

1

You should be deploying the application via Startup Script. You can still run the task as the user who has logged-on, but deploying the application with a Startup Script will prevent any problems associated with UAC that you're concerned about.

Your deployment Startup Script can set the permissions on the folder where you're deploying the program such that it can create its subfolder w/ a user's stripped token (add "Users / Modify" to the folder where you're putting the file, and remove "Users / Modify" on the EXE so that other users or malicious software can't replace or modify the EXE).

Evan Anderson
  • So you are saying I should create a Startup Script which creates the subfolder and sets permissions to it so that the logon script is able to copy into this folder? And this sort of doesn't directly answer my question of which folder to copy to, but at least it changes the answer to "any folder" instead of "any folder not protected with UAC". – Ricket Mar 12 '11 at 15:53
  • @Ricket: I'd use the Startup Script to create a folder, copy down the executable, set the permissions on the folder so that the executable (which will run as an unprivileged user) can create the subfolder it wants to, and finally to set the permissions on the executable such that it can't be modified by unprivileged users (since it'll be sitting in a folder that *can*). – Evan Anderson Mar 15 '11 at 17:59
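The startup-script deployment described in the answer above, written out as an added example (it is not code from the original posts). The share path, folder name and EXE name are hypothetical placeholders, and it assumes `icacls.exe` is present, which is true on Windows 7 but not on a stock Windows XP install.

```bat
@echo off
rem Added example: computer Startup Script. It runs as SYSTEM before any user
rem logs on, so the copy is not subject to the user's UAC-filtered token.
rem Hypothetical placeholders: source share, destination folder, EXE name.
setlocal
set "SRC=\\SERVER\share\tool.exe"
set "DEST=%ProgramFiles%\CorpTool"
set "EXE=%DEST%\tool.exe"

rem Well-known SIDs are used instead of group names so the script is
rem independent of the OS display language:
rem   S-1-5-18 = Local System, S-1-5-32-544 = Administrators, S-1-5-32-545 = Users
if not exist "%SystemRoot%\System32\icacls.exe" goto no_icacls

if not exist "%DEST%" mkdir "%DEST%"
if not exist "%DEST%" exit /b 1

rem Folder: drop inherited ACEs, then grant Users Modify, inherited by new
rem children, so the program can create its subfolder as an unprivileged user.
icacls "%DEST%" /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F *S-1-5-32-544:(OI)(CI)F *S-1-5-32-545:(OI)(CI)M
if errorlevel 1 exit /b 1

copy /y "%SRC%" "%EXE%" >nul
if errorlevel 1 exit /b 1

rem EXE: break inheritance so the folder's Users:Modify does not apply to it.
rem Users keep Read and Execute only, so they can run it but not replace it.
icacls "%EXE%" /inheritance:r /grant:r *S-1-5-18:F *S-1-5-32-544:F *S-1-5-32-545:RX
if errorlevel 1 exit /b 1

rem Print the resulting ACLs so they can be reviewed in the script's output.
icacls "%DEST%"
icacls "%EXE%"
exit /b 0

:no_icacls
echo icacls.exe not found - set these ACLs with another tool on this OS.
exit /b 1
```

Modify on the folder does not include the "Delete subfolders and files" right, so once the EXE's own ACL is reduced to Read and Execute, an unprivileged user cannot delete or rename it through the folder either.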
0

What about the All Users Profile Folder?

It might not be the prettiest way, but if your executable is small and makes no hassle it should be safe enough. Of course you can get the path by env var.

John Gardeniers
Martin
  • The problem is that on Windows XP, %ALLUSERSPROFILE% points to `C:\Documents and Settings\All Users` - this is where you'd expect it. But in Windows 7, for some reason, %ALLUSERSPROFILE% points to `C:\ProgramData`. As far as I can tell, those two folders serve completely different purposes. – Ricket Mar 11 '11 at 19:27
0

At our company I wrote this script which does a couple of things,

A.) It checks for a current drive map and, if nonexistent, maps a drive letter.

B.) It checks for a file's existence on the local user's desktop; if the file is not there, it copies it from a network share.

C.) It checks which version of Windows is running and runs a different script accordingly.

Hopefully this will help you.

```bat
@echo off
echo Created by: Jeff Borg - 01/25/2011
echo.
echo.

rem Remove any existing P: mapping, then map it again.
IF NOT EXIST P: GOTO :NetMap

net use P: /delete

:NetMap
net use P: \\SERVER2\bvdata

rem Detect the OS version: "ver" identifies XP, systeminfo is used for the rest.
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp

if not exist "%SystemRoot%\system32\systeminfo.exe" goto warnthenexit

systeminfo | find "OS Name" > "%TEMP%\osname.txt"
FOR /F "usebackq delims=: tokens=2" %%i IN ("%TEMP%\osname.txt") DO set vers=%%i

echo %vers% | find "Windows 7" > nul
if %ERRORLEVEL% == 0 goto ver_7

echo %vers% | find "Windows Vista" > nul
if %ERRORLEVEL% == 0 goto ver_vista

rem No known version matched: do not fall through into the XP branch.
goto warnthenexit

:ver_xp
echo Current Version Windows XP
Echo.
Echo.
C:
IF NOT EXIST "C:\Documents and Settings\%username%\Desktop\BusinessVisionCSE.rdp" GOTO xpNotFound
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
goto exit

:ver_vista
echo Current Version Windows Vista
Echo.
Echo.
C:
rem Paths are quoted so that user names containing spaces work.
IF NOT EXIST "C:\Users\%username%\Desktop\BusinessVisionCSE.rdp" GOTO vistaNotFound
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
goto exit

:ver_7
echo Current Version Windows 7
Echo.
Echo.
C:
IF NOT EXIST "C:\Users\%username%\Desktop\BusinessVisionCSE.rdp" GOTO 7NotFound
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
goto exit

:xpNotFound
Echo Could not find file "BusinessVisionCSE.rdp" on %username%'s desktop.
Echo.
Echo.
Echo Copying from \\SERVER1\gpofiles\BusinessVisionCSE.rdp
Echo.
Echo.
xcopy \\SERVER1\gpofiles\BusinessVisionCSE.rdp "C:\Documents and settings\%username%\Desktop\"
Echo.
Echo.
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
GOTO exit

:vistaNotFound
Echo Could not find file "BusinessVisionCSE.rdp" on %username%'s desktop.
Echo.
Echo.
Echo Copying from \\SERVER1\gpofiles\BusinessVisionCSE.rdp
Echo.
Echo.
xcopy \\SERVER1\gpofiles\BusinessVisionCSE.rdp "C:\Users\%username%\Desktop\"
Echo.
Echo.
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
GOTO exit

:7NotFound
Echo Could not find file "BusinessVisionCSE.rdp" on %username%'s desktop.
Echo.
Echo.
Echo Copying from \\SERVER1\gpofiles\BusinessVisionCSE.rdp
Echo.
Echo.
xcopy \\SERVER1\gpofiles\BusinessVisionCSE.rdp "C:\Users\%username%\Desktop\"
Echo.
Echo.
Echo Found "BusinessVisionCSE.rdp" on %username%'s desktop
GOTO exit

:warnthenexit
echo Unable to determine current OS version - Contact helpdesk@getconnected.ca
pause

:exit
Echo.
Echo.
```
Evan Anderson
level42