0

Calling DeleteIpForwardEntry() works perfectly well on Windows XP and Windows 7. On Windows Vista, however, it fails with ERROR_ACCESS_DENIED.

The documentation says that "the user lacks the required administrative privileges on the local computer or the application is not running in an enhanced shell as the built-in Administrator (RunAs administrator)."

Well, in my case the user is the Administrator on the local computer and the application is run on logon via SOFTWARE\Microsoft\Windows\CurrentVersion\Run so I can't really tell it to run in an "enhanced shell".

Is there a way to solve this "Catch 22" situation in Vista?

skaffman
  • 398,947
  • 96
  • 818
  • 769
Android Eve
  • 14,864
  • 26
  • 71
  • 96

1 Answers1

1

I don't understand why this would work on Windows 7. The docs indicate the failure will be the same.

On Windows Vista and later, the DeleteIpForwardEntry function can only be called by a user logged on as a member of the Administrators group. If DeleteIpForwardEntry is called by a user that is not a member of the Administrators group, the function call will fail and ERROR_ACCESS_DENIED is returned.

Also, your post indicates the logged on user is an Administrator. Is it possible that your Windows 7 and Windows Vista tests are for different users - on Windows 7 your test user is an admin, on Windows Vista machine the test user is not?

There's no way to work around this running the app in that way. Can you re-implement this as a Windows Service running in an admin account, which acts on interactive logon events on the machine to manipulate the IP configuration as needed?

Steve Townsend
  • 53,498
  • 9
  • 91
  • 140
  • Steve, thanks and +1 for your answer. I have to double-check your question about the users, but I almost sure that both in Vista and 7 they are simply the default Administrators created by the installation program ("Power Users" in XP...). As for re-implementing this as a Windows Service, I thought about this option but this will certainly require much more work on my side. – Android Eve Dec 08 '10 at 18:50
  • It's puzzling, because the behaviour should be the same, on the face of it. Keep latest info updated here, anywhere. – Steve Townsend Dec 08 '10 at 18:52
  • yes the behavior should be the same but, if I am not mistaken, Windows 7 *is* different from Vista in handling UAC. My understanding is that what's brought to Windows 7 the fame and praises from those who criticized Vista. Perhaps I am missing something on this front. – Android Eve Dec 08 '10 at 19:48
  • @Android Eve - going back to your first comment above, that may be the problem. 'Power User' is NOT the same as 'Administrator', it has far less broad permissions. See here - http://www.kellys-korner-xp.com/xp_groups.htm. – Steve Townsend Dec 08 '10 at 19:51
  • Windows Vista is so different from Windows XP... Project priorities have shifted but I promise to delve into this when time is due. I would love to solve this mystery. – Android Eve Dec 21 '10 at 11:15