Channeling my inner Sam Kinison

by Ed Fisher on 2010-01-13

in Whatever

So we are doing a lot of things in parallel at work, including an implementation of Solar Winds and a deployment of Windows 7. Today, they came together in a particularly craptastic fashion. Seems like every single web page on the Solar Winds Orion application threw a UAC prompt on Windows 7. Even just sitting there doing nothing, UAC would pop up every few minutes. You can imagine how much fun that was.

 

Disabling UAC is not an option…we want it. Clicking the ‘show details’ on the UAC prompt, I saw that Windows was throwing UAC because it was attempting to download an executable ‘from the Internet’ called swtoolset.exe. Please read that again. Yes, a so-called web interface was downloading AN EXECUTABLE to provide functionality. Now I am not a programmer, and I did not spend the night in a Holiday Inn Express, but I have seen things done with ActiveX, Flash, even Java, that are comparable to what Orion is giving me, and you only have to agree to the ActiveX or applet prompt once per user profile. Looking at the source, you can see this…

<div id="ctl00_ctl00_toolsetObject" style="position:absolute; left:0; visibility:hidden; height:0; width: 0">
<object classid='clsid:26700CD9-6157-4B72-B46F-EC93C952F19C' id='SWTool' name='SWTool' codebase='/SWToolset.exe#ver=8,5,0,1' style="height:0;width:0;"></object>

and you can also see the page refreshes, so it pulls down this executable again and again every five minutes if you just leave the browser open.

var orionPageRefreshTimeout=setTimeout('window.location.reload(true)', 300000);
var orionPageRefreshMilSecs = 300000;//]]>
</script>
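
An added example, not part of the original post or of the Orion code: a short Python check that scans saved page source for the two behaviours quoted above, an `<object>` whose `codebase` points at a binary and a timed `window.location.reload`. The sample input is constructed from the post's two snippets, and the names `audit`, `ObjectAudit` and `BINARY_EXT` are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Extensions commonly served through an <object codebase=...> download.
BINARY_EXT = (".exe", ".cab", ".ocx", ".dll", ".msi")
# Matches setTimeout('window.location.reload(...)', <ms>) as quoted in the post.
RELOAD_RE = re.compile(
    r"setTimeout\(\s*['\"]window\.location\.reload\([^)]*\)['\"]\s*,\s*(\d+)\s*\)")

# Constructed sample: the two snippets from the post, wrapped so they parse.
SAMPLE = """<div id="ctl00_ctl00_toolsetObject" style="visibility:hidden">
<object classid='clsid:26700CD9-6157-4B72-B46F-EC93C952F19C' id='SWTool'
 name='SWTool' codebase='/SWToolset.exe#ver=8,5,0,1'></object></div>
<script>
var orionPageRefreshTimeout=setTimeout('window.location.reload(true)', 300000);
</script>"""


class ObjectAudit(HTMLParser):
    """Collects <object> tags whose codebase points at a binary."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        path, _, frag = (a.get("codebase") or "").partition("#")
        if tag != "object" or not path.lower().endswith(BINARY_EXT):
            return
        clsid = a.get("classid") or ""
        if clsid.lower().startswith("clsid:"):
            clsid = clsid[len("clsid:"):]
        # The post's codebase carries a "#ver=8,5,0,1" fragment; report it dotted.
        ver = frag[4:].replace(",", ".") if frag.lower().startswith("ver=") else None
        self.findings.append(
            {"id": a.get("id"), "clsid": clsid, "binary": path, "version": ver})


def audit(html):
    """Return binary-backed objects and the auto-reload interval in seconds."""
    parser = ObjectAudit()
    parser.feed(html)
    m = RELOAD_RE.search(html)
    return {"objects": parser.findings,
            "reload_seconds": int(m.group(1)) // 1000 if m else None}


if __name__ == "__main__":
    print(audit(SAMPLE))
```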

Warning, rant approaching…

  • <rant>
    A web app that has you pull down an EXE? That’s not a web app, heh heh, oh, no…  
    IT’S A PIECE OF S**T !!!!  AWW!! AWW!!! AWWWWW!!!!!!  SAY IT!!!!! SAAAYYYYY IIIIIIITTTTTT!!!!
    </rant>

So the bad news…

  • You cannot exempt a specific program from UAC.
  • It’s a download, so code signing is not an option.
  • Again, it is a DOWNLOAD of an EXECUTABLE (sorry, but this crap really bugs me) so you cannot cobble up a shortcut to work around it, because you are pulling it down over http each time, and IE is rightly concerned about just running an executable willy nilly.
  • Adding the site to Trusted Sites makes no difference…again, your PC sees you downloading and executing a binary….which is why UAC is throwing a fit.

But there is good news…

  • Chrome loads the site without complaint. I imagine Firefox will too. Do you use either? If so, use them, but don’t let your users see that you do, else they will want to as well, and we can’t control them the same way as IE </wink.>

And now for your entertainment (and education if you don’t know the genius that was Sam Kinison,) I include for you one of my favourite Kinison moments. Warning NSFW language, and not for the kiddies.

Sound off. What do you think of using EXEs instead of Flash, Java applets, or ActiveX to provide functionality in a browser? Leave a comment and let us know how you feel.


Capacity Manager 2011-06-27 at 17:00

Yes but if the browsers do allow this by default they are technically allowing an exploit to occur meaning that there is greater risk with those browsers. Still, for internal use this is an agreeable option. Funny article.


Ed Fisher 2011-06-28 at 07:24

Agreed, though I would much prefer that a product that promotes itself as web browser based not require you to pull down an exe, especially repeatedly. JavaScript, Flash, HTML5, even ActiveX, but not an exe.
