On Fri, 19 Apr 2024 18:51:32 GMT, MustavData <d...@openjdk.org> wrote:

>> @rebarbora-mckvak Can you please update [this 
>> test](https://github.com/openjdk/jdk/blob/master/test/jdk/sun/security/mscapi/AllTypes.java)?
>>  There is no need for the `hasAdminPrivileges` flag now.
>
> @wangweij , your [comment on 
> JDK-8313367](https://bugs.openjdk.org/browse/JDK-8313367?focusedId=14664542&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14664542)
>  indicates you are unable to request a Windows system including a secured 
> user.   If all your Windows systems are configured with a single user 
> requiring Administrators group membership, here are some options to get you 
> unblocked:
> 
> 1. Request a new domain user account for a role, versus a person.  Sometimes 
> this is referred to as a service account.   Then grant that user "Standard 
> User" (_Not Administrator_) access to the Windows test system via the Control 
> Panel's "Give other users access to this computer" (_a.k.a. the "Advanced 
> User Account Control Panel"_) dialog.  You can also modify the service user's 
> group memberships via that dialog's Advanced tab (_do not add an 
> Administrator's group membership_).  Once configured, log in as, or [switch 
> accounts 
> to](https://support.microsoft.com/en-us/windows/how-to-switch-users-accounts-in-windows-660d4dcd-fa8d-7467-10b3-fee0e70e11d4),
>  this service user to perform secure environment testing.
> 2. Spawn the test's process as the single user minus their Administrators 
> group privilege via the [RunAs.exe command included on all Windows 
> systems](https://en.wikipedia.org/wiki/Runas).
> 3. Spawn the test's process as the single user minus their Administrators 
> group privilege using [PsExec.exe command included with downloadable 
> SysInternals 
> commands](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec).
> 
> For option 2 on Windows 10 or Windows Server:
> `runas /trustlevel:0x20000 "<command line>"`
> For option 2 on Windows 11:
> `runas  /machine:amd64 /trustlevel:0x20000 "<command line>"`
> For option 3 on any Windows OS:
> `PsExec -l "<command line>"`
> 
> Tips:
> 
> - Try option 2 or 3 with `cmd` or `powershell` as the command line.  The 
> resulting window title will explain the granted access privilege.
> - Option 2 on Windows 11 requires the `/machine` option.   "amd64" indicates 
> Intel or AMD processors.   Type `runas /?` for additional processor types.
> - If you need to embed quotes, use a backslash to escape them like 
> `"cmd \"<path to bat script>\" \"script argument\""`.
> - You can prove these techniques work by using them to execute the commands 
> in Step 10 of the steps to reproduce.  The jarsigner command should fail with 
> "Access Denied".

@MustavData, thanks a lot for the instructions.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2067213005
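
A way to confirm, from inside the shell spawned by option 2 or 3 above, that the process really runs without an enabled Administrators group before any test results are trusted. This is an added example, not part of the thread or of the JDK test suite; the function name `Get-TokenSummary` and the idea of saving it as a script file are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run it inside the shell started via
# runas /trustlevel or PsExec -l to inspect the token that shell received.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Integrity label of the token: the whoami group row whose SID starts with S-1-16-.
    $label = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1

    [pscustomobject]@{
        User            = $identity.Name
        # False when the Administrators SID is missing from the token or is deny-only.
        IsAdministrator = $principal.IsInRole($adminRole)
        IntegrityLabel  = $label.Name
        IntegritySid    = $label.SID
    }
}

$summary = Get-TokenSummary
$summary | Format-List

# Non-zero exit lets a wrapper script refuse to run the secure-environment test.
if ($summary.IsAdministrator) {
    Write-Error 'Token still has an enabled Administrators group; results are not valid.'
    exit 1
}
exit 0
```

Run the same script from an elevated prompt for comparison: there `IsAdministrator` is `True` and the integrity label is the high mandatory level (`S-1-16-12288`).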
