
Microsoft Press Windows Vista Administrator's Pocket Consultant ebook


by MS


  On a system with multiple monitors or video cards, use the Monitor Type list box to select the monitor and video card with which you want to work.

  Click Advanced Settings.

  On the Monitor tab, click Properties.

  In the Driver tab, click Update Driver. This starts the Update Driver Software Wizard.

  Continue with the driver update as discussed in steps 7–10 of the previous procedure.

  Changing the Screen Resolution and Color Quality

  Screen resolution and color quality are key factors affecting display appearance. Screen resolution is the number of pixels that make up the display. Color quality is the number of colors that can be displayed simultaneously on the screen.

  A low-end monitor has resolutions of 640 × 480, 800 × 600, and 1024 × 768. High-end monitors have additional resolutions of 1280 × 1024, 1600 × 1200, 1920 × 1200, 2048 × 1536, and sometimes even higher. The best resolution to use depends on the size of the monitor and what the user plans to do with the computer. Designers and developers who need a large screen area will appreciate a higher resolution, such as 1920 × 1200. They can then see more of what they're working with on the screen. Users who spend most of their time reading e-mail or working with Word documents might prefer a lower resolution, such as 1280 × 1024. At that resolution, screen elements are easier to see, and users will have less eyestrain.

  Color quality depends greatly on screen resolution settings. Color quality can range from 16 colors for standard Video Graphics Adapter (VGA) monitors to four billion colors (32-bit) for high-end monitors. Most video cards display fewer colors the higher you set the screen resolution. This means that a computer might be able to use 16-bit, 24-bit, or 32-bit color, but the screen resolution must be decreased to achieve this color quality. In most cases, the higher the color quality you can set, the better. Keep in mind that the amount of memory required to maintain the video display is determined by multiplying the number of pixels on the screen (based on screen resolution) by the number of bits per pixel (determined by color quality). Furthermore, the maximum resolution and color quality combination allowed is a function of the video memory on the video adapter.

  You can set the screen resolution and color quality by completing the following steps:

  Right-click an open area of the desktop and then select Personalize.

  Click Display Settings to display the Display Settings dialog box.

  On a system with multiple monitors or video cards, use the Monitor Type list box to select the monitor and video card you want to work with.

  Use the Resolution slider to set the display size, such as 1024 × 768 pixels.

  Use the Colors list box to select a color quality, such as Highest (32-bit).

  Click OK.

  Changing the Display Refresh Rate

  The refresh rate is the rate at which the screen is repainted. The higher the refresh rate, the less flicker there is in the display. If you've ever seen video footage of a computer system with a monitor that seemed to be scrolling or blinking, it appeared this way because the computer's refresh rate was out of sync with the video recording speed. Your eyes don't notice the flicker as much, but a low refresh rate (under 72 Hz) can make your eyes tired if you look at the display too long.

  To view or set the refresh rates for a video card, follow these steps:

  Right-click an open area of the desktop, and select Personalize.

  Click Display Settings.

  If multiple monitors are configured, select the monitor you want to work with.

  Click Advanced Settings.

  On the Adapter tab, click List All Modes. The current refresh rates supported by the monitor are listed.

  On the Monitor tab, use the Screen Refresh Rate list box to set the refresh rate.

  Caution

  In many cases, the Hide Modes That This Monitor Cannot Display check box is disabled so that it cannot be selected. If you are able to clear this check box, keep in mind that if the refresh rate exceeds the capabilities of the monitor or the video card, the screen can become distorted. Additionally, running the computer at a higher refresh rate than it supports can damage the monitor and video adapter.

  Chapter 5: Installing and Maintaining Programs

  Administrators and support staff often install and configure the applications that will be used on desktop computers. Typically, you'll need to install and configure applications prior to deploying new computers, install new applications on existing computers as they are requested, and update existing applications as new versions become available. As users install additional applications, you might also be called on to help troubleshoot installation problems or to help uninstall programs. Most program installation problems are fairly easy to solve if you know what to look for. Other problems are fairly difficult to resolve and require more work than you might expect. In this chapter, you'll learn how User Account Control (UAC) affects installing and running applications as well as techniques for installing, uninstalling, and maintaining programs.

  Managing Application Virtualization and Run Levels

  User Account Control (UAC) changes the way that applications are installed and run, where applications write data, and what permissions applications have. In this section, I'll provide a comprehensive look at how UAC affects application installation, from application security tokens to file and registry virtualization to run levels. This information is essential when you are installing and maintaining applications.

  Application Access Tokens and Location Virtualization

  All applications used with Microsoft Windows Vista are divided into two general categories:

  Windows Vista–compliant: Any application written specifically for Windows Vista is considered to be a compliant application. Applications that have been certified as compliant with the new Windows Vista architecture have the Windows Vista–Compliant logo.

  Legacy: Any application written for an earlier version of Microsoft Windows is considered to be a legacy application.

  The distinction between compliant and legacy applications is an important one because of the architecture changes required to support UAC. Windows Vista–compliant applications use UAC to reduce the attack surface of the operating system. They do this by preventing unauthorized programs from installing or running without the user's consent, and by restricting the default privileges granted to applications. This makes it harder for malicious software to take over a computer.

  Note

  The Windows Vista component responsible for UAC is the Application Information service. This service facilitates the running of interactive applications with an "administrator" access token. You can see the difference between the administrator user and standard user access tokens by opening two Command Prompt windows, one run with elevation (right-click and select Run As Administrator) and one run as a standard user. In each window, type whoami /all and compare the results. Both access tokens will have the same security identifiers (SIDs), but the elevated, administrator user access token will have more privileges than the standard user access token.
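  The comparison described in the Note can be scripted. The following PowerShell is an added example, not code from the book; the function names and the file names in the closing comments are hypothetical. It records the token of the current window and lists the privileges that appear only in the elevated token.

```powershell
# Added example (not from the book): capture the access token of the current
# window with whoami, then diff a standard capture against an elevated one.

function Get-TokenSummary {
    # /fo csv /nh returns headerless CSV, so parsing does not depend on
    # localized column titles.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $privs = whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State

    # whoami reports the integrity level as a group whose SID starts with S-1-16-.
    $integrity = $groups | Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1

    # S-1-5-32-544 is the built-in Administrators group.
    $adminState = 'not a member'
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } |
        Select-Object -First 1
    if ($admins) { $adminState = $admins.Attributes }

    New-Object PSObject -Property @{
        User           = (whoami)
        IntegrityLevel = $integrity.Name
        Administrators = $adminState
        Privileges     = @($privs | ForEach-Object { $_.Name } | Sort-Object)
    }
}

function Save-TokenSummary {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-TokenSummary | Export-Clixml -Path $Path
}

function Compare-TokenPrivilege {
    param(
        [Parameter(Mandatory = $true)][string]$StandardPath,
        [Parameter(Mandatory = $true)][string]$ElevatedPath
    )
    $standard = Import-Clixml -Path $StandardPath
    $elevated = Import-Clixml -Path $ElevatedPath

    # '=>' marks privileges present only in the elevated token.
    Compare-Object -ReferenceObject @($standard.Privileges) `
                   -DifferenceObject @($elevated.Privileges) |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

# Standard window:  Save-TokenSummary "$env:TEMP\token-standard.xml"
# Elevated window:  Save-TokenSummary "$env:TEMP\token-elevated.xml"
# Either window:    Compare-TokenPrivilege "$env:TEMP\token-standard.xml" `
#                                          "$env:TEMP\token-elevated.xml"
```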

  All applications that run on Windows Vista derive their security context from the current user's access token. By default, UAC turns all users into standard users even if they are members of the Administrators group. If an administrator user has consented to use their administrator privileges, a new access token is created for the user. It contains all of the user's privileges, and this access token—rather than the user's standard access token—is used to start an application or process.

  In Windows Vista, most applications can run using a standard user access token. Whether applications need to run with standard or administrator privileges depends on the actions the application performs. Applications that require administrator privileges, referred to as administrator user applications, differ from applications that require standard user privileges, referred to as standard user applications, in the following ways:

  Administrator user applications require elevated privileges to run and perform core tasks. Once started in elevated mode, an application with a user's administrator access token can perform tasks that require administrator privileges and can also write to system locations of the registry and the file system.

  Standard user applications do not require elevated privileges to run or to perform core tasks. Once started in standard user mode, an application with a user's standard access token must request elevated privileges to perform administration tasks. For all other tasks, the application should not run using elevated privileges. Further, the application should write data only to nonsystem locations of the registry and the file system.

  Applications not written for Windows Vista run using a user's standard access token by default. To support the UAC architecture, these applications run in a special compatibility mode and use file system and registry virtualization to provide "virtualized" views of file and registry locations. When an application attempts to write to a system location, Windows Vista gives the application a private copy of the file or registry value. Any changes are then written to the private copy, and this private copy is in turn stored in the user's profile data. If the application attempts to read or write to this system location again, it is given the private copy from the user's profile to work with. By default, if an error occurs when the application is working with virtualized data, the error notification and logging information show the virtualized location rather than the actual location that the application was trying to work with.
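  Because errors and logs show the virtualized location, it helps to be able to map a private copy back to the system location the application intended. The following PowerShell is an added example, not code from the book, and its function names are hypothetical. It relies on the locations Windows uses for the private copies, which the text above does not name: %LOCALAPPDATA%\VirtualStore for files and HKCU\Software\Classes\VirtualStore\MACHINE for registry keys.

```powershell
# Added example (not from the book): list a user's virtualized files and
# registry keys next to the system location each one stands in for.

function Get-VirtualizedFile {
    param(
        [string]$StoreRoot   = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive = $env:SystemDrive
    )
    if (-not (Test-Path -LiteralPath $StoreRoot)) { return }

    Get-ChildItem -LiteralPath $StoreRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The store mirrors the path below the drive root, for example
            # VirtualStore\Program Files\App\settings.ini.
            $relative = $_.FullName.Substring($StoreRoot.Length).TrimStart('\')
            New-Object PSObject -Property @{
                PrivateCopy  = $_.FullName
                IntendedPath = Join-Path ($SystemDrive + '\') $relative
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKey {
    $root = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (-not (Test-Path $root)) { return }

    Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        ForEach-Object {
            # Strip the per-user prefix to recover the HKEY_LOCAL_MACHINE key
            # the application tried to write.
            $prefix   = '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\'
            $relative = $_.Name -replace $prefix, ''
            New-Object PSObject -Property @{
                PrivateCopy = $_.Name
                IntendedKey = "HKEY_LOCAL_MACHINE\$relative"
                Values      = ($_.GetValueNames() -join ', ')
            }
        }
}

# Most recently written private copies first.
Get-VirtualizedFile | Sort-Object LastWrite -Descending |
    Format-Table IntendedPath, LastWrite, PrivateCopy -AutoSize
Get-VirtualizedRegistryKey | Format-List IntendedKey, Values
```

  Entries found here identify legacy applications that are still trying to write to protected locations, which makes them candidates for an updated version or a compatibility fix.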

  Application Integrity and Run Levels

  The focus on user and administrator privileges also changes the general permissions required to install and run applications. In earlier versions of Windows, the power users group gave users specific administrator privileges to perform basic system tasks when installing and running applications. Applications written for Windows Vista do not require the use of the power users group; Windows Vista maintains it only for legacy application compatibility.

  As part of UAC, Windows Vista detects application installations and prompts users for elevation to continue the installation by default. Installation packages for Windows Vista–compliant applications use application manifests that contain run level designations to help track required privileges. Application manifests define the application's desired privileges as one of the following:

  RunAsInvoker: Run the application with the same privileges as the user. Any user can run the application. For a standard user or a user who is a member of the administrators group, the application runs with a standard access token. The application would run with higher privileges only if the parent process from which it is started has an administrator access token. For example, if you start an elevated Command Prompt window and then launch an application from this window, the application will run with an administrator access token.

  RunAsHighest: Run the application with the highest privileges of the user. The application can be run by both administrator users and standard users. The tasks that can be performed by the application depend on the user's privileges. For a standard user, the application runs with a standard access token. For a user who is a member of a group with additional privileges, such as the backup operators, server operators, or account operators group, the application runs with a partial administrator access token that only contains the privileges the user has been granted. For a user who is a member of the administrators group, the application runs with a full administrator access token.

  RunAsAdmin: Run the application with administrator privileges. Only administrators can run the application. For a standard user or a user who is a member of a group with additional privileges, the application only runs if the user can be prompted for credentials required to run in elevated mode or if the application is started from within an elevated process, such as an elevated Command Prompt window. For a user who is a member of the administrators group, the application runs with an administrator access token.

  To protect application processes, Windows Vista labels them with integrity levels ranging from high to low. Applications that modify system data, such as Disk Management, are considered "high" integrity, while those performing tasks that could compromise the operating system, such as Windows Internet Explorer 7 in Windows Vista, are considered "low" integrity. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

  Windows Vista identifies the publisher of any application that attempts to run with an administrator's full access token. Then, depending on that publisher, Windows Vista marks the application as belonging to one of the following three categories:

  Windows Vista

  Publisher verified (signed)

  Publisher not verified (unsigned)

  To help you quickly identify the potential security risk of installing or running the application, the color-coded elevation prompt displays a particular message depending on the category to which the application belongs:

  If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message "The application is blocked from running."

  If the application is administrative (such as Computer Management), the elevation prompt has a blue/green background and displays the message "Windows needs your permission to continue."

  If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message "A program needs your permission to continue."

  If the application is unsigned (or is signed but not yet trusted), the elevation prompt has a yellow background and red shield icon and displays the message "An unidentified program wants access to your computer."

  Displaying the prompt on the secure desktop, which can only be accessed by core Windows processes, further secures the elevation process by preventing spoofing of the elevation prompt. The secure desktop is enabled by default in Group Policy, as discussed in the "Optimizing User Account Control and Admin Approval Mode" section of Chapter 2, "Managing Windows Vista Systems."
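  Before installing or approving a program, you can check both things this section describes: the run level its manifest requests and whether its publisher can be verified. The following PowerShell is an added example, not code from the book; the function name is hypothetical, and the manifest values asInvoker, highestAvailable, and requireAdministrator (the level attribute of the requestedExecutionLevel element) do not appear in the text above but correspond to the three run levels it lists. The manifest lookup is a text scan of the file, not a full resource parser.

```powershell
# Added example (not from the book): report the run level an executable
# requests in its manifest and the status of its Authenticode signature.

function Get-ElevationProfile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $pattern = '<(?:\w+:)?requestedExecutionLevel\b[^>]*?\blevel\s*=\s*["''](\w+)["'']'

    # Heuristic: decode the file byte-for-byte (Latin-1) and search for the
    # manifest element. A manifest stored as UTF-16 will not be found.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text   = $latin1.GetString([System.IO.File]::ReadAllBytes($full))

    $level  = $null
    $source = 'none'
    if ($text -match $pattern) {
        $level  = $Matches[1]
        $source = 'embedded'
    }
    elseif (Test-Path -LiteralPath "$full.manifest") {
        # Fall back to a manifest file stored beside the executable.
        $side = [System.IO.File]::ReadAllText("$full.manifest")
        if ($side -match $pattern) {
            $level  = $Matches[1]
            $source = 'external file'
        }
    }

    # Manifest attribute value -> run level name used in this chapter.
    $runLevelName = @{
        asInvoker            = 'RunAsInvoker'
        highestAvailable     = 'RunAsHighest'
        requireAdministrator = 'RunAsAdmin'
    }
    $runLevel = 'none declared'
    if ($level -and $runLevelName.ContainsKey($level)) {
        $runLevel = $runLevelName[$level]
    }

    $signature = Get-AuthenticodeSignature -FilePath $full
    $signer    = $null
    if ($signature.SignerCertificate) {
        $signer = $signature.SignerCertificate.Subject
    }

    New-Object PSObject -Property @{
        Path            = $full
        ManifestLevel   = $level
        ManifestSource  = $source
        RunLevel        = $runLevel
        SignatureStatus = $signature.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
    }
}

# Constructed usage: profile every executable in a staging folder.
# Get-ChildItem 'C:\Staging' -Filter *.exe | ForEach-Object { Get-ElevationProfile $_.FullName }
```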

  Setting Run Levels

  By default, only applications running with a user's administrator access token run in elevated mode. Sometimes, you'll want an application running with a user's standard access token to be in elevated mode. For example, you might want to start the Command Prompt window in elevated mode so you can perform administrator tasks.

  In addition to application manifests discussed previously, Windows Vista provides three different ways to set the run level for applications. You can choose to perform one of the following:

  Run an application once as an administrator.

  Always run an application as an administrator.

  Always run an application with different credentials.

  Each of these techniques is discussed in the sections that follow.

  Running an Application Once as an Administrator

  To run an application once as an administrator, right-click the application's shortcut or menu item and then select Run As Administrator. If you are using a standard account and prompting is enabled, you are prompted for consent before the application is started. If you are using a standard account and prompting is disabled, the application will fail to run. If you are using an administrator account and prompting for consent is enabled, you are prompted for consent before the application is started.

  Always Running an Application as an Administrator

  Windows Vista also enables you to mark an application so that it always runs with administrator privileges. This is useful for resolving compatibility issues with legacy applications that require administrator privileges. It is also useful for Windows Vista–compliant applications that normally run in standard mode but which you use to perform administrative tasks. As examples, consider the following:

  An application written for an earlier version of Windows requires administrator privileges. Because this program is configured to use standard mode by default under Windows Vista, the program isn't running properly and is generating numerous errors. To resolve the compatibility problem, you decide to mark the application to always run as an administrator.

  A standard application written for Windows Vista is routinely run in elevated mode and used for administration tasks. To eliminate the need to right-click the application shortcut and select Run As Administrator before running the application, you decide to mark it to always run as an administrator.

  Note

  You cannot mark system applications or processes to always run as an administrator. Only nonsystem applications and processes can be marked to always run as an administrator.

  You can mark an application to always run as an administrator by following these steps:

  On the Start menu, locate the program that you want to always run as an administrator.

  Right-click the application's shortcut and then click Properties.

  In the Properties dialog box, select the Compatibility tab.

  Under Privilege Level, select the Run This Program As An Administrator check box, as shown in Figure 5-1.

  Figure 5-1: Configure an application to run as an administrator.

  Note

  If the Run This Program As An Administrator option is unavailable, it means that the application is blocked from always running as elevated, the application does not require administrative credentials to run, or you are not logged on as an administrator.

  Click OK.

  The application will now always run using an administrator access token. Keep in mind that if you are using a standard account and prompting is disabled, the application will fail to run.
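  Because a program marked this way requests an administrator access token every time it starts, it is worth reviewing periodically which programs carry the setting. The following PowerShell is an added example, not code from the book, and the function name is hypothetical. It relies on where Windows stores the Compatibility tab setting, which the text above does not name: a RUNASADMIN entry under the AppCompatFlags\Layers registry key, per user in HKCU and for all users in HKLM.

```powershell
# Added example (not from the book): list programs marked on the
# Compatibility tab to always run as an administrator.

function Get-RunAsAdminLayer {
    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

    foreach ($hive in 'HKCU', 'HKLM') {
        $keyPath = "${hive}:\$subKey"
        if (-not (Test-Path $keyPath)) { continue }

        $key = Get-Item $keyPath
        foreach ($program in $key.GetValueNames()) {
            # Skip the unnamed default value of the key.
            if ([string]::IsNullOrEmpty($program)) { continue }

            # Each value name is a full program path; the data is a
            # space-separated list of compatibility layers.
            $layers = [string]$key.GetValue($program)
            if ($layers -notmatch '\bRUNASADMIN\b') { continue }

            New-Object PSObject -Property @{
                Scope      = $hive      # HKCU = current user, HKLM = all users
                Program    = $program
                Layers     = $layers
                FileExists = (Test-Path -LiteralPath $program)
            }
        }
    }
}

Get-RunAsAdminLayer | Format-Table Scope, FileExists, Program, Layers -AutoSize
```

  An entry whose file no longer exists, or whose path is in a folder that standard users can write to, should be removed or corrected.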

  Always Running an Application with Different Credentials

  Although you cannot mark system applications or processes to run as an administrator, you can specify that an application or process should run using different credentials. Setting an application to run with different credentials allows a non-administrator user to mark an application to run as an administrator. Once set, administrator credentials will need to be provided before the application can be started using the shortcut. Follow these steps to set an application so that it always runs with different credentials:

 
