An application fails to elevate even though there is a rule present for it.
If an application takes too long to launch (over 10 seconds), there is a very good chance it will fail to be elevated.
When a process is first launched, the Privilege Manager driver intercepts the process and notifies the CSEHost Service of the started process. At that point the driver pauses the process until it hears back from the CSEHost, or until a specific amount of time has elapsed (default is 10 seconds). CSEHost then attempts to match the process to any of the rules on the client, and if a rule matches, it attempts to match each of the defined properties of that rule. While the CSEHost is attempting to process the rule properties (Validation Logic, publisher, file version, file hash, etc.), if it delays more than 10 seconds (the default time) the driver un-pauses the process so that it can continue and it won’t hang the system.
CSEHost is usually able to take all necessary actions on a process and notify the driver it is done in less than one second, but occasionally certain actions done by CSEHost can take longer than desired to complete. One action that can take CSEHost longer than expected is retrieving file information (publisher, file hash, product code, file version, etc.) from an .exe or .msi that resides on a network resource, especially if the network connection is slow.
Modify the rule(s) to eliminate the actions that are causing CSEHost to take too long to process the executable. For example, if calculating the file hash is causing the problem, remove the file hash check from the rule, if possible.
Or
If the delay is caused by a slow network connection, so that file access to the location the process runs from takes an exceptional amount of time, run the process, if possible, from a location that does not use that slow resource or network connection.
Or
Another alternative is to increase the amount of time that the driver (QGPEProcMon) will wait for the notification from CSEHost before it un-pauses the process. As stated above, the default value for this delay (referred to as “WaitTimeout”) is 10 seconds. To increase that default to a higher value, add the following registry key to the client computer (registry key location below is based on an x64 OS) and under that a new DWORD named “WaitTimeout”. The value given to the DWORD “WaitTimeout” should be equal to the number of seconds you want the timeout to be, multiplied by 1000. The maximum value you can set is 210,000 (equivalent to 3.5 minutes or 210 seconds). For example, if you want to change the amount of time that the driver will pause the process from the default of 10 seconds to 30 seconds, multiply 30 by 1000 to get a value of 30000.
x86
HKEY_LOCAL_MACHINE\SOFTWARE\ScriptLogic Corporation\Privilege Authority\GPEProcessMonitor
x64
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ScriptLogic Corporation\Privilege Authority\GPEProcessMonitor
DWORD named “WaitTimeout”
Once the value is changed, you must reboot the client for the new value to take effect.
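The registry change described above can be scripted. The following PowerShell is an added example, not vendor-supplied code; the function name `Set-PmWaitTimeout` is hypothetical, the lower bound of 1 second is an assumption (the article states only the maximum), and it assumes an elevated 64-bit PowerShell session on x64 clients.

```powershell
#Requires -RunAsAdministrator
# Added example: sets the WaitTimeout DWORD described in this article.
function Set-PmWaitTimeout {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        # Upper bound is the article's maximum (210 s = 210,000 ms).
        # Lower bound of 1 is an assumption; the article gives no minimum.
        [ValidateRange(1, 210)]
        [int]$Seconds
    )

    # Key location depends on OS bitness, as listed in the article.
    $subKey = 'ScriptLogic Corporation\Privilege Authority\GPEProcessMonitor'
    if ([Environment]::Is64BitOperatingSystem) {
        $path = "HKLM:\SOFTWARE\Wow6432Node\$subKey"
    } else {
        $path = "HKLM:\SOFTWARE\$subKey"
    }

    # The DWORD holds milliseconds: seconds multiplied by 1000.
    $milliseconds = $Seconds * 1000

    if ($PSCmdlet.ShouldProcess($path, "Set WaitTimeout = $milliseconds")) {
        if (-not (Test-Path -LiteralPath $path)) {
            # -Force also creates any missing parent keys.
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $path -Name 'WaitTimeout' `
            -PropertyType DWord -Value $milliseconds -Force | Out-Null
    }

    # Read the value back so the change can be confirmed before rebooting.
    $current = (Get-ItemProperty -LiteralPath $path -Name 'WaitTimeout' `
            -ErrorAction SilentlyContinue).WaitTimeout
    [pscustomobject]@{
        Path           = $path
        WaitTimeoutMs  = $current
        RebootRequired = $true   # the new value takes effect only after a reboot
    }
}

# Preview the change for a 30-second timeout (30000 ms) without writing it.
Set-PmWaitTimeout -Seconds 30 -WhatIf
```

Remove `-WhatIf` to apply the change, then reboot the client.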