UAC stops standard users from installing fonts
Problem: The UAC in Vista & Windows 7 controls the installation of fonts and only allows an administrator to install new fonts.
In XP the solution was to set permissions on %windir%\fonts and a couple of registry keys to allow Builtin\Users change access.
I have tried this in Windows 7 and Vista including setting other file permissions such as fontcache.dat but I'm still prompted for admin credentials.
I assume I need to set the application to run with lower privilege but the compatibility options are greyed out in file properties for %windir%\system32\fontview.exe even though I have taken ownership (as administrators) and set permissions for users to change etc.
How can I allow a small number of non-privileged users to install fonts using a manual workaround in the short term?
Then how can I do this with group policy in the longer term?
Thanks Chris
March 22nd, 2010 1:09am
Hi,
Try this, but it does not install the font; it only adds the font to the cache.
http://www.dailygyan.com/2008/05/how-to-install-fonts-in-windows-without.html
March 22nd, 2010 4:20am
Thanks Jiří Janata!
That might well do the trick! My clients need to use fonts supplied in publications but not have them permanently installed. So this neatly sidesteps the UAC on Vista/Windows 7 as there's no permanent change and no need for admin credentials.
I just checked it on a new Virtual Machine and it works perfectly.
The utility registers fonts for use with a standard user account and without any permission changes and then they are gone from cache after logoff.
I would still like to know if there is a more permanent way to modify a system program's privilege requirement but it's a great workaround.
Chris
March 23rd, 2010 12:00am
Hi,
Jiří Janata's suggestion is a temporary workaround. However, if you would like to install the fonts permanently, you must log in on the machine with administrator privilege.
For more information, please refer to the following article:
Installing fonts on Windows
Thanks,
Novak
March 23rd, 2010 4:22am
Thanks Novak,
Yes I know that normally an administrator credential is required to add fonts. The environment I support is Government so we don't want to provide administrator rights to standard users.
However as I stated under XP we were able to provide standard users the ability to install fonts by modifying file and registry permissions only.
Under Vista and Windows 7 the UAC stops font installation as fontview.exe is a system program. I was hoping there was a way of lowering the privilege required to install fonts say by Group Policy so that on request we could provide this for our standard users without giving them any other elevated privilege.
I could create an SCCM package, for example, to provide an advertisement which the user could run every time they need to install new fonts to avoid having an administrator visit or remote in, but Group Policy would be simpler.
Chris
March 23rd, 2010 9:30pm
Hi,
Based on my research, Jiří Janata's suggestion is the only way to install fonts with Standard user privilege. For more information, please also refer to the following article:
Issue with implementing group policy to allow users to install Fonts
Thanks,
Novak
March 24th, 2010 2:23am
Hi Novak,
Yes, I have to agree with you that the solution proposed by Jiří Janata appears to be the only solution.
However, as Tsukasa no Hibi was the developer of the solution, I think it's only fair that he get the direct attribution he deserves for the work done. The other website, Daily Gyan, simply reports what they found with some additional comments.
http://tsukasa.jidder.de/blog/2008/04/18/temporarily-register-fonts-using-a-normal-user-account
It does require .Net Framework 2.0 but Tsukasa includes the source and it could be re-written in C++ if you're good enough!
I have tested and implemented a solution for my clients using a batch file along the lines of
pushd c:\temp\fonts
for %%f in (*.*) do registerfont "%%f"
popd
This works well and if the batch file is added to Startup it will register the fonts for each user session.
It could also be added to the Windows\Run registry key etc.
Chris
March 29th, 2010 5:08pm
As mentioned before Tsukasa had developed a workaround to add fonts to the user's current session
http://tsukasa.jidder.de/blog/2008/04/18/temporarily-register-fonts-using-a-normal-user-account
Now another developer dcpurton has created a C version complete with GNU license and source code!
http://marshwiggle.net/regfont/ This has the advantage of not requiring .Net Framework 2.0.
I will be using this to implement a solution for our users who require fonts but are not local administrators.
Just type Regfont.exe *.* and all font files in the current directory are registered. Add this to a user's Startup and it happens every time they log on, so they appear to have installed the fonts!
Chris
September 8th, 2010 11:32pm
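A session-only registration of the kind described in the posts above, written in PowerShell as an added example; it is not code from this thread, from Tsukasa or from regfont. It assumes such tools work by calling the GDI AddFontResource function (an assumption, not taken from their source), and it reuses the C:\temp\fonts folder from the batch file above as the default path.

```powershell
# Added example: register fonts for the current logon session only.
# Runs as a standard user; nothing is written to %windir%\Fonts or to HKLM.
# Assumption: C:\temp\fonts is the folder used in the batch file in this thread.
param([string]$FontDir = 'C:\temp\fonts')

Add-Type -Namespace Win32 -Name Gdi -MemberDefinition @'
[DllImport("gdi32.dll", CharSet = CharSet.Unicode)]
public static extern int AddFontResourceW(string lpFileName);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessageTimeoutW(IntPtr hWnd, uint Msg,
    IntPtr wParam, IntPtr lParam, uint fuFlags, uint uTimeout,
    out IntPtr lpdwResult);
'@

$HWND_BROADCAST   = [IntPtr]0xffff
$WM_FONTCHANGE    = 0x001D
$SMTO_ABORTIFHUNG = 0x0002

# Only hand font files to GDI, rather than *.* as in the batch file.
$extensions = '.ttf', '.otf', '.ttc', '.fon'
$registered = 0

Get-ChildItem -Path $FontDir |
    Where-Object { -not $_.PSIsContainer -and
                   $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        # Returns the number of fonts added, 0 on failure.
        $added = [Win32.Gdi]::AddFontResourceW($_.FullName)
        if ($added -gt 0) {
            $registered += $added
            Write-Output "registered $($_.Name)"
        } else {
            Write-Warning "GDI rejected $($_.Name)"
        }
    }

# Tell running applications that the font table changed.
if ($registered -gt 0) {
    $result = [IntPtr]::Zero
    [void][Win32.Gdi]::SendMessageTimeoutW($HWND_BROADCAST, $WM_FONTCHANGE,
        [IntPtr]::Zero, [IntPtr]::Zero, $SMTO_ABORTIFHUNG, 1000, [ref]$result)
}
```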
I believe I have come up with a workable model to solve this issue. It is not watertight from a security aspect as it leaves the fonts directory open, but it works in my test lab.
Let me know if you have not got anywhere on this.
January 27th, 2012 2:18pm
If your solution is working with UAC turned on lee_martin1985, I'd sure like to know how you did it! I've automated the folder/registry permissions stuff but still get prompted by UAC. Turn UAC off and all is good. I'd rather have the fonts folder open than UAC off.
Permissions script (replace [domain] with your domain name):
' Set permissions to font folder to allow standard users to install fonts
Option Explicit
Dim objFSO, objShell, strTempFile, objTempScript
Const HIDE_WINDOW = 0
Const SHOW_WINDOW = 1
Const WAIT_ON_RETURN = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
' Create temp file with the script that regini.exe will use
strTempFile = objFSO.GetTempName
Set objTempScript = objFSO.CreateTextFile (strTempFile)
' Granting Administrators, System and Interactive Users Full Control
objTempScript.WriteLine Chr (34) & "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts" & Chr (34) & " [1 17 21]"
objTempScript.Close
' Change registry permissions with regini.exe
objShell.Run "regini.exe " & strTempFile, SHOW_WINDOW, WAIT_ON_RETURN
' Delete temp file
objFSO.DeleteFile strTempFile
' set folder to non-system and enable writing
objShell.Run "attrib.exe -r -s %systemroot%\Fonts", SHOW_WINDOW, WAIT_ON_RETURN
' set ownership of folder to domain users - /r = recurse, /d n = default answer 'no'
objShell.Run "takeown.exe /f %systemroot%\fonts /r /d n /s %computername% /u " & Chr (34) & "[domain]\Domain Users" & Chr (34), SHOW_WINDOW, WAIT_ON_RETURN
' give users permission to the folder
objShell.Run "icacls.exe %systemroot%\fonts /grant " & Chr (34) & "[domain]\Domain Users:M" & Chr (34) & " /t", SHOW_WINDOW, WAIT_ON_RETURN
' give users permission to font cache file
objShell.Run "icacls.exe %systemroot%\system32\FNTCACHE.dat /grant " & Chr (34) & "[domain]\Domain Users:M" & Chr (34) & " /t", SHOW_WINDOW, WAIT_ON_RETURN
WScript.Echo "Done!"
February 6th, 2012 3:14pm
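An audit for machines where the permissions script above has been run, as an added PowerShell example that is not part of the original posts. It reports every Allow ACE that gives write-type access on the Fonts folder, the font cache file and the Fonts registry key to a principal outside a small baseline; the baseline SID list is an assumption to adjust for your environment.

```powershell
# Added example: find write-capable ACEs held by non-administrative principals
# on the three objects the permissions script in this thread modifies.
$targets = @(
    (Join-Path $env:SystemRoot 'Fonts'),
    (Join-Path $env:SystemRoot 'System32\FNTCACHE.DAT'),
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
)

# Assumed baseline of principals that may hold write access.
$trusted = @(
    'S-1-5-18',      # Local System
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (placeholder ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

$generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor $generic
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor $generic
$sidType  = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $targets) {
    if (-not (Test-Path $path)) { continue }
    $isReg = $path -like 'HKLM:*'
    $acl   = Get-Acl -Path $path
    # Ask for SIDs so the comparison does not depend on localized account names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }

        if ($isReg) { $rights = $ace.RegistryRights;   $mask = $regWrite }
        else        { $rights = $ace.FileSystemRights; $mask = $fsWrite }
        if (([int]$rights -band $mask) -eq 0) { continue }

        # Resolve the SID to a name for the report; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        New-Object PSObject -Property @{
            Path      = $path
            Identity  = $name
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}
```

No output means no principal outside the baseline holds write access to these objects.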
I now have this implemented with SCCM as the delivery mechanism.
To keep the desktop secure we install fonts for users to take away the need they have for admin rights.
Let me know if you have this as I can show how I have this setup.
Thanks
May 27th, 2012 6:33am