Skip to content

November 6, 2013

9

Rethinking the PCoIP Config Utility

As I am doing some planning for View 5.3 and the new dynamic PCoIP tuning feature I am debating re-writing the PCoIP Config Utility from the ground up.  I’d like your feedback on a few items though, the first of which is this-

One “issue” with the utility as it stands today is that it requires Admin privileges to run.  This can be dealt with in various ways but there’s only really one reason it requires escalation – the PCoIP registry entries are in HKLM and not HKCU.  In order to get access to the keys and, most importantly, make changes to them, you need higher privileges.

This could be gotten around by changing the security on the Registry keys that house the PCoIP settings, but I don’t know if this would be something frowned upon by most users and/or their security teams.

So, I am asking:  Are people OK with things as they are and having the app require escalation, or would they prefer to make other changes and have the app run without escalation?  If so, what changes are they willing to do?

Also, I am open to other thoughts/options on how to implement this as well.  One option I tossed around a while ago was to install a system-level service with access to the required Registry keys and then have the front-end piece talk to that service to apply changes.  This way, you could install the service once into a master image and users could run the utility as-is and stop/restart it without any special permissions.  Is this a better way?

Please drop your thoughts into the comments.

Read more from Uncategorized
9 Comments Post a comment
  1. Nov 6 2013

    Chuck, create a windows service that runs as administrator and is installed by the administrator on the parent image. This windows device is responsible for modifying the registries. Then, create a UI interface, more like an independent executable, that will talk to the service with admin rights. This was the user will not need to have admin rights to make the changes.

    -Andre

    Reply
    • RexRemus
      Nov 6 2013

      This was my thinking a while back, but wasn’t sure about the impact of breaking into two pieces and the additional installation work. But it always felt like a good way to handle it via separation of duties.

      Reply
  2. Josh
    Nov 6 2013

    Hi Chuck, I think there is a lot of potential for a GUI/CLI interface seperate from the service. This would allow us to expose the Registry features we need to users (eg, a simple mobile vs LAN widget for persistent desktops)

    Will be interesting to see how settings get reapplied mid-session by GP update for the new dynamic variables.

    Thanks for the hard work, very useful app for testing and demos!

    Reply
  3. Nov 7 2013

    Hi Chuck,

    great to hear that you are working on that great tool again! I would prefer a separate service and UI.

    Thanks!

    Pieterjan

    Reply
  4. Nov 12 2013

    A separate service and an app to utilize the service is nice. You typically want services to run with admin privileges though, only give the service the permissions is needs and thats it. I do like what you have done, I believe the tool is very useful. I do however notice the export feature to excel is not working.

    Reply
  5. Nov 12 2013

    Oh, and use escalation, UAC on windows if set will prompt you to accept, its not a big deal and preferred in a security environment.

    Reply
  6. Bryan
    Dec 11 2013

    This utility is fantastic, but we also have the challenge of running it with elevated credentials as 95% of our users do not have admin rights.

    We very much would like to run this as a system service that can be installed on the base/gold image and have a front-end component that users can run as they please and/or have launch at session login/reconnect.

    Great work on all this Chuck – thank you!

    Reply
    • RexRemus
      Dec 11 2013

      I’ve started work on the service element and will be building it out over the next few weeks. This seemed to be the generally accepted best path forward so I’ve architected the next-gen version of the utility around it. I’m also adding some stuff I think will greatly improve the features and capabilities of the tool for both users and admins – but I need to keep a few surprises for when I release it :) Thanks for the feedback!

      Reply
  7. Neal Leyendecker
    Jan 10 2014

    Hello Chuck, this is a great product but we really need a method of getting it to work on Internet isolated systems.

    Reply

Share your thoughts, post a comment.

(required)
(required)

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments