How to register fingerprint for a specific user in desktop FMA based on WBF?

  • General discussion

  • 1. FMA application is always running as system account (when run from Control Panel->Biometrics);

    2. It seems WBF functions (WinBioEnrollBegin, WinBioEnrollCommit) can only support registering a fingerprint for the process owner, and cannot register a fingerprint for another user;

    3. How to support registering a fingerprint to another account based on WBF?

    Regards, MaxAlex.

    Thursday, July 4, 2013 9:42 AM

All replies

  • Not a driver question, I would suggest asking on a win32 or security forum

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, July 4, 2013 1:06 PM
  • >> FMA application is always running as system account (when run from Control Panel->Biometrics);

    No, that's not a correct statement. An FMA always runs in the context of the user who fired up the Control Panel. In addition, there are certain accounts that are specifically blocked from performing any biometric operations at all (the built-in Administrator account, for example.)

    >> It seems WBF functions (WinBioEnrollBegin, WinBioEnrollCommit) can only support register fingerprint for its process owner, and cannot register fingerprint for other user;

    Yes, that's by design. As a security precaution, WBF will only attach a new biometric enrollment to the account SID of the currently logged-on user. It's not possible to enroll on behalf of someone else.

    >> How to support registering a fingerprint to another account based on WBF?

    (See above.) By design, we specifically don't allow that.

    Thursday, July 4, 2013 6:28 PM
  • Thanks for the answer, it clears up a lot, but I face the following situation:

    1. I have Windows 8 (x86) with two accounts: the administrator - max, the user - max_user;
    2. When logged in as the administrator, everything is fine;
    3. When logged in as the user, starting the FMA brings up the UAC window asking for the administrator's password;
    4. The FMA is then started on behalf of the administrator, and all registered templates are stored in the administrator's database;
    5. The FMA's manifest specifies:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApp" type="win32"/>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>

    Regards, MaxAlex.

    Friday, July 5, 2013 1:32 AM
  • What manifest are you looking at?

    This in particular doesn't look right:

          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
          </requestedPrivileges>

    You shouldn't be seeing any UAC prompt when you fire up the FMA from the Control Panel page for biometrics. Even from an account that's not in the Admin group, the FMA should start up and run.

    Regards,
    -Art Baker

    Saturday, July 6, 2013 1:52 AM
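
An added example, not part of the thread and not Microsoft's code: a small Python check that reads an application manifest like the one posted above and reports its requested execution level. It is relevant here because WBF attaches an enrollment to the account the FMA process runs as. The function names and the sample manifest builder are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# requestedExecutionLevel sits under trustInfo, which manifests declare
# in either of these namespaces.
TRUST_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")

FINDINGS = {
    "asInvoker": "OK: the process keeps the token of the user who launched it.",
    "highestAvailable": "WARN: administrators are elevated; the thread says the "
                        "FMA should run without elevation.",
    "requireAdministrator": "FAIL: a standard user gets a credential prompt and the "
                            "FMA then runs as the administrator account.",
}

def sample_manifest(level: str, ns: str = TRUST_NS[0]) -> bytes:
    """Constructed sample shaped like the manifest posted in the thread."""
    return f"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApp" type="win32"/>
  <trustInfo xmlns="{ns}">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>""".encode("utf-8")

def requested_level(manifest: bytes):
    """Return the requested execution level, or None if none is declared."""
    root = ET.fromstring(manifest)
    for ns in TRUST_NS:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            return node.get("level")
    return None

def audit_fma_manifest(manifest: bytes):
    """Return (ok, message); ok is True only for an explicit asInvoker."""
    level = requested_level(manifest)
    if level is None:
        return False, "WARN: no requestedExecutionLevel declared; state asInvoker explicitly."
    return level == "asInvoker", FINDINGS.get(level, f"FAIL: unknown level {level!r}.")

if __name__ == "__main__":
    for lvl in ("requireAdministrator", "asInvoker"):
        print(lvl, "->", audit_fma_manifest(sample_manifest(lvl)))
```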