some issues

[gelöscht]

Hello Kay,

I'm using your SuRun utility for a week now. It's a very useful tool and the most configurable of all its kind (I've tried sudown, sudowin, dropmyrights, makemeadmin etc.).
I've also discovered some issues.

1. If I surun explorer (opening a folder with administrative rights) the changes that I make (ex. creating or removing a file) become visible only after refreshing the screen (F5). Missing a FileSystemWatch or something. Another thing is that folder icon customizations visible in my limited account and made HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons are not visible when I run as admin.

2. If I run secpol.msc even with admin rights it displays an error. The only way to run it correctly is to use Windows' Run as...

3. I've tested surun on a virtual machine and deliberately infected it with some .mp3.exe virus that I've found on DC P2P networks. The virus didn't write anything to C:\ but still managed to mess the HKCR\exefile key (changing the execution command to C:\command.exe %1). Is there a way for surun to warn the user when an app (run even in limited account) tries to modify certain HKCR keys? These are shared by all users, affecting even admins, unless custom keys are provided in HKCU\Software\Classes.
Keys that need to be protected are at least those for executable files. Typically, a limited account app should not be able to change HKCR keys at all, but that's M$'s "trustworthy computing"...

4. IMHO the surun.exe process running in SYSTEM account should not be easy to kill (ex. a process from ZoneAlarm - vsmon.exe aka "TrueVector Internet Monitor" - cannot be killed by an admin).

-----------------
SuRun 1.2.0.6 beta 6
Windows XP SP3 fully updated until January 2009

Kay

Hello Hansm,

hansm wrote: 1. If I surun explorer (opening a folder with administrative rights) the changes that I make (ex. creating or removing a file) become visible only after refreshing the screen (F5).

This is a known Explorer bug. It appears in all other MakeMeAdmin-like tools.
I tried to make a workaround, but had no success yet.

hansm wrote: Another thing is that folder icon customizations visible in my limited account and made HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons are not visible when I run as admin.

That's rather strange... How can I reproduce this behavior here? (XPize?)

hansm wrote: 2. If I run secpol.msc even with admin rights it displays an error.

This is a known issue.
SecPol checks the Token Authentication ID of the user token. And that is a limited ID.
"SuRun /RUNAS secpol.msc" works well without the need to use Windows' RunAs.

hansm wrote: 3. I've tested surun on a virtual machine and deliberately infected it with some .mp3.exe virus that I've found on DC P2P networks. The virus didn't write anything to C:\ but still managed to mess the HKCR\exefile key (changing the execution command to C:\command.exe %1).

How could it do this? Usually there's no write access for "Users" in this Key.

Just a guess: Is your limited user the creator/owner of HKCR\exefile?

hansm wrote: Is there a way for surun to warn the user when an app (run even in limited account) tries to modify certain HKCR keys? These are shared by all users, affecting even admins, unless custom keys are provided in HKCU\Software\Classes.
Keys that need to be protected are at least those for executable files. Typically, a limited account app should not be able to change HKCR keys at all, but that's M$'s "trustworthy computing"...

Usually the virus should not be able to modify anything in HKCR or HKLM, except when you started it with Admin rights, what you never should do. So there should not be a need to check access to these keys.

Please note that SuRun is no protection or security software. It is a program launcher, no HIPS.
SuRun (hopefully) does not compromise system security more than Microsoft (through RunAs).

Setting up correct ACLs is up to the Administrator of the system.

hansm wrote: 4. IMHO the surun.exe process running in SYSTEM account should not be easy to kill (ex. a process from ZoneAlarm - vsmon.exe aka "TrueVector Internet Monitor" - cannot be killed by an admin).

ZoneAlarm must be running (like any HIPS or Virus scanner) to keep the system safe.
But this is not true for SuRun. No one can do any harm by killing the SuRun service.
To kill it you need to be Admin anyway, so what should the protection be good for?

Kay

I just checked my registry using SysInternals' AccessCheck:
[indent]"surun cmd" -> "accesschk.exe -s -w -k kay HKLM"; "accesschk.exe -s -w -k kay HKCR"[/indent]

My limited user had write access to "SOFTWARE\Microsoft\Windows\CurrentVersion\Hints" (User account pictures), to "HKLM\SOFTWARE\Microsoft\MSLicensing\Store\LICENSE000" and to some HKCR\CLSID\{CAFEEFAC-00??-000?-????-ABCDEFFEDCBA} keys that all belong to Sun-Java.

Also as default the creator/owner of any Key in HKCR get "full control" access. That may have compromised your HKCR\exefile security(?).

[gelöscht]

Thank you for your prompt and well explained answers.

Indeed, the fact that the virus could write to HKCR\exefile is likely due to the key's ownership (or to other stuf that I may have made in that VM). I've just rechecked the ownership/permissions and the exefile key already provided full access to what is now a limited account (but what was on install time an admin account). So, mea culpa :D.

If the secpol.msc and Explorer refresh issues are third-party bugs, I have nothing to object.

As for the folder customizations via "Shell Icons", to reproduce the behavior use this in a .reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons]
"3"="%systemroot%\\explorer.exe,1"

It makes some sort of "mask" for icons in shell32.dll and Explorer displays them rather than the icons in HKCR\<file>\DefaultIcon. I've customized my icons this way using Axialis IconWorkshop.
The entry I've provided replaces the usual folder icon. To see it, the icon cache must be refreshed/rebuilt (a tool for that would be TweakUI).

Again, thank you for this excellent app. It's exactly what I looked for in Windows (craving for good ol' sudo from Linux).
This tool has gained star status on my machines and I'll recommend it to all my friends.

[sorry if I've misposted, I don't know German, so I try to guess what those forum buttons do :)]

Kay

hansm wrote: As for the folder customizations via "Shell Icons", to reproduce the behavior use this in a .reg:
----
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons]
"3"="%systemroot%\\explorer.exe,1"
----

I tried that and <win>+"E" Explorer shows the "magnification glass" on folders.

Then I started "SuRun Explorer" and it does not show the icons. :'(

...after that I started "Explorer" (Folder Options: Start Explorer windows in separate process") and: No magnification glass on folders 8-(

So it seems that Explorer does not respect this registry key if it is not the shell process... as it does not refresh it's folder views. Hmmm well programmed apps come from Microsoft ;-)

hansm wrote: [sorry if I've misposted, I don't know German, so I try to guess what those forum buttons do :)]

You posted perfectly right. :-)