Option to switch users?

Kay

Good idea. :-)
I'm currently researching how to implement a FUS replacement.

quantic

wow! Nice Kay, very nice indeed.
Thanks for that.

Take a look at this tool: SUperior SU
He hasn't updated it since 2004 and source code is not available but see if it helps in anyway.

[gelöscht]

Hi, Kay:

Thanks for your dev efforts! Cool admin tool! Can't wait for the new implemenation suggested by the other forum user!

Count on me for language localization if you have any planned in this regard!

aLL tHE bEST fr ;-) M bRaZiL

MCHAL.110mb.com

Kay

Ok Guys, I found a way to easily implement FUS.
The first try is built into SuRun 1.2.0.7 Beta 9.
Please tell me what you think.
Is it worth making a GUI?

quantic

That was fast! :D
THANK YOU, Mr Kay!
Really,thanks a lot for this.

From my brief tests, it's all working ok without any glitches.
This on an XP SP3 en-EN 32-bits

As for your question, I don't need a GUI at all but if you want to make one will be welcomed of course.
For now, this only works if the Welcome Screen is ON.
Any chance to disable the Welcome Screen and use Classic Logon prompt as DUST does?

EDIT:

post cleaned up a bit, I used DUST a long time ago and was mixing things up.

and also want to say that I'm just lovin' this tool :cool:
You are a really nice guy Kay.

Kay

quantic wrote: For now, this only works if the Welcome Screen is ON.
Any chance to disable the Welcome Screen and use Classic Logon prompt as DUST does?

If I disable the Welcome screen, FUS is also disabled.
So I can only have one user logged onto the box at a time.
Do you know how I then do logon multiple users and switch between them?

quantic

From DUST page, read sections:

"Classic Logon under Windows XP"

and

"Enforcing Windows XP Fast User Switching"

it seems this is how they do it:

This is achieved through a service that monitors specific changes to the registry and then makes adjustments as necessary.

it also says that it doesn't work for Vista though...

Kay

There's some effort in monitoring or automatically modifying the registry. Also some (more) HIPS might rate SuRun as Malware.

As far as understand, the welcome screen is off primarily for domain users. This makes it even harder as I do not have access to a real life domain for tests.

So I'd like to avoid implementing that feature.

What is your reason for turning off the welcome screen?

quantic

Fair enough Kay.
THE feature I wanted most is already implemented, so I'm a happy SuRunner :D

The only reason I asked for it is mainly for personal taste, nothing more, I guess I'm more into the old-school sort of things.
I even use the /sos switch in boot to see text instead of GUI :D

Disregard it completely, seriously. I'm very grateful for what you did in so short time.
Big thank you.

Just one more question Kay.
How's the feedback from Windows 7 users? Is it working ok?

Kay

I just tested Windows 7 RC1 in a VM. SuRun works, but not perfect.
* Windows puts "SuRun /SYSMENUHOOK" into a "virtualized" state.
* SuRun can't start an elevated Explorer.
* SuRuns hooks do not affect Explorer, so SuRun can't intercept execution of programs and all automagic is of no use in Win7 RC1 right now.

I'll give Win7 RTM a try and (hopefully) fix the issues.

quantic

I sure hope you can do it.
I'm planning to write an article about it and I'd like to let Win7 readers know, that they can replace UAC with SuRun.
Maybe I'll write it now and then make an update, or I'll just wait for the compatibility fixes.
I'll let you know either way.

Kay

I would not replace UAC, I'd leave it enabled and additionally use SuRun.
UAC seems to be implemented deeply in the system.
It should provide better safety than SuRun. (I hope MS fixed that RunDll32 UAC bug in Win7)
Also SuRun uses only ACLs for securing processes, UAC uses ILs that deny sending messages to (and so remote controlling) elevated processes.

quantic

I've not yet switched from XP, but from what I've been reading, UAC is undoubtedly flawed, not by design but by its implementation as proved here: Windows 7 UAC whitelist: Code-injection Vulnerability (and more)

And even though rundll32.exe is not in the whitelist anymore, as it's stated here: Short: Windows 7 Release Candidate auto-elevate white list, code-injection is still possible as proved in the 1st link.

Of course, this is only possible when using an Admin account, which many people still do in Vista/7.

kay wrote: It should provide better safety (...)

You said the magic word, "should".

Let's see how that turns out in the RTM, or SP1

[gelöscht]

Just found SuRun. I tested /switchto on XP SP3 from a remote ultravnc session and it worked (GOOD!)
However, I did have a small issue.
1. installed SuRun 09beta on a clean machine as username A in administrator's group, restarted PC
2. added two LUA users B and C to surunners group (A not in group)
3. from A's account, in cmd window tried surun /switchto B several times. nothing happened (ISSUE)
4. used windows WIN+L to FUS to user's B account
5. in cmd window tried /switchto A, this time it worked (after password prompt)
6. in A's account, in cmd window tried /switchto B again, this time it worked
So it seems that step 5 initialized something that enabled /switchto for admin user A, something that wasn't initialized (properly?) in step 3.

Other than that, so far SuRun seems really good. Thank you lots!

cosmo

My guess:

You did not log into account B prior doing step 3, did you?

If the target-account is not logged-in, Surun (at now) cannot switch and Beta 9 does not (yet) give any hint.
This has been discussed already (but in German language, so you may not know this) and will be addressed by Kay in a later version.

[gelöscht]

You guessed right!

paradigmshift

I would not replace UAC, I'd leave it enabled and additionally use SuRun.

I'll be disabling UAC in Windows 7 in favor of using SuRun, LUA, SRP, and AppLocker.