I got here by trying to set up the simplest possible implementation of SuRun on an XP SP3 system with a basic combination of SRP and NTFS access rights, using Sandboxie, Windows 7 Firewall Control, Microsoft Security Essentials, and FireFox as my security "suite." (I'm not a "systems" person and may need more hand-holding than most on this forum.)

My goal was VERY simple: Have just one program that won't run properly in a LUA start automatically with elevated rights (only when called, not at startup, nor in a Sandbox, nor anything else fancy) for just one Limited User. No additional rights are desired for this "SuRunner" (no changing SuRun settings, no ability to elevate rights of other programs, no tinkering with protected Windows settings). Also, no automatic checking for programs that need elevated rights and no additions to the context menus are desired.

I tried to achieve this simplicity by limiting most of the options in SuRun's Settings: No "Shell Integration;" the sole SuRunner cannot change SuRun's settings and can only run the predefined programs elevated; the only program listed to start automatically with elevated rights; on the "Execution Hooks" tab, do not try to detect if applications need elevated rights; on the "Advanced" tab, check all the "If a non "SuRunners..." boxes and un-check all of the "Convenience settings".... (I also tried un-checking the both of first two boxes on the "Execution Hooks" tab, "Install filter..." and "Set a Hook...", but I rapidly found that this prevented my program from running with elevated rights at all.)


First Question: Is the above a viable way to use SuRun for my limited purpose? Are there any other features that I can safely disabled?


So far so good with my one program, until I tried to run FireFox in a Sandbox. Then I got error messages, and Sandboxie wouldn't start FireFox at all (as others have reported here since about 2008). Initially I thought this might be a problem with the above very limited settings, but then I found discussion of the problem on this forum most recently here (http://forum.kay-bruns.de/thread/317). Subsequently, I have found another potentially simpler solution here (http://www.wilderssecurity.com/showpost.php?s=b00bee899fd0c7f9c7de97192fdfb964&p=1961712&postcount=20). This latter solution has also been advocated here (http://www.sandboxie.com/phpbb/viewtopic.php?t=9198&highlight=surun).


Second Question: Understanding that I will not be doing anything tricky like installing software from a LUA or otherwise running SuRun inside a Sandbox (or vice versa), which of these two proposed solutions is preferable and why?

1) From Kays's post:
"You need to set "full access" to the named pipe of SuRuns service (\Device\NamedPipe\SuperUserRun).
This ca be done in Sandboxie.ini:
OpenPipePath=\Device\NamedPipe\SuperUserRun"

2) From peterk62's post:
"...in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist."


Thanks in advance for any clarification of these combined issues! -- jclarkw
My problem occurs when I try to run FireFox inside a Sandbox from an LUA. I repeatedly get the following message from Sandboxie:

"SBIE22-04 cannot start sandboxed service RpcSs(-1)"

When I examine the contents of the (default) Sandbox, I find three programs listed as running:

1) Start.exe (I don't know what this one is...)
2) SuRun.exe (I don't know why this should be running inside the Sandbox, since I'm not trying to elevate rights for anything -- SuRun Settings/Execution hooks/"Try to detect if unknown..." is UN-checked, SuRun Settings/SuRunners group/"User can only run predefined......" is CHECKED, and all of the options mentioned above involving shell integration are disabled! I've only left the the top two options in Settings/Execution hooks checked, as mentioned before -- maybe not both are necessary?)
3) Start.exe (again...)

As I said before, my one program desired DOES run successfully with elevated rights (outside a Sandbox).

This does not sound to me like the problem that Kays has addressed -- see (1) in the previous message -- and in fact, when I try the solution proposed by peterk62 -- see (2) in the previous message -- my problem SEEMS to vanish. (None of the above-listed programs is now running in the sandbox.)

Needless to say, I'm still confused. Can anyone help me to understand what's going on here? -- jclarkw
Hello jclarkw, welcome to the SuRun forum,
jclarkw:1333900139 wrote: Understanding that I will not be doing anything tricky like installing software from a LUA or otherwise running SuRun inside a Sandbox (or vice versa), which of these two proposed solutions is preferable and why?
Both options do the same for YOU, they make SuRun work with SandboxIE.
My suggestion would enable SuRun's hooks inside SandboxIE while peterk62 would prevent them to work (and to eventually be risky).
I'd suggest you use peterk62's solution... or to read on below...
jclarkw:1333900139 wrote: First Question: Is the above a viable way to use SuRun for my limited purpose? Are there any other features that I can safely disabled?
Just uncheck everything in "Shell Integration" and everything in "Execution Hooks".

If you need SuRun just for one program and don't need the hooks, you can just delete "SuRun /SYSMENUHOOK" from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

This disables all SuRun hooks and set's SuRun to work manually.

To start your program, you then need to start "surun.exe yourprogram.exe" (or right click "Start as Administrator").
jclarkw wrote: 1) Start.exe (I don't know what this one is...)
This is part of SandboxIE
jclarkw wrote: 2) SuRun.exe (I don't know why this should be running inside the Sandbox, since I'm not trying to elevate rights for anything -- SuRun Settings/Execution hooks/"Try to detect if unknown..." is UN-checked, SuRun Settings/SuRunners group/"User can only run predefined......" is CHECKED, and all of the options mentioned above involving shell integration are disabled! I've only left the the top two options in Settings/Execution hooks checked, as mentioned before -- maybe not both are necessary?)
SuRun's hooks start SuRun.exe to check if a program is on your Program list. This needs to be done because your Program list is not accessible for your user, so SuRuns hooks must ask the service "A Program is about to be started, should it be started with elevated rights?".

If you blacklist the SandboxIE folder for SuRun, everything should work.
Kay wrote: ...Both options do the same for YOU, they make SuRun work with SandboxIE.
My suggestion would enable SuRun's hooks inside SandboxIE while peterk62 would prevent them to work (and to eventually be risky)...


Dear Kay -- Thanks VERY much for the most helpful response. The only part that I don't understand at all is your parenthetical remark quoted. What's potentially risky about peterk62's approach?

(I might need to use more of SuRun's capabilities in the future and would not want to get myself into trouble!) -- jclarkw


P.S. -- Apparently I was editing my second message while you were typing your reply. I hope I didn't confuse the issue further... -- J.W.
I'll explain in a simplyfied form how SuRun basically works in the hope you lose some confusion:

SuRun is a command line based program. SuRun.exe is one binary for the service and the client.

While running as service ("SuRun.exe /ServiceRun"), SuRun listens on a "named pipe" for commands from the client.

When started as client, SuRun writes it's request into the "named pipe" of the service.
The service handles the request and responds to the client by modifying the client's memory.

The hooks are implemented in SuRunExt.dll.
If a hook detects that a program is about to be executed, it starts "surun.exe /TestAA...".
This asks the service if this program must be handled specially by SuRun.
If SuRun started the program, the hooks return without calling the original Windows API.
If SuRun did not start the program, the hooks call the original Windows API to continue starting the program.

SuRun's Tray-Icon ("SuRun /SYSMENUHOOK") starts the shell integration and the hooks and shows the user information of the process owning the active Window.

When you disable the AutoRun of "SuRun /SYSMENUHOOK", you disable SuRun's hooks and shell integration.

When you run "SuRun.exe notepad.exe c:\MyText.TXT" you ask the SuRun service to start Notepad.exe with c:\MyText.TXT as administrator.
Whhops, we post a bit overlapping.
jclarkw wrote: What's potentially risky about peterk62's approach?
peterk62's suggestion is not risky, mine is, potentially, because in my suggestion SuRun gets into the game, in peterk62's SuRun is out and thus less risky.
Kay wrote:peterk62's suggestion is not risky, mine is, potentially, because in my suggestion SuRun gets into the game, in peterk62's SuRun is out and thus less risky.

Thanks again, Kay. That clarifies the matter sufficiently for me. -- jclarkw
Eine Antwort schreiben…
Impressum, Datenschutz