VistaUACMaker lets one specify a program's desired privilege level

[MrBrian]

From http://www.securityxploded.com/vistauacmaker.php:

Quote:

Vista has introduced new feature called UAC (User Account Control). In short it basically controls the way in which applications are executed by different users. Due to enforcement of this UAC, by default any application on Vista will run under the context of standard user instead of administrator. As a result the application which requires administrator privilege will fail to work properly on Vista.

So VistaUACMaker is designed to address this problem by making any Windows XP based application compatible with Vista as well as Windows 7.

Most useful functionality for me: preventing a program that doesn't really need to run as admin from requesting to be run as admin.

VistaUACMaker works on Windows 7 also.

[Rmus]

Quote:

Originally Posted by MrBrian

Most useful functionality for me: preventing a program that doesn't really need to run as admin from requesting to be run as admin.

It's not clear to me why a program already installed shouldn't run as admin. Is there a threat that the program could have been infected?

Or is there another reason?

thanks,

rich

[MrBrian]

Quote:

Originally Posted by Rmus

It's not clear to me why a program already installed shouldn't run as admin. Is there a threat that the program could have been infected?

Or is there another reason?

Another situation is a program running in a standard account and unnecessarily asking for elevation, but the user either doesn't have admin credentials or doesn't want to type admin credentials.

[Sadeghi85]

Corrupted one of my files.

[m00nbl00d]

Quote:

Originally Posted by Rmus

It's not clear to me why a program already installed shouldn't run as admin. Is there a threat that the program could have been infected?

Or is there another reason?

thanks,

rich

If a program requests Administrator privileges, and the very nature of the program does not require it, it only means the software developer(s) only tested it under an Administrator account. If you ask me, these are lazy developers who go the easy way.

Now imagine one of those applications (like Internet facing applications) with security vulnerabilities; running them as Administrator is asking for problems, if you ask me.

Would you give full access to your house to the cable guy/girl if only they need is access to the TV cables/TV or whatever it is required for stuff to work? No, you wouldn't, I guess.

[chronomatic]

Quote:

Originally Posted by Rmus

It's not clear to me why a program already installed shouldn't run as admin.

Uh, because there is something in the computer world called privilege separation that has been around for 40 years on other OS's but was virtually unheard of on Windows until fairly recent times. It seems many Windows users (even those who claim to be security experts) have a hard time understanding it. Many so-called Windows security experts even suggest to new users to ignore such security measures.

Privilege separation is closely tied in with capability based security. The idea is to not allow a program access to anything on the file system it does not expressly need (essentially the POLP). Since there is no widely used general purpose OS that is built from the ground up with capability based security, there are other means that allow the POLP to be enforced. One of them (popular on the *nixes) is MAC.

Quote:

Is there a threat that the program could have been infected?

The idea is that if the program is "infected" or is somehow breached via a code exploit, it cannot affect anything else on the system. It is essentially sandboxed.

Quote:

thanks,

rich

You're welcome.

Quote:

Originally Posted by MrBrian

Most useful functionality for me: preventing a program that doesn't really need to run as admin from requesting to be run as admin.

How does one know when a program needlessly asks for administrator privileges? I trust all the programs installed on my pc so the few that request admin privileges are granted them. Secunia PSI and EasyBCD are two that come to mind. After all, if they don't work properly under a standard account, then why deny them admin rights?

[MrBrian]

Manifest View lets you view a program's manifest, which will tell you the program's requested privilege level, if any has been specified.

[MrBrian]

Quote:

Originally Posted by wat0114

How does one know when a program needlessly asks for administrator privileges? I trust all the programs installed on my pc so the few that request admin privileges are granted them. Secunia PSI and EasyBCD are two that come to mind. After all, if they don't work properly under a standard account, then why deny them admin rights?

I'd recommend using this tool only when necessary. On another forum, a user indicated that a certain program worked fine in a standard account with UAC disabled, but when UAC was enabled it would trigger a UAC prompt in the standard account. This was in a business setting in which the program was to be widely deployed, and the business didn't want the standard users to have admin credentials.

The aforementioned Manifest View lets you know what, if any, desired privilege level a program wants. Some developers who don't understand UAC well enough specify a requested privilege level that is higher than necessary. As to the "how do one know" question, well, run the given program with a lower privilege level and see if something breaks .

Quote:

Originally Posted by MrBrian

I'd recommend using this tool only when necessary. On another forum, a user indicated that a certain program worked fine in a standard account with UAC disabled, but when UAC was enabled it would trigger a UAC prompt in the standard account. This was in a business setting in which the program was to be widely deployed, and the business didn't want the standard users to have admin credentials.

The aforementioned Manifest View lets you know what, if any, desired privilege level a program wants. Some developers who don't understand UAC well enough specify a requested privilege level that is higher than necessary. As to the "how do one know" question, well, run the given program with a lower privilege level and see if something breaks .

Okay thanks, I'll take a look. In my own home pc situation, however, it's not the concern it could be for an enterprise environment, but it will be interesting to see what those programs require with that tool.

[MrBrian]

Quote:

Originally Posted by wat0114

Okay thanks, I'll take a look. In my own home pc situation, however, it's not the concern it could be for an enterprise environment, but it will be interesting to see what those programs require with that tool.

Look for requestedExecutionLevel with Manifest View. Some programs, especially XP-era programs, won't have it.