Please try on your setup

Hi,

I everybody knows (well at least at Wilders) that is possible to use the taskmanager and virtualise an application when running UAC.

I have been looking for a way to use this as an extra defense running 32 bits aps (virtualisation only applies on x32 aps).

I found this http://csi-windows.com/blog/all/27-...w-can-i-uac-prompt-thee-let-me-count-the-ways

So I googled a bit further with this info

On social.answers.microsoft.com/Forums/en-US/w7programs/thread/e6c7d7f2-21be-49ce-8d93-c06b1c616002 I found that the compatibility mode values are stored in the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

So I opened REGEDIT and looked what I had in. I noticed that some programs where listed which I wanted to start as admin. So I added Iron as Invoker to override the Manifest in the EXE.

Added: Reg-SZ key
Name: C:\WIndows\SRWare Iron\iron.exe
Value: RUNASINVOKER

See picture (this was on Vista x32 business)

Now it runs with low rights, no execute up in download directory, EMET2 (SAFE-Admin setup) and virtualised AND the excellent CHROME sandbox

Would any one try it on Windows 7?

@Sully something to add in safe-admin when it works?

 

Info on build in virtualisation http://blogs.technet.com/b/richard_macdonald/archive/2007/05/18/990366.aspx

Regards Kees

 

I'm running on Win7 32-bit...and so I gave this a shot but on Firefox 4 Beta 6...

Here's what I found out...

When you're on LUA, if you "Run as admin" the registry editor and tried to add the value in

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

it won't work. Firefox wouldn't start 'virtualized' in the LUA account which makes sense since the 'current user' key that was affected belonged to the Admin (as you used the 'Run as admin" to launch registry editor).

When on the default account (Admin-approval Mode), it will work. Firefox will start as 'virtualized'. As expected.

However, if you wish to have Firefox started as 'virtualized' regardless of the account used, you would have to add the value into this instead:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Got that from the link you gave Kees...

Alternatively, a user who uses SuRun can also 'start as admin' the registry editor and add the value to the current user key. That way, Firefox would start as 'virtualized' on the LUA account since SuRun only elevates the registry editor under the context of that account and not of the administrator.

Hope I was clear in what I've written...I don't speak geek language unlike some others here so it's a bit tough on me

 

What do you say about virtualizing the newest Adobe Reader version? Following the same principle as Chromium based browsers, it would be beneficial, wouldn't you say?

 

This is included in the SAFE-Admin project. Actually, I've included RunAsAdmin, RunAsInvoker (virtualized) and Removal.

If you are using UAC on lowest setting, it is a nice feature for specific applications.

As with quite a few of these tweaks, I might have to investigate whether to use HKLM or HKCU for the best setting. Hate to code it to look for what type of account the user is logged in with.

Sul.

 

Maybe both options? If something we'd like to apply to all users, then we'd use HKLM, if something we'd like to apply of for a specific user we'd set it to HKCU?

 

It could be done. If so, it would have to be an all or none affair -- that is, if you want to apply to all users, then every requested action would be applied, always, in either HKLM or HKCU (whichever applies, it would depend). It wouldn't be too hard doing it like that.

Giving the option on demand is simply not going to happen. I have already built 1700+ lines of code into the current "worker" program. The registry structures are already made and I have included no preparations for knowing, per action, whether they take place in HKLM or HKCU. I can modify them globally with a few changes, but they will have to stay that way unless you remove SAFE and start over.

Speaking of which, what are the thoughts about, if you wanted to remove all the SAFE settings, having an option to dump to file everything that is currently set so that you have a reference for future if needed (like uninstall, or share with friend, or OS gets borked)?

I will look into it and see just how much it entails. In the meantime, can anyone provide a list of alternates? That is, the list of reg locations that could be "toggled" one way or another depending how you like it?

Sul.

 

like the idea. also if one removes SA the option to retreat to the settings prior SA, in which case no dump as the the settings getting reverted, and the other option to leave the SA settings in place plus dump

 

SAFE will allow you to roll-back to original values found at first run, and it will allow this per "action set". Example, you only want to remove any Deny Executes SAFE put in place, it will remove only those.

Also the option to reset to default values in case the original user settings are no longer desired.

Dumping it out would be really easy, some simple parsing of syntax that already exists.

Sul.