Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

I've found a program that lets one run programs in the secure desktop! Download the file NET_0Setup.zip near the end of that page.

I installed Elite Keylogger. Then I ran c:\windows\Notepad.exe in the secure desktop and typed some characters into it. I switched back to the admin account and reviewed the Elite Keylogger logs; no keystrokes were recorded from the secure desktop .

To do this, refer to usage case #2 above.

Feel free to report your test results vs keyloggers, screen loggers, etc. .

I couldn't get usage case #1 to do what it claims to do.

 

A couple of notes:

Opera portable runs in the secure desktop with Internet access .

The UAC-look-alike launcher can be used to start a program as any user, not just admin users. I started Opera portable as a standard user in the secure desktop.

Maybe this is a good method to do online banking?

 

pretty interesting

but what if some sort of malware came from the browser running in secure desktop while you are surfing? I don't want my secure desktop be infected :<

 

Good point . More testing needs to be done....

 

Aha! I got usage case #1 to work now . It seems you have to specify an admin account that doesn't use UAC - I used the Administrator account. So now we have a way to start programs as admin from a shortcut while completely avoiding a UAC prompt . I'll be writing about this soon somewhere else on Wilders.... Oh, and it works from a standard account also, and with no additional services needed .

 

I do hope for an easier/safer implementation.

EDIT: If I have an antikeylogger / antivirus running in the unsecure desktop would they be able to protect programs running in the secure desktop?

 

I'm looking into that right now .

 

Some tests:

A program running in the secure desktop can launch other programs. Thus, I assume malware could be launched if you come upon an exploit in a program that you're using in the secure desktop.

Hypothesis: if you encounter malware while in the secure desktop, while it can run in the current secure desktop and also possibly infect the user account that's being used, the next time you use a new secure desktop, the malware shouldn't be running in it.

I installed Avast 5 Free with default settings. I switched to the secure desktop and tried to run an infected file. Avast deleted the file while in the secure desktop, although Avast showed no user interface notification while doing so. I also tried to download an infected file. Again, Avast stopped it, without any user interface notification. When I switched back to the normal desktop, Avast showed notification of what had happened.

Unfortunately, AppLocker doesn't seem to be enforced in the secure desktop.

 

The behavior I've seen so far supports the hypothesis. While in the secure desktop, I ran Anti-Keylogger Tester. It was able to log keystrokes within the secure desktop. I also set Anti-Keylogger Tester to start in the user's account every login. I then switched back to the normal desktop, and logged out of the account and back in. Anti-Keylogger Tester started automatically as expected. I then turned on its keylogging, entered the secure desktop, typed some keystrokes, and exited the secure desktop. Anti-Keylogger Tester wasn't able to log the keystrokes within the secure desktop.

So to summarize, it seems that:
1. Every time you enter a new secure desktop, it's clean from keyloggers, etc., even if you got infected while in a different secure desktop.
2. If you encounter malware while within a secure desktop, it can affect the current secure desktop and also permanently affect the user account being used. Depending on the permissions of the user account being used, you could get total system compromise.

Maybe turn on Returnil before using a secure desktop?

 

Interesting tests

In which case you wouldn't need secure desktop, i guess

 

Returnil would be used to cure (upon reboot) any infection you get while in the secure desktop, but any keyloggers already present in the system hopefully wouldn't function while in the secure desktop. I didn't test with Returnil yet though....

I think the closest competitors to this method might be Prevx SafeOnline or KeyScrambler.

On an unrelated note, I think I'll refer to this program as "Secure Desktop Run As," which is IMHO more appropriate than "User Account Control."

 

@ MrBrian

I see what you mean

PSOL is a major player & together with for eg Zemana or Spyshelter even better

However please see the recent posts by aigle in here

https://www.wilderssecurity.com/showthread.php?p=1772410#post1772410

 

I've tested against Advanced Keylogger from Eltima. Advanced Keylogger didn't log any keys pressed in the secure desktop.

 

Excellent

What about screenshots though ?

See my latest post in - https://www.wilderssecurity.com/showthread.php?p=1772410#post1772410

Advanced Keylogger from Eltima is a beech

 

I set my browser to always run at low integrity level, with DEP, ASLR etc with the help of EMET-2...

Will my browser running on secure desktop have all the settings?

 

Advanced Keylogger couldn't grab any screenshots from the secure desktop .

 

Right... "Hey good sir, may I make use of this application?" ... Polite malware... Who would imagine that?

Polite....

... but stupid.

Imagine I have Spybot - Search & Destroy installed, which to apply immunizations, add or remove autorun entries, etc needs Administrator rights. If I have Spybot to always run as Administrator, then couldn't malware check if Spybot is installed and just run it on its behalf (obviously, without the user even seeing it) and just add autorun entries, and delete antimalware autorun entries?

Just a tiny example.

Am I seeing the wrong picture, perhaps

 

Secure Desktop RunAs can create a new shortcut but it doesn't modify existing shortcuts or programs.

 

I tested Firefox running as a low integrity app and configured it with EMET. When I ran Firefox in the secure desktop, it ran as a medium integrity app. EMET was active for Firefox when run in the secure desktop.

 

I tested against 6 of the 7 keylogging tests of Anti-Keylogger Tester v3.0 running in a normal desktop, first with non-admin rights, and then with admin rights, while typing into Notepad in a secure desktop. Anti-Keylogger Tester was unable to record keystrokes in the secure desktop in any of the tests. I couldn't try the JournalRecord Hook test because it failed to set.

This is perhaps a fine method for online banking using a different browser than you normally use, one with no third-party addons. Activities which have too high of a chance of encountering malware should probably not be done in the secure desktop.

 

I thought so...

have you tested isolation softwares like GesWall / Defensewall or Sandboxie?
did they sandbox/isolate browsers that tries to run in the secure-desktop?

In a secure desktop session can you open 2 or more programs or just one?

Thank you for the tests.

 

You're welcome .

I didn't test isolation software. You can open more than one program in a secure desktop; in fact you can launch explorer.exe.

 

OK. But, isn't the purpose of this app to give us the chance not to receive any more UAC alerts for apps we constantly use, for example? If I understood it right, every time I want to start Spybot or some other app, I no longer will get any UAC prompts for it, if I choose that way, right Spybot will always run with Administrator rights every time it is run, won't it?

This is what I'm understanding the app does, besides the secure desktop situation.

If that's the case, wouldn't the scenario I mentioned before be plausible to happen?

 

Yes, the program has two different types of functionality:
a) secure desktop runas - usage cases #2 and #3 from first post
b) avoid UAC alerts - usage cases #1 and #4 from first post

Using your example, suppose malware happens to launch Spybot that then runs as admin. Then what? User Interface Privilege Isolation, explained at New Technologies for Windows Vista, still limits the interaction between the malware and Spybot running as admin.

 

I still can't get that to work in a LUA account (with SRP). I still get a prompt by UAC asking for my admin account credentials. I have tried both placing the program in C:\Security folder (set SRP additional path rule to allow it)
and inside C:\Program Files directory but still the same result. What am I doing wrong?