Running LUA conveniantly on XP with no extra software

Hi,

On Vista MS provided UAc on Win7 this even has improved with a sensitivity slider. So this is for XP Home users.

To start with an open door statement (nothing new, just a fact), the less extra code you add to your setup, the less software error intrusion breaches and incompatibilities you will experience.

Examples
a) see the change log of Surun, http://translate.google.com/transla...active&ie=UTF-8&oe=UTF-8&prev=/language_tools
b) see post on conflict Sandboxie and Comodo, https://www.wilderssecurity.com/showthread.php?t=256546

Surun is really the easiest way to do it, , see for Surun setup http://www.dedoimedo.com/computers/surun.html.

Making XP convienantly /upgrading it secuirty wise to XP Pro with registry hacks

But for purists who dislike adding extra code/hooks etc you can sort of achieve simular things with software providing registry hacks like

- Pretty Good Security: adds XP Pro Softeware restriction Policy to XP Home
http://mrwoojoo.com/PGS/PGS_index.htm
- Fajo XP File Security Extension, adds XP Pro security tab to XP Home
http://www.fajo.de/portal/index.php?option=content&task=view&id=6
- Registry hack to allow to use Run as .. . for window installer packages
see picture and added text file. Save txt file as .reg file and double click to change.


By the way this last registry hack, shows where MS comes from, providing a run as, only exclude MSI packages by default. See also the official MS
workaround (see http://support.microsoft.com/kb/259459), so count your blessings with an 'user friendly' UAC all Win7 users

 

Before creating your LUA user, make sure you scheduke a task for your AV update (I use A2 free on demand), see A2CMD example below.

After you have created the LUA user, remove the rights to read extra info of this scheduled task (some paranoids are afraid, malware can read the admin password stored in a task).

 

Also make sure the porgrams you use most are stored in some convienant access; most control applets can be executed directly, same with most windows utils. Just crate a short cut:

Some examples, I use

%SystemRoot%\system32\wupdmgr.exe (windows update)
%SystemRoot%\system32\cleanmgr.exe (disk cleaner)
%SystemRoot%\system32\Restore\rstrui.exe (set restore point/recover)

When I double click those short cuts, I start run as with this process.

Regards Kees

 

The PGS how to http://mrwoojoo.com/PGS/PGS_HowTo.htm

and the reason why SRP is an easy extra protection layer when using a deny execute of the user space (directory where %USERPROFILE% points to).

http://www.dedoimedo.com/computers/policies.html
http://technet.microsoft.com/en-us/library/bb457006.aspx#EMAA

Cheers Kees

 

I think there are a few here at Wilders that use XP Home like me so thanks for posting this Kees..

So in short your suggesting us (XP home users) to add

1. PGS
2. Fajo
3. the last one i don't somewhat understand.. what is the registry entry for "run as"?

 

On XP you have the run as command (right click on an executable).

Stupid thing MicroSoft did was, that run as was not possible on MicroSoft installers *installation programs with .MSI at the end, e.g. example.msi)

With this registry hack, you are allowed to do that, run an MSI installer with different rights using Run As.

The text file provided has 'Run as ...' in English, just change this text to your native lamguage when you have a native language version of XP (e.g. in Dutch it would show (in red the Dutch text for "Run as ...")

Open th etext file, change Run as to native text when applicable, save the file as .reg (e.g. runas.reg). When you double click the file, you first get a pop-up (choose ok), after this hack (and re-boot) you can run MSI installers with different rights (credentials).

Cheers Kees

 

weird that not much people replied here.. i've been reading about LUA and SRP etc but usually its more directed to XP Pro..

who else has tried these PGS and Fajo?

 

Well at least Sully, Tlu, Lucy, Zopzop besides myself

 

.
This is great work, but it is also a serious descent into geek space Now, if you can create a GUI front-end where the user can just check a few boxes to do all this you would have a marketable utility IMHO.

 

This is obviously a good solution, but RunAs command is not the best way to execute as administrator.

If you run some programs as administrator, and they write something in the local user folders (that executed them, so administrator), your user account can not read that files.

For this reason SuRun is actually one of the best solutions, cause it gives you the option to elevate your account to an user-group that has administrator rights (not to make admin execute files for you).

Regards

 

Yep, do not choose to protect your own data. Most software behaves nicely, nowadays, so you do not have to take ownership much.


Agree as said in the first post Surun is the easiest, but Surun adds code to your OS (as mentioned in Surun it had a security breach also. e.g, Windchild is opposied to adding extra code with its own software errors in it. This is a 'purist' solution for less risk surface and less potentially code to be intruded,

Regards Kees