Safe Admin & Chrome

Discussion in 'other anti-malware software' started by Kees1958, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Each extension, plugin, tab, GPU process, and the broker process run in separate processes. Set Process Explorer to show the path - that will show which it is.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I reported this a while ago. The Chrome devs claim the process monitor software is wrong (close it and open it again and it will likely show all spawned Chrome processes running with low rights). On the other hand, Chrome has a delay-lower-token DLL. So o_O
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, but some processes will actually run with medium/high integrity level. Those will be hosting plugins. Not all plugins will run in a low integrity level child process.
     
  4. wat0114

    wat0114 Guest

    Thanks everyone for the info! Shown in tree view, there's the main broker process running at Medium IL, and 4 child processes, with the plug-in (ScriptNo) running at Medium IL. At least that's how I interpret it from the info PE gives.

    The path shows the same for all of them; "c:\program files (x86)\Google\chrome\application\chrome.exe"

    I can close/open PE several times, but the same thing shows.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Right-click the process in question and go to the Properties > Security tab in Process Explorer. See if it says Medium/Low mandatory label.
     
  6. wat0114

    wat0114 Guest

    I already have the IL column displayed, and right-clicking->Properties->Security shows the same IL as those in the column.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm assuming that your two medium processes are Flash and Broker.

    Go to about:plugins and disable the flash that isn't built into Chrome. That's probably what's running at medium.
     
  8. wat0114

    wat0114 Guest

    Actually it ended up being the Default plug-in, the one that "provides functionality for third party plug-ins."
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. But, sometimes, even though you may see the column display a Medium IL, it will actually be running with a low IL, if you check the Security tab. I'm talking about non-plugins child processes.
     
  10. wat0114

    wat0114 Guest

    I figured that's what you were getting at, so I checked them all that way, and they all matched the column IL values :)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I just used process explorer to look. All of mine are low except for broker + Flash.

    EDIT: Actually they're all low except for the broker... so now I'm confused lol
    EDIT2: lol >_> I had closed Flash. Yep, it's Flash that's running at medium for me (I don't use the built-in Flash.)
     
    Last edited: Jan 22, 2012
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Flash should be running in a low child process in Chrome, shouldn't it?

    Anyway, mine are all low... so... :D
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I edited.

    I don't run Chrome's built in Flash. I'm on 11.2 beta.

    EDIT: Google Update runs at Medium integrity as well.
     
    Last edited: Jan 22, 2012
  14. wat0114

    wat0114 Guest

    This time I was able to capture a screenshot with the Medium IL process' path...

    ...it is the Chrome default plug-in at Medium IL.

    Flash is Low IL in mine.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Strange. I only have the browser process + Flash running at LI.

    I don't actually have that service running. No Default Plugin that I can see.
     
  16. wat0114

    wat0114 Guest

    The following isn't the first I've seen of Rundll32 getting involved with the Shockwave plugin...
     

  17. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Rundll32 is just used by the OS to launch the Chrome Flash .dll file, it’s not actually running as a browser process so that’s ok.
     
  18. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    You don’t need to do that. You can have the latest Flash before Google updates it and still have it running at low IL. Let me explain.

    If you go to C:\Windows\System32\Macromed\Flash and rename NPSWF32.dll to gcswf32.dll, you can then add that to your Chrome application folder C:\Users\(username)\AppData\Local\Google\Chrome\Application\(Chrome Version) and you'll have the latest and greatest Flash running at low IL before Google even updates you. That's all Google does (rename NPSWF32.dll to gcswf32.dll).

    I’ve been running Chromium with Flash beta 4 11.2.202.183 for the last two weeks like this. Google only updated the Dev version of Chrome to it yesterday.

    EDIT: I just made this post and now Flash Player 11.2.202.197 Beta 5 is out. lol.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thankfully the Canary channel is already on Flash beta natively so I don't need to. I'll keep that in mind though thanks.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Brilliant, I always thought they had a special (safer) version, rename :D
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is it enough to rename it, though?

    I mean, there was such a hype around this special version for Google Chrome. If all that was required was to rename it, wouldn't we have heard about something, after all this time?

    Even if you rename it and it runs within a low integrity level child process, does it mean it's making full use of the sandbox? Google Chrome sandbox isn't just about integrity levels.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think the regular Flash sandbox for Chrome may purely be low integrity. There may be other tokens involved...

    I'm not sure how much of Flash they actually change if anything.
     
  23. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    I was told this from someone working on Google Chrome. Although they get the file directly from Adobe. There is a slight difference in filesize but I suspect it's just extra code to work with other non-IE browsers. "np" Netscape Plugin, "gc" Google Chrome.

    Taken from Google Chrome:
     
    Last edited: Feb 2, 2012
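The posts above disagree on whether Chrome's gcswf32.dll is simply Adobe's NPSWF32.dll renamed ("slight difference in filesize"). The check below is an added example, not code from the thread or from Google/Adobe: it fingerprints every copy of the two DLLs it can find (size, file version, Authenticode signer and SHA-256) so you can see whether they are byte-identical or different builds. The paths are the ones quoted in the thread; the `*` for the Chrome version directory and the Program Files (x86) location are assumptions for installs the thread does not describe.

```powershell
# Added example: compare the NPAPI Flash DLL with the copy Chrome ships.
# Assumes Windows PowerShell 3.0+ and the paths quoted in the thread;
# the version-directory wildcard and the per-machine Program Files path are assumptions.
$candidates = @(
    "$env:SystemRoot\System32\Macromed\Flash\NPSWF32.dll",
    "$env:LOCALAPPDATA\Google\Chrome\Application\*\gcswf32.dll",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\*\gcswf32.dll"
)

function Get-DllFingerprint([string]$Path) {
    # Hash the file ourselves so this also works before Get-FileHash existed (PS 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }

    $item = Get-Item $Path
    $sig  = Get-AuthenticodeSignature $Path   # who signed it, and whether the signature is valid
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    [pscustomobject]@{
        File      = $item.Name
        Directory = $item.DirectoryName
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Signer    = $signer
        SigStatus = $sig.Status
        SHA256    = $hash
    }
}

$found = $candidates |
    ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-DllFingerprint $_.Path }
$found | Format-List

# One SHA-256 across all copies means the "just renamed" story holds for this build;
# more than one means the Chrome copy is a different binary, whatever the filename.
$distinct = ($found | Select-Object -ExpandProperty SHA256 -Unique).Count
if ($found.Count -ge 2 -and $distinct -eq 1) { 'All copies are byte-identical' }
elseif ($found.Count -ge 2)                  { "$distinct distinct binaries found" }
else                                         { 'Need at least two copies to compare' }
```

A matching hash settles the rename question for the two files you have; a mismatch only tells you the builds differ, not what Google changed. The signer and signature status matter independently: a DLL you copied into the Chrome directory should still carry a valid Adobe signature, otherwise you have the wrong file.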
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Good to know for the future. Do you know if there are other tokens other than the low integrity that are applied? I believe in the PPAPI Flash running in renderer it also has a separate desktop token. I'm not sure though.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Taken from here: https://www.computerworld.com/s/article/9199245/Google_Adobe_sandbox_Flash_for_Chrome_to_protect_users?taxonomyId=17&pageNumber=2

    Now, if Adobe simply works in 1 version and then Google simply renames that version to use in Chrome, that's a whole different matter. But, it isn't all about integrity levels. XP users also benefit from the sandbox (just not integrity levels).
     
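Two threads of the discussion above call for the same check: posts 1 to 10 read each Chrome process's integrity level from Process Explorer's column and Security tab, and posts 21 to 25 point out that the Chrome sandbox is more than integrity levels. The script below is an added example, not code from the thread, from Process Explorer or from the Chromium project: it lists every chrome.exe process with its `--type=` switch (renderer, plugin, gpu-process, or the broker when the switch is absent), its integrity level read from the token's mandatory label, whether the token is a restricted token, and whether the process sits in a job object. The last two are what Process Explorer's IL column does not show and what distinguishes a sandboxed renderer from a merely low-IL one. It assumes Windows PowerShell 3.0 or later on Vista/7+; the P/Invoke wrapper class name `ProcInspect` is mine.

```powershell
# Added example: inspect every chrome.exe process's sandbox-relevant token state.
# Assumes Windows PowerShell 3.0+; run from the same user session as Chrome so the
# process handles can be opened (a Medium IL shell may open Low IL children).
Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public class SandboxFacts
{
    public uint IntegrityRid;     // 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System
    public bool RestrictedToken;  // restricted SIDs present (CreateRestrictedToken)
    public bool InJobObject;      // process is inside a job (Chrome uses jobs to limit children)
}

public static class ProcInspect
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool IsProcessInJob(IntPtr proc, IntPtr job, out bool result);
    [DllImport("kernel32.dll")]                      static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")]                      static extern bool IsTokenRestricted(IntPtr tok);
    [DllImport("advapi32.dll")]                      static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]                      static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    static void Check(bool ok) { if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error()); }

    public static SandboxFacts Inspect(int pid)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        Check(proc != IntPtr.Zero);
        IntPtr tok = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            var f = new SandboxFacts();
            bool inJob;
            Check(IsProcessInJob(proc, IntPtr.Zero, out inJob));   // NULL job = "in any job?"
            f.InJobObject = inJob;

            Check(OpenProcessToken(proc, TOKEN_QUERY, out tok));
            f.RestrictedToken = IsTokenRestricted(tok);

            int needed;
            GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            buf = Marshal.AllocHGlobal(needed);
            Check(GetTokenInformation(tok, TokenIntegrityLevel, buf, needed, out needed));
            // TOKEN_MANDATORY_LABEL is one SID_AND_ATTRIBUTES; the IL is the SID's last sub-authority (S-1-16-<rid>)
            var label = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(buf, typeof(SID_AND_ATTRIBUTES));
            byte n = Marshal.ReadByte(GetSidSubAuthorityCount(label.Sid));
            f.IntegrityRid = (uint)Marshal.ReadInt32(GetSidSubAuthority(label.Sid, (uint)(n - 1)));
            return f;
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (tok != IntPtr.Zero) CloseHandle(tok);
            CloseHandle(proc);
        }
    }
}
"@

function Get-IntegrityName([uint32]$Rid) {
    switch ($Rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X}' -f $Rid }
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    $p    = $_
    $type = if ($p.CommandLine -match '--type=([^\s"]+)') { $Matches[1] } else { 'browser (broker)' }
    $facts = try { [ProcInspect]::Inspect([int]$p.ProcessId) } catch { $null }
    $il   = if ($facts) { Get-IntegrityName $facts.IntegrityRid } else { 'n/a (access denied)' }
    [pscustomobject]@{
        PID             = $p.ProcessId
        Type            = $type
        IL              = $il
        RestrictedToken = if ($facts) { $facts.RestrictedToken } else { $null }
        InJob           = if ($facts) { $facts.InJobObject }     else { $null }
        Path            = $p.ExecutablePath
    }
} | Sort-Object Type | Format-Table -AutoSize
```

Read the output the way the thread does: the row with no `--type=` is the broker and is expected at Medium with an unrestricted token; renderer rows should show Low plus RestrictedToken and InJob set; a `plugin` row at Medium with none of those set is exactly the un-sandboxed NPAPI plugin the posters were hunting for. A process that is Low but not restricted and not in a job has only the integrity level protecting it, which is the distinction post 21 raises.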