Sandboxie and/or SRP

Discussion in 'sandboxing & virtualization' started by moontan, May 16, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    easy for you to say. ;)

    i just spent an hour trying to make this work and all i get is "Syntax Invalid", "Invalid Path" and a whole bunch of other nonsense.:D lol
    i think i'll leave this stuff to you 'wizards'.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Create a .bat file for each of these, then drag/drop the folder/file onto it

    to set Low IL to object
    Code:
    icacls "%1" /SetIntegrityLevel L
    to set IL back to medium
    Code:
     icacls "%1" /SetIntegrityLevel M
    to set IL on a directory that will inherit to ALL objects within
    Code:
    icacls "%1" /SetIntegrityLevel (OI)(CI)L
    This probably won't work unless you are admin, as you won't be able to RunAsAdmin when dragging dropping...

    Sul.
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx sully! :)

    i tried it but it does not do anything.

    i see the batch file open and close briefly when i drop the file on firefox.exe, so 'something' is happening, but Firefox still runs as High in the Admin account and Medium in the limited account.

    i did the same for both Mozilla folders.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    after the line in the .bat file, just add the word (on a new line ;) )
    pause
    then save the .bat file. This will pause the prompt from closing until you hit any key, which will allow you to see what happened.

    Sul.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Won't this apply an explicit Medium integrity level, rather than an inherited one (from the account)?
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Sully,

    here's what i get:

    C:\Program Files\Mozilla Firefox>icacls ""C:\Program Files\Mozilla Firefox\firefox.exe"" /SetIntegrityLevel L
    Invalid parameter "Files\Mozilla"

    C:\Program Files\Mozilla Firefox>pause
    Press any key to continue . . .


    C:\Users\moon man\AppData\Local>icacls ""C:\Users\****\AppData\Local\Mozilla
    "" /SetIntegrityLevel (OI)(CI)L
    Invalid parameter "****\AppData\Local\Mozilla"

    C:\Users\****\AppData\Local>pause
    Press any key to continue . . .



    C:\Program Files>icacls ""C:\Program Files\Mozilla Firefox"" /SetIntegrityLevel
    (OI)(CI)L
    Invalid parameter "Files\Mozilla"

    C:\Program Files>pause
    Press any key to continue . . .
     
    Last edited: May 17, 2011
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do not place it inside ""..."", just "...". That's why it's resulting in error.

    Do it like this, as an example:

    Code:
    icacls "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" /setintegritylevel L
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec

    tnx moonblood!

    i modified the .bat files provided by Sully.
    originally the batch reads:
    i got rid of the " on each sides of the 1 and that did the trick.

    i'm getting real close to making this work! ;)

    i applied the .bat files to firefox.exe, the whole Mozilla folder inside Program Files and the whole Mozilla folder inside AppData/Local/ etc.

    but i'm getting the "Firefox is already running but is not responding" thing.

    i'm still missing something.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't use Firefox, but according to a thread started by Sully sometime ago, it would require you to apply the integrity levels to:

    "%programfiles%\Mozilla Firefox\Firefox.exe"
    "%UserProfile%\appdata\local\mozilla"
    "%AppData%\mozilla" *
    "%UserProfile%\temp" -> This one isn't correct, I think? It should be %UserProfile%\AppData\Local\Temp. Also, don't forget when running something elevated (with admin rights), %USERPROFILE% means the current user account, which is the administrator account. So, if you wish to apply the integrity level to the standard account/limited account, then you must specify the correct path.

    Imagine this is my standard account username - Standard.

    I would apply it like:

    Code:
    icacls "C:\Users\Standard\AppData\Local\Temp" /setintegritylevel (OI)(CI)L
    -edit-

    * I also think this one is wrong. I think it should be %UserProfile%\AppData\ and then either Local\Mozilla or Roaming\Mozilla.

    Check out which folder Firefox makes use of. Open Start Menu and type %appdata% and then press enter. This will take you to Roaming. Look for Mozilla. %localappdata% will take you to Local folder.

    edit: Most likely it's in Roaming folder, considering there's already one for Local mentioned.
     
    Last edited: May 17, 2011
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah, I couldn't remember offhand if the %1 needed quotes or not. They are often surrounded in registry context menus, so I put them in.

    Sul.
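
The quoting problem worked out in the posts above, shown as an added example that is not part of any poster's message: a drag-and-drop wrapper that strips the quotes cmd already puts around a dropped path before quoting it again. The `TARGET` variable and the labels are names chosen for this example.

```bat
@echo off
rem Added example, not from the thread: drag-and-drop wrapper that
rem sets a Low integrity label on whatever is dropped onto it.
setlocal

rem The tilde modifier strips the quotes cmd adds around a dropped path
rem that contains spaces, so wrapping it in quotes again is always safe.
set "TARGET=%~1"

if "%TARGET%"=="" goto :usage
if not exist "%TARGET%" goto :missing

rem A trailing backslash only matches directories.
if exist "%TARGET%\" goto :folder

icacls "%TARGET%" /setintegritylevel L
goto :report

:folder
rem OI and CI make the label inherit to files and subfolders.
icacls "%TARGET%" /setintegritylevel (OI)(CI)L

:report
if errorlevel 1 echo icacls failed. Run from an elevated prompt.
rem Listing the ACL shows the Mandatory Label entry that was applied.
icacls "%TARGET%"
goto :done

:usage
echo Drop a file or folder onto this script.
goto :done

:missing
echo Not found: "%TARGET%"

:done
pause
endlocal
```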
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes it will. icacls has no feature to remove an explicit integrity level, only via .inf or chml can I do that. However, if you don't explicitly have an IL, and are using UAC/LUA, it will be at Medium by default anyway. And if you are running at High IL (because you are admin), it is probably your choice whether to set to Medium or High, but I always set them to medium.

    One day I will tear into the code that chml uses to do that stuff. I know how to do it via command prompt and .inf, but haven't had the urge yet to learn what chml is doing.

    Sul.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    It works!!! :thumb:

    many thanks for the help Sully and moonblood!
    i can't thank you both enough for spending all this time helping a newbie. :)

    i think i'll have a cold one or 2 to both your health! :D
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Don't forget to create a Downloads folder and apply a low integrity level to it as well, otherwise you won't be able to download. :p

    I hope you don't need Java to access websites. ;) Otherwise, it will fail. Unfortunately, Java requires access to certain areas that the low integrity level restricts access to.

    Other than that, happy safer browsing. ;)
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx moonblood.

    i just created the Download folder, with a Low IL as well as setting the Temp folder to Low IL.

    i'm allergic to Java so it's all good. ;)

    tnx again folks!
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you decide you don't want to use this method any more, let me know and I will help you with chml to remove it all.

    Sul.
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx for the offer Sully and everything else!
    push come to shove, i guess i just could uninstall and re-install Firefox but i think i'm going to use this icacls trick for a long while. :)
     
  17. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288

    How can i put a restriction in my Download folder using Applocker or SRP in order that nothing can execute there? thanks :thumb:
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Just don't add it to your whitelist.
     
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Sorry, what i wanted to say was:

    How can i put a restriction in my Download folder using Applocker in order that nothing can execute there?

    I'm already using SRP via parental controls and it allows to create a list of exe's that are allowed to run.

    I'm interested to know how to use Applocker to create a restriction in my download folder that prevents anything (being or not whitelisted by SRP) to be executed there, since Applocker rules have precedence over SRP rules.

    Thanks!
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    To create global execute deny, using icacls

    Code:
    icacls <file or path> /deny users:(x)
    to apply this to all subdirectories and objects

    Code:
    icacls <file or path> /deny users:(oi)(ci)(x)
    to remove it

    Code:
    icacls <file or path> /remove:d users
    you might open a command prompt, run icacls /? and check out the syntax. There is a flag (/t) that you might want to use to traverse subdirectories with icacls commands.

    It is not Applocker or SRP, but it works really well to stop all executions. Moving files out of the downloads directory to execute them is an easy way around it if you need to.

    This assumes you (the user) are a member of the Users group. Even if you are an admin as well, it applies to you if you are a member of Users.

    Sul.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think you'd need to change the word users with the corresponding word in your language, if you aren't running the English version of Windows?

    That's how I've always done it, anyway.
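
The deny-execute commands from the posts above, written so they do not depend on the Windows display language; this is an added example, not code from any poster. It uses the well-known SID of the built-in Users group instead of the group's localized name; the `undo` argument, the `TARGET` and `USERS_SID` variables and the labels are assumptions made for this example.

```bat
@echo off
rem Added example, not from the thread: deny execute in one folder for the
rem built-in Users group, written so it works on any Windows language.
setlocal

rem Assumption: the folder is passed as the first argument, with an
rem optional second argument "undo" to take the deny entry off again.
set "TARGET=%~1"
if "%TARGET%"=="" goto :usage
if not exist "%TARGET%\" goto :usage

rem *S-1-5-32-545 is the well-known SID of BUILTIN\Users. icacls accepts
rem a SID prefixed with an asterisk in place of the localized group name.
set "USERS_SID=*S-1-5-32-545"

if /i "%~2"=="undo" goto :undo

rem OI and CI make the deny entry inherit to files and subfolders.
icacls "%TARGET%" /deny %USERS_SID%:(OI)(CI)(X)
goto :show

:undo
rem /remove:d drops only the deny entries for the SID and leaves the
rem allow entries for Users in place.
icacls "%TARGET%" /remove:d %USERS_SID%

:show
rem Listing the ACL confirms whether the deny entry is present.
icacls "%TARGET%"
goto :done

:usage
echo Usage: %~nx0 "C:\path\to\folder" [undo]

:done
endlocal
```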
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps. Unfortunately, I am only uni-lingual, so if I see another language, I am lost :D I wish there was a plug-in for humans to fix that ;)

    Sul.
     
  23. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks Sully, i'll try it. Seems useful as an extra layer to prevent execution inside folders sandboxie excluded. However unfortunately my laptop hard disc is screwed (when CPU use is higher than 60%-70%, it turns off), and i've to take it to be repaired :( I'll try it then.
     
  24. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    When running Applocker with Sandboxie, I just use the default rules.. I put a specific deny on the sandbox folder, and you can put a specific deny on any other folder too. I do this because denying takes precedence, and if I screw up any rules, it's still denied (even if I accidentally whitelist it).

    These are all path rules btw..
     
  25. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    How can i set UAC to "Elevate signed apps"? And if i set, will it open any signed apps or it will open trusted signed apps?
     