SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Hi Infinite Luta,
    now with clearing things up in your last post we obviously had a misunderstanding. Regarding
    Out of this I wrote my advice as an answer for Long View in post 214. In respect of the content it's identical.
     
  2. tlu

    tlu Guest

    EASTER, that doesn't mean that your HIPS isn't the culprit since most HIPS patch the Windows kernel and that's still the case if you shut down the HIPS. Anyway - I had some strange problems, too, when I tested Online Armor Free some time ago (like a freezing desktop) and I hadn't got any warning from OA. I deinstalled it and tried CFP and SSM - and had no problems with them.

    No offense meant - but I think that's a little bit unfair. That experimental feature is explicitly called "experimental" and can be easily disabled with one mouseclick. Have you tried that? BTW: In regards of my experience with the above mentioned HIPS you could call a HIPS that has problems with SURun a very unfinished product as well if it doesn't give any warning/popup or isn't able to properly learn the specific behavior of SuRun. This doesn't mean that SuRun is error-free - but since most HIPS are deeply burrowed into the system this would not be the first example of an incompatibility.

    And a last remark: Kay is really very helpful and responsive. If we agree that SuRun is definitely a very useful tool that makes LUA a lot easier I'd really suggest to report any problems in his forum to give him the opportunity to fix them.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    No offense taken tlu, but I must beg to differ, both EQS & Comodo D+ (HIPS) indeed offer instant warnings/popups to what SuRun is accessing.

    Still, I'm not daunted, I fished out one of the first versions and that baby works EXCELLENT! So until some more newer versions come out that solve my own issues I don't have a problem at all with the old set, it lets you START AS..........Admin and so forth and that's really all I need and use it for, that is to kill the Admin rights to LU and still able to elevate the ones needed at will with a single click and not the Run As which I despise that annoyance.

    Don't ever underestimate HIPS, at least the good ones, they are very effective tools at reading the interactions of your Operating System and passing that info along for your benefit & discretion. LoL
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Some of you, especially tlu, are going to think I'm off my rocker but the older version 1.0.2.9 works PERFECT! for me and does exactly what I just can't get any of the others to do, drop my Admin account down to SuRunner/User LU, and now the Start As Administrator FINALLY WORKS! without having to depend on the predefined list in the newer ones that for some reason just doesn't take for me or that dreaded Run As and type in a password for elevated privileges.

    It took a total of 3 full reboots to get it to fully snap in as expected but once it did it's on and I'm once again a happy camper with SuRun 1.0.2.9

    I like the fact you can't copy with LU rights among other things like installing or accessing the registry, which my HIPS covered anyway, but I prefer BOTH the EQS (HIPS) to indicate interactions and SuRun keeping rights pinched off.

    EASTER
     
  5. tlu

    tlu Guest

    @EASTER: I'm glad that the old version works for you! :)

    Nevertheless it would be interesting to know if you tried to disable the "experimental" option in the new version and with what result. I think it would be important for Kay to know.

    Regarding HIPS. I don't underestimate them, I'm just saying that their (inter)actions are sometimes not predictable. E.g., CFP with Defense+ is causing problems with SuRun on your system but it isn't on mine. Why? Nobody knows ...;)
     
  6. tlu

    tlu Guest

    Interesting - but why would I do that? :D:D

    BTW, I read your posts in Kay's forum. I'm glad he fixed the problem you mentioned.:)
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    By the way, HIPS "Will" interfere with the install of it and some additionals at first afterwards I found out, I watched closely for a REFUSE (Red) border and have had to open the viewer and re-change some rules to Allow. A kind of on-the-fly edit if you will.

    Just to let you know that your concern about that is not without some valid measure of merit. LoL

    EASTER
     
  8. tlu

    tlu Guest

    I recommended several times to install Fajo XP if you use XP Home in order to get the security tab available in XP Pro.

    As an alternative you can turn your Home edition into a Pro edition as described here. If you do this you won't need Fajo XP since the security tab will be available anyhow. If you have already installed Fajo XP you can deinstall it again - otherwise you would have two security tabs in explorer which I find a little bit extreme ...:D
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  10. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Surun Version 1.1.0.6 is now available.

    There are 2 groups of users, who should upgrade as soon as possible:

    Those, who have version 1.1.0.5 installed. This version may have problems in some situations, that (hopefully) have been corrected.

    And those who run Surun in conjunction with any HIPS. Version 1.1.0.6 has introduced a measurement, to solve possible conflicts. (Of course no one was able in the given time, to test this with all possible HIPS, so people, who make an observation, should report this here or in the Surun-Forum.)
     
  11. tlu

    tlu Guest

    Cosmo, thanks for the notification! This is the download link.

    @EASTER: Could you test the new version with EQS? It might solve your problems.
     
  12. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    After upgrading to 1.1.0.6:

    2008-04-30_185047.jpg

    Some I/O write (~56 kb) and read (~54 kb) issues with the latest version.


    EDIT: I downgraded to 1.1.0.4 and I still have those I/O "issues", so I guess it's a normal condition then and that I simply didn't notice it earlier. :oops:

    Sorry.

    /C.
     
    Last edited: May 1, 2008
  13. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Hi Thomas:
    First of all I want to thank you for the informative articles you've written with respect to SuRun. I've been a believer in running as a limited user for almost 2 years now, and had been using SuDown. However, recent upgrades have not worked well. I was thrilled to see that there was now a new and better way to achieve LUA in XP via SuRun. The program installed great, and I believe that most everything is working great as well.

    I am having one problem. I run a program ERUNT at startup that makes a complete registry backup and places it in a sub-folder within Windows. When I booted for the 1st time this morning, I got an error message so I went to the Startup folder and gave ERUNT Auto Backup Start as Administrator OK as well as do so in the future. Still got the same error. The error reads;

    Error saving file
    C:\WINDOWS\AutoBackup\5-26-2008\Security!
    Continue with the next file?
    [RegCreateKeyEx: 5 - Access is Denied]


    I'm running XP Home and did install the security tabs. I noticed that the Windows Folder only can be written by System or Administrator, not Creator/Owner or Users.

    It sounds like the fix has to do with folder permissions, but I want to look before I leap. Please advise.

    Thanks Thomas. -SA Jack

    If I answer Yes to Continue, I get two more similar messages that now reference software then system rather than security. It sounds like it's referencing the registry hives that are to be backed-up.
     
  14. tlu

    tlu Guest

    SA Jack, I haven't used ERUNT for a long time so I'm not sure since I'm no longer familiar with it. Have you added it to the list of applications in SURun to be always started with admin rights?

    Yes, you need admin rights to write to that folder - that's why I asked above question. Isn't it possible to instruct ERUNT to save the backup somewhere else where you have write permission (as an alternative)?

    Just one additional hint: I remember that I wrote about a possible problem with ERUNT you should be aware of some years ago in this forum.
     
  15. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    ERUNT has been configured to run with Admin rights and is listed in SuRun. I am able to run the program to an alternate folder. The intent of putting the registry backups under Windows is to make it accessible through Recovery Console (if ever needed).

    With respect to problems with ERUNT, I started using it after I ran into some difficulty with System Restore. Do you have any recommendations for an alternative full registry backup program? Thanks Thomas. -SA Jack
     
  16. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    (Another Thomas here)

    This is correct and out of this I would not change the place (especially not with XP Home)

    I use ERUNT for some years now and I would not change it.

    Coming to your original problem:
    1st, the path you told with the error message is not the original one, taken from the parameters, which are set by default after installing ERUNT. (In the original version there is a folder ERDNT in Windows, where the Backups get stored.) Although it is not really a problem I wonder, if you have probably made any other change in the rather complicated parameter-line for Autobackup? It should read something like:
    ERDNT\AutoBackup\#Date# sysreg curuser otherusers /noconfirmdelete /noprogresswindow

    2nd: there might be a chance, that by running Autoback via Surun some of the parameters might get lost and this might be the reason for the problem. (To be true, for some jobs I do not use surun, but another program for elevating the rights, not because the other is better, but it works differently; but this would be too much to discuss at this place. Out of this I have actually not run Autoback with Surun - but with another tool and it works.) I would create a BAT-file with the complete Autoback-Command inside and Autostart this BAT-file with elevated rights. Let's see, if this works.
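
Added example, not part of the original thread and not ERUNT's or SuRun's own code: one way to write the BAT file suggested in the post above so that each automated start records whether the process actually received elevated rights before AUTOBACK is called. The log path, the probe file name and the choice to skip the backup when not elevated are assumptions; the AUTOBACK path and parameter line are the ones quoted in this thread.

```batch
@echo off
rem Added example (not from the thread): diagnostic wrapper for the ERUNT autobackup.
rem Start this BAT file from the Startup folder or a scheduled task in place of the
rem AUTOBACK shortcut, then read the log to see which rights it really ran with.
setlocal

rem Assumption: log goes to the user's temp folder, which a limited user can write to.
set "LOG=%TEMP%\autoback-diag.log"

rem Assumption: probe file name. The Windows folder is used as the probe location
rem because, as noted in the thread, only SYSTEM and Administrators may write there.
set "PROBE=%SystemRoot%\autoback-probe-%RANDOM%.tmp"

>>"%LOG%" echo ==== %DATE% %TIME% user=%USERDOMAIN%\%USERNAME% ====

rem Try to create the probe file. With a limited token the redirection fails with
rem "Access is denied" (hidden by 2^>nul) and the file does not appear.
set "ELEVATED=no"
(echo probe>"%PROBE%") 2>nul
if exist "%PROBE%" (
    set "ELEVATED=yes"
    del "%PROBE%"
)
>>"%LOG%" echo write access to %SystemRoot%: %ELEVATED%

rem Without admin rights the registry hives cannot be saved, so stop here and leave
rem a clear trace instead of the "RegCreateKeyEx: 5 - Access is Denied" dialog.
if "%ELEVATED%"=="no" (
    >>"%LOG%" echo not elevated at this point of startup, backup skipped
    endlocal
    exit /b 1
)

rem Parameter line as given in the thread: sysreg, curuser and otherusers have no
rem leading slash; the two switches do.
"C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# sysreg curuser otherusers /noconfirmdelete /noprogresswindow

rem Assumption: whatever exit code AUTOBACK reports is logged as-is for comparison.
>>"%LOG%" echo AUTOBACK finished, exit code=%ERRORLEVEL%
endlocal
```

Comparing the log entries from a manual double-click, a start at logon and a scheduled run shows whether the elevation itself is missing in the automated cases, independent of any ERUNT parameter question.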
     
  17. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Hi Cosmo:
    This is the current command that sits within a shortcut in my Startup folder.

    "C:\Program Files\ERUNT\AUTOBACK.EXE" C:\ERDNT\AutoBackup\#Date# /curuser /otherusers /noconfirmdelete /noprogresswindow /days:28

    The only change I made was to add "otherusers" and change the location of the placement of the backups from %SystemRoot% (Default) to C:\Erdnt\. And although I'm able to manually run the program, it does not run during boot-up. I get the error message described earlier. Originally I thought the error had to do with writing to the Windows folder, but I can manually send the files anywhere, including Windows. So I think the issue may be with SuRun executing the shortcut during boot. Are there any changes I can make that will allow the shortcut to be processed correctly?

    Thanks for feedback and interest in this topic. -SA Jack
     
  18. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    I'm having one additional problem regarding SuRun. I use Task Scheduler to run CCleaner (daily), and JkDefrag (3 times per week). Both have been running for about a year. I checked the Scheduled Task log this morning and noticed that JkDefrag is listed for a 1-second run. I manually attempted to run it from Scheduler, but nothing really happened other than a window appearing then stopped. I've elevated both CCleaner and JkDefrag to admin privileges, and JkDefrag works fine if started from the shortcut. Any thoughts as to why it now won't work in Scheduled Tasks since installing SuRun?

    Thanks again. -SA Jack
     
  19. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Hi SA Jack,

    I must admit, that I am a little bit confused. On the one side you posted your command line as
    but on the other side you gave in post #238 a error message mentioning a Windows-subfolder. This doesn't fit together.
    Besides that you did another change to the command line, which is not related to this topic, but will most likely make your Reg-Backups more or less useless: You have removed the sysreg-parameter (see my last post). So the most important part of the registry (in case of crashes or faults) will not be saved. And as you said yourself in one of your last posts: Placing the ERDNT-Folder outside the Windows-folder might lead to the result, that you cannot reach it inside a repair console (in case this is needed). AFAIK there is no way in the Home Edition to change this behavior (I have XP Pro, so I can not test this).

    But back to the real problem:

    1st) Are there by accident 2 Autoback-commands in the user's startup-folder and another one in the AllUser's startup folder? This would explain, why your command-line does not match with the result. In such a case you will see only the command from the Current User's startup folder in the start-menu; so you must check the folders with Explorer or another file manager.

    2nd) Did you try the way via the BAT-file as I described in the last post?

    We must clear this up before continuing (especially question 1), otherwise we will never know, which command makes what result. But there is a probable answer: May be, that the SuRun-Service is not yet completely loaded, when the AutoBack-command gets executed. (This is only a guess, as the startup situation is different on every machine because of differences in hardware and software to load.) The problem of the more or less random order of the programs, that get loaded at startup, is a general one (not only regarding Surun). I resolve this with Startup Delayer and am quite happy with it.

    Startup Delayer reads the most common startup-places (startup-folder and Run-key in the registry both for the actual and All Users) and lets you easily delay the start (for some seconds). So in the result the programs, that have to get started after entering the account, do no longer try to start at the very same time, but one after the other in a clear order. With Startup Delayer I have delayed AutoBack and it works like a charm.

    Maybe the problem with the conflicting startup time is also the answer for your problem with JKDefrag. Some more: I do not know this program, but defragmenting a volume needs always elevated rights. Maybe Surun asks here, if you want to start it elevated (if you have IAT Hook enabled); in case you have answered no, obviously JKDefrag cannot execute with limited rights. So you should check your settings in Surun for this program.
     
  20. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Hi Cosmo:
    Even without the sysreg command, I appear to be getting full registry backups. All the necessary hives are accounted for. I did create the .bat file as you suggested. I tested it manually, and it worked (but so did the shortcut file as well). I registered the file on SuRun settings to give it admin rights and automagically start with elevated rights. Then I rebooted, and I had the same problem as before. I get the error message regarding the file 'default'. It did create the folder for the backup, but when it hit the 1st registry hive 'default', it stopped. I also checked for another shortcut file regarding ERUNT, but there is only one and it resides in my user account.

    For ERUNT, and JkDefrag, I've been running them both for nearly a year now with no problems. I've elevated rights on both programs in SuRun. In both cases I can run ERUNT by double-clicking the shortcut (and the same by replacing the shortcut with the .bat file), and I can right-click on JkDefrag in Scheduler and hit "run", and it works perfectly.

    I the common denominator in both cases involves running programs in an automated environment (Startup & Scheduler), and why those 2-programs, and nothing else?

    I really don't want to activate System Restore because of a couple of prior problems. That's why I switched to ERUNT.

    Thomas, if you're reading this I noticed that ERUNT had two additional updates since our post back in June '05. Within the Autobackups being made from ERUNT, there is a sub-folder called Users which has 2 -sub-folders that contain the NTUSERDAT and USRCLASS files.

    The mystery continues.

    Thanks again Cosmo. -SA Jack
     
  21. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Cosmo:
    I checked the log file under JkDefrag to see if it gave a reason for terminating the program. Access is denied was the reason.

    This may be a dumb question, but are automated processes like startup and scheduled tasks controlled by my SuRun account, or something else? The key has to be what happens when the automated process controls executing these programs. -SA Jack
     
  22. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Cosmo:
    A couple of points.
    I noticed that when I was able to run ERUNT and JkDefrag manually, I was doing so within Windows Explorer, which I had previously created admin rights. I removed admin rights from both ERUNT and JkDefrag and was still able to execute within Explorer. However, when I removed rights from Explorer, I got the same error messages that occur during startup or a scheduled task. I went back to Kay's home page and found a section that did make reference to programs running with admin rights during startup (see below). The page is translated from German to English by Google. There are also some context menus based on highlighted text that appear to provide more info, but these are not translated. I've included a quote below and highlighted in red the reference to running with admin rights during startup.

    From Kay's Homepage:
    "Check the box "For this program will no longer ask," is SuRun for this program at all of the following calls with SuRun automatically elected by you "answer. In the above example would SuRun no longer ask whether the Security Center with elevated privileges may be started. Click "OK", which it started without questions, click "Cancel" is SuRun the Security Center will not start. This option is useful, for example, Windows startup programs to start the administrative rights. It is also possible that SuRun fälschlicher way to start a program administratively. example, includes "setup". Therefore, SuRun ask whether the program as an administrator should be started. Check the box "For this program will no longer ask" and press "Cancel" to the Nerverei to quit.

    I don't fully understand from the translation just exactly what to do to make things work. Although it appears that the author has taken this matter into consideration. It also appears that SuRun can do a number of neat things in addition to what we're discussing here.
     
  23. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    It appears, as if there are 2 different problems, one regarding Surun and another one regarding ERUNT.

    At first some short (as they are OT here) remarks about ERUNT:
    If you do not use the parameters as given in the documentation I cannot help. BTW: There is one more strange thing in your command line, as you use a leading slash (/) for some parameters, where this slash is not documented. I never tried to find out, what happens in such a case. - If you get a result, that does not match with the command line, I come back to my question, if there is another Autoback shortcut in All User's startup folder; you did not answer that. Side note: If a program gets used in contrary to the documentation, I would not speak about mystery.

    Now to the Surun-related points: Your results lead to my assumption, that some services are not yet fully loaded, when the startup-commands for ERUNT and JKDefrag get executed, so the execution with elevated rights does not work. There is BTW a little check-option built into Surun: If you enable the tray icon (you can do that generally on the advanced settings page or specifically for every Surunner on the Surunner-Group settings page), you should see it changing the color from green to red, if a program gets started with elevated rights. Furthermore you can enable on the advanced settings page the third option for displaying an info, if a program gets automagically started; this info box should appear in both cases. If it does not, it would be a proof for my assumption. As already said, you can solve this problem with Startup Delayer. (It is not Surun's fault.) - In case, you have enabled the tray icon as said above, you should disable it after those tests. There is a bug in the tray icon, which may slow down your machine after some hours of running. Kay is aware of this bug and will solve this problem in the next version.

    If you find an access denied in the JKDefrag log, so this will most probably be the point, that defragmenting has to be executed with elevated rights, and as we discussed above, Surun is at startup time not yet ready to execute it with elevated rights. The other question is, what setting (if at all) is made in the Surunner Group for JKDefrag? There should be 2 or 3 icons in the row for this program. Those icons belong to the program settings, which you can open by double-clicking. Which of the up to 8 options are activated in your case?

    Your experiments with Explorer (last post first paragraph) do mean the following: Generally (has nothing to do with Surun, but with the OS) rights get inherited by the child processes. So, if Explorer is executed with elevated rights, all programs, which get started from within Explorer (e.g. with double-click) have elevated rights. If Explorer is executed without elevated rights, the same programs started from within are executed with limited rights, also. So far your observation is that, what should happen. You can make settings in Surun for every single program, that it "automagically" gets executed with elevated rights in every case - and I had expected, that you have made those settings in Surun. But now I wonder: Have you really done so? I'm starting to doubt. As Surun uses an own desktop for displaying its dialogs there is pitifully no way to make a screen shot, so you must carefully check yourself and tell here the result. - The part, that you have Google-translated, shows a way, to fill those settings more conveniently, but this is not essential and we can skip this here. (BTW, I am German, so I know and understand the text in its original language.)
     
  24. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Cosmo:

    Hope you had/are having a great weekend.

    On the Control Panel > SuRun Settings, "SuRunners Group" tab, when I highlight an item in the program list then click 'Edit', I notice that the following last 2 icon settings are inactive:

    ( ) User is allowed to start the program with elevated rights
    (X) User MUST NOT start the program with elevated rights

    In all cases, the "User MUST Not start...." is checked, and because it's inactive, I can't change that.

    On all my entries for programs I've set them to:

    (X) Don't ask and always start the program with elevated rights
    (X) Start the program automagically with elevated rights

    Could this be a factor? Is there a reason why I can't access these last 2-icon settings?

    I discovered one additional problem. I use Cobian Backup to backup selected folders/files every Friday. This morning I noticed that the backup did not take place. I was able to run the backup manually by starting the program and activating the backup. I then created a scheduled backup to see what happens. The program started for a couple of seconds then stopped. The log stated "access denied". Cobian is run as a service and I've elevated both the service and interface files to elevated rights.

    Thanks again for your assistance.

    PS: thanks for the tip on the tray icon. I was running it, but have disabled as you suggested.
     
  25. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    SA Jack

    the 2 grayed out options you asked about are inactive, because of another inactive option. On the same tab you find near the top on the left side the option, that users are only allowed to start certain programs with SuRun (wording may differ a little bit, as I use the German version). If this option is set (we speak about a limited Surunner in this case), both mentioned options get available and you will find another column with the respective icon on the program table on this dialog. As long as the limited Surunner option is not set, the 2 mentioned options are really inactive, that means, it does not matter, which of them is "set". So you must not care about this.

    The 2 active settings you have set do mean, that you will not get asked, if you start those programs (but only those in the list) as Administrator from the context menu or if you start them by double clicking. So the settings are ok. But what about the 2 options on the very top on the advanced settings tab? (Both are regarding Automagic) Which of them are set?

    Regarding Cobian: I had taken a look at this program some years ago, but I did not like it, so my remembrance about it is not complete and not actual. So I remember vague, that it could be run as a service. But this should mean, that there is an "access denied" error very improbable; services should have access (read, write, execute and more) more or less everywhere. So there seems to happen strange things on your box, which needs some special investigation. This is especially true, if Cobian has worked correctly before Friday.
     