SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Ah, Cosmo, our old dispute again ;)

    If the user has write permission (Mike's option 2) he can delete these files/folders.

    Ok, why not? On the other hand I still think that admins as owners do not cause problems in the vast majority of all cases. And even in these rare cases the problem - as far as I can see - is not the question of ownership but rather if the user has full access to these files. One example (which you mentioned yourself somewhere else): If you start an application with SuRun's elevated rights and this app creates files somewhere, and now you start a backup app to perform a (differential) backup. This will cause problems since the backup app running with limited rights will not be able to set the archive bit. But the reason is not that admins=owner but rather that the user has no write permission.
     
  2. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Yep, and now with an actual example.

    That is clear. The difference between the 2 options Mike named is that with option 1 (recommended by me) this and only this user has the write permission, and that automatically; no chance to confuse things by mistake. Take a system with more than one limited user account. Predefined you will find in the security settings only the group of users, not the single users, as long as one of them is not the owner. So most probably people will mark the write permission for the user group and in consequence every user can now alter those files. Remember that in Mike's question we do speak about a place outside the profile structure, so the special protection inside the profile does not apply here.

    With my suggestion this user, who has been (re-)made the owner, has write access, no other limited account. (In other words: With my suggestion I gave the user back, what the user belonged to already.)

    Even problems in a minority are too much, if they can get prevented.

    Of course you are right, it is at first a question of write accesses. Now, dealing with documents (in contrast to executables) as here, the next question is: Why should the user get write access? Because he is a limited user: No. Because he is the creator: Yes. Making or leaving him as the owner is the logical solution, the other way is a workaround.

    If a PC user decides to leave the old admin-way and go the LUA way, he still does expect that things go (as far as possible) in a logical way, that is predictable from the kind of usage. In my understanding it is predictable, that I am the owner of my documents. If I am not the owner on the LUA approach - but have been the owner on the admin-way - things are getting unpredictable (Or do you anybody except experts do predict that?), and that does never make feel comfortable.
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    SU RUN

    Hi

    Have just started to use SU Run and am very much finding my way

    I have it set up as follows:-

    1)The original admin account

    2) Limited user Account for internet facing applications, i.e. Web Browser, mail clients etc.

    Office suites and all else is on the original admin account.

    Is this the best configuration?
     
  4. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    As an impartial observer there are a couple of points I would like to make

    1. In my situation I am the only user of my PC so there is no confusion as regards ownership, as I have set the permissions up so I know what is happening. This may well not be appropriate if I had all my family sharing the same PC, and I can see the advantage here of setting ownership to each LUA Account concerned.

    2. As I need to run one of my Apps with Administrator privileges I do not want to encounter problems should I subsequently need to write to files thereby created when running subsequently as the LUA. In this case setting Admin as the owner but with my LUA Account having full privileges takes care of that situation. Again, if all my apps ran without the need to be a Surunner it may well make more sense for the LUA to be the owner (no need to add extra permissions).

    So to sum up I think it all depends on the particular circumstances of each individual and that there is no single correct way to do things. The main thing is to understand what I am doing.

    Mike
     
  5. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    When upgrading Surun to the latest version, should I first uninstall the old copy or can I upgrade over the top of the original?

    Thanks

    Mike
     
  6. colinp

    colinp Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    46
    Just install over the old one. During the install, you are asked if you want to keep the same configuration, for program permissions.

    Colin
     
  7. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Yes
    No, you are asked if you want to leave to SuRun shortcuts. It's a little bit confusing. Anybody, who has not done special changes for SuRun in the registry should not check this option.

    BTW. There have been found some glitches in the new 1.2, version 1.2.1 is in RC-state and will be out shortly (I think), so I would wait a few days (or download the actual RC from the forum, but the beta forum is in German only).
     
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Re: SU RUN

    Not at all.

    Office (just as image-viewer, codecs and so on) are potentially vulnerable and so must be used in a LUA to get the safety that you expect. Besides of that: Specially for office-documents there is the possibility of active contents (macros), that may be harmful.

    Furthermore, I cannot imagine a less comfortable arrangement than this. 1 example: How will you make an investigation in Internet and write at the same time with your office? Every time switch the account?

    No, the LUA approach means:
    Do all - and that means: all - inside a LUA, that has nothing to do with administrating your computer.
     
  9. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Well i had to remove surun, lua and srp from one of my systems, here is why:

    The system is a download/upload server and mediacenter.

    The following problems occur:
    -All media and download applications need admin rights
    -most security applications for downloading need admin rights
    -Moving files around multiple harddisks requires admin rights for all programs involved.

    And on top of that.
    -files removed by an admin rights application can not be removed from the recycle bin by the limited user
    -Even with admin rights utorrent is constantly getting limited causing downloads to fail(my download folder is on a different harddisk than my profile)

    Basically using multiple harddisk is a big problem for lua,srp,surun
    Having to use 90% of my applications with admin rights completely defeats the purpose..
     
  10. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Generally this security configuration is setup for a user account that is primarily used for accessing the Internet. If you're having problems with certain applications, you might want to keep an Admin account and run them from there. Usually a LUA with SRP is special and kept separate from other admin accounts. Try MakeMeAdmin instead of SuRun and see if you like that better.
     
  11. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    It's not surun per-se, but the whole lua+srp thing just isn't working out.

    The HTPC is more like a server and lua+srp isn't really fit for that, but the internet also gets accessed on it, that's why i tried it.

    No worries though because i will use hips instead, but it would have been nice to not have to use one.
     
  12. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Maybe you use the wrong apps? I know some of them and all that I know (WinDVD, PowerDVD belong to the most common ones) do work inside a LUA account. So, maybe most of the apps that you use (how should I know them?) need admin rights, but most of those on the market do not.

    Regarding "moving around": If you do not give exact(!) infos, then nobody can give you advice. In this case I do not know what this post does here. There are situations where this can happen, but there are - mostly easy - solutions.

    Ah, and the fact, that most security apps do not work inside LUA does not say anything against the LUA approach, but against those "security" apps. The best is: You do not need them and save resources.

    Has nothing to do with Surun, but belongs to the privacy principles of the OS. If you investigate further you will find, that also a file, that has been put into the bin from a LUA cannot get removed by an admin.

    If it does not work with admin rights, which rights are sufficient? Obviously a different problem.

    LUA approach and Surun do not bother, if there are 1 or multiple harddisks. BTW: Having to use admin rights in 90% makes it very likely, that there is some general misconfiguration in the OS, but even in this (not good) case the purpose does not get "completely defeated", as the shell still runs limited.
     
  13. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    hi thanks for your reply, i will try to answer your questions:

    Media players, they ALL need Admin rights if you want to use the DXVA features of the videocard, they don't need admin rights in software-only mode. I always need DXVA so these applications always need Admin rights.

    Download applications. I Use Utorrent, it downloads to one of my other harddisks, the problems its running into even with admin rights are the same as mentioned below in the moving files section.
    Utorrent can run without Admin rights if you use My Documents as the download folder.

    Security software, Although my virusscanner does not need Admin rights Peerguardian does because it uses a driver. And no i will never stop using peerguardian. I can live with one app always running in admin mode. Also some files can only be cleaned by applications like CCcleaner and spyware scanners when they run in admin mode.

    Moving files/multiple harddisks. Even with the other harddisks set to "unrestricted" i constantly get errors when i try to move, rename or delete files. This probably has to do with the fact that some of those files were previously created with an admin account.

    Recycle bin, it's really annoying to constantly have to change between admin/lua to remove all the files in the recycle bin.


    Lua and surun and multiple harddisks. You're right that it isn't surun's fault, but it is LUA's and SRP's, they restrict write/delete access based on several rules.

    -------

    A possible solution to most of these problems would be if i had some kind of application that would check all my files and give them Full admin user rights, for both admins and users. (not on C of course) The point is that except for C my LUA accounts needs to have full access rights to all files on all drives. Maybe then utorrent won't need admin rights and i won't have problems with the files it creates.

    That would leave me with all my mediaplayers and peerguardian running as Admin, that wouldn't be too bad.

    ------

    Maybe this could also be an option in surun, files created by surunners in directories XXX have full access rights for limited users
     
  14. tlu

    tlu Guest

    Are you sure? I'm not familiar with DXVA - but when doing a quick search I couldn't find any document on the web that said that admin rights are necessary.

    So why aren't you using that folder? Or any other folder where the user has write permission?

    As a matter of fact most security software do work in a limited account, like, e.g., Comodo Personal Firewall, Online Armor, SSM etc. And regarding Peerguardian, a solution is suggested here.


    Of course they can't if the user has no write permission to these folders. But why is it a problem to start CCleaner with elevated rights via SuRun?

    Grant your user account write permission to these folders or to these harddisks and you won't have any problems.

    Again - just give write permission to the user for these harddisks. And SRP only comes into play if we're talking about executables outside c:\Windows and c:\Program Files. In this case you need a New Path Rule. Documents/mp3s etc. are not affected.
     
  15. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    I'm sure, if i run as a limited user i get a black screen. It's a low level hardware feature so that might be the problem?

    Because my other harddrive has many gigabytes and my C drive does not.
    I gave the limited users rights to do everything on other disks with SRP settings(without that i cannot do anything except read)

    the problem is that it's not so easy to change permissions especially with 100's of folders and thousands of files

    Yeah those work fine, i will try the Peerguardian fix, thanks!
    Nod32 is the smartest i have tried as it actually runs in limited user mode greying out admin only settings (Avira allows everything but shows a popup that it won't save any of the changes)


    But even with admin rights CCleaner cannot delete some things that are locked to the user

    As far as i know i have already done this, however it might need more than gpedit to get it to work accurately

    Actually SRP blocks a lot more than just EXE's on other harddisks, i could not touch them until i create the unrestricted rule (probably has to do with the fact that they were admin disks before)
     
  16. tlu

    tlu Guest

    tetsuo55, I still don't understand your problem. First of all, you have to differentiate between folder/file permissions and SRP. Changing permissions to many folders/files is actually rather easy - keyword: inheritance. E.g., if you want to change permissions for a whole drive just go to the root directory of that drive, security tab and press the Advanced button - now you can control if the permissions for the parent folder are propagated to all subfolders and files.

    And regarding SRP: If only documents/mp3 etc. are affected SRP doesn't prevent anything. Only if that drive contains executables/scripts to be executed by the user you would have to create a new path rule.
     
  17. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    then there must be a BUG or something in SRP or LUA

    I create a rule, Unrestricted access to D:\
    My limited account is now able to read/write and change/delete non-admin files.

    I remove the rule
    My limited account is limited to read only for D:\

    Strange huh?
     
  18. Arup

    Arup Guest

    SRP in x64 XP has a serious bug indeed which I had discussed in earlier posts about LUA and SRP. If I set it up, I would boot into a blank screen in the LUA account but admin would work fine. What's worse is that even if I create a new LUA account and delete the older one the same issue would persist.
     
  19. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    No, DXVA is a DirectX Feature, very dependent on the supporting driver-versions and the correct settings (decoder, renderer, ...)

    Very strange: What does it mean: "I'm sure, if I run ..."? Either you have done this (in this case you would not write "I'm sure") or you answer what you believe is happening, without really trying. But this subject cannot be discussed by beliefs.

    In this case CCleaner would not be able to do the job inside the admin account. Either admin rights or no admin rights, there does not exist any difference, except you made them manually by will - in this case it is your part, if something went wrong. On a healthy system an admin (every(!) admin) can delete nearly everywhere (System volume information not).
     
  20. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    I AM 100% sure that LUA is causing the problem.

    Open media player with DXVA as LUA = black screen
    Open media player with DXVA as Run as.. = Perfectly working
    Open media player with DXVA in admin account = Perfectly working

    It's clear that LUA also blocks DXVA, it's true that i do not know how or why.

    Now for my other problems.

    They are being caused by files having mixed rights user-only/Admin
    There are more little issues.

    The most important being Slow WWW, even when run as admin from the LUA account.

    I am now using an admin account and everything is working perfectly, this system can almost be called a server so it's obvious that LUA would cause problems.

    (LUA works perfectly fine on my regular Non-DXVA systems)
     
  21. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  22. tlu

    tlu Guest

    While that site is not bad in general, the remarks about limited accounts are nonsense. The linked Microsoft site was updated in March 2005 - a lot has changed since then.

    I've been doing LUA successfully for years, my children have been doing it for years and many more users. And if there is really an application that still requires admin rights because its programmers still live in the age of Windows 9X - well, there is SuRun.
     
  23. Arup

    Arup Guest

    That site is a joke, MS recommends running LUA as a safe and effective practice to prevent getting infected. It's a contradiction in itself. Also no matter what he thinks or says, Windows 2000 is far more hardware friendly and runs faster than XP on comparable hardware.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    hum, nonsense or a joke ? Having read the reference and noted the source I think it is quite clear that he refers mainly to old programs and to a situation before SuRun was an option. As a home user I have to agree that most will never put up with the requirements of limited user accounts and SuRun. As enthusiastic promoters of SuRun and Limited users accounts perhaps you need to give more consideration to the problem of old programs and normal home users ? Reading this thread will convince most home users that the last thing they want to do is move away from the easy life of admin.
     
  25. Arup

    Arup Guest

    So far I have implemented LUA on myriads of PCs along with full DEP, not one of them gave any problems regarding programs, of course, those using older unpatched programs are at risk on the whole anyways as there might be vulnerabilities that can be exploited.
     