SuRun: Easily running Windows XP as a limited user

Hey there guys,
I am new to the whole LUA,SRP and SuRun combo and i'm really impressed at how sturdy protection such a simple setting provide!However i have come across one or two problems over the time and i'd like some advice.

First problem i have encountered is that,Everything (a great search machine, http://www.voidtools.com/ ) don't work as it should because SRP won't let it access Everything.db which is in the same program file folder as the main executable.I tried giving admin rights to the executable but it didn't work out.I added an exception for it's path upon group policies (as pictured below) but didn't work out either.

[img=http://img690.imageshack.us/img690/4023/gpedit.th.jpg]

Then i noticed those unprotected registry keys,should these be allowed?

Last problem i encountered is at modifying txt files in places other than my desktop.If i try modifying a txt file on my D:\ drive i get an error message saying "You will need to provide administrator permission to save this file".Is there any way to exclude certain file types?

Thanks for your time,help is greatly appreciated!

 

I just instituted this yesterday. Works great. I have a router firewall, System Safety Monitor, Script Sentry and use Sandboxie with Chromium and Opera and plan once a week on demand scans with SAS, MBAM, asquared free and ESET online scanner (tough to find on-demand virus scanners these days that don't also run in the background). I was afraid SSM wouldn't work with this but after reading that it would in the thread I went ahead.

I have run into a single minor inconvenience that is baffling to me though.

I use Gizmo5 with GV for calling when I'm in front of my pc and it has worked fine with SSM and SS in the past but with Sunrun for some reason it won't remember the password on the account it always comes back as client failed to register. When I look at the account inside gizmo app the password is missing. Running it as an admin user makes SunRun turn bright red like a warning and since gizmo is a chat im program I suppose its possible to be compromised through it so I don't do that and the ONLY way I have found to start it is to remove the account data from the app and uncheck remember password. Setup that way it starts as if its just after a new install every time. I enter the user name and password and it works for the session. This is a very very minor inconvenience but I am trying to understand the process at work here. The gizmo forum is usually a dead end for any type of technical question so I thought I'd ask here to see if anyone can point me to why this happens - not a solution just an overview.

Thanks and many, many thanks for the work put into this thread by tlu.

 

I have SuRun installed on my Vixta x64 PC allowing me to use my standard user account more comfortably.

Great application and very informative thread.

 

The path rule you made isn't needed. Look at the rule directly above it and you'll see that the whole Program Files directory is allowed to execute.

These aren't unprotected registry keys, these are the rules for where files are allowed to execute. This is OK.

The problem that you're having is that your application can't write to it's directory in Program Files when it has limited privileges. What you have to do is modify the rights of Everything.db so that your limited user account has write privileges.

If you can't create or edit and save a text file on your D drive then you don't seem to have write privileges there, so you should log on to your admin account and give yourself write privileges for your D drive (and also your user profile). How to do this could vary depending on which OS you have.

 

Thanks for your help johny,really helped me out there.Thing with SRP is that some programs tend to malfunction under SRP,sometimes granting the correct privileges works out well,sometimes it doesn't.

I was thinking,is there something similar to a the SRP approach,an anti-executable program which works like SRP on a simple LUA acc?

 

If your apps are installed in the default installation path, i.e., %Program Files%, then they should work fine unless they save data to the program directory instead of your user profile. In that case you have to figure out what file that is and give it write permission.

If the app installs itself in non-standard places then you have to make a rule for it with gpedit.msc. Also, if you use Vista or Win7 64 bit, you will also have a Program Files x86 directory for 32 bit apps. You'd have to make a path rule for that as well.

When you made the SRP rules, did you select all software files or all software files except libraries (such as DLLS)? I have the one except libraries because I had a couple of things that didn't work right with all software files checked. You might try that and see if it makes a difference.

I'm sure someone will chime in and point out that it isn't as secure, but sometimes there's a trade-off for usability. The fact that you are using a limited account is, in my opinion, the more important measure you've taken.

Personally I wouldn't bother with any of these anti-executable things. The nice part of LUA and SRP is being safe without having all of these resource hogs running and driving you crazy with popups.

 

In conjunction with utilizing SuRun and an LUA account: If you were the only person who had physically access to your computer...


Is there a safe and secure way to utilize automatic windows log in into your SuRun Limited User Account?
http://support.microsoft.com/kb/315231

Example: Possibly create a script / variable that would point towards a different file in a different directory to contain the password (VS having the password be in plain text inside the registry).

But if your administration password was different from the Limited User Password, and you didn't use that password for anything else, would it even matter since nobody has physical access to your computer?



Also if your Admin account + Limited User account have the same password, would SuRun + LUA still work as effectively as if they were different passwords? Or is it recommended to have different passwords for each account?
(We are still assuming that nobody has physical access to your computer)

 

I set up auto logon using control userpasswords2 in the admin account. I don't see the password in plain text in the registry, maybe I'm missing something. You can also set up auto logon using TweakUI.

I would say that the strength of the password is the most important thing, assuming no one has access to the computer. If someone has physical access then it doesn't matter, they can just blow away your passwords using Ophcrack. I don't have any password at all for the admin account, a suggestion made by Aaron Margosis (Microsoft). In theory you can't logon to an account remotely that has no password.

 

anyone tested it / been using it successfully with win 7 x64?

 

doesn't work over here on Win7 Pro x64.

Nothing happens when I double click the surun installer.

 

Sad...or not?

Any supporters or opponents of the idea of being able to use it under win 7?

 

Your best bet is SuRun's forum.

 

Haven't tried it on Win 7 Pro. Can't see the need for it. I did try the latest update SuRun version on XP one last time. It turned out to be just that, the last time. For whatever reason, it would not work. Even though I was listed in user accounts as being limited, SuRun showed everything as being run as full blown admin. I really wanted it to work but it wouldn't.

 

Hi

I have a special program to type in our local language, which only runs under administrative accounts.

I was until now running it with runas command with administrator account but recently I saw surun and very quickly gave it a try.

Everything went well, the program now starts and runs without any errors and warnings, but surprisingly,

the type face is not changing, i.e., the program is running but not working ( I don't understand how this happens).

I can select my local language in program panel, start typing but it does gets typed in English only as usual.

When I tried my usual run as administrator (Windows default) it works.

Please guide me to solve this issue.