A question about Windows XP LUA

Discussion in 'other software & services' started by m00nbl00d, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I searched the forum for the key words "limited user account", but so many threads appeared that finding my answer would be like searching for a needle in a haystack.

    I, truly, apologize if the question has been asked before, and if so, and if you know where, please, point me to that thread. Thank you.

    So, my doubt with Windows XP LUAs is the following:

    I know that, until Windows Vista came along, software developers really didn't care about testing their application in LUA. The result would be that users would have a hard time working with them, under LUA, if they required elevated rights to do pretty much everything.

    Windows Vista came and started to change that. Working experience in Windows Vista LUAs is as smooth as a feather.

    My question is: Did the fact that software developers started to make their applications work fine under Windows Vista LUA also make them work fine under Windows XP LUA? Or not at all? Do you, Windows XP users, still have a hard time working with your applications under a limited user account?

    (I know there's, for example, SuRun. But I want to know just about the Windows XP LUAs and applications, and whether you no longer see the same problems you've dealt with in the past.)


    Thank you
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    My answer would be "no." But that's just because my applications worked perfectly well under LUA long before Vista was even beta. I've never had a hard time working with my applications in XP under a LUA.

    Only the poorly coded software had trouble running in limited user accounts before Vista, and I've steered clear of poorly coded stuff. Now it seems that even the poorly coded apps are getting better because Vista's UAC is somewhat forcing them to, or risk annoying their users with those UAC pop-ups, so even more software will work correctly in LUA. Good thing, of course, but I wouldn't use software from anyone that has just now learned that Windows NT also has other types of user account than administrator. ;)

    Historically, some LUA-unaware software has been many games, and a whole host of security software (which should raise some questions about their makers, really) from software firewalls to anti-viruses and others. Many of them have gotten better due to Vista.

    So, perhaps a more useful answer would be that "yes, Vista has made running as LUA 'easier' for all Windows NT based operating systems including XP, because UAC is half-way forcing developers to make better, safer software." But I find it important to stress that it was already very easy, and more than easy enough, long before Vista - if one did not run crappy software coded by people who obviously aren't too security-minded.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The answer is, it depends on what sort of software you are using. Take 2 perfect examples: Unlocker and RivaTuner. Both require admin rights. Unlocker requires debug rights; whether or not that is a requirement intrinsic to functions of code I have no idea. Perhaps the author could have gotten around that, but he did not choose to if that is so. Unlocker does not work from a User account, even with SuRun.

    RivaTuner requires that a .sys file I believe be loaded as admin. You can elevate it to admin with SuRun etc, but it is flaky at best. I have searched how to load a driver with alternate credential, but to no avail.

    With UAC, AFAIK, you need to have code in place to handle the fact that UAC is present. Without the proper code, as I understand, apps will cease to function. I am not so sure how many apps using UAC are really coded that much differently. It seems to me (a guess) that the code is the same, but that new programs need to adhere to some standard for UAC to be triggered to do the elevation. Once UAC elevates a program to Admin rights, it is admin, so no different than on XP. I am pretty sure that's how it works anyway.

    I think peeps who use LUA with few issues probably run applications as admin or they are the type of application that really does not do much to the system. I know for myself, I am constantly messing with or coding things to mess with areas of the system only an admin is allowed to mess with. So for me, LUA is nothing more than a great big hassle. Like I said, I think it depends what you do with your computer more than anything else.

    My laptop I take when I go somewhere uses LUA, and SRP etc, and I have no issues because I don't do much other than surfing or research or entertainment. In that respect LUA poses no problems at all.

    Sul.
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Sully is certainly right in that certain programs just require admin privs, and have valid reasons to. Anything that makes system wide changes or monitors the inner workings of the OS obviously needs admin rights, and there is no getting around that. However, his post also reminded me of one thing that I often say.

    First I would like to say that no, I don't run applications as admin. For example, right now, I'm logged in with a LUA, have 55 processes running, and none of those are running in an admin account (obviously a lot of them are running as NT AUTHORITY\SYSTEM, but that's just Windows' own stuff). But that wasn't really what I was meaning to say.

    Note how Sully said people who use LUA with few issues probably run applications as admin or "they are the type of application that really does not do much to the system." He is right, of course. As said, some things obviously just need admin rights to work, no matter what. But, what I was going to say is...

    I don't run applications so that I can do things to the system, I run applications so that I can do things with the system! For example, I don't run stuff so I can change registry settings without any real reason beyond just testing things, or so I can shut down services and see how many it takes to make Windows useless. That is, I don't mess with the system, except occasionally, and on a system that is reserved for such use. I run stuff so that I can do useful or entertaining things: write, read, listen, watch, engage in conversations, occasionally play games, create content like webpages or music or graphics and save and manipulate data and so on and on.

    The point of saying that is simply this: using limited user accounts is easy if you are the kind of user who uses a computer to do things with it. Using limited user accounts is hard if you are the kind of user who uses a computer to do things to it. Browsing, email, office work, properly made games, creating content etc - all easy in a LUA context. Messing with the system, uninstalling, installing, hacking, modding - not so easy, and often impossible.

    The differences exist for a reason. :)
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I've run across two apps that will not work correctly with LUA, even with Admin rights applied. WinPreviewer which is an older app and pretty much expected not to work, the other is SearchGT. SearchGT acts like it's searching but never finds anything even though I know it's on the drive.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Depends on what you want to do. As Sully rightly points out, there are some apps that just won't work in LUA. If you're not the type who tweaks it until it breaks, then a LUA is absolutely no problem. If you have "security" software that requires you to run as admin, then it isn't really very secure, is it? Apps that don't have to make any system changes but still require admin rights get uninstalled; I look for something else that works properly.

    That said, LUA with a software restriction policy, DEP and no autoruns for users (google "kafu.exe") make my system pretty boring as far as malware goes. I have IPCop on an old IBM ThinkCentre as a firewall (no desktop firewalls here) and all unnecessary services turned off. I have Avira on one crate and Avast on another without realtime scanning just to check files I download. Every once in a while I do a system scan but they never find anything.

    This is very easy to set up and you don't have all of that performance-deprecating security software. When I see how much garbage some people here have on their systems it seems like the idea is to not have enough resources left for the malware to be able to execute.

    BTW, SuRun is excellent, makes using an LUA just as easy as a normal user account in Linux.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you for your answers.

    I knew that some applications, if properly coded, wouldn't malfunction while running them in LUA, but, I also knew that quite a few others, would. Mostly, because they always tested their applications under Administrator accounts, rather than testing them in LUA as well.

    I know that, for older applications, there isn't anything one can do, unless use the administrator account.

    Windows Vista, sort of, came to change that. They had to keep the pace if they didn't want to risk losing ground, or some ground, due to UAC, even if users would be running in their administrator accounts.

    I'm guessing the problem nowadays, using applications in a LUA under Windows XP, would be with older ones. New ones wouldn't cause any trouble.

    The reason I'm asking is because I'm considering to install Windows XP in a machine, for a family member. I never actually used it that much before, hence my doubts.

    I truly appreciate your feedback. ;)
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, some apps just don't work properly under LUA. A general idea, I already had.

    I also agree that LUA + SRP + DEP make one hell of a security wall. That's what I've applied to every family member running Windows Vista. But, in this case, I'm perfectly aware whether or not there will be some sort of limitation.

    I've installed Windows XP in a virtual machine, and will be giving SuRun some testing. I never worked with it before, and won't be installing it and handing over the computer, without knowing myself how it works.

    I really love the concept of SuRun.
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    LOL. Well said! :D Running all the anti-malware software and HIPS from here to there can be an enormous resource hog. And that isn't the bad part. The bad part is all that software tossing all kinds of kernel hooks over the place, creating system instability. And then of course all the security vulnerabilities in these softwares, which only add to the number of Windows vulnerabilities every Windows user already has to deal with...

    About KAFU (disabling autostarts for the limited users), though - I find that to be redundant, if SRP is applied. If SRP is applied in whitelist mode, then I wonder how any autostart for the user is going to be able to actually run. ;) The executable the autostart attempts to start has to be somewhere, and if your file permissions and SRP rules are configured correctly, there is nowhere in the file system where the user can write where he can also execute from. Executable saved into %UserProfile%\Start Menu\Programs\Startup\ for example? SRP prevents execution, autostart useless... :)
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    If you haven't already seen it, check out mrkvonic's excellent tutorial on SuRun here. Here's a good guide for SRP.

    The only apps that I have that require admin rights are things like Revo Uninstaller, StartupCop and the like. Makes sense that they would need admin rights. OTOH, these aren't things that are used very often and are easy enough to start with elevated rights using SuRun. SuRun is what I would consider a "killer app" since it makes LUA so easy to use.
     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That guide doesn't seem to mention that it's important to check the file permissions while creating a SRP. Contrary to popular belief, limited users can write to some subfolders in the Windows folder, and can even write and execute in some subfolders - by default, in some versions of Windows and with certain software installed. For example, in Windows XP as it comes out-of-the-box, limited users can write and execute in Windows\Temp, meaning that if you have the kind of SRP rules that guide in the link recommends, any limited user (or malware encountered by said limited user) can just write stuff in Windows\Temp and execute it, and bypass the SRP. Because, SRP by default allows everything in the Windows folder. And then there's all the other stuff, like using the runas command ( http://technet.microsoft.com/en-us/library/bb490994.aspx ) to change trustlevel to bypass SRP, but that is much less likely to be encountered ITW. That is just to say that SRP requires some work to set up, but works very well after that. :)
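The writable-and-executable gap described above, as an added audit (not the poster's code): a PowerShell script that walks the tree the default SRP path rule allows (%SystemRoot%) and reports subfolders whose NTFS ACL grants a standard-user group both create-file and execute rights, so you know where to add a Disallowed rule or tighten permissions. Assumed: the default rule allowing %SystemRoot% is in effect, BUILTIN\Users, Authenticated Users and Everyone are the principals of interest, and Deny ACEs and inheritance-only flags are not evaluated.

```powershell
# Added audit script, not from the thread. Lists subfolders of the SRP-allowed
# %SystemRoot% tree where a standard-user group can both write and execute,
# i.e. the kind of gap XP's Windows\Temp opens under default SRP path rules.
# Assumptions: only the groups below matter; Allow ACEs only (Deny ACEs and
# propagation flags are ignored), so treat the output as a shortlist to verify.
$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$Rights = [System.Security.AccessControl.FileSystemRights]

function Test-RuleGrants {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule,
          [System.Security.AccessControl.FileSystemRights]$Wanted)
    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    $mask = [int]$Rule.FileSystemRights
    # GENERIC_* rights (GENERIC_ALL, GENERIC_WRITE, GENERIC_EXECUTE) appear as
    # the raw high bits; conservatively treat them as granting what was asked.
    if ($mask -band 0xF0000000) { return $true }
    return (($mask -band [int]$Wanted) -eq [int]$Wanted)
}

function Get-WritableExecutableDirs {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $writers = @(); $execers = @()
        foreach ($rule in $acl.Access) {
            $who = $rule.IdentityReference.Value
            if ($Principals -notcontains $who) { continue }
            # For a directory, CreateFiles = WriteData and ExecuteFile = Traverse.
            if (Test-RuleGrants $rule $Rights::CreateFiles) { $writers += $who }
            if (Test-RuleGrants $rule $Rights::ExecuteFile) { $execers += $who }
        }
        if ($writers.Count -gt 0 -and $execers.Count -gt 0) {
            [pscustomobject]@{
                Path    = $_.FullName
                Write   = ($writers | Sort-Object -Unique) -join ', '
                Execute = ($execers | Sort-Object -Unique) -join ', '
            }
        }
      }
}

# Each path printed here needs either tightened NTFS permissions or an explicit
# "Disallowed" SRP path rule, because the default rule allowing %SystemRoot%
# would otherwise let a file dropped there by a limited user run.
Get-WritableExecutableDirs | Format-Table -AutoSize
```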
     
  12. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Yup, all of those different apps with their drivers and hooks and sometimes rootkit-like activities are something I can live without. If I get a BSOD then I can almost be 100% certain it's hardware and not some HIPS, firewall and an AV biting each other in the ass.

    Good point about kafu.exe; if you look at it that way, then it certainly would be redundant. I know that this was recommended by tlu (who started that very long thread about SuRun). Maybe I read something wrong there. However, I think it would definitely be useful for XP Home, which doesn't have gpedit, which you need for SRP.
     
  13. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    To experiment I just tried to copy an executable file to C:\Windows\Temp to see if it would run, but I was denied permission to even open the directory. Now I'm confused :D
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Requires Windows XP or lower to work, "fixed" in Vista if my memory serves me correctly.

    Also, use the command line instead of Explorer
    ( copy filename "C:\Windows\Temp\filename.exe" ) to copy some file there and then
    ( start "bypassingyourSRP" "C:\Windows\Temp\filename.exe" ) to execute some file.
     
    Last edited: Jun 29, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Now that is probably the best way of describing it I have seen yet. And precisely what I do, lol, I do things TO my computer, rarely WITH it. Great analogy. :thumb:

    Sul.
     
  16. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    OK, I'll try that tonight. BTW, your example may be a use for kafu.exe after all. A baddie sitting in the Temp directory gets started by an autorun each time. Disk cleanup probably won't delete it because it's being used. If it doesn't autorun with Windows, then it would most likely be able to be deleted when temp and junk files are cleaned up (theoretically).

    At any rate, someone posted a link to a site called Spycar, where you can test your system to see how exploitable it is. He was concerned because the AV he was trialing missed a few. I tried it out to see what would happen and none of them were successful on my setup, so it seems to work pretty well.

    Edit: One thing I forgot to mention is that the "runas" trick doesn't work on my crates because I don't have passwords for any of the accounts. If the admin account has no password, you can't use runas. You also can't remotely login to an account that has no password. Of course this is only advisable if you're the only one who has physical access to the computer.
     
    Last edited: Jun 30, 2009
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, for that kind of use, admin is pretty much the only way to go. :D

    I wouldn't trust disk cleanup for that. And having the file autostart isn't necessary, either. As long as the file runs once, at the point of infection, it can already accomplish a lot - such as deleting data the user can write to or sending away data the user has read access to. If it can't make an autostart, then it can't persist after a reboot, so some things like becoming a spam/DDoS bot can't be done. Preventing the user account from making autostarts to its own account could therefore offer some benefit, if file permissions aren't configured tightly to prevent bypassing SRP. This type of attack, though, I find more likely to be attempted by a malicious local user, such as one might find in the workplace, school or any other public or semi-public location where people have computers around to use, and places like this often use SRP for security. But yes, other than some weaknesses, SRP works very well.

    You might be surprised about the runas issue, as well. It does not require you to authenticate as another user, such as the admin, or type any passwords in. You can use runas to change the trustlevel of an executable you want to run in the context of your own currently logged-in user account, without having to present passwords for any account. Like so:
    runas /trustlevel:"Unrestricted" filenameofprogramyouwanttorun.exe
    For "Unrestricted" you may have to substitute whatever term the Windows version in your language uses for it - you can check by using runas /showtrustlevels. This doesn't even require the Secondary Logon (former RunAs in Win2k) service to be running, which is quite surprising - I didn't know about that until a couple of days ago.

    But, I digress. My main point in this thread being, that running as a limited user (in XP or Vista or whatever) isn't at all difficult. :)
     