How to avoid typing UAC (User Account Control) credentials for selected programs

Discussion in 'other security issues & news' started by MrBrian, Mar 9, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Scenario: a user wishes to avoid typing UAC credentials for commonly-used programs that need to run with admin privileges.

    Solution: use one of the various RunAs tools that can store user account credentials in an encrypted manner. I recommend using RunasSpc. RunasSpc and other similar tools are covered here. RunasSpc has a /quiet switch that is useful and not on by default. RunasSpc encrypted credential files can be associated with RunasSpc in Windows if desired, so that double-clicking a RunasSpc encrypted credential file (or a shortcut to it) starts RunasSpc and processes the given encrypted credential file. Furthermore, the Open verb for the RunasSpc encrypted credential file association can be modified to use the /quiet switch, for quieter operation. If anyone wants me to provide further details, feel free to ask.

    What are the security considerations of this technique? Let's suppose that we made a shortcut to a RunasSpc encrypted credential file that launches the command prompt with admin privileges. Let's also suppose that we are running as a standard user. Let's suppose that malware is running in the standard user account, and launches the command prompt from the filesystem (but not from the shortcut we made). In this case, the malware would get a command prompt with just standard user privileges. Only if the malware happened to run our shortcut itself might it get a command prompt with admin privileges. Another security consideration of this technique is that when launching a target program with admin privileges, the admin credentials may at some point be in standard user-accessible memory unencrypted, depending on which RunAs tool was used.

    When running elevated programs along with non-elevated programs in the same desktop, whether using this technique or with UAC prompts, please be aware that "UAC elevations are conveniences and not security boundaries." See section "Elevations and Security Boundaries" in the paper "Inside Windows Vista User Account Control" for further details. It's safer to completely avoid using UAC elevations, including this technique, and instead use Fast User Switching to switch between admin and standard accounts.

    Other possible solution: the Task Scheduler technique, as described at http://www.howtogeek.com/howto/wind...ortcuts-without-uac-prompts-in-windows-vista/, didn't work for me when elevating from a standard account on Win 7 x64; I got an "access is denied" error. It worked though when elevating from within an admin account. Anybody have any experience with this?

    Another possible solution: Norton UAC Tool. I didn't try it, because I believe it's for Vista only. Correct?

    Another possible solution: use Microsoft Application Compatibility Toolkit as described at http://blogs.techrepublic.com.com/window-on-windows/?p=635. I haven't tried this yet.
     
  3. MrBrian

    MrBrian Registered Member

    In further testing, unfortunately it looks like I was wrong about being able to avoid a UAC prompt by using the technique I mentioned. However, all is not lost. If you run as a standard user, use of this technique will allow you to avoid typing admin credentials, but you'll still get a UAC prompt that you'll have to approve with a single click. You can also use the existing Windows feature of always running the target program as admin at program launch, so that you get just one UAC prompt that you have to approve with a single click.
     
    Last edited: Mar 11, 2010
  4. MrBrian

    MrBrian Registered Member

    The technique I mentioned will also allow you to run programs requiring admin privileges at startup by using a shortcut to the given runas program in the appropriate user's startup folder. You will still get a UAC prompt though.
     
    Last edited: Mar 11, 2010
  6. MrBrian

    MrBrian Registered Member

    I did try Microsoft Application Compatibility Toolkit. It didn't help in avoiding a UAC prompt in the several programs that I tried it with on Win 7 x64. Did anybody else try it?
     
  7. MrBrian

    MrBrian Registered Member

    I just found out about new freeware Privilege Authority:
    Privilege Authority is currently only for those who use Active Directory.
     
  8. MrBrian

    MrBrian Registered Member

    I've found a method to avoid all UAC prompts for commonly used programs, with the exception of a UAC prompt (without asking for password) at logon. In a nutshell, Folder Menu is run elevated at logon using a RunasSpc shortcut in the desired user's Startup folder. Any program run from elevated Folder Menu will also run elevated without a UAC prompt, provided that no instance of the given program is already running. Your favorite programs are accessible with a left-click of the Folder Menu tray icon, or via a customizable hotkey. Also, your favorites are available via middle mouse button click from several programs, including the desktop and Windows Explorer. I advise removing URLs from the Folder Menu items, because they may launch a browser running as admin.

    This method works with both standard user accounts and admin accounts. You could instead use your favorite program launcher instead of Folder Menu. You could also use a different program than RunasSpc - see the first post.

    If anyone wants further details, feel free to ask.
     
  9. MrBrian

    MrBrian Registered Member

    Continuing the thought from the last post...one of your Folder Menu programs can be a third party file manager such as Q-Dir. When you want to install a program, launch the third party file manager from Folder Menu and execute the installer with it.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If I understand this correctly, you are trying to get UAC prompts to be remembered? For the ones you don't want to constantly answer yes to?

    If this is the case, would it not be just as easy to turn UAC off and use SuRun? At least it can easily remember your answers, and unlike the Norton UAC utility, is easy to remove entries you have made.

    And I have to ask, what is the point of having UAC enabled if you are trying to bypass it? What is the point of remembering to run specific items as admin if they can run whenever they want as admin? You assume that a rogue program will not also attempt to start and use those programs? It is the same question I ask of using SuRun... if you are a user, and you have a program helper remember to elevate something to admin, and the auto-elevated program can be used in a negative way, why do you bother to be a user? You have just given root to the bad guys.

    Sul.
     
  11. MrBrian

    MrBrian Registered Member

    Sorry that I didn't specify - I'm not actually using this method, because indeed it's more secure to switch to an admin account when doing admin activities. But I know that some others don't like to switch to an admin account to perform admin activities. And I know that others are not using a standard user account at all. This method lets you run as a standard user, while also being able to run certain programs elevated without UAC prompts.

    I haven't used SuRun in a while, so I can't answer specifically about it.

    Regarding malware being able to take advantage of programs running elevated:
    a) UAC prompts are bypassed only when launching programs via Folder Menu, not in general. Is it likely that malware would take advantage of this? I doubt it, but maybe I'm wrong.
    b) Malware could indeed try to take advantage of programs already running elevated. User Interface Privilege Isolation, introduced by Vista, doesn't protect against everything. This is also the case for any program that's running elevated - i.e. it's not limited to this particular method.

    My intention was to give folks who are currently always running as admin a vision of how to instead run as a standard user without the hassle of switching to an admin account to do admin activities. Assuming UAC is enabled, I believe that this method is likely to be safer than always running as admin, but isn't as safe as using a standard account with user switching to do admin activities. It would be great to hear others' opinions on this.
     
    Last edited: May 27, 2010
  12. Sully

    Sully Registered Member

    It is a good goal. There are probably a lot of people that feel 'inconvenienced' by UAC and user rights. Most of them probably don't really need to be admin, but like the lack of "do you want to do this" prompts.

    I don't know really if remembering is the best thing. For responsible users, it likely poses no real risk, or very little. But I think so many are just lazy and would have it remember everything. And at that point, what is the difference?

    For me, I hope there comes a time when I can run as a user day to day, and will not miss all the tools I use that do require admin. I spend too much time futzing and not enough time computing, as it were, to be under the RunAs/LUA gun. I have spent too much time and energy as it is setting up sandboxes or running virtual machines or tweaking the rights or making fancy drop-my-rights approaches to ensure that I don't become a victim of "I am admin" syndrome. Nowadays my scheme is pretty fine-tuned, and with my imaging I really don't think I would even be inconvenienced by some virus/trojan/malware. 5 minutes is all it takes to restore my image, and my data is safe to boot.

    Keep up the obscure line of thought, it provokes ideas and that is a great thing.

    Sul.
     
  13. MrBrian

    MrBrian Registered Member

    If a user decides to run Internet Explorer or Adobe Reader from an elevated Folder Menu, for example, well that wouldn't be a good idea....

    I'm not sure if I was clear enough on how this method works, so I'll recap it here. When you log in to your account (standard or admin), Folder Menu starts automatically, requiring an OK from UAC (but no password is asked for). Folder Menu is available in the system tray, running elevated. When left-clicking on the Folder Menu tray icon, a list of programs that you previously configured pops up. Because Folder Menu is elevated, anything launched from Folder Menu also runs elevated, without a UAC prompt. When you want to install a program, launch a third party file manager - such as Q-Dir - from Folder Menu. If malware tries to compromise your system, you'll get a UAC prompt, unless it somehow is able to use Folder Menu or any other elevated program to do its bidding.

    Although this method works with either an admin or standard account, from a security perspective, it would be best to use a standard account for the same reasons that have been discussed in other threads, such as https://www.wilderssecurity.com/showthread.php?t=215470.
     
  14. MrBrian

    MrBrian Registered Member

    Those running as admin can use the Task Scheduler technique to launch Folder Menu at login with no UAC prompt. The Task Scheduler technique doesn't work with a standard user account though.
     
  15. tlu

    tlu Guest

    Sometimes you don't have a choice. For example, the often recommended Secunia PSI requires admin rights. Thus, starting it automatically in a limited account would fail unless you start it with SuRun (and make it remember this decision). It's a sad example, indeed, since Secunia PSI is aimed at improving Windows security. Actually a contradiction in terms.
     
  16. Sully

    Sully Registered Member

    Too true.

    After thinking about how a linux repo can give access to so many applications that will be deemed as "safe" to use, I wonder why there is no such thing for M$. Surely it would work to submit your program to the "safe windows software foundation" and once they (whoever they are) determined it to be "non malicious" it could be added to the library of other "approved" softwares. Wouldn't that be a novel concept, to actually have one place to go, where everyone who develops a software actually wants to submit it so that potential consumers can try it without fear of it being a malware.

    UAC, SuRun, RunAs, any elevations that are needed, are always subject to the integrity of what they are elevating. Why not, as it sounds like linux does, create a place, a global place, where all of those worries are laid to rest.

    How many average users who try out new software on a regular basis would then be spared infection? How many advanced users could just tell their novice friends, "get program XYZ from the library, it is what you need" and rest assured that their friend will get a safe download? The more I think about that, the more it sounds like one of the best first lines of defense one might use. Something like "TrustTheSource dot com" would fit nicely.

    Nice pipe dream anyway ;)

    Sul.
     
  17. tlu

    tlu Guest

    Indeed, and they would get all necessary updates for these apps via Windows Update automatically.
     
  19. MrBrian

    MrBrian Registered Member

    Another method: for those programs that unnecessarily request admin privileges, use VistaUACMaker.
     
  20. MrBrian

    MrBrian Registered Member

    Another method: UAC Trust Shortcut. Works in admin accounts only, not standard accounts.
     
  21. MrBrian

    MrBrian Registered Member

    Not free: RAAC.
     
  22. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    There is. It's called Download.com, or MajorGeeks, or Softpedia, or the handful of other reputable software libraries out there.

    Linux-style software repositories are an idea that sounds good on paper, but they are very problematic in most distros I've seen. But that's a topic for another thread.
     
  23. tlu

    tlu Guest

    Yes, it is. Nevertheless let me just say that the statement in the first sentence is utterly wrong, IMHO.
     
  24. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    What are some of the problems you're having?
     