New program Runasil starts a given program with a given integrity level

http://blog.didierstevens.com/2010/12/01/runasil/

One possible advantage of using Runasil instead of Chml or Icacls to set the integrity level directly on a given program is that one doesn't need to worry about setting the integrity level of the given program every time the program is updated.

 

Good point, hadn't thought of that one myself ;-) .

 

Cool. I was unaware of that registry key and its functionality. Sounds like a little trip around the web is in order.. again

Sul.

 

We have a triumvirate ...

 

What do you mean?

I have never faced a problem such as that. Once the object is assigned an integrity level, it keeps it.
Well, until you delete it, that is. Is this what you're talking about? In case an update substitutes (as in deletes and replaces) the original object?

 

it looks very interesting

 

Yes, but for Vista, and onwards...I am still with XP.

 

Correct. As an example, I run Firefox as a low integrity app. Every time I update Firefox, the new firefox.exe is no longer low integrity, and thus I've had to use chml to set firefox.exe as low integrity.

 

OK, thanks. I was wondering if you'd be also seeing that behavior with just replacing, without the previous object being deleted as well. Something would have to be wrong if that was the case.

 

How is this different than Prio aside from the fact Prio is a Task Manger add on.

 

Prio is for process priorities, not for integrity levels. My tool is for integrity levels:
https://secure.wikimedia.org/wikipedia/en/wiki/Mandatory_Integrity_Control

Unlike process priority, you can't change the integrity level of an existing process. It is set at process creation time.

 

Would this work?
win 7 standard user... one application on \\server\share\apploader.exe

This application requires admin privelages to run. Would setting the integrity level on that make it not require admin rights?

 

Not exactly sure what you mean...

When you use a non-admin account on Windows 7 to start a program with "Run as administrator", you need to provide credentials because you are starting a program to run with the profile of another user (the admin in this case).

Programs you start with "Run as administrator" run with a high integrity level.

 

Thanks.
in this case I've had to set the user as a local admin for this 1 application to run.
ideally we don't want the users to be admins but they do require access to this application.I was wondering if your application could allow this? But seems its something different.
thanks

 

I understand, it's better to use LUAs. But you still have UAC enabled?

You could try something else: in stead of adding this user to the local admin group, give this user just the necessary rights and privileges for this application to run.

This will require some trial and error. I know Microsoft has some tools to find out why an application needs admin rights, but I'm not that familiar with them.
Personally, I would use Procmon to analyze this application and find out what it requires.

Then I would set the necessary ACLs (files, registry) just for this user, and maybe set some privileges in the local/group policy.

 

If that app doesn't actually need admin rights to function properly, you could try VistaUACMaker. If the app really does need admin rights to function properly, you could create a shortcut to run just that app with admin rights by using the program mentioned in this thread.

 

Also see Tools that allow one to run a program as other user without giving password each time.

 

I'm wondering... imagine you set an integrity level either with chml or icacls. If you use runasil to keep the integrity level... would it cause any problems?

Would it be better to just use runasil? I like what runasil does, but chml has more features.

Would they "work together" just fine?

 

By the way, if you'd like to keep your integrity levels, you don't need Runasil, at all.

If you're like me, then what I'll mention will suffice.

In MrBrian's example, he uses Firefox as his browser and everytime the browser upgrades, it will loose the low integrity level.
I don't use Firefox and I don't know what's your approach, but I only upgrade Chromium at the end of the day, when I'm no longer using it.

My approach is a bit different with Chromium because I have created a batch file to automatically apply the integrity levels. But, I'll mention Windows Live Mail which I've set to an explicit medium integrity level.

To be sure that WLM is always with an explicit medium integrity level, just in case it gets updated in my relative's system, via Windows Update, I've created a batch file, and then I scheduled a task that will reapply the integrity level each session logon.

I used the tool chml to apply the integrity levels, because I'm making use of the flags NoReadUp and NoExecuteUp. Otherwise, Windows tool icacls suffices.

If you're running a standard user account, just make sure the task is set to execute regardless of the administrator being logged in.

This does the trick pretty well.

Maybe something you'd like to try... or not...

 

Rather than schedule a task, you could use a login script, or possibly even autoexec, but I haven't played with autoexec in years and don't know if it behaves in vista/7 the way it used to. You could also put the script in the users startup directory, which will be run on login too. Many ways to do this. The task you made, is it on a certain timetable?

Sul.

 

Yes, we can achieve the same goal using different techniques...

I could create a script to verify what's a given process's integrity level and reapply it, and all that. If the process is running, then either give me a message, to give me the choice to terminate it or silently wait for the process to end and reapply the integrity level. And, I will do it, but I'll create a PowerShell script for that. When I get enough knowledge. I try to learn a little bit each day. I'm not that great with batch files. Never really learned batching that much, only very basic stuff. On the other hand, PowerShell is something that I do want and am learning, and it's the future.

Anyway, the batch file is scheduled to run each session logon, regardless of the administrator being logged in.

 

I've been using a batch file for this for the past month. I run it manually after updating Firefox.