SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I've now read the pages at TechNet containing information regarding ownership, and as far as I understand this, the ownership only affects how permissions are set on the object and to whom permissions are granted. Therefore, if you install/update an application as a limited user, you can as a user decide the level of permissions for all the groups of the folders/files/keys belonging to that specific application. But since you "can't" install/update an application as a limited user (not without problems anyway), there shouldn't be any security risk AFAIK. So in summary it doesn't add any real security improvement to set the admin as the only owner of all the objects (with the exception of installed/updated applications), even if it doesn't break anything if you should choose to make this global ownership change. It's up to everyone to make the decision about the necessity of this action.

    If someone finds something wrong in my reasoning regarding this issue, then please correct me :).

    /C.
     
    Last edited: Mar 15, 2008
  2. tlu

    tlu Guest

    I'm quoting this from http://www.pcguide.com/ref/hdd/file/ntfs/secOwn-c.html : "The significance of ownership is that the owner of a file or folder always has the ability to assign permissions for that object. The owner can decide what permissions should be applied to the object, controlling others' access to the file or folder."


    Well, you can do it with SuRun but this tool takes care of this problem as mentioned.

    Cerxes, this problem not only applies to the Program Files folder but also to %windir% and some registry keys if you followed the procedure presented in post #34. If you navigate to, e.g., c:\windows and execute dir /Q you will probably see that at least for some subfolders the owner is different from Administrators.

    Just to clarify: I recommended the procedure in post #34 for users that already have Windows installed with umpteen applications. With those steps you can avoid reconfiguring every application again for the limited account (as it is in fact your old admin account). The drawback is that you had probably installed applications before with that old admin account with the consequence that it gained the ownership for the respective Program Files subfolders, for some Windows subfolders and different registry keys. So this ownership for important objects is an unwanted remnant from these old days as well as the other problem regarding folder and file permissions. They should be corrected as recommended in post #146.

    It's a completely different situation if you do a fresh installation of Windows! In this case I would really recommend creating a new limited account before installing any software. The next step would be to install SuRun (with the default option that Administrators become the default owners enabled, of course!). From now on everything is as it should be as the two problems mentioned are avoided from the beginning.
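
The ownership check discussed in this post, as an added example that is not part of the original post or of SuRun: it lists folders and registry keys whose owner is not a system principal, since such an owner can always reassign permissions on the object. It assumes PowerShell 3.0 or later (so a newer Windows than the thread's XP, where `dir /Q` is the tool at hand); the audit roots and the trusted-owner list are choices made here.

```powershell
# Added example, not from the thread: report objects whose owner is neither
# Administrators, SYSTEM nor TrustedInstaller. Owners are compared by SID so
# localized group names do not matter.
$TrustedOwnerSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    # NT SERVICE\TrustedInstaller (exists on Vista and later only)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Assumed audit roots: the thread names %windir% and Program Files and only
# says "some registry keys", so HKLM:\SOFTWARE is a choice made here.
$AuditRoots = @($env:windir, $env:ProgramFiles, 'HKLM:\SOFTWARE')

function Get-OwnerSid {
    param([Parameter(Mandatory)][string]$LiteralPath)
    try {
        $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop
        $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        $null  # access denied or the object disappeared; the caller skips it
    }
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved SID>' }  # for example, a deleted account
}

function Find-UntrustedOwner {
    param([string[]]$Root = $AuditRoots, [switch]$Recurse)
    foreach ($r in $Root) {
        # The root itself plus its children (immediate only unless -Recurse).
        $items = @(Get-Item -LiteralPath $r -Force -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -LiteralPath $r -Force -Recurse:$Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $sid = Get-OwnerSid -LiteralPath $item.PSPath
            if ($null -eq $sid) { continue }
            if ($TrustedOwnerSids -notcontains $sid.Value) {
                [pscustomobject]@{
                    # File system items have FullName; registry keys have Name.
                    Path  = if ($item.FullName) { $item.FullName } else { $item.Name }
                    Owner = Resolve-SidName $sid
                    Sid   = $sid.Value
                }
            }
        }
    }
}

Find-UntrustedOwner | Sort-Object Owner, Path | Format-Table -AutoSize
```

Run it from an elevated session so that protected folders and keys can be read; anything listed with a user account as owner is a candidate for the ownership correction the post describes.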
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, but since the restricted user only can change or assign permissions to objects he himself owns, then from a security aspect it's therefore not a critical file, folder or key.

    Yes I know Thomas, but here SuRun is elevating the rights for the installation package to be able to install/update with admin rights. Therefore in this case I agree that it's important to check that the admin is the owner of the object (which SuRun does automatically by default).

    Personally, after a new installation of Windows I always create a new restricted user account before installing any software, and when I'm installing/updating any applications after that, I always login to the admin account for avoiding any installation problems just in case. I use this SuRun tool for one thing alone, and that's to be able to run problematic applications (in my case some games) that contain LUA bugs, so I don't need to waste time on manually changing permissions by using Filemon/Regmon.

    /C.
     
  4. tlu

    tlu Guest

    That's true. But as mentioned, this also affects, e.g., Windows subfolders or files if the limited account was used as an admin account before.

    I'm installing any software with SuRun without problems. There are only very few exceptions. For example, I remember that I installed Outpost Firewall some time ago. After installation a reboot was necessary, and after log-on a configuration window popped up automatically. If I had installed it with SuRun (or MakeMeAdmin at that time) I guess I would have run into problems. So, yes, I install system utilities that heavily influence the interiors of Windows in my admin account just to avoid problems. But 99% of all other apps can be installed with SuRun (even Kaspersky AV).
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    OK

    I am missing something with the newest 1.1 release. I run the installer and set the preferred context menu items, then logged off, NOTHING!

    Ok, i re-installed again and then proceeded to perform a complete reboot, after entering the GUI and checking PrivBar, the ADMIN (Red) account showed instead of USER'S group (Green).

    I subsequently reinstalled the previous version and everything showed up as expected, so i'm at an impasse here. I either missed something entirely or else more was required that i don't follow ATM.
     
  6. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    Greetings,

    Just out of curiosity, from your experience, how does it compare/fare from sudowin?

    I ask since, unless I missed some threads, SudoWin was only briefly mentioned on wilders, here :
    https://www.wilderssecurity.com/showthread.php?t=173011&highlight=SudoWin

    It seems closer to SuRun than Sudo, from what I can read on its homepage, e.g. :
    - Regards,
    - IVV.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I dunno if it can be successfully done or not but if I get my way with it, I like to run the newest SuRun on top of my existing ADMIN account and thus chop its privileges to USER but still be able to run COMODO D+ and EQS along with Returnil when needed in Session Manager.

    "THAT" will be the coupe de gras of FULL COVERAGE for my uses.

    So far, SuRun is proved outstanding!!

    Sorry i can't offer some comparisons because this is my very first attempt at ever running a Limited Account.
     
  8. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    NP, and thanks for this anyway. I'm also kinda new to it, actually.

    Sometimes, I think that, once, tools like DropMyRight had lured me in the complacency of Admin account risky business :p But no more.


    Regards,
    - IVV.

    ps: btw, perhaps did you mean "Coup de Grâce", no? ("coupe de gras" would translate as "cup of fat", lol).
     
  9. Infinite Luta

    Infinite Luta Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    19
    Location:
    Illinois, USA
    Nice find tlu. I've been wanting to start using a Limited User Account rather than Admin for a while now, and SuRun definitely makes it more comfortable. I've yet to give SRP a whirl, but it looks promising.

    I'd normally agree, but it looks like SuRun was made with security and possible pitfalls in mind.

    For example, SuRun stores its settings in a sub-key of HKLM/Security/, where the Users group has NO rights at all, not even read access. An app would have to have at least Admin privileges and modify a few permissions (or run as SYSTEM) before even getting access to the settings. After factoring in prompts being in a secure desktop and a few other odds and ends, there are no obvious security holes I can see.

    It's probably better to just avoid software that needs to be Admin, but it is possible. Ironically enough, you can use SuRun to do it in the same way you'd use DropMyRights (except that it obviously does the opposite).

    For example:
    %WINDIR%\SuRun.exe "C:\Program Files\Example Folder\ExampleApp.exe"

    The easiest way I can think to do it is to find the existing start-up entry with Autoruns, and edit it so it's launched by SuRun. The first time it's launched, the prompt comes up, you can tell it to not ask again (if desired), hit ok, and you're good to go.

    You'll probably want to enable "Never ask real Administrators to become members of 'SuRunners'" in options so if you log in to a normal admin account, the autorun won't trigger a prompt to become a SuRunner. Instead, it'll silently launch the app as it will detect that you're already an admin.
     
    Last edited: Mar 29, 2008
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    SuRun is running very well and has added another huge obstacle for any unwarranted attempt to make trouble on the system.

    Combined with some usually simple apps like Returnil, SandboxIE, or HIPS, this pretty much rounds out a better safe approach. Don't forget SRP too.
     
  11. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Supposedly tomorrow the new stable version 1.1.0.3 will be out. Kay did some hard work to make some more improvements.

    Some highlights:
    Tray icon for quick info about the rights of the actual program window
    Easier access to the settings page
    Different settings for the user accounts are possible (tray icon, balloon tips)
    More exact settings for apps, which get started with elevated rights
    Warning about admin accounts with empty passwords
    RunAs-replacement (optional)
    and more
     
  12. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Thanks for the info, Cosmo. I had tried the newer version but had a few troubles so went back to the older version. Haven't had a problem with it.
     
  13. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Tell more about your problems, perhaps there is a solution.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Same here. The newest version posed some issues for me when I tried to use my regular Admin account to have SuRun drop its permission level, just wouldn't take for some reason so I reverted back to the version that did install and run perfectly. However that older version would freeze up on the settings screen.

    Looking forward to trying this new one, maybe this one will be the keeper without issues.
     
  15. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Hi Cosmo

    I forgot what the problem was now. Something when I logged off and back on I think. The old version did all I wanted it to so I never bothered playing with the new to see what was going on. It might be where I am not on a domain and just a regular computer user.
     
  16. tlu

    tlu Guest

    V. 1.1.0.4 is out. 1.1.0.3 contained errors.
     
  17. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Thanks tlu. I might grab it sometime over the weekend and see if it works any better. I'm happy with the way things are working now but I can't resist a good test run. ;)
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    THANK YOU tlu FOR THE UPDATE NOTICE!

    I'm off to d/l and install it now. (Fingers crossed) This be the one.

    EASTER
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Need guidance tlu

    I may have too many security apps clashing.

    The newest SuRun installed like a champ but I have to let you know I also am running BOTH Comodo D+ AND EQS and there's a noticeable slowdown taking place because of this.

    Is it of your opinion I should drop either one or the other or both so that SuRun can assume its functions correctly?

    I'm getting pretty excited over this version of SuRun and don't want security apps getting in the way with exception of just maybe EQS.

    Thanks for any advice you can offer on this. Brilliant security app!!!
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I apologize for heaping posts so close together but i'm actively testing newest SuRun and i have another report, good one. So far i have disabled Comodo D+ and allow EQS to run and everything is proceeding fantastic so far.

    Please let me get this perfectly clear. SuRun is more an INSTALLER monitor, is this correct? Because on any install apps that require Admins permissions to initiate SuRun comes up in wait for an answer.

    So if I'm correct in this purpose of it, it's performing admirably as a great stand in preventing installs until given permission to either proceed or abort.

    This is new ground still for me because I long simply depended on security apps to watch and monitor as HIPS alerts displayed its findings in wait for an answer to proceed or not.

    Thanks for your patience and pls pass along my regards along to the author of this very ingenious method and app that's been provided for us users in an effort to better maintain complete control over potential sneak installs.

    UPDATE

    In EQS, there is an endless loop of "Modifying Memory Of Other Processes" from C:\Windows\SuRun.exe, is this something I'm going to have to deal with? And why is that?
     
    Last edited: Apr 12, 2008
  21. colinp

    colinp Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    46
    This program keeps getting better and better. Even though I have had no problems whatsoever with past versions, I really like this newest one.
    Running XP SP2, Avast, OA free and CMF, and so far all seem to get along.

    Colin
     
  22. tlu

    tlu Guest

    EASTER, I'm not using either application so I'm not sure if they can cause a slowdown. I had tested CFP some time ago (with D+ enabled) and I didn't have the impression that it conflicted with SuRun. (I had to temporarily shutdown CFP during installation/update of SuRun, though, but that might have changed in the meantime).

    Hm - I would rather call it a comfort option since an installation process started with user rights in a limited account would be stopped very soon anyhow. ;) Thus, it's not SuRun but the OS itself that prevents an installation. The new option in SuRun just makes installations more convenient as the SuRun window pops up automatically.

    Which version are you using? V. 1.1.0.3 had such problems that should be fixed in 1.1.0.4. If they aren't Kay should know about them. Have you considered participating in his forum?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    It's a cool tool, but on my VM I'm having minor problems, and I also don't like the fact that apps starting as admin will have a small delay, but I'm extremely picky when it comes to this stuff. I wonder if some other method could be used to speed up this process. Also, I have noticed that svchost.exe still runs as admin, the same goes for the SuRun service. Wait a minute, every service is running as admin, is this normal? And I still can't install apps sandboxed via SBIE, is this even possible? o_O
     
  24. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    In addition to that, maybe you find it helpful:
    The purpose of Surun is to give the limited user the option to start any application via right-click menu with elevated rights. That is the original function. In addition to that Kay has added a functionality (which can be disabled, BTW), which tries to find out if an application, normally started via double-click, does need elevated rights; installers usually do, but there are also other programs. If Surun thinks that elevated rights are necessary, it pops up and the user can decide if he accepts the proposal. Although Surun tries its best to find that out, you cannot tell that this proposal is always right: There might be applications where Surun suggests using elevated rights although it is not necessary, and there might be apps where Surun does not pop up although elevated rights are necessary. This is not restricted to installers and those suggestions are only an additional comfort built into Surun, so I join tlu by not calling it an installer monitor. (But in practical result it works as this.) Perhaps an example can make this clear: If you use Thunderbird or Firefox, you would and should normally not start it with elevated rights, but if you get informed that an online-update is achievable, then you must do that for upgrading. So in the end Surun is more than an installer monitor.


    @Rasheed:
    I have done much testing in the last days with Surun, using an old testing machine with a 1 GHz Athlon and only 256 MB RAM; so a machine which is far from being up-to-date. I have not noticed slowdowns, so I believe that there might be another reason.

    Regarding the processes that get started "as admin" (inclusive Surun): Surun does not change your OS. Services that have to work as SYSTEM process (I think you mean that) have to do that further on, otherwise your OS would break. Also the Surun service has to run as a SYSTEM service, otherwise it would not be able to elevate rights of the applications. But that is not a security problem. If you log on as limited user, the shell and all programs you start via double-click have limited rights.

    BTW: Did you manage your problems with Maxthon, that you described some weeks ago?
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    GOOD NEWS!!

    I just can't explain it, but seems it takes just some time for the new SuRun, almost like a HIPS to "Learn" the activity going on. I since have BOTH Comodo D+ & EQS running with it perfectly with no more delays. Guess it just needed to run awhile first to establish a fluid movement again.

    Tlu, i do however continue to get this in EQS v3.41 alerts at the lower bottom of the notify screen:

    Modifying Memory Of Other Processes
    Action: Allow
    Process Path: C:\windows\SuRun.exe
    Target Path: C:\Windows\SuRun.exe


    Since logs are set, it consistently is being looped in the logs of EQS every single microsecond because as soon as i clear all logs in EQS, they immediately fill up again.

    FYI: I get this same behavior anytime i run the Theme enhancer Styler and only stops when i shut Styler off, but i don't want to shut SuRun off of course.

    I like that GREEN smiley tray icon, nice touch to access settings. LoL

    BTW, XP Professional SP2

    EASTER
     
    Last edited: Apr 12, 2008