SuRun - SUDO in Windows - Tutorial

Discussion in 'other software & services' started by Mrkvonic, Dec 11, 2008.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi all,

    I've updated the tutorial, following advice by tlu and Kays. I've changed a few sections, namely the password protection and the use of program lists. One, I clarified the necessity for password protection. Two, I fixed an error in the explanation of the program list functionality.

    Hope you like it ...

    Cheers,
    Mrk
     
  2. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    Installed on one machine and trying to get it to work.
    Context menu works. Windows Explorer, etc works. Some other executables work.
    In a limited user mode, I am unable to get Avast virus checker to work fully. Tried to place into program list, the files shed.exe, ashSimp2.exe, ashQuick.exe. None of these work, therefore Avast is unable to be scheduled, it can do a scan but some files cannot be moved or deleted. The SuRun icon in the system tray does not turn red.
    Can anyone help with this?
    Thanks
     
  3. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    Mrkvonic you are doing a great job with the tutorial.
    I must admit that I was confused about the program list. I am a new user and I guess, your target for the tutorial. In fact without your tutorial I would not have tried SuRun.

    Unfortunately, I am still confused about the description of the program list. I have difficulty following the double negatives, references to the 'option' and whitelist/blacklist analogy.

    My understanding of the option:
    "Users can only run predefined programs with elevated user rights"
    Ticked - User can only run programs in the program list with elevated user rights. The user cannot select programs with the context menu in explorer.
    Unticked - User can run the programs in program list as well as select programs with context menu in explorer.

    I think that a better description for the option could be "User may select programs using the context menu in explorer" and have it selected by default. This is because the programs in the program list may be executed with the option selected or not. This is also why I didn't follow the whitelist/blacklist analogy. Maybe the option text lost something in the translation from German - I don't know.

    This is not meant to be a criticism of the tutorial, just my understanding of the option and program list. I hope my understanding is correct.
    Keep up the good work.
     
    Last edited: Dec 20, 2008
  4. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    I just noticed something. The files above are launched by Avast and not explorer. Could this be the problem? Does SuRun only launch applications with higher user rights initiated by explorer?
    Thanks
     
  5. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    I think I found the problem. Actually there are two.
    1) Under settings Execution Hooks, the second option is 'Set a hook into all processes that directly execute applications'. There is a note to say that if this option is not selected some programs will not execute. Unfortunately, I think that this is the case with the option selected also. For example:
    In a batch file a program is executed. Place this program into the program list and set up to always execute automatically. Run the batch file. It will be found that the program specified runs but Not under elevated rights.

    2) If a program is added to the program list and then it needs to be operated with different command line switches, it will Not have elevated rights.

    These are major failings in SuRun for some people like me. This means that for me, the main reason for using SuRun is to have Avast virus checker fully operational, doesn't work due to problem 1. Unfortunately, there appears no way to overcome the problem. Maybe in a future revision.
     
  6. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks for writing the tutorial. Unfortunately I'm in a mental mess right from the start.

    I have an admin account - set up just the way I want it. When I set up SuRunner and log off - nothing is there. I can't open outlook for example.

    When everything is set up am I going to be running on a daily basis with the SuRunner account or the old admin account?
    Is there any way to copy the old admin account before starting, so that I can then have all my programs running and use SuRun to then remove admin rights?

    Sorry but I've lost the plot here in act 1
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    If you use your own account and convert it to be a surun account, it will become limited. Or you can create a new one and start from scratch.

    I recommend you practice on a new account, get things started and working, add apps, install etc ... and then try on your productivity account.

    Mrk
     
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks Mrk

    I have installed SuRun on my original Admin account and given the following admin rights. Account now shows as limited apart from these programs. Seems to be working.

    0=""C:\Program Files\Secunia\PSI\psi.exe" --start-in-tray"
    1=""C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe""
    2=""C:\Program Files\Shadow Defender\Defender.exe""
    3=""C:\Program Files\DiskTrix\UltimateDefrag2008\UDefrag.exe""
    4=""C:\Program Files\Java\jre6\bin\jqsnotify.exe""
    5=""D:\Storage\Programs Installed\D Temp\DTemp.exe""
    6=""D:\Storage\Programs Installed\CoreTemp\Core Temp.exe""
    7=""C:\Program Files\jv16 PowerTools 2007\jv16PT.exe""
    8=""C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup"
    9=""C:\Program Files\Secunia\PSI\psi.exe""
    10="C:\RegSeeker\RegSeeker.exe"
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    OK so having played for a few days I have now:

    installed SuRun
    set up settings password
    converted my original admin to Standard User with the exception of the following

    [WhiteList]
    0=""C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup"
    1=""C:\Program Files\Secunia\PSI\psi.exe" --start-in-tray"
    2=""C:\Program Files\Java\jre6\bin\jqsnotify.exe""
    3=""D:\Storage\Programs Installed\D Temp\DTemp.exe""
    4=""D:\Storage\Programs Installed\CoreTemp\Core Temp.exe""
    5=""C:\Program Files\Secunia\PSI\psi.exe""
    6=""C:\Program Files\jv16 PowerTools 2007\jv16PT.exe""
    7=""C:\Program Files\DiskTrix\UltimateDefrag2008\UDefrag.exe""
    8=""C:\Program Files\Shadow Defender\Defender.exe""
    9="C:\RegSeeker\RegSeeker.exe"
    10=""C:\Program Files\IObit\Advanced SystemCare 3\AutoSweep.exe" /all"
    [WhiteListFlags]
    0=3
    1=3
    2=3
    3=3
    4=3
    5=3
    6=3
    7=3
    8=3
    9=3
    10=3

    Everything seems to work fine

    3 questions:

    (1) User can only run predetermined programs with elevated rights is still unchecked - and yet the 10 programs above are listed as whitelist. Don't understand why I as the only user of the machine might want to check "user can only run pre........rights"

    (2) 2 programs (Secunia PSI and Advanced System care) appear to need to be in this list. The others could be used with Start as Administrator. Would it be safer to not have these in the list and click start as admin every time?

    (3) The way I see it I have allowed 10 programs to operate with elevated rights and nothing else ? so if I am ever lucky enough to come across something bad, and it manages to get past FF No scripts, and to survive a Shadow Defender reboot then provided it requires admin rights it will do no harm ?

    anything else obvious that I should do ?
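
An added example, not part of any post in this thread: a small Python audit of a program list in the layout Long View posted, grouping the whitelisted command lines per executable (Frank1 reported above that a listed program started with different switches is not elevated) and listing executables stored outside the system folders so their file permissions can be checked. The sample is constructed, the function names and `TRUSTED_ROOTS` are assumptions of this example, and the flag values are carried through without interpretation.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the list posted above (not a real export).
SAMPLE = r'''
[WhiteList]
0=""C:\Program Files\Secunia\PSI\psi.exe" --start-in-tray"
1=""C:\Program Files\Secunia\PSI\psi.exe""
2=""D:\Storage\Programs Installed\CoreTemp\Core Temp.exe""
3="C:\RegSeeker\RegSeeker.exe"
[WhiteListFlags]
0=3
1=3
2=3
3=3
'''

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")  # assumption: admin-only write access

def parse_sections(text):
    """Return {section: {index: raw_value}} for the simple INI layout above."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[int(key)] = value
    return sections

def split_command(raw):
    """Strip the outer quotes, then split into (executable, arguments)."""
    cmd = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    m = re.match(r'"([^"]+)"\s*(.*)$', cmd) or re.match(r'(\S+)\s*(.*)$', cmd)
    return m.group(1), m.group(2)

def audit(text):
    """Group whitelisted command lines by executable and list paths to review."""
    sections = parse_sections(text)
    flags = sections.get("WhiteListFlags", {})
    by_exe, review = defaultdict(list), []
    for idx, raw in sorted(sections.get("WhiteList", {}).items()):
        exe, args = split_command(raw)
        by_exe[exe.lower()].append((args, flags.get(idx)))
        if not exe.lower().startswith(TRUSTED_ROOTS) and exe not in review:
            review.append(exe)
    return dict(by_exe), review
```

Calling `audit(SAMPLE)` returns the per-executable command lines and the paths to review; an executable that a limited user can overwrite and that is elevated from this list would defeat the point of running as a limited user, so those paths are the ones to check first.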
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    There is a big difference between setting up a machine for a single user and a multi-user environment. If you must have untrusted users on your machine, then you should whitelist. If you're the only user, then you can go with the defaults.
    Mrk

    P.S. Nothing will get past FF with Noscript ... even without Noscript :)
     
  11. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
  12. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Yes - I know, I know. It's just that without any software firewall, A/V, A/S or Hips to go wrong I have to play with something to keep busy.
     
  13. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    I started to do this but gave up when I found that I didn't have:

    c:\documents and settings\<user>\start\program files\autostart
    c:\documents and settings\all users\start\program files\autostart

    I wonder if the latest version of SuRun has taken care of this ?
     
  14. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    I have a little problem.
    I have installed SuRun on my Windows XP SP3 machines and appears to work.
    I have an Admin account with full rights and a limited user account controlled by SuRun.
    When I boot the machine I get a warning message from SuRun:

    "WARNING!: The following Administrator accounts have no password:
    ComputerName\Administrator
    Using SuRun is useless if you do not set a password for these accounts!"

    In the Control Panel User Accounts there is no such user as Administrator.
    There is a folder C:\Documents and Settings\Administrator with a Local Settings folder under that, but all empty.
    I tried to delete this folder, but it gets recreated.

    Is there a way of getting rid of this Administrator folder so that it doesn't get recreated?
    Thanks
     
  15. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I think administrator is there automatically.
    If you reboot and instead of entering your user name you enter Administrator and no password, then go to user accounts, you will find the Administrator account and can then set up a password. Don't think you can kill it off. There has to be an Administrator account I believe.

    Hope this helps - sorry if wrong.
     
  16. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    Thank you Long View for your reply.
    I have an administrator account called Admin. There is also a folder called "C:\Documents and Settings\Admin" with lots of subdirs used by Admin. I can log into this account, but cannot find an account called "Administrator". So, I cannot log into this account and therefore cannot set a password.
    Still need help.
     
  17. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    If you go into user account and then change the way users log on and change so that you get a log on screen. Then reboot and type in the word Administrator instead of your limited account name I would hope that this takes you into the Administrator account ?
     
  18. tlu

    tlu Guest

    During the installation process of Windows an Administrator account is created (which is normally not visible in the XP Home edition unless you start Windows in safe mode by pressing the F8 key at the beginning of the boot process and selecting safe mode). In addition at least one account is created that has administrator rights - that's the account you have been working with so far. (Note that there seem to be some OEM editions of Windows that do not create such a default Administrator account.)
     
  19. tlu

    tlu Guest

    It might be that the folders are called a little bit differently depending on the language version you're using - see this post. Kafu should work in any case.

    And no, SuRun doesn't take care of this - that's not its business ;)
     
  20. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    Long View, that did the trick.
    I managed to get into the Administrator account and setup a password. It should work now.
    Thanks a lot.
     
  21. vhick

    vhick Registered Member

    Joined:
    Jan 21, 2006
    Posts:
    224
    Location:
    Noypi.........
    Last edited: Jan 15, 2009
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Just for kicks, try a different name ...
    Mrk
     
  23. vhick

    vhick Registered Member

    Joined:
    Jan 21, 2006
    Posts:
    224
    Location:
    Noypi.........
    Thanks... I just put "default" user name and it works...
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Bob's your uncle! And mine too!
    Mrk
     
  25. Frank1

    Frank1 Registered Member

    Joined:
    Dec 19, 2008
    Posts:
    17
    Hi,
    Just noticed on both my computers that I don't have "Open control panel as administrator" in context menu on the desktop.
    Checked the setting in Common Settings, Shell Integration and it is ticked. So it should be working.
    Is there anything else I should be setting as well?
    Thanks
     