Windows 10 & limited account - edit startup programs

Discussion in 'other software & services' started by Mrkvonic, Sep 13, 2017.

  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,935
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,073
    Location:
    Toronto, Canada
    @Mrkvonic Great article and such a gem of a tool. I noticed that the latest stable release is quite old now, however, it is good to see many recent commits to source code with lots of great features and fixes coming.

    ToDo:
    ---------------------
    * Handle \??\C:\Windows\System32\conhost.exe* make Tray Windows for automagically started apps configurable
    * Hooks must directly write to Service pipe
    * on Win x64 detect x32 Executables on x64 hook (ShellExecute32->WoW->CreateProcess64)
    * On ShellExec/IAT-Hook: Create Process suspended! Hooks must resume process.
    * Create Inline Hook instead of IAT-Hook
    * GUI for SwitchToUser
    * Create a "Default" SuRunner for users that are not in "SuRunners"
    * MAP network drives
    * Checksums for "Always Yes" programs
    * use IContextMenu2/IContextMenu to implement an Icon/Popup menu
    * Console SuRun support
    * LOG-File for SuRun activity

    To be done in future:
    ---------------------
    * Use Radio-Buttons for (normal/elevated) Auto-Magic
    * Hide/Show all context menu entries consistently
    * make all context menu entries dynamically with ShellExt
    (E.g.: msi with popup-menu)

    Deferred Whishlist:
    ---------------------
    * icons for SuRuns context menu entries
    * Intercept CreateProcessAsUser in services and check for programs started
    with limited rights that need to be started as admin

    ------------------------------------------------------------------------------
    SuRun Changes:
    ------------------------------------------------------------------------------

    SuRun 1.2.1.3b3 - 2017-08-20
    ----------------------------
    * NEW: SuRun detects renamed computer and imports user's settings
    * FIX: User Bitmaps for Domain Users were not shown

    SuRun 1.2.1.3b2 - 2017-08-09
    ----------------------------
    * NEW: Moderated Restricted Surunners. ("User can only run predefined programs
    with elevated rights")
    If a restricted SuRunner tries to run a non validated Programm with
    elevated rights, SuRun will now ask for Administrator credentials to
    launch the program elevated in the user's context.
    * FIX: Fixed Spanish Resources

    SuRun 1.2.1.3b1 - 2017-03-11
    ----------------------------
    * NEW: SuRun Executables are digitally signed
    * CHG: Changed SuRun's Context Menu Strings from "<...>" to "SuRun: <...>"
    * FIX: Members of "Power Users" and "Backup Opeators" could not use SuRun
    * FIX: Bug in IAT-Hooks made Internet Explorer Crash on Windows 10

    The SuRun Changes, in particular, is a nice ChangeLog for what is coming up in the next release.

    I've tried building this from the most recent source code but far too many errors to compile. It would be great if the developer would share binaries for us to test those recent betas.
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    None of that for me. I limit the Administrator account with SRP. That prevents dangerous changes from being made to the system while at the same time still allowing me to drop restrictions temporarily when necessary.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    I didn't know that you can use SRP to prevent dangerous changes from being made to system. I thought it can be used only to control what can execute. Personally I use LUA to prevent dangerous changes to my system.
    Can you share your SRP configuration and rules?
     
  5. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296

    I use SSRP. Simple Software Restriction Policy. I only unlock the policy for software upgrades and to install new programs. I have edited the shipped software policy ini.file to allow certain programs to run from locations normally disallowed by the SRP.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,064
    I doubt that this will offer a level of protection you would get if you applied an approach as suggested by Mechbgon which is still the way to go, IMHO. With your approach you still have to rely on UAC if an application which you allow in SRP tries to write in a folder/registry branch where admin rights are required. As often discussed here, UAC is not a security boundary (although setting it to max improves the situation) whereas a limited user account is: You don't have write permission to critical folders/registry branches. Period. Hence, the combination of a LUA with SRP is ideal. Besides, I don't see any reason why one should not implement Mechbgon's advice: I haven't used my admin account in ages as I've been able to perform everything (without any exception I can remember) in my LUA with UAC.

    Back to the topic: What advantages does SuRun offer over UAC in Windows 10? I guess it was certainly very useful in Windows XP/2000 - but in W10? Perhaps I'm missing something ...
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    Yes but SSRP probably won't block "dangerous changes made to system". It will only block execution of non-whitelisted applications. That's not the same as preventing dangerous changes from being made to the system, as you said it.
    LUA OTOH can.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,064
    Exactly. You said it in better words than I did.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,935
    Summerheat, it offers the ability to execute some apps/processes you cannot do with the standard admin privilege elevation prompt. Like the example above. You can also whitelist apps for auto-elevation, and a few other neat tricks.
    Mrk
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,064
    Thanks - I hadn't read thoroughly enough. My bad ...
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    SRP blocks execution of executables from locations from which they shouldn't run. I do have to whitelist applications from there that do need to be allowed to run. That why it blocks ransomware because of where its dropped to. And if it can't run, it can't encrypt Windows folders and their contents.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    Yes that's true but ransomware is only one part of dangerous changes that can happen to system. If whitelisted app is abused it can do harm to your system also. And SRP won't protect you here (application is whitelisted and SRP doesn't care what it will do once it's run). Dangerous changes to system don't come only from new (unknown) executables, but from known (whitelisted) also. LUA can help you there.
    SRP and LUA offer different kind of protection. One doesn't substitute the other but they rather complement each other.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,064
    Exactly! That's why Mechbgon rightly says: "it's a Catch-22 for the bad guys".
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,059
    Location:
    Canada
    I could never understand why people won't run as a Standard User the majority of the time. Only when I've changed permissions on directories have I needed to run as Administrator.

    Default-deny is a great enhancement for sure to an LUA. It can get tricky in some cases, however, when you come across user-space executables or a DLL that require a lengthy Path rule such as:

    Code:
    %OSDRIVE%\USERS\*\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\*.DEFAULT\EXTENSIONS\SUPPORT@LASTPASS.COM\DATA\NPLASTPASS64.DLL
    A Hash rule is a bit more secure but then it needs updating whenever the DLL changes via an update.

    EDIT

    ...even better, I was able to create a Publisher rule off the DLL :)

    Code:
    NPLASTPASS.DLL, version 4.1.0.0 and above, in NPLASTPASS, from O=LASTPASS (MARVASOL INC), L=FAIRFAX, S=VA, C=US
     
    Last edited: Sep 17, 2017
Loading...