Windows XP turns 20: Microsoft’s rise and fall points to one thing — don’t fix what isn’t broken

Discussion in 'other software & services' started by mood, Oct 25, 2021.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,500
    Location:
    Italy
    Guys it's a shame to disperse these excellent topics in this thread.;):)

    The protection must be different and specifically designed because it depends on the browser used.
    In Edge with the renderer processes* at IL "AppContainer" probably no other protection is needed.

    https://blogs.windows.com/msedgedev/2020/09/30/microsoft-edge-multi-process-architecture/

    With Chrome with "Untrusted" renderer processes you need to take an extra precaution.
    Firefox with IL "Low" the precautions to be taken are even greater.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    I think you can only get AppContainer IL when using Application Guard, which is available in only Windows 10/11 Pro or above.

    EDIT

    Something is running Untrusted in Firefox...

    Firefox IL.png
     
    Last edited: Nov 28, 2021
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    I honestly didn't know it was possible to completely disable UAC. To me, setting UAC to ''never notify'' means disabling it and 99% of all people will think the same. Seems like setting the EnableLUA regkey to 0 will fully disable UAC, see link. But the question that comes to mind is, what difference would it make? So will this cause all processes to run with high IL, including browsers? And I don't see why home users would want to use this setting.

    https://superuser.com/questions/1013702/completely-disable-uac-in-windows-10
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    I see this has already been explained. In a real life attack, the browser would have loaded it from a server, and obviously SRP and other AE tools won't interfere with website loading. This was simply a demo of the exploit.

    If I'm correct, the old Edge that wasn't based on Chromium also made use of AppContainer for sandboxing.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    BTW, seems it was explained in the How User Account Control works article, my bad. However it doesn't explain any possible benefits or disadvantages from fully disabling UAC. It does mention that certain UWP apps won't work correctly.

    And as mentioned before, you don't need Windows Pro for this, you can simpy do it via the registry. This is one of the few articles that explain it clearly, but they don't explain that this is not the same as setting UAC to ''never notify'', weird stuff.

    https://www.tenforums.com/tutorials/112488-enable-disable-user-account-control-uac-windows.html
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,500
    Location:
    Italy
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,500
    Location:
    Italy
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Yes, I also noticed Firefox has an untrusted process, not sure why they still keep most of them on low IL instead of untrusted.
    And Edge does indeed not use AppContainer by default.

    Yes everything wil run with high IL by default and from your link it seems that windows explorer can write to files/folders that it can't with even UAC on never notify, not sure what else will change. It's indeed a setting you wouldn´t want to use.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,500
    Location:
    Italy
    It is possible to enable AppContainer in Edge 96 by adding, from the administrator account, a key to the registry.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    OK, my bad. So this caused a lot of confusion in the beginning of this discussion. But does this also mean that browser sandboxes are disabled by completely disabling UAC? I don't see why M$ would even give such an option, it doesn't make any sense.

    Like I said, to me it's all about getting rid of the dumb UAC alerts, that's all that matters. And AFAIK this is the same as running as admin as it was on Win XP, but apparently Win 8/10/11 keeps blocking stuff when UAC is set to never notify, but what's the point if malware can auto-elevate anyway?
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Yes, but the thing is even though Firefox'es parent process is Medium IL, it cannot save inside the windows folder when UAC not disabled and just set to never notify.
    I just confirmed this. With UAC set to never notify, Firefox cannot save inside the Windows folder, but when UAC is disabled, it can. MicEnum shows the Windows folder as Medium IL though. My User folders such as Downloads, Documents etc also show as Medium IL though and there should definitely be a difference between them, so maybe MicEnum is wrong. The MicEnum page says it is a graphical alternative to icacls.exe, but when I use that to check the folders, it shows no IL at all. According to the Didier Stevens blog that means that the folder has no explicit IL. So maybe MicEnum just assumes Medium IL when it doesn't see any IL.

    Even though the browser content processes still run with Low/Untrusted IL, the parent runs as High instead of Medium, that might weaken the sandbox. Only Firefox seems to change it back to Medium IL after a few secs, but as I stated above, it seems folder permissions are screwed anyway, so if someone hacks the browser they can just dump a malicious file or driver in the Windows folder without escaping the sandbox.
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,163
    Location:
    USA
    This all started with Vista and back then you could disable it entirely by moving the slider to disabled, which would give you one last prompt to approve the change. For anyone using Windows that long, disabled is disabled. I feel Microsoft has created some confusion by changing the functionality of the settings.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    OK, so in other words, UAC set to never notify might still block malware even when they get high IL? I guess that's what they mean with being a protected admin. And I still think it's weird that you guys didn't understand that setting UAC to ''never notify'' basically means disabling it. I mean completely disabling UAC isn't even possible via the Windows GUI.

    OK, so this would then perhaps somewhat weaken the sandbox and most likely that's why they removed this option way back in Win 8.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,163
    Location:
    USA
    As I stated, in the early days of UAC setting it to it's lowest setting literally disabled it. Folder virtualization was disabled, no prompts were given, and anything you did not have permission to access failed. In current OSes it does not seem to fully do so. When someone says they disabled it, I take that to mean they literally disabled it. I guess any confusion would come from whether we change the definition of disabled. I can't seem to find any screenshots of Vista to see that it said "Never Notify" back then, but dragging the slider all the way down shut it off completely and prompted a reboot. I'm not looking to offend or insult anyone, but to me "disabled" is taken to mean disabled and not silenced. People still say disabled when it is no longer the same. It becomes a matter of "what I said" vs. "what I meant". Working in IT I go with the "what was said" and if that is not what is meant further clarification is needed.

    As for the current functionality, as I do not use that setting I have not looked into the extent of what it does at this point in time compared to back then. It certainly lowers security else there would be no options, it would always be set that way. I really have to assume it does nothing to stop any malware. Many would argue it never did as the prompt makes it user dependent.

    Here is the latest article from Microsoft as to how it works. I'll be looking it over myself as time allows.
    https://docs.microsoft.com/en-us/wi...ccount-control/how-user-account-control-works

    -Edit:
    Looking it over, I think this is worth posting...
    The slider will never turn UAC completely off. If you set it to Never notify, it will:
    • Keep the UAC service running.
    • Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
    • Automatically deny all elevation requests for standard users.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    It's called Protected Admin because the Administrator is running in the same security context as a Standard user. It's explained in the link posted above (which happens to be the same one I posted in #97).

    Bold font added by me. Of course when you run as an Administrator with UAC set to "Never notify", you are not prompted for consent or credentials when an app requires administrative access. The other likely important takeaway when running with UAC set to "Never notify" under an Admin account is:

    • Not freeze other tasks until you respond.

    this video explains it well too:

    https://itfreetraining.com/70-640/protected-admin/

    EDIT

    I would also like to extend a heartfelt thank you to the forum Administrators for allowing (so far) this thread to go a bit OT. For myself and I'm sure for others who have participated in it, it's been a highly worthwhile "deep dive" into an important topic.
     
  18. Hadron

    Hadron Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    1,817
    Exactly. :thumb:
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,801
    Location:
    UK
    ..and is the same link as I posted back here

    https://www.wilderssecurity.com/thr...x-what-isnt-broken.441518/page-4#post-3051757

    I think it has turned out to be an interesting discussion for all of us.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    As said before, it does not disable UAC, so setting it to never notify does not basically mean disabling it. It may appear so on the surface, but it is certainly not the same.
    You could have known yourself. It literally says 'never notify', which means it does not notify, which implies 'it' is still running. The setting is not called 'off' or 'disabled'. When someone is knowledgeable enough about Windows to use HIPS, knows about integrity levels, kernel patch protection etc, people can assume that that person does not limit himself to a standard settings window, especially when a lot of Windows settings discussed here on Wilders(for example disabling telemetry) are also not available in the standard GUI settings. That you blame your mistake on others is rather rich.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Very true. Because of this discussion, I am now using a Standard User Account. Everything works fine. The only issue so far is that Firefox just fails to update from SUA, instead of requesting admin access like other applications. Does anyone using SUA have the same issue?
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,590
    Location:
    Canada
    No issues here.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,714
    Location:
    Outer space
    Oh maybe it is because I never activated background updates for Firefox, so they always needed an UAC prompt on the admin account.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    No worries and to clarify, I didn't mean it in a harsh way. But AFAIK, since Win 8 (or Win 7), which was launched in 2012, the ''never notify'' setting was introduced, and this is known as ''disabling UAC'' in general. So I was actually surprised that you guys misunderstood me, that's all.

    To clarify, I'm trying to figure out if when you run as Protected Admin with UAC set to ''never notify'', will it still interfere with certain actions from malware? Because apparently, even when UAC is set to ''never notify'', you're still not running with full admin rights.

    Yes sorry about that Stapp, I guess I should have read it better, because you did indeed mention it earlier in the discussion.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.