Permitting a specific exe to run in standard user mode.

[Philip Roberts]

I hope that there is a way that this can be achieved...

New vista home premium pc. Me as administrator, son (4 yrs old) as
standard user.

One of his games (Mr Men) needed my password to install it (which is
fine) but still requires my password every time he runs it. A major
major pain.

There is a specific executable that needs approval.

How can I set the permissions on this executable so that it will run
under a standard user?

If not are there any workarounds?

Thanks in advance

Phil Roberts

 

[Darrell Gorter[MSFT]]

Hello Phil,
Try creating a shortcut to the Game.
Then right-click the shortcut and choose properties.
Choose the shortcut tab and then the Advanced Button
Try selecting the run as administrator option.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|>Date: Sat, 17 Feb 2007 22:11:26 +0000
|>From: Philip Roberts <pjr@keane_getridofthisbit_roberts_andthisbit.co.uk>
|>User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
|>MIME-Version: 1.0
|>Subject: Permitting a specific exe to run in standard user mode.
|>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
|>Content-Transfer-Encoding: 7bit
|>Message-ID: <#[email protected]>
|>Newsgroups: microsoft.public.windows.vista.security
|>NNTP-Posting-Host: keaneroberts.demon.co.uk 83.104.171.225
|>Lines: 1
|>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
|>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.vista.security:1863
|>X-Tomcat-NG: microsoft.public.windows.vista.security
|>
|>I hope that there is a way that this can be achieved...
|>
|>New vista home premium pc. Me as administrator, son (4 yrs old) as
|>standard user.
|>
|>One of his games (Mr Men) needed my password to install it (which is
|>fine) but still requires my password every time he runs it. A major
|>major pain.
|>
|>There is a specific executable that needs approval.
|>
|>How can I set the permissions on this executable so that it will run
|>under a standard user?
|>
|>If not are there any workarounds?
|>
|>Thanks in advance
|>
|>Phil Roberts
|>

 

[Rock]

I hope that there is a way that this can be achieved...

New vista home premium pc. Me as administrator, son (4 yrs old) as
standard user.

One of his games (Mr Men) needed my password to install it (which is fine)
but still requires my password every time he runs it. A major major pain.

There is a specific executable that needs approval.

How can I set the permissions on this executable so that it will run under
a standard user?

The game is not coded properly for Vista. It is asking to run in an
administrator context, hence the request for elevation. From the standard
user account that means supplying an account name and password. Were you to
run it from your administrator account it would still ask for permission for
the elevation. There is no way around this. The options are supply the
account name and password, turn off UAC (not a good idea) or see if the
program author has a new, Vista aware version.

 

[Philip Roberts]

Thanks for the info

The game (an educational title for 4 to 6 year olds) probably isn't even
coded properly for XP.

The chances of the publisher doing an update are less than zero.

So as I understand it, in the real world, my only options are:

1. Upgrade my 4 year old to an administrator account and teach him a
password (different to mine) then he can authorise the prgrammme (and
anything else he wants)
2. Leave things as they are and type a password in every few minutes
when he wants to change from program a to program b. - A right royal
pain in the backside and not good for stress levels in the family.
3. Disable UAC - impact is probably same as 1 above in terms of security
but gets rid of the annoying prompts.

I understand the concept of UAC but question whether sufficient
usability testing was done for the impact on legacy programs which are
huge in the (cash short) educational sector.

If any MVP's have an influence on what happens in Service Pack 1, please
try to get a workaround for this issue - It has to be safer for
specific applications to be authorised to 'run silently' (even if there
are an appropriately large number of hoops to jump through to enable
this) than to drive the users to disable UAC.

Regards

Phil

 

[Philip Roberts]

Thanks for the idea, it part works.

When I am logged in as an administrator I get prompted to say I've run
the program before and I trust it - which is fine.

When I run the program as my son I get the "an unidentified program
wants access to your computer" message and have to enter an
administrator password to continue.

Does anyone know a way of making this program 'idenitified'?

Regards

Phil

 

[Rock]

Responses inline.

Thanks for the info

The game (an educational title for 4 to 6 year olds) probably isn't even
coded properly for XP.

The chances of the publisher doing an update are less than zero.

So as I understand it, in the real world, my only options are:

1. Upgrade my 4 year old to an administrator account and teach him a
password (different to mine) then he can authorise the prgrammme (and
anything else he wants)

If he's running in an admin account then once logged in no password is
needed for elevation, just click ok at the elevation request. Of course if
he's conditioned to do that then any malware that tries to run and triggers
this prompt will likely get permission as well.

An admin account is running as a standard user. The difference is when
elevation is requested from an admin account it just takes clicking on Ok,
from a standard user account the user has to specify an admin level account
name and give the password.

2. Leave things as they are and type a password in every few minutes when
he wants to change from program a to program b. - A right royal pain in
the backside and not good for stress levels in the family.

3. Disable UAC - impact is probably same as 1 above in terms of security
but gets rid of the annoying prompts.

It's worse, becaues then permission is not needed for elevation. Any
nasties can do what they want. As said above an admin account still runs as
a standard user.

I understand the concept of UAC but question whether sufficient usability
testing was done for the impact on legacy programs which are huge in the
(cash short) educational sector.

A huge amount of testing was done on this and during the Beta program many
changes were made to reduce the number of UAC prompts.

If any MVP's have an influence on what happens in Service Pack 1, please
try to get a workaround for this issue - It has to be safer for specific
applications to be authorised to 'run silently' (even if there are an
appropriately large number of hoops to jump through to enable this) than
to drive the users to disable UAC.

I have to chuckle here. MVP's don't have any particular influence on MS OS
development. It was the combined input of the thousands of Beta testers
during the TechBeta that resulted in the changes that were made to UAC
reducing the # of promts. It's unknown what changes might be made in SP1.

 

[Rock]

What about setting up a computer for his use that doesn't have internet
access, is set up in XP and runs his games. Image the system, then he can
do all the damage he wants and you restore the image as needed.

 

[Philip Roberts]

Thanks

My best option is making him an Admin then

Regards

 

[Philip Roberts]

Good idea, thanks. It is close to the solution that I intend to implement.

Our internet connection runs through a hardware firewall appliance that
I will configure to allow access to the bbc (so that he can get to the
cbeebies site and nowhere else) - I can disable the restriction
periodically to get any updates etc.

Then I can make his account an administrator and he can authorise his
own games.

Imaging the machine is a good idea, once he has admin rights he could
potentially do other things and I may have to do a restore from time to
time.

Regards

Phil

BTW - if anyone has small kids and hasn't visited the cbeebies website
at the bbc I can higly recommend it.

 

[cquirke (MVP Windows shell/user)]

On Sun, 18 Feb 2007 08:44:47 +0000, Philip Roberts

The game (an educational title for 4 to 6 year olds) probably isn't even
coded properly for XP.

When was it written?

I understand the concept of UAC but question whether sufficient
usability testing was done for the impact on legacy programs which are
huge in the (cash short) educational sector.

Most of the thrust of UAC is to live with legacy-written apps.

If any MVP's have an influence on what happens in Service Pack 1, please
try to get a workaround for this issue - It has to be safer for
specific applications to be authorised to 'run silently' (even if there
are an appropriately large number of hoops to jump through to enable
this) than to drive the users to disable UAC.

I don't think so. We've had 5 years of XP, where it was manifestlyy
obvious to programmers that they should write software to work without
needing admin rights, and most of 'em stayed fast asleep at the wheel.

Vista's bending over backwards to cater for these apps, but I think
it's time badly-written apps got Darwin'd off the platform. I think
Vista's currently as far bent for pre-XP-mentality app writing as it
is going to get, and if anything I expect SP1 may tighten things
further, especially if compromises made for such apps get exploited by
malware. Any app that is written since 2003 for 4 year olds that
needs admin rights is long overdue for the thresher.

--------------- ---- --- -- - - - -

Saws are too hard to use.
Be easier to use!

 

[Philip Roberts]

The app is copyright 2003. I have contacted the publisher, though I
doubt that there will be an update available.

While I accept that UAC has some benefits for the future and that in x
years time all applications might conform to the vista spec, there are
going to be a huge number of legacy applications that won't. Ever.

The present UAC model gives a choice a) don't use the app, b)use the app
but be plagued by authorisation requests or c)disable UAC or in some
circumstances d) upgrade the user to an administrator.

People being people are likely to opt for c) which defeats the purpose
of UAC (but lets microsoft off the hook if there are problems with the
'they disabled our protection' excuse) or d) which introduces other
problems (but is better than c)

In practical terms I feel that a register of 'authorised apps' including
a MD5 checksum and other protections would have been an appropriate
solution to the situation I find myself in. Yes, there is a remote
possiblity that an application could be replaced by malware, but this
risk has to be weighed up against the disadvantages of creating
administrator accounts for people who should be to be standard users or
disabling UAC.

I suspect that we will have to agree to differ (not that there is much
chance of Microsoft changing their position).

I read that Vista take up is significantly lower than XP. I will be
warning fellow parents of my own experiences advising them to stick with
XP or 2000 for the time being.

Regards

Phil

 

[Wayne McGlinn]

The app is copyright 2003. I have contacted the publisher, though I doubt
that there will be an update available.

While I accept that UAC has some benefits for the future and that in x
years time all applications might conform to the vista spec, there are
going to be a huge number of legacy applications that won't. Ever.

The present UAC model gives a choice a) don't use the app, b)use the app
but be plagued by authorisation requests or c)disable UAC or in some
circumstances d) upgrade the user to an administrator.

People being people are likely to opt for c) which defeats the purpose of
UAC (but lets microsoft off the hook if there are problems with the 'they
disabled our protection' excuse) or d) which introduces other problems
(but is better than c)

In practical terms I feel that a register of 'authorised apps' including a
MD5 checksum and other protections would have been an appropriate solution
to the situation I find myself in. Yes, there is a remote possiblity that
an application could be replaced by malware, but this risk has to be
weighed up against the disadvantages of creating administrator accounts
for people who should be to be standard users or disabling UAC.

I suspect that we will have to agree to differ (not that there is much
chance of Microsoft changing their position).

I read that Vista take up is significantly lower than XP. I will be
warning fellow parents of my own experiences advising them to stick with
XP or 2000 for the time being.

Regards

Phil

<snip>
The other alternative is to download a free copy of Microsoft's Virtual PC
and install your old version of XP into a virtual environment. It's very
simple to setup and is in fact a really good way to "sandbox" your child's
computer environment away from yours. If you have any questions, please ask


Wayne McGlinn
Brisbane, Oz

 

[cquirke (MVP Windows shell/user)]

On Sun, 18 Feb 2007 20:44:32 +0000, Philip Roberts

The present UAC model gives a choice a) don't use the app, b)use the app
but be plagued by authorisation requests or c)disable UAC or in some
circumstances d) upgrade the user to an administrator.

Compare that with XP: a) don't use the app, or d) upgrade the user to
an administrator. At least UAC gives you more choices.

BTW: Some things that may help are the compatibility settings, i.e.
setting the app's Properties to run as if in XP, Win98, etc.

People being people are likely to opt for c) which defeats the purpose
of UAC (but lets microsoft off the hook if there are problems with the
'they disabled our protection' excuse) or d) which introduces other
problems (but is better than c)

We're already hearing prissy folks claim "if you were not running as
administrator..." as a mitigating factor, e.g. in exploit
documentation, ignoring the reality that XP in anything less that
admin rights simply can't run most consumer apps and games.

So, IMO we're on the right track. Vista gives you more choices,
forces app writers to get with the program (as they have failed to
respond to being "asked nicely"), lessens the risks of the most of us
that run as admin all the time... and as these pressures Darwin sweare
writers into shape, it will be more and more practical to limit user
accounts short of admin rights in the real world outside pro-IT.

In practical terms I feel that a register of 'authorised apps' including
a MD5 checksum and other protections would have been an appropriate
solution to the situation I find myself in. Yes, there is a remote
possiblity that an application could be replaced by malware, but this
risk has to be weighed up against the disadvantages of creating
administrator accounts for people who should be to be standard users or
disabling UAC.

UAC is the first security technology from MS that puts the interactive
user above software automation in terms of power. As such, any
programmaticly-possible way to white-list an app against UAC alerts is
going to undermine the main purpose for UAC.

I do see the problem, though; for me, the ickiest bits are:
- startup apps that need admin rights (no workarounds)
- editing the "All Users" Start Menu (nag, nag, nag)

OTOH, you're ahead of me, trying to use non-admin rights in the real
world. I tried that once in XP Gold, and when I saw that dropping
rights re-duhfaulted the UI back to MS settings (hiding file name
extensions etc.) I thought I'd rather have a safer UI than whatever
notional advantages limited rights might have offered.

I read that Vista take up is significantly lower than XP. I will be
warning fellow parents of my own experiences advising them to stick with
XP or 2000 for the time being.

I wouldn't accept delivery of a new PC with XP, as it's like being
1-year-depreciated from Day Zero. But I wouldn't upgrade XP to Vista
either, and if I could hold off getting a new PC awhile, I might do
that too. It's always hard with new OS and drivers etc. but I don't
subscribe to the "wait for SP1" mentality either.

And yes, there's much to like in Vista, and I'm not just talking
eye-candy either. Try new functionalities like the Reliability
Monitor, the WinRE built into the installation DVD, etc.; all expand
XP's placeholder stubs into real and useful functionality.

--------------- ---- --- -- - - - -

Saws are too hard to use.
Be easier to use!

 

[Knox]

Hi,

Sorry to be late jumping in here. When an application doesn't run right, it
may be worth investigating what the app is doing that causes the failure.
Olden programs, especial games, frequently do "bad" behavior like writing to
the C:\program files\Badgame folder. Or a little worse, the C:\Badgame\
folder.

You might try setting the NTFS rights on the badgame folder to allow your
son to have read and write (full) privileges. Does it weaken security by
doing this? Yes, but only a tiny fraction compared to making your son an
administrator.

There's other bad behavior the game could do like writing in the windows
folder, or writing to system registry settings. But that seems less likely.

If the above suggestion doesn't work and you're really willing to dig, then
try the tool
http://www.microsoft.com/technet/sysinternals/utilities/Regmon.mspx

It will you what type of files and registry settings the program is
accessing. Perhaps we can change the privileges of whatever the program is
doing so that it will work as a standard user.

To see an example of how Lee Holmes cracked programs so they would run as
non-admin's under XP, take a look here:
http://www.leeholmes.com/blog/CrackingSoftwareToRunAsNonAdmin.aspx


Good luck!

Knox

 

[Guest]

We're already hearing prissy folks claim "if you were not running as
administrator..." as a mitigating factor, e.g. in exploit
documentation, ignoring the reality that XP in anything less that
admin rights simply can't run most consumer apps and games.

Beg to differ here, Chris - this is not ignoring reality, it's trying to
change behaviour.

Not running as administrator is a mitigating factor, except in the case that
you run as administrator.

The reality that most consumer apps and games run as administrator is cause
to chastise the authors of consumer apps and games, who should not be
insisting that you run as the computer administrator when you are totalling
up your cheque book payments, or trying to teach your kid how to add.

Reality ... that's telling your software vendors "this behaviour is
unacceptably dangerous, and is the reason I keep getting viruses - I refuse
to use your software, because your software forces me to cut my arm and
apply the wound to the sewer."

Alun.
~~~~

 

[Guest]

My best option is making him an Admin then

No.

Your best option is to have the game's authors fix its bad behaviour.

Your second best option is to return the game for a refund, and buy a
suitably safe game instead.

Your third best option is to find a way to fool the game into thinking it
has the admin rights it thinks it needs.

Making your kid an admin is way down the list of options, and by no means
appears as one of the "best".

Alun.
~~~~

 

[Guest]

My best option is making him an Admin then

No.

Your best option is to have the game's authors fix its bad behaviour.

Your second best option is to return the game for a refund, and buy a
suitably safe game instead.

Your third best option is to find a way to fool the game into thinking it
has the admin rights it thinks it needs.

Making your kid an admin is way down the list of options, and by no means
appears as one of the "best".

Oh, and quit being so coy. Name the app. Submit it to
http://www.threatcode.com/admin_rights.htm - it's in good company, given the
list there and at http://www.microsoft.com/kb/307091

Alun.
~~~~

 

[cquirke (MVP Windows shell/user)]

"cquirke (MVP Windows shell/user)" wrote

Beg to differ here, Chris - this is not ignoring reality, it's trying to
change behaviour. Not running as administrator is a mitigating
factor, except in the case that you run as administrator.

We're saying the same thing.

It's interesting that we talk of big monopoly vendors having power
over the industry, but it often doesn't work that way. IBM declares
the PC obsolete, to be replaced by thier PS/2 systems; the industry
tells them to get lost. Intel trumpets RAMBus as a must-have; the
industry tells them to sod off. MS says "all device drivers should be
signed" and "sware should work with limited-rights user accounts" and
the sware dudes just shrug and carry on doing the same old stuff.

After 5 years of QuickBooks needing admin rights, just about every
game needing admin rights, etc. clearly the mountain had to move
towards sware bad practice. What's the alternative; wait another 5
years for sware vendors to get a clue?

Hence UAC, and a lot of behind-the-scenes smarts that we haven't seen
since the Win95 mission-impossible brief to run DOS and Win3.yuk apps
better than the native platforms (Win3.yuk could barely run DOS apps
at all, especially games) plus do all the 32-bit stuff. In 4M RAM.

Vista-64 is the place to dig in the heels; new platform, no
compromises. Sign your drivers or die. Run with limited rights or
die. Stay the hell out of the kernel, etc.


Mind you, I always thought it was ridiculous to graft NT's
corporate-orientated user-based model to consumerland in the first
place - it's as irrelevant as oars on a bus. Why should I pretend to
be different people with different job descriptions to use my own PC?
Why should I have to log in and out just to do different things?
Makes no sense, from a consumer's perspective.

So we didn't see consumers asking sware vendors to get it right, and
we still don't... except that as new apps emerge that work better with
Vista, folks will say "I want some of that". It won't be "work with
lowered rights", it will be "work" - the mechanics of why it doesn't
work will no longer be an incompatibility with an option feature
no-one really likes or understands, as limited user accounts are.

Also, no matter how limited an account is, it always has the right to
write (and therefore, to destroy) the user's data - which is the most
important thing for the user, even if it's irrelevant to the vendors.

The reality that most consumer apps and games run as administrator is cause
to chastise the authors of consumer apps and games, who should not be
insisting that you run as the computer administrator when you are totalling
up your cheque book payments, or trying to teach your kid how to add.

Yup. We tried beating the sware dudes, for 5 years of XP, and it
hasn't got us an inch closer to being able to use limited accounts in
consumerland. Time to try a different approach.

Frankly, I'd stop trying to make everyone pretend to be an MSCE
bullying a herd of headcounts on behalf of a non-existant boss.

Instead, I'd re-abstract a model based on what we actually want.

What we want is for sware to state upfront what it will do, and then
be limited to doing that and nothing else.

"Hi, I'm a cute screensaver!"

' Fine, then you have no business snorting my data or accessing the
Internet. Here's your box; screensave your ass off, but if I catch
you groping my data or calling home, you WILL get stomped '

"Hi, I'm your friendly media player! I call home all the time, to
send out 'anonymous traffic statistics' !"

' That sucks. Next! '

"I'm also a media player, but I can just play audio files and CDs
without having to call home or wave adverts in your face!"

' Cool, you got the job '

"I'm an accounting app, so I need to access your data"

' That's fine, but that means you don't get to call home. Ever. '

Internet access. Data access. Pick one.

IOW, abstract application categories according to data and Internet
access, automation, whatever else we're interested in and want to
maintain a watch over. The app has to state upfront in language that
the user can understand, and isn't allowed to do anything else.

Breaking those barriers is a clear breach of faith, actionable by the
FTC with a minimum of evidence required (i.e. cleap to sue).

Of course, sware vendors would hate this, because they're used to the
OS colluding with them. Write a crappy little mouse driver; sure, you
need to poll for "updates" every six hours, and browbeat the user to
"register" so their asses can be sold to "business partners".

It would be nice to see an end to those slimeball games...

--------------- ---- --- -- - - - -

Saws are too hard to use.
Be easier to use!