Aaron Margosis' "Non-Admin" WebLog

Info about LUA Buglight 2.0

I recently did a TechNet webcast about the upcoming LUA Buglight 2.0.

You can view the webcast here, and download the slides here.

I'll be speaking at Tech*Ed in June

I'm speaking at Tech*Ed North America 2008, during the "IT Professionals" week, June 10-13.  I'll be presenting SIX (6) sessions, all on non-admin / least-privilege and the resulting application compatibility issues that arise.  (When I started my "non-admin" blog back in 2004, it was all about security.  Now that least-privilege has increasingly become the default, it has become much more about application compatibility.)

Specific dates/times and session numbers to be determined:

• Finding Permissions Issues with LUA Buglight 2.0
  I've been working on an update to LUA Buglight and will discuss/demo it.  (I hope to have something you can download and run by then -- can't promise, though.)
  
• Fixing "LUA Bugs" (Admin-Permissions-Required Bugs)
  Similar to the "Fixing LUA Bugs" series on my blog, but updated with more info pertinent to Vista and additional information regarding app-compat shims
  
• Identifying "LUA Bugs" (Admin-Permissions-Required Bugs)
  Comparing/constrasting Sysinternals Process Monitor, Standard User Analyzer and LUA Buglight for identifying root causes of LUA bugs
  
• Windows Vista App-Compat Topics: MIC, UIPI, Protected Mode IE
  Mandatory Integrity Control, User Interface Privilege Isolation, Protected Mode Internet Explorer, what they are and how they impact application compatibility
  
• Miscellaneous App-Compat/Architecture Topics: Terminal Services Sessions vs. Logon Sessions; Where Mapped Drives are Defined, and More
  Some really nerdy deep-dive stuff that is actually worth knowing.
  
• How We Got Where We Are: Why Windows Has Traditionally Required Admin Rights
  Vista makes a big shift in how users interact with their computers and how developers have to write code for those users.  Why couldn't "least-privilege" have been the default from the beginning?  This session explains the decisions that were made and why those decisions made sense.  (Most sessions talk about current or near-future technologies -- this is all history stuff.  I'm really looking forward to this one.)

All of them are 400-level, except the last which is a 200-level session.

Why apps have security bugs ([attempted] humor)

One reason why apps have security bugs -- because we developers were trained to focus on and typically only ever focused on how legitimate users will use the product -- we never used to have to think about misuse!

A couple of years ago I wrote up a little skit.  It’s a software developer and a Quality Assurance (QA) guy, circa 1993.  I play the developer and Steve Riley plays the QA guy.

QA Guy (imitating Newman from the TV show "Seinfeld"):  Hello, Jerry.

Dev (imitating Jerry Seinfeld, with derision):  Hello, Newman.

QA Guy:  How are you today?

Dev:  How am I?  I was fine.  But now I have a QA guy in my cubicle.  The only clearer sign I could possibly receive that my life was about to take a downward turn would be to receive an invitation to appear on the Jerry Springer show.

QA Guy:  Good guess!  I found a serious bug in your program.

Dev:  Serious?

QA Guy:  Yep.  I found that if I entered a last name of 33 characters or more, the program crashes.

Dev:  That’s serious?

QA Guy:  Yes, it’s serious.  The program crashes!

Dev:  Yeah, but it will never happen.  No one has a last name that long.

QA Guy:  Someone could.

Dev:  OK, I’ll make the buffer 40 characters instead.  That should be more than enough.

QA Guy:  Yeah, but then a 41 character name will crash it.

Dev:  So put something in the manual that says that last names can’t be more than 40 characters!  Jeez!  It will never happen, OK?  These edge cases don’t matter.

QA Guy:  Of course they do – someone could crash it on purpose.

Dev:  What?  Why would anyone do that?  First of all, our customers are paying good money for our product.  Why would they then deliberately misuse it and make it crash on purpose?  And second of all, it’s running on NetWare – it crashes all the time on its own anyway, without any help!

QA Guy:  Well, that’s true – maybe we ought to switch to Windows NT. (laughs)

Dev:  (laughs) Oh, yeah, Windows NT 3.1, there’s a pillar of stability.

QA Guy:  Uh huh – and performance.  (laughs)  What a joke!

Dev:  Yeah.  But you know, I’m seeing more RFPs lately that specify that "the server platform must include Solitaire".

QA Guy:  Ha ha!  Windows NT will never amount to anything.  A dozen years from now no one will even remember that it ever existed.

Dev:  Yep.  The future obviously belongs to NetWare. 
OK, so are we done here with this so-called bug of yours?  No one’s going to crash the server on purpose, OK?

QA Guy:  Sure they would.  They could take advantage of your buffer overrun to inject code into the system.

Dev:  Oh, now this is an advance in computing that I was hitherto completely ignorant of.  I’ve seen computers that ship with monitors, and keyboards, and even tape backup, but I had never heard of one that ships with a syringe!

QA Guy:  It goes like this:  The attacker sends more data than your buffer can hold, thus overwriting the return address on the stack with a pointer back into the buffer, which now contains malicious code sent by the attacker.  The attacker now runs code of his choosing on your server.

Dev (stares at QA guy for a while, before replying):  I think that hair dye has leached into your brain.  Gee you know, it’s hard enough to get our code deployed – maybe we should use “code injection” instead.  Look, Steve, we’ve got a ton of features we still have to implement and a ridiculous deadline.  The server’s only got 2MB of RAM – we can’t afford the time to code up all these extra checks, and we can’t absorb the performance penalty of running them either.  This isn’t a bug.  The program works as designed.  If you want to go find real bugs, why don’t you go after that new guy we hired, Jesper Jo-whatever-his-name-is.

How to cleanly stop Explorer.exe on Windows Vista

This is the first time I have blogged here about something other than running with least privilege. It's about a neat trick, though, that can be useful for some people.

If you need to shut down the main Explorer process, you could just kill it from Task Manager or Process Explorer. But undesirable and unpredictable things can happen when you abruptly kill any process, particularly one as central as Explorer.

In Windows XP, you can get Explorer to exit cleanly by getting to the shutdown dialog (e.g., Start / Turn Off Computer, or Start/Shutdown), then hold down the Ctrl+Alt+Shift keys and click the "Cancel" button. (Ref: JeffDav's blog.)

In Windows Vista with its standard Start Menu, click on the Start button. Hold down Ctrl+Shift and right-click on any empty area of the menu or on the power/lock buttons at the bottom of the right half of the menu. One of the context menu choices is "Exit Explorer". Choose this and the main Explorer process will cleanly shut itself down. (Thanks to Mike Sheldon and Raymond Chen for this tip.)

If you are using the "Classic Start Menu" option in Vista, the XP Ctrl+Alt+Shift+Cancel method still works.

OK, so chances are right now you're looking at nothing but wallpaper and the Sidebar and wondering, "What do I do now?" There's no Start menu anymore, and Win+R doesn't display the Run dialog. Answer: press Ctrl+Shift+Esc. This starts Task Manager. In Task Manager, choose "File / New Task (Run)", type "Explorer" and click OK. The shell will come back to life.

Note that on both Windows XP and Windows Vista, only the "main" Explorer process exits – that is, the process that manages the Start menu, taskbar, and desktop. With default settings, all Explorer folder windows are managed by that process as well, and so they will close too. However, if you have configured Explorer to "launch folder windows in a separate process", then those folder windows will not close when you apply this trick. Furthermore, when I tried this on Windows XP, I needed to manually close all those folder windows before running a new instance of Explorer would display the taskbar, etc., instead of just displaying yet another folder window.

Why is this hidden nugget even there? Its purpose is to help developers and testers who work on shell extensions to be able to stop and restart Explorer quickly and cleanly without having to log out.

Obviously, though, this trick can also be used to launch Explorer elevated. If you've exited the shell process and start Explorer from an elevated context, the entire desktop shell will run elevated. I cannot say this without adding caveats. If you do this, everything you start from this point on will run elevated. Shell extensions will run elevated, including the ones with serious security flaws. If you shut down Explorer again, any child processes that were launched will continue to run elevated, including browsers, IM clients, etc., with all the risk that incurs. IE Protected Mode does not operate when IE is running elevated. Less important but also significant is that any processes running at Medium IL will not be able to interact with the elevated shell – for example, to display taskbar notification icons. In general, because Explorer was neither designed for nor tested with this kind of elevated execution, you should not assume that anything will work correctly, including something as fundamental as user logoff. If you really need an elevated Explorer window on Vista, you can try the unsupported trick I described in this post instead of elevating the entire shell.

Scripting Elevation on Vista

[Added 2007-07-02, 16:41 Eastern Time:  I was thoroughly and inexcusably remiss in failing to include a reference to Michael Murgolo's excellent TechNet Magazine article, Script Elevation PowerToys for Windows Vista.  I'm rectifying that now.]

As I mentioned recently, although the RunAs.exe console utility still exists on Windows Vista and will let you run a program as another user, it will not run that program with elevated privileges. So if you use RunAs.exe to start a program with an administrator account, the program will run with that account's profile and settings, but with standard user privileges only, not with the power to do computer administration. You can't get an application to run with elevated privileges unless you go through the UAC elevation prompt. And RunAs.exe on Windows Vista (RTM, anyway) will not invoke that prompt.

What if you have batch files for XP or Server 2003 that called RunAs when administrative tasks needed to be performed? E.g., say there's a line in your batch file to start CMD.EXE with elevated permissions that looks like this:

runas /u:Administrator "cmd.exe /t:fc /k cd /d c:\ && title *** Admin console *** "

Is there another way to script the "run this program with elevated permissions" that RunAs gave you on XP/2003? Yes. First, create a small script file called "elevate.js" and put it in a folder in your PATH. (*) The contents of elevate.js should look like this:

// elevate.js -- runs target command line elevated
if (WScript.Arguments.Length >= 1) {
    Application = WScript.Arguments(0);
    Arguments = "";
    for (Index = 1; Index < WScript.Arguments.Length; Index += 1) {
        if (Index > 1) {
            Arguments += " ";
        }
        Arguments += WScript.Arguments(Index);
    }
    new ActiveXObject("Shell.Application").ShellExecute(Application, Arguments, "", "runas");
} else {
    WScript.Echo("Usage:");
    WScript.Echo("elevate Application Arguments");
}

Then replace "runas /u:Administrator" with "elevate": (**)

elevate cmd.exe "/t:fc /k cd /d c:\ && title *** Admin console *** "

Important note: the elevate.js script invokes the UAC prompt, but it will not let you bypass it. User interaction is still required.

With the default settings, the elevation prompt will prompt you for simple consent (click "continue") if you are a member of the Administrators group, and prompt you for admin credentials if you are running as a standard user. If you are a member of the Administrators group, but would like to use a different account for the elevated task, you can change the computer's security policy for the behavior of the elevation prompt for admins to "Prompt for credentials". When the prompt appears, you can enter the credentials of a different administrative account.

Thanks to John Stephens of the Windows team for this script.

(*)  I highly recommend that scripts and other programs that may be used by elevated apps or are part of elevation sequences be kept in a folder that standard users cannot write to. I have a Utilities folder under %ProgramFiles% for this purpose.

(**)  Note that the quoting in this case needed to be rearranged a little as well: the first item passed to the script is the application to elevate; everything after that forms the rest of the command line for that application. If the quoting had been kept as-is, Windows would have tried to elevate an application called "cmd.exe /t:fc /k …", which doesn't exist. The quotes are still needed here so that the "&&" and everything after it remain on the command line to the elevated application. Otherwise the current command shell will parse it as part of the command it is running.

FAQ: Why can’t I bypass the UAC prompt?

The frequently asked question, "Why can't I bypass the UAC prompt?" is often accompanied by statements like one or more of the following:

• "We want our application to run elevated automatically without prompting the user."
• "I don't get why I can't authorize an application ONCE and be done with it."
• "Unix has setuid root which lets you run privileged programs securely."

The designers of Windows Vista's User Account Control expressly decided not to incorporate functionality like setuid/suid or sudo found in Unix and Unix-like OSes such as Mac OS X. I think they made the right decision.

As I'm sure everyone knows, large parts of the Windows ecosystem have a long legacy of assuming that the end user has administrative permissions, and consequently a lot of programs work correctly only when run that way. (I'm not going to delve into that history here, nor will I entertain any finger-pointing on the topic at this time. One of these days I'll post my thoughts on that subject.) As computer security has become increasingly important, breaking that cycle became absolutely imperative. It is with the release of Windows Vista that the first major move in that direction is achieved. Indeed, the primary purpose of the technologies that comprise UAC is to make the "standard user" the default for Windows, encouraging software developers to create applications that do not require admin. It's not perfect by any means, but changing the ecosystem will take a long time, and UAC is a good first step.

Pre-approving code to run with elevated permissions without going through an elevation prompt, as described in the bulleted scenarios above, seems at first glance to be both useful and convenient. However, the negatives far outweigh those benefits. In particular:

• The "standard user by default" vision would become impossible and ultimately never happen;
• Elevation of privilege (EoP) would be trivial – any compromise could lead to full system compromise.

If it were possible to mark an application to run with silently-elevated privileges, what would become of all those apps out there with LUA bugs? Answer: they'd all be marked to silently elevate. How would future software for Windows be written? Answer: To silently elevate. Nobody would actually fix their apps, and end-user applications will continue to require and run with full administrative permissions unnecessarily.

What if the application could not mark itself for silent elevation but instead had to be marked by the consumer or enterprise administrator installing the application? Answer: the developer of the installation program (which necessarily runs with admin/system permissions in order to install machine-wide) would figure out where the setting lived, and set it. (Several major ISVs told us directly that they would in fact do exactly that.) There would be no real way to protect that setting from anything running as admin. This would be especially true if it were settable via Group Policy (which would be expected, if not demanded).

"Well, so what? We're only talking about applications I approved!" OK, let's say that's true, but how do you ensure that a malicious user cannot use the application for purposes other than those for which it was intended? And at least as important – how do you ensure that malware that has infected the user's session cannot drive a setuid application programmatically to take over the system? Ensuring strict behavioral boundaries for complex software running with elevated privileges is (at best) incredibly difficult. And ensuring that it is free of exploitable design and implementation bugs is far beyond the capabilities of software engineering today. The complexity and risk compounds when you consider how many apps have extensibility points that load code that you or your IT admin may not be aware of, or that can load code or consume data from user-writable areas with minimal if any validation.

Privilege escalation due to setuid and sudo has plagued Unix-like systems for many years, and continues to do so. In fact, several of the bugs in the recent Month of Apple Bugs fell into this category. Follow these links for lots more references: (*)

• Secunia items re SETUID and local privilege escalation
• Secunia items re SUID and local privilege escalation
• MOAB posts involving privilege escalation
• Symantec write-up on how easy it is to subvert sudo
• Ease of exploiting a sudo authn "grace period"

In the past, elevation of privilege has tended not to be noticed in Windows – there is no real "elevation" if you're already running as admin. (**) With the Vista shift toward "standard user", EoP threats become much more important, and it is vital that Windows do as much as practical to mitigate them. That is also why Windows services are no longer able to interact with the user desktop. Taking on the setuid headaches that *nix has had to live with does not seem like a profitable deal.

We expect that in ordinary day-to-day usage, users should rarely, if ever, see elevation prompts, since most should rarely, if ever, have to perform administrative tasks – and never in a well-managed enterprise. Elevation prompts are to be expected when setting up a new system or installing new software. Beyond that, they should be infrequent enough that they catch your attention when they occur, and not simply trigger a reflexive approval response. This will increasingly be the case as more software conforms to least-privilege norms, and as improvements in the Windows user experience reduces prompting further.

Having said all that, there is a Local Security Policy option to change the behavior of the elevation prompt for Administrators to "elevate without prompting". With this option selected, anything that requests elevation gets elevated without prompting the user. (The default setting is "prompt for consent"; the third option is "prompt for credentials". Note that "elevate without prompting" is available only for members of the Administrators group. The options for standard users are "prompt for credentials" and "automatically deny elevation requests".) While "elevate without prompting" may be useful in well-constrained, secure environments for automated testing and possibly for initial system setup, having this option selected otherwise is very risky and strongly discouraged. (Note also that Vista's Home SKUs do not include the policy editor.)

Nitpicker's corner (***)

(*) Pointing out the obvious: local privilege escalation by definition means that the bad actor is already on your system. However, there's a huge difference between malware running as you (non-admin) and malware running with root privileges.  If there weren't, there would be no point (from a security point of view) in running with least privilege.

(**) "Elevation of privilege" in this context means "unauthorized elevation of privilege". Technically, yes, Administrator is not as powerful as System (in that there are operations that Administrator will get Access Denied where System will succeed), and System is not as powerful as kernel-mode code (in that there are operations that fail for user-mode code running as System that succeed when called from kernel code). However, two of the things that Administrator is authorized to do include: 1) configuring arbitrary code to run as System, and running it; and 2) loading arbitrary code into the kernel, and running it. Hence, if code is running as admin, there is nothing it is not authorized to do.

(***) "Nitpicker's corner" might be a trademark of The Old New Thing.

And so this is Vista…

What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least privilege.

Windows Vista makes running as a standard user (non-admin) much more pleasant, feasible and secure than it was on XP. I'm not going to drill into all those improvements here. Instead, the focus of this post is to update my earlier posts about running on XP as a standard user (the "Running as Admin Only When Required" posts in the Table of Contents) as they pertain to Windows Vista. To save some space, I'll assume you've spent at least a little time running Vista.

MakeMeAdmin

Let's start with MakeMeAdmin. Vista renders MakeMeAdmin obsolete. On XP/2003, MakeMeAdmin lets you run as a standard user, and temporarily elevate your standard account to run a selected program with administrative privileges. Vista gives you the same ability, but with more convenience and more safety than MakeMeAdmin could provide.

If you are a member of the Administrators group on Vista, it's effectively the same as being a standard user, as long as you never run anything elevated: all your admin rights and privileges are disabled. Elevating an application does essentially the same thing that MakeMeAdmin did, but more conveniently, and more securely. Here's why:

• The convenience is that by default it's a simple one-click confirmation in a "consent" dialog, rather than having to enter two passwords in two console windows.
• Elevating an application using "consent" requires non-spoofable user interaction. By non-spoofable, I mean that malware with normal user privileges can make a UI look like the consent prompt, but it can't elevate anything. Further, the consent prompt appears on the secure "winlogon" desktop, which cannot be seen or manipulated by unprivileged code. Even if low-privileged malware steals your password, it can't get anything to run elevated without the interactive user going through the elevation UI. On XP, malware that obtained the password for an admin account could run programs with full admin privileges at any time.
• "Elevated" applications on Windows XP running on the same desktop with lower-privileged programs were subject to "shatter attacks" – the lower-privileged programs sending window messages to the windows of higher-privileged applications and driving them programmatically, or exploiting buffer overflows to run arbitrary code in the "elevated" context. With Windows Vista's Mandatory Integrity Control (MIC) and User Interface Privilege Isolation (UIPI), this becomes more difficult. (See Mark Russinovich's recent TechNet Magazine article for more information.)

You have to be careful about what you choose to elevate, but the same was true with MakeMeAdmin, too.

RunAs

Windows XP provided two interfaces for "RunAs" – the "right-click" dialog version, and the runas.exe console application. The dialog version has been replaced by the "Run as administrator" option. The console utility is still there, but it has limitations.

The Windows Shell team probably knows for sure, but I'm willing to guess that the main reason people used the "Run As" dialog on XP (probably only a tiny percentage ever used it anyway) was to run a program with admin permissions, and that for this purpose, "Run as administrator" serves as a superior substitute. With the default settings, a member of Administrators can use it as a MakeMeAdmin replacement (see above); a standard user gets a dialog that lets them enter the credentials of any admin account and run the target program with those credentials, also gaining the security improvements of UIPI as well as the secure desktop UI. One complaint I have seen in my blog's comments is that a member of Administrators can't choose to run as a different admin user, such as a Domain Admin account. This can be addressed by changing the elevation behavior for administrators from "prompt for consent" to "prompt for credentials".

The runas.exe console utility still exists, and it will let you run a program as a different user, but not with elevated permissions. If you specify an admin account, for example, you get the "filtered token" for that account, with admin groups and privileges disabled. As mentioned earlier, you'd need to go through the elevation UI to get the "full token".

Runas.exe is not as secure as the elevation UI. Runas.exe runs and collects credentials in the security context of the logged-on user, and so any malware running as that user can take control of that process, monitor the keystrokes going into it, changing the target program, etc. By contrast, the elevation UI collects credentials on the secure "winlogon" desktop (by default), which is accessible only to code running as System.

One thing that hasn't changed with runas.exe is that it still requires credential entry at the keyboard – you can't pipe in a password through stdin or in the command line. This is to help discourage the insecure practice of putting plain-text passwords in script files. (Answering one of the most commonly-asked questions in my blog's comments.)

Browsing the file system with Internet Explorer, and running IE and Windows Explorer as a different user

Internet Explorer used to be able to browse the file system. Beginning with IE7, that became history, both on XP and Vista. If you enter a file system path into the IE7 address bar, it will open a new Windows Explorer window to that path. From a security perspective, it seems like a pretty good idea not to allow the main program that interacts with that hostile world known as the Internet to also interact with your file system in the same way.

This change broke scenarios for a number of people who had found IE to be more "RunAs-friendly" than Windows Explorer for browsing the file system with elevated privileges. Windows Explorer on XP can be made more RunAs-friendly – see the SeparateProcess advice I posted here.

On Vista, however, there are more changes. Neither Internet Explorer nor Windows Explorer is willing to entertain multiple accounts on the same desktop. If you try to run IE under a different user account from that of the desktop, it will display an error message: "The RUNAS command is not supported." As I understand it, the primary reason is that with Protected Mode Internet Explorer, which runs at Low Integrity Level, IE also launches a Medium IL broker process (ieuser.exe) which runs as the desktop user and which gates selected Medium IL operations for the Low IL process. Allowing multiple identities into that mix would have introduced significant complexity best avoided. If you try to run Windows Explorer as a different user, you'll see nothing – the new process starts but exits without displaying a window.

However, I have found that it is possible for a member of the Administrators group to run both IE and Explorer with elevated privileges. With IE, right-click its icon in the QuickLaunch or in the All Programs menu (not at the top of the Start Menu) and choose "Run as administrator". One thing you'll (hopefully) notice is that the UAC elevation prompt for Internet Explorer shows it as "an unidentified program" from an "unidentified publisher", rather than as a Windows component or other signed program from a trusted publisher. As I understand it, the reason for this is because systems will quite often have IE plug-ins that are not signed and which may introduce more risk than the user may be aware of. Hence, the "unsigned" prompt is intended to discourage running IE with full admin privileges.

Explorer is a little trickier. Directly applying "Run as administrator" won't do it, but running it from an elevated command shell often will. I find that a command line like "explorer /e,c:\" will work, while just running "explorer" might not. But as before: if it works at all, it is an unintentional side effect of the current implementation, and is subject to change at any time.

How can you tell whether it worked? PrivBar still works on Vista, both for Internet Explorer and Windows Explorer.

Follow-up on "Setting color for *all* CMD shells based on admin/elevation status"

[Updated, 2007-06-27] 

This is the (overdue) follow-up to my earlier blog post about setting the color and title of all CMD windows based on the admin/elevation status of that window.

First of all, as some commenters noted -- and as I had discovered as well -- having the COLOR command run in the CMD autorun causes strange build failures in Visual Studio (at least in C++ projects) when it invokes commands via CMD.  My workaround is to specify the COLOR command only in the branch that I don't run Visual Studio in.  E.g., I always run Visual Studio as a non-admin, so I keep the "COLOR FC" statement in the admin branch, and don't run any COLOR statement in the non-admin branch.  If you always build as an elevated/admin, then you should reverse that so that the COLOR statement runs in the non-admin branch -- or don't use COLOR to differentiate and instead just use TITLE.

[Added 2007-06-27]  It turns out that following COLOR with a single ampersand and another command makes the build problem go away!

Second, Pavel suggested a more portable test than bootcfg/bcdedit:  cacls.exe %windir%\system32\config\systemprofile.  That folder grants access only to Administrators and the SYSTEM account; cacls.exe fails with "access denied" unless you're running as elevated/admin.  I don't know whether that folder exists on Windows 2000, but the test definitely works on XP, 2003, and Vista.

[Added 2007-06-27]  But as "anonymous" points out in the comments below, FSUTIL works, too, and is a lot easier to type.

Third:  CMD on Vista already prepends the word "Administrator" in the window title if it's running with an enabled Administrators SID in its token, so it's redundant for the autorun to append it.  (Not true on XP/2003, of course.)

Fourth:  why not put the current username into the title as well?  Good idea!  I've added that to my current config.

So, now my current CMD autorun looks like this: [Updated 2007-07-05 with full path to FSUTIL]

%windir%\system32\FSUTIL.exe > nul 2> nul && (color FC & title %USERDOMAIN%\%USERNAME%) || (color 07 & title NONADMIN - %USERDOMAIN%\%USERNAME%)

One minor point is that unlike the CMD /T option, COLOR sets only the current color -- not the default color -- for the current window.  If you run the COLOR command in that window, it will revert to the default color for the window -- either the user account's default setting or that set by a /T option when the CMD was started.

So... let me go on record by saying that while Microsoft has made a lot of fine products, Windows PowerShell is the coolest and most revolutionary technology we have shipped in a very long time.  (But that's as off-topic as I'm going to get on the subject.)  PowerShell is gradually becoming my default command shell, so naturally I'd like to be able to distinguish between elevated and non-elevated instances, both with color and with the window title.  Starting with what commenters wrote on my previous post, here's what's in my $profile now:

function Get-AdminStatus
{
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

$AmIAdmin = Get-AdminStatus
if ( $AmIAdmin )
{
    cmd.exe /c COLOR FC
}

# Make the window title follow the current directory
function prompt
{
    'PS ' + $(Get-Location) + $(if ($nestedpromptlevel -ge 1) { '>>' }) + '> '
    if ( $AmIAdmin )
    {
        $host.UI.RawUI.WindowTitle = "Administrator: " + $(Get-Location)
    }
    else
    {
        $host.UI.RawUI.WindowTitle = $(Get-Location)
    }
}

LUA Buglight and drive mappings: Action Required

LUA Buglight creates an alternate security context representing the current non-admin user but with admin/elevated privileges.  Because that context is created in a separate logon session, none of the network connections, drive mappings or SUBST assignments of the original context are present.  LUA Buglight tries to copy as many of those to the alternate context as possible.  In the current version, the only ones that are not copied are those in which alternate credentials were used -- e.g., you're logged in as USER1, but connecting to network drive P: as USER2.  Copying those connections would require prompting the user for passwords, etc. -- extra work that did not make the cut for version 1.  All the mappings, etc., are displayed on the LUA Buglight "Credentials" tab, with the ones to be copied in the upper text box and the ones not to be copied listed in the lower text box for informational purposes.

Some users have reported cases where drives are listed in the "won't be copied" text box, showing "alternate credentials" with the same username as the logged-on user.  I never saw that issue in my own testing, and haven't been able to reproduce what these users have reported.

If you have run into this issue and are willing to test a new build that tries to address the problem, please contact me via this blog's email link.

Thanks.

Setting color for *all* CMD shells based on admin/elevation status

In my RunAs... and MakeMeAdmin posts, I recommend making your admin command shells visually different to set them apart from non-admin ones.  You can change the default console window color on a per-account basis, but that doesn't help when the same account may be used in both admin and non-admin contexts (such as with Vista's UAC admin-approval mode).  You can use the cmd.exe /T command-line option, or its built-in COLOR command, but it works only if you remember to use it each and every time.

Here's a way to make the differentiation happen with a one-time, one-line configuration change on your system, that will work on all CMD.EXE shells you run.  The idea is to run a non-destructive command that requires admin privileges from a CMD autorun location, test for success and set the console's color accordingly.  You can also change the title at the same time.

This can probably use some refinement.  For the non-destructive admin operation on Windows XP/2003, I suggest "bootcfg /query"; on Windows Vista, I suggest "bcdedit /enum".  The autorun location I've been playing with is:

    [HKLM\Software\Microsoft\Command Processor]
    "AutoRun" (REG_SZ)

The command syntax you can set the "AutoRun" value to for Windows XP/2003 is:

    bootcfg /query >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)

and for Windows Vista, set it to:

    bcdedit /enum >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)

Any output or error message is redirected to "nul" so you don't see it.  If the command succeeds (&&), you're running with admin/elevated privileges; the console color will change to bright-red-on-white (FC) and the title changed to "ADMIN".  If the command fails (||), the console color will be white-on-black (07) and the title changed to "NONADMIN".  Feel free to change the colors or titles to suit your taste.

All that stuff works only for CMD.EXE.  For Windows PowerShell, take a look at these:

http://www.interact-sw.co.uk/iangblog/2007/02/09/pshdetectelevation
http://www.leastprivilege.com/AdminTitleBarForPowerShell.aspx

Also for PowerShell -- Staffan Gustafsson converted MakeMeAdmin to a PowerShell script:

http://groups.archivesat.com/Windows_PowerShell/thread246430.htm

[2007-06-25:  Update posted here.]

LUA Buglight updated information

I've meant to provide more info and follow-up regarding LUA Buglight, the tool I wrote to help identify "LUA bugs".  "LUA bugs" are the issues that cause a program to work only when run as admin (elevated).  Here are some quick notes...

1.  Internationalization:  there is an issue when LUA Buglight is used on non-English systems -- the XML is ANSI-coded, but there is no processing instruction indicating what encoding the LuaBuglightReporter should use, so the Reporter may report an error if the system's default encoding doesn't match up.  This will be fixed in the next version.  In the meantime, the workaround is to open the resulting XML in Notepad, and add the following line at the beginning of the file:

<?xml version="1.0" encoding="windows-1252" ?>

You can then open the XML file with the LuaBuglightReporter.  From everything I have heard, that fixes this particular issue.  Please let me know if you still run into problems.

2.  Cisco Network Assistant and a pretty cool, non-intrusive fix method:  JohnCKirk asked here and here about issues he ran into testing Cisco Network Assistant v4.1.  I downloaded it and tested for myself.  I ran the installation program as Administrator in an up-to-date Windows XP SP2 image on Virtual PC.  I then switched to a standard user account, and ran the program using LUA Buglight, using the target process name and startup folder specified in the shortcut that had been placed on the desktop.  I was able to run the program using LUA Buglight without any problem.  It reported two issues, both involving files called "LOCK" in a couple of its installation folders under %ProgramFiles%.  In one case, it just tried to create the file; in the other case it tried to create the file, change its attributes, and delete the file.

When I ran the program without using LUA Buglight, the splash screen came up, and after a short while it just became stuck on one initialization step.  Process Explorer showed that it was consuming lots of CPU, and Process Monitor showed it in an infinite loop alternately hitting an Access Denied trying to create one of the LOCK files and writing that fact to a log file in the current user's profile.  I had to kill the process.

In order to create a file in a folder, the user needs to have permissions on the folder.  However, changing ACLs on folders is much more dangerous than changing ACLs on files.  What a lot of programs do when writing "test" files like LOCK is that they verify whether the file Create/Open succeeded, but don't verify whether the subsequent Delete succeeded.  So, logged in as admin, I created the two LOCK files in the folders where the program tries to write them.  I then granted the non-admin user "Read & Execute", "Read", and "Write" permissions on those files.  Note that these permissions do not include the "Delete" permission.  When I ran the program again as a non-admin user, it started up without a problem.  As long as an admin doesn't delete those files, the non-admin should be able to run the program.  The Create/Open always succeeds, and the Delete silently failing keeps the files there for the next time the user runs the program.

3.  LUA Buglight limitations on Windows Vista:  When I wrote LUA Buglight, I focused almost entirely on getting it to work on Windows XP and Windows Server 2003 -- the platforms most of my customers were using and probably will continue to use for a while.  (US Federal government -- not always the quickest technology adopters.  Some of them have rotary cell phones. :-)  (Just kidding.)  LUA Buglight works very well on XP and 2003.  At the very end I spent some time building a version that would run on Windows Vista.  It does, but with some limitations.

Windows Vista introduces Integrity Levels.  With User Account Control, members of the Administrators group typically run with only Standard User rights, and most programs run at the Medium Integrity Level.  When the admin user chooses to elevate a program (e.g., with the "Run as administrator" context menu option), it runs at High Integrity Level, with "Administrators" enabled in the access token, and powerful privileges like "Backup", "Debug", and "Load Driver", available for use.

When you test a program with LUA Buglight on Windows Vista, LUA Buglight launches an elevated helper process in order to get the "this-user-as-admin" token for use when the target program hits an "access denied" error with the normal token.  The elevated helper process duplicates its token back to the Medium integrity LuaBuglight.exe process.  However, a Medium integrity process cannot impersonate a High integrity token, so it won't help get past the access denied errors.  So, before it duplicates it back to LuaBuglight.exe, the helper process marks it as a Medium integrity token.  One side effect I discovered later is that the resulting token also has some of the more powerful privileges stripped.  The "this-user-as-admin" token does have "Administrators" enabled, but it is a Medium integrity token and with some admin privileges missing.  So, when the target program hits an access-denied or privilege-not-held error and the this-user-as-admin token is impersonated and the operation retried, it will succeed and be logged if the access-check depends on membership in Administrators or on any of the remaining privileges, but will fail if the access-check requires High IL to succeed or any of the missing privileges.  If the operation fails when impersonating the "this-user-as-admin" token, the operation is not logged, and the app will see the access-denied error and possibly fail as a result.

The next version of LUA Buglight will address this, somehow -- but I haven't decided how yet.

4.  Network drive mappings:  There were some issues involving network drive mappings that were posted as comments to the original LUA Buglight blog post.  I'm working on resolving those and will provide an update when I can.

The SysInternals tools are now on microsoft.com

The SysInternals tools -- including Process Explorer, Regmon, Filemon, and many more -- are now available here on microsoft.com.  A couple of major highlights include Process Monitor, a new tool that supersedes Regmon and Filemon, and the SysInternals Suite, which combines the whole set of SysInternals tools into a single download package.

In addition, check out Mark's new TechNet blog, and the SysInternals blog.

URLs:
http://www.microsoft.com/technet/sysinternals/default.mspx
http://blogs.technet.com/MarkRussinovich/
http://blogs.technet.com/sysinternals/

MSDN webcast: LUA Buglight

I'll be presenting an MSDN webcast and demoing LUA Buglight next Tuesday, October 17, 2006, 11:00am US Pacific time.

Click here for more information and to register.  Make sure to install the Microsoft LiveMeeting client prior to showtime.

[Update, 18 Oct 2006]  The webcast is now available for on-demand viewing here.

LUA Buglight public [pre]-release

"Problems of Privilege: Find and Fix LUA Bugs" in TechNet Magazine