Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

Larry Osterman — Fri, 10 Sep 2004 08:19:00 GMT

Ok, I'll see if I can get some of them written for next week.

re: Running restricted -- What does the "protect my computer" option mean?

KJK::Hyperion — Sat, 11 Sep 2004 20:34:00 GMT

Hi Aaron, I think you may be interested in this...
I've written a sandboxing tool that, IMHO, manages to be at the same time powerful (certainly, much more configurable than Run As) and intuitive. I've called it I Am, it's a non-interactive command-line application and it's open source (MIT license). It's pretty hard to use as it requires a fairly strong technical background, but it currently lacks any documentation (apart from an article about it - in Italian - I wrote for an e-zine). But you sound very informed on the topic and should be able to figure it out easily (try "iam -help").
It also emulates the "Run As" sandbox as closely as possible (iam -wincompat) - but I haven't tested either in a domain, so expect problems (bug reports are welcome! just google for my nickname to know my e-mail address) - the only relevant difference being the requirement of a group without members called "IAM", which the command uses in addition to the standard sandbox SID (S-1-5-12, "RESTRICTIONS"), because the latter can't be specified in the ACL editor (a real pity, since, as you noted, the "Run As" sandbox has the effect of making the user profile directories inaccessible, and not being able to specify that group in ACLs makes this limitation unescapable).
It lacks polish (for example, sandboxed programs inherit the TMP and TEMP variables, which will generally point to an unwritable directory, so you have to redirect them by yourself) and real-world testing, but it works great - from a purely technical standpoint, much better than "Run As" in fact. The only pity is it's a bit too easy to forget running programs in a sandbox, but I'm looking into a suite of shell extensions for that
The URL is http://spacebunny.xepher.net/hack/iam/ and the filenames should be pretty intuitive. Let me know what do you think about it, I value your opinion!

re: Running restricted -- What does the "protect my computer" option mean?

David Candy — Mon, 13 Sep 2004 20:51:00 GMT

cacls can give restricted full control over a file object.

cacls apppath /e /g restricted:f

processed dir: C:\Documents and Settings\David Candy\Desktop\AppPath

And the GUI permissions now list restricted as full control (or read only or whatever you tell it to do).

Remember to use quotes if anything contains a space.

re: Running restricted -- What does the "protect my computer" option mean?

Sean McLeod — Wed, 15 Sep 2004 23:40:00 GMT

Would be useful to have all attachments that are launched from email run using this "restricted token".

Currently as of XP SP2 there is an IAttachmentExecute interface to be used by email programs etc. when they want to save and/or execute an attachment. IAttachmentExecute::Execute() may run a virus scan on the attachment before executing the attachment etc.

If it also allowed you to execute the attachment using this "restricted token" then an email attachment virus would have a more difficult time since the registry would be read-only, large parts of the filesystem would be off-limits or read-only etc.

Is there an easy way to set up a SID/ACL to prevent a process from getting any network access? Would help prevent certain virus's from spreading if you could easily add this restriction to untrusted code.

re: Running restricted -- What does the "protect my computer" option mean?

Aaron Margosis — Thu, 16 Sep 2004 05:44:00 GMT

Sean, yes, it would seem useful, but since a lot (most?) apps just completely break when run with the "protect my computer" option, it would probably be pretty much unusable. E.g., let's say it's a Word doc. First, Word wouldn't be able to read a copy of the doc cached in your %Temp% folder, since it wouldn't have access. Likewise, Word wouldn't be able to save it (as-is or edited) to your "My Documents" folder. Word wouldn't have access to your user-specific normal.dot or other config info stored in the file system in your profile. And on and on.

AFAIK, there is no ACL that prevents an app from creating a TCP/IP network connection.

re: Running restricted -- What does the "protect my computer" option mean?

Aaron Margosis — Thu, 16 Sep 2004 08:39:00 GMT

BUT - that reminds me of something else I meant to mention. A "protect my computer" restricted token cannot authenticate on the network using your Windows identity. So while you can still connect to remote resources that allow anonymous connections, the restricted app cannot act "as you" on the network.

re: Running restricted -- What does the "protect my computer" option mean?

Ayman AlRashed — Mon, 20 Sep 2004 10:46:00 GMT

IMO, while an ambitious option, it's still not usable in it's current form due to app compat issues.

re: Running restricted -- What does the "protect my computer" option mean?

Sean McLeod — Mon, 20 Sep 2004 14:35:00 GMT

Network wise I was thinking more of worms that propogate by searching the network for vulnerable hosts and/or email themselves out. If you could limit the process to having no network access then the worm wouldn't be able to propogate itself in this fashion.

While XP SP2 has some network changes to limit the rate of outbound connections when it detects lots of incomplete network connections it doesn't completely prevent the propogation, rather just slows the rate.

What sorts of apps/code did MS have in mind in terms of running under this restricted token?

As mentioned if there are too many compatability issues then it won't be able to be used for running 'suspect' code in such a way that it is not able to do any damage but at the same time is able to do enough to be useful, especially for non dangerous code.

The other option I thought of was to have suspect code/attachments run in a virtual machine session, e.g. using some lightweight flavour of VirtualPC. In this environment the app would get a snapshot of the current host environment and have read and write access to all the necessary files. But network access would be blocked so suspect code couldn't read your data and forward it out via the network.

Any writes in the this virtual environment would be visible to the app running in the VM but wouldn't make it through to the host's file system and would be discarded when the app exited.

When the app exited the VM would also pop-up a report listing any portions of the registry and file system that were written to and any attempted network access as a way for users (although probably only for advanced users, there would also be heuristics used to determine a suggested pass/fail for regular users) to determine whether the screen saver attachment that some mate had sent is really just a regular screen saver or whether it's really a virus/worm.

The heavyweight implementation would be to use a full virtual machine in which to run the suspect code. A more lighter weight approach may be possble using some combination of a restricted token, network filter to block network access and a file system filter driver interacting with the volume snapshot service to provide a temporary writable volume for the suspect code that then gets discarded when the process quits.

re: Running restricted -- What does the "protect my computer" option mean?

Puri — Thu, 30 Sep 2004 22:30:00 GMT

Hi,
I couldn't agree more about running with Limited/Restricted user account. Thats how I always run at home. I don't run a virus checker on my PC. But at work, I found that it doesn't work. The problem is most corporate ITs run Sematic AntiVirus as part of login startup tasks. I think they have something in the domain startup script that checks whether anti virus dat files are up-to-date or not. It failed to run with limited user account. So they forced me to add admin privileges to my login.

But ur blogs are full of information. Good to hear from an MS guy.

puri

Running Windows as limited user

Dot Wind — Fri, 21 Jan 2005 03:31:00 GMT

A very interesting serie of postings over at Aaron Margosis' WebLog showing the advantages of running as a limited user. A special interesting entry is the "Protect my computer" option, and the priviliges toolbar....

Table of contents, Aaron Margosis' non-admin blog

Aaron Margosis' WebLog — Tue, 19 Apr 2005 03:22:43 GMT

Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

Spread the LUA joy

tonyso — Fri, 10 Jun 2005 19:12:45 GMT

Get your friends and family, all those folks that come to you for computer help once their machines have...

Run as and Protect My Computer

Dan Crevier's Blog — Tue, 28 Jun 2005 06:49:07 GMT

Today I got a bug report that the app I'm working on doesn't work with work when launched with Run As......

re: Running restricted -- What does the "protect my computer" option mean?

James Gerber — Thu, 01 Jun 2006 04:00:51 GMT

I tried this with IE and Firefox and neither launched at all (XP Home).

re: Running restricted -- What does the "protect my computer" option mean?

Aaron Margosis — Thu, 01 Jun 2006 04:07:27 GMT

James Gerber: If IE didn't launch, my guess is that you have an IE add-in installed that failed with the restricted token and caused the process to exit. No idea about Firefox.

re: Running restricted -- What does the "protect my computer" option mean?

Doug Woodall — Thu, 01 Jun 2006 21:02:34 GMT

Sadly, I thought I would ask all my coworkers if they knew how to do this.
Guess the outcome.
I wish I wish I could educate with a lasting effect. It seems people just dont care until they lose their Identity or are scammed out of money. Then they come around. Too late.
Great Post !

Take care,

Windows Tips: Run Suspicious Programs Safely

The SpywareBiz Blog,,,to Combat Spyware! — Fri, 02 Jun 2006 23:18:55 GMT

re: Running restricted -- What does the "protect my computer" option mean?

Ajay — Tue, 06 Jun 2006 23:13:23 GMT

Seems like the "Protect My Computer" option should be implemented as a virtual machine that isolates any changes the application makes and can discard them on exit. Microsoft already has the Virtual PC product/technology and the App Compatibility Toolkit so it might be able to integrate limited versions of these into Windows. I got Virtual PC initially to test my software on a clean install of various Windows configurations and I also thought it would be good to try out other people's software and keep it isolated from my "real" installation.

Windows Tips: Run Suspicious Programs Safely

The SpywareBiz Blog,,,to Combat Spyware! — Thu, 08 Jun 2006 01:40:22 GMT

re: Running restricted -- What does the "protect my computer" option mean?

Russell Tucker — Thu, 10 Aug 2006 15:36:05 GMT

When the IE icon on my computer is right clicked, I do not see a "Run as" option at all. Is there some other way to get to this option?

Thanks,

Russ

It's not on the context menu if you click on the IE icon at the top of the Start menu, but it is if you right-click on an IE icon somewhere else, such as in the Quick Launch area, on the desktop, or in the All Programs part of the Start menu.

HTH

-- Aaron

re: Running restricted -- What does the "protect my computer" option mean?

Russell Tucker — Sat, 12 Aug 2006 17:15:44 GMT

Thanks, Aaron. Found it!

And thanks for pointing this out to us. Such is becoming more important each day.

Regards,

Russ Tucker

re: Running restricted -- How to restrict the user in timely manner

Nash Sapardi — Sun, 13 Aug 2006 00:42:17 GMT

Hi Aaron,
Need to know how to restrict the user to use the system after 12.00 midnight? Or the system force the user to logout after 12 midnight

Best regards/

re: Running restricted -- What does the "protect my computer" option mean?

Fox Purtill — Wed, 23 Aug 2006 12:17:03 GMT

Help! Somehow my machine ended up running the ENTIRE OS in restricted. I can right-click anything and uncheck the 'Protect my computer and data..." etc and it opens, but how do I GET RID of that? I want to just be able to run my programs. I am the administrator of the machine and the only user. I have no clue why this suddenly started happening.

At the moment if I double-click any application it the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts. This was NOT the case yesterday.

I can only guess, but my guess would be that some kind of registry modification was made that shouldn't have been made -- possibly by malware, possibly just by accident. IIRC the Windows Setup disks will help you repair an existing Windows installation - you might try doing that.

-- Aaron

re: Running restricted -- What does the "protect my computer" option mean?

Nick Heim — Tue, 29 Aug 2006 01:43:18 GMT

Hi Aaron,
is there a way to unset or set the option “Protect my computer ..." programmatically in the linkfile?
I would like to do this with a MSI custom action DLL i already use to set the option in a link, which let it pop up the "Run as" dialog.
Thanks a lot for the very good info on your blog.
Regards, Nick

Look for SDLF_RUNAS_USER on this page and this page. Note that setting the flag will only cause the "Run As..." dialog to appear -- it still requires user interaction to make the target program run restricted.

HTH

-- Aaron

re: Running restricted -- What does the "protect my computer" option mean?

john — Wed, 11 Oct 2006 00:38:49 GMT

this guy sent software to my computer--and he got every name and dialogue from yahoo that i had used in months--how can i prevent this from happening again

re: Running restricted -- What does the "protect my computer" option mean?

Dave — Sat, 14 Oct 2006 02:59:16 GMT

You might want to look at http://windowzones.com, which is currently in beta.

It allows you to lock applications down into a "safe zone" which is like a sandbox, but with much better app compat than restricted tokens (doesn't have all of the problems noted for IE, for example).

re: Running restricted -- What does the "protect my computer" option mean?

Paul Whitcomb — Thu, 07 Dec 2006 22:22:43 GMT

In Windows 2000, I am attempting to disable the function performed by "protect my computer and data" in Windows XP. Is this possible?

I don't quite understand -- are you trying to disable the UI (dialog) that exposes "protect my computer"?

-- Aaron

re: Running restricted -- What does the "protect my computer" option mean?

Gretchen — Wed, 10 Jan 2007 18:54:10 GMT

I am trying to run a program for my business and it won't run. When I right click on the icon, and go to the run as option, there is a check mark next to the box that says clicking the box might cause the program to not function. I think this is the problem, but everytime I take the check off, it automatically re-checks it. How do I keep it from running automatically?

Gretchen - when you right-click and choose "Run As...", the default selection is to run the program with the greatly reduced rights described in this post. Most apps don't work correctly with that setting. If you just start the program normally, you shouldn't see that dialog, and the program should run with the same privileges that all your other programs do.

Has this program worked correctly in the past for you?

Are you logged on as a member of the Administrators group, or as a regular User?

-- Aaron

re: Running restricted -- What does the "protect my computer" option mean?

Tim Cooper — Wed, 28 Mar 2007 16:29:07 GMT

I'm also getting this same problem on a user's XP SP2 machine:

At the moment if I double-click any application it the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts. This was NOT the case yesterday.

on my computer, what does msi mean? Thank you!

Katy — Fri, 30 Mar 2007 20:58:00 GMT

30 March 2007

I have a brand new Mac notebook. What does msi

mean? Thank you!

Katy: It probably doesn't mean the same thing on a Mac as it does on a Windows computer. On Windows it is a Microsoft Windows Installer package. No idea what it is on a Mac.

-- Aaron

What does the "protect my computer" option mean?

SSQA- Users & SQL tools — Mon, 23 Apr 2007 11:51:25 GMT

Very interesting insight of security topics on Windows operating system by Aaron Margosis.

re: Running restricted -- What does the "protect my computer" option mean?

Peter — Mon, 23 Jul 2007 20:13:13 GMT

So far, several people have asked how to turn off the restricted user option. So far there has been no answer to that question. People have replied to the posts but have not provided the answer. So, how do you turn off the option? Yes, I know it is more risky...yes, I know that it has been added by microsoft to make my computing experience more pleasant. The thing is, I just want to be able to click on an icon and have the program run. Simple eh?

So, how do you turn off the run restricted option?

[Aaron Margosis] What you're seeing is most likely due to corrupted registry settings. It's certainly not due to anything the Windows developers intentionally designed. I don't know which specific registry settings might be involved, so I don't have an answer to the question.

re: Running restricted -- What does the "protect my computer" option mean?

Ahitub — Thu, 02 Aug 2007 08:31:43 GMT

HI KJK::Hyperion

The link you have mentioned not work properly ...whats the prob with ...

Thanks

________________

Ahitub

http://computersnext.com

re: Running restricted -- What does the "protect my computer" option mean?

James — Sat, 29 Sep 2007 02:52:11 GMT

So, how do you turn off the run restricted option?

re: Running restricted -- What does the "protect my computer" option mean?

mani — Tue, 06 Nov 2007 14:31:31 GMT

pls.. help me out...

m also getting this same problem on a user's XP SP2 machine

re: Running restricted -- What does the "protect my computer" option mean?

Armando — Fri, 16 Nov 2007 01:21:56 GMT

I am another simple user that wants to double click an icon and get the program start. The only way I can do this is to "run as" and uncheck the protection. Can this protection remain unchecked? This is a VERY unconfortable situation.

re: Running restricted -- What does the "protect my computer" option mean?

Ditto to the two previous entries. — Thu, 17 Jan 2008 14:04:07 GMT

I think its MS trying to strong arm individuals into purchasing VISTA. Ugh. It seems to be progressive. Phase one OS in phase one out. How else will they continue their empire. Gone are the days you purchase it you own it. Security update!! Security updates!! Security updates MY ask me no questions....

re: Running restricted -- What does the "protect my computer" option mean?

Adam Saunders — Fri, 11 Apr 2008 18:00:24 GMT

Same problem here. I uncheck "protect my data from unauthorized program activity" the option, but when I close the dialog box and go back the option is rechecked. WTF?

re: Running restricted -- What does the "protect my computer" option mean?

Louis — Sat, 28 Jun 2008 04:51:13 GMT

I have the same problem, but my situation happened after the 2nd time I rebooted just after doing my last Microsoft update - I believe it was a security update.

re: Running restricted -- What does the "protect my computer" option mean?

Ivan — Thu, 28 Aug 2008 23:48:03 GMT

I've had the same problem for several months until I discovered today that I had 'Mark Any Content Safer' installed. It probably came with a video application.

After complete removal I can again launch my apps without the 'Run As' dialog.

[Aaron Margosis] Very interesting. What is "Mark Any Content Safer"?

re: Running restricted -- What does the "protect my computer" option mean?

Matt Ledbetter — Fri, 05 Sep 2008 18:12:23 GMT

If you are having the problem of everything running in restricted mode, it is most likely a registry issue.

Download the registry fix here: http://www.geekstogo.com/forum/index.php?act=attach&type=post&id=5794

Reboot in safe mode and run the downloaded program. Reboot and problem should be solved. Only works with XP as far as I know.

Not resposible for your computer bursting in to flames.

-Matt

[Aaron Margosis] That link downloads a zip file that contains a .reg file that appears to be mostly the XP default settings for HKCR\.exe and HKCR\exefile. It does have one extraneous setting (adding a property sheet handler for "PEAnalyser"). That would appear to be something added to the system by the person who exported this .reg file.

Caveat: this is based strictly on the observations I made, based on what was downloaded at the time that I clicked on the link. I cannot provide any assurance that the hyperlink above will still point to the same zip file when you click on the link; nor can I provide any assurance that the zip file is not malformed in some way to exploit a vulnerability in various versions of unzipping programs. (I extracted it using Explorer's built-in capabilities.) I also won't make any assertions here about whether that extraneous "PEAnalyser" entry will or will not have any impact on any given system, nor whether restoring this set of defaults will be sufficient to fix the problems people have described above.

MarkAny ContentSafer

Ivan — Sat, 06 Sep 2008 17:42:30 GMT

This is a DRM application favored by Samsung. It quietly hijacked some entries in the registry, apparently those which are used when an application is launched. I could only partially remove this thing the first time around, so some entries were not cleared.

Ivan

re: Running restricted -- What does the "protect my computer" option mean?

curious joe — Sat, 24 Jan 2009 16:48:17 GMT

hi there,

i was wondering if it was better to run a supicious (or in general) little app that only comes as a single .exe file with right-click and "run as...." then my own credentials but with this checkbox activated (protect my computer from malicious activity...)

or if it would even be better to "run as..." and then using the guest user (i have guest user activated on windows xp sp3) for this task.

can a malicious program mess my system when i run it as only in the guest credentials, or is the first option better with the checkbox?

thanks for any hints.

greets.

re: Running restricted -- What does the "protect my computer" option mean?

colleen — Fri, 26 Jun 2009 00:01:22 GMT

I also have the same problem when I click on any icons on my desktop the will not run unless I do a run as or uncheck the protect my files.

Is there any way to remove that check mark and have it stay off.

re: Running restricted -- What does the "protect my computer" option mean?

Anthony Wieser — Sat, 25 Jul 2009 14:34:57 GMT

Thanks for posting this. Only came noticed the checkbox 5 years later!

Is there a well know SID that this causes the software to run with? Or must I check for this state with IsTokenRestricted to see if this has been checked when my program runs?

re: Running restricted -- What does the "protect my computer" option mean?

ryan — Fri, 14 Aug 2009 09:13:28 GMT

thanks the reg fix did the trick!

Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

Running Windows as limited user

Table of contents, Aaron Margosis' non-admin blog

Spread the LUA joy

Run as and Protect My Computer

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

Windows Tips: Run Suspicious Programs Safely

re: Running restricted -- What does the "protect my computer" option mean?

Windows Tips: Run Suspicious Programs Safely

re: Running restricted -- What does the &quot;protect my computer&quot; option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- How to restrict the user in timely manner

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

on my computer, what does msi mean? Thank you!

What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

MarkAny ContentSafer

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?

re: Running restricted -- What does the "protect my computer" option mean?