cnodnarb, Professional Member. Joined: 11 Sep 2002. Posts: 766. Location: Eastman, GA
Posted: Tue May 10, 2011 3:05 am. Post subject: Limited Access Applications - SOLVED
Just thought of something.
In Windows 7 and Vista, screensavers and Group Policy scripts that run applications are HEAVILY restricted at the login screen... what user account is that? Anyone know?
Last edited by cnodnarb on Tue May 10, 2011 3:33 pm; edited 1 time in total
Aslan, Valued Contributor. Joined: 31 May 2001. Posts: 589. Location: Memphis, TN USA
Posted: Tue May 10, 2011 3:33 am
I don't know about the screen savers, but as far as Group Policy objects go:
Computer policies are run with an elevated domain account (i.e. Domain Admins or an account that has admin privileges on the computer object).
User policies are run with the logged-in user account.
cnodnarb, Professional Member. Joined: 11 Sep 2002. Posts: 766. Location: Eastman, GA
Posted: Tue May 10, 2011 4:31 am
I only know about this because of a presentation system I built for Windows XP machines a few years back for a large telecom, which did not port to Vista machines. Everything turned out OK with the project, but we did have to specify XP boxes only. It ran a group policy before the user logged in, and on Vista the policy had 0 privileges and was VERY sandboxed...
I want to do that for my VWA protocol; basically, calculators and your average 'throw away' app that are useful but fleeting do not need privilege. If they do need more privilege they can request it from the user with a proper warning prompt.
cnodnarb, Professional Member. Joined: 11 Sep 2002. Posts: 766. Location: Eastman, GA
Posted: Tue May 10, 2011 1:16 pm
Almost solved.
I need the OPPOSITE (or close to) of all access, which is very very popular.
Apparently I'm looking for unpopular information.
&HF01FF is all access. Now what would be very restricted access....
cnodnarb, Professional Member. Joined: 11 Sep 2002. Posts: 766. Location: Eastman, GA
Posted: Tue May 10, 2011 2:58 pm
After much grinding and research I learned the psexec command is no different than
runas /trustlevel:0x20000
which I'm not sure will work, because this just basically states a basic user level of elevation, and I'm actually looking for lower *sigh*. I want some way to restrict file and registry access completely, which doesn't look like it will happen.
EDIT
One advantage is this should override the file manifest and allow the program to run without a user prompt. Guess I need to test for that factor.
EDIT2 YES! At least I get one win. This does allow programs that normally run as admin to run with basic user privilege.
Normally the options are:
1. Don't run.
2. Run with full access to EVERYTHING.
This presents a third option:
3. Run with the possibility of failing due to inadequate privilege. However, what if you coded to the RFC for VWA but forgot to switch off require admin, and as a DEMAND the RFC will not allow you to invoke as admin... this fixes the problem. I think I got it.
Still not completely satisfied, but this is as adequately 'sandboxed' as I can reasonably get, I believe.
EDIT3
In Windows XP it looks like it isn't possible. Trust levels are "Disallowed" and "Unrestricted".
EDIT4
Good news: Looks like these specific trust levels are pretty universal.
Bad news: I don't know if I should allow my application to run on Windows XP and under. The beta will for certain... but this may be a 'new age' application.
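What the runas /trustlevel:0x20000 launch from this post actually hands the child process, as an added PowerShell check (not code from the thread; assumes Vista or later with the Secondary Logon service running, and the report file path is my own choice):

```powershell
# Added example, not code from the thread. Launches a child at the SAFER
# "normal user" trust level (0x20000) named in the post above and lets the
# child report what its own token permits, so the "basic user privilege"
# claim can be checked rather than assumed.
# Assumptions: Windows Vista or later, Secondary Logon service running,
# whoami.exe present (ships with Windows); the report path is my choice.

$report = Join-Path $env:TEMP 'trustlevel-report.txt'
Remove-Item $report -ErrorAction SilentlyContinue

# Step 1: which levels does this build expose? XP lists only Disallowed
# and Unrestricted, which matches EDIT3 above.
runas /showtrustlevels

# Step 2: launch the child. No /user and no password prompt: the caller's
# own logon token is filtered (admin SIDs made deny-only, most privileges
# dropped) before the child starts. %TEMP% is expanded by cmd in the child.
$child = 'cmd.exe /c whoami /groups > %TEMP%\trustlevel-report.txt & whoami /priv >> %TEMP%\trustlevel-report.txt'
runas /trustlevel:0x20000 $child

# runas returns immediately; give the child a moment to write its report.
$deadline = (Get-Date).AddSeconds(15)
while (-not (Test-Path $report) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 200
}
if (-not (Test-Path $report)) { throw "child produced no report at $report" }
$lines = Get-Content $report

# Step 3: the two checks a defender cares about.
#   - Administrators appears only as "Group used for deny only" (expected
#     true when the caller is an admin; the line is absent for a plain user).
#   - SeDebugPrivilege is not in the child's privilege list.
$adminDenyOnly = @($lines | Where-Object {
    $_ -match 'BUILTIN\\Administrators' -and $_ -match 'deny only' }).Count -gt 0
$debugLeft = @($lines | Where-Object { $_ -match 'SeDebugPrivilege' }).Count -gt 0

"Administrators deny-only : $adminDenyOnly"
"SeDebugPrivilege present : $debugLeft"
"Privileges left in child token:"
$lines | Where-Object { $_ -match '^Se\w+Privilege' } | ForEach-Object { "  $_" }
```

Run the same script with /trustlevel:0x40000 (Unrestricted) to see the baseline token for comparison; the deny-only group and the shorter privilege list are what distinguish the 0x20000 child.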
cnodnarb, Professional Member. Joined: 11 Sep 2002. Posts: 766. Location: Eastman, GA
Posted: Tue May 10, 2011 3:33 pm
I FOUND IT!!!!!
It has the same exact behavior I saw a few years ago when implementing the aforementioned presentation system on Vista (which failed for that project, but I'm glad it happened because it's PERFECT now).
Thanks!
[edit]Trying to not have loose lips... anyone have a spare zipper you can sew to my mouth?[/edit]
[edit2]
Now I have to determine the extent of the permission denials... vdsx extensions/external calls are probably out... not sure... no registry... no file system... will we be able to call JavaScript within the browser DOM solution... I don't know... I just made a LOT of work for myself... but sandboxing is achieved.[/edit2]