How to run in standard account a program requiring admin cedentials ?

[tom982]

I asked and I have been advised that you should upgrade to Windows 7 as it has "more lenient admin rights" and "won't ask for admin privileges".

Whilst you consider that, can you upload the .exe file of the program please? Attach it with your next post. I'll have a go at changing the manifest inside it to force it to run under a standard account. I've never done this before - or anything like this in fact - but its worth a shot
Tom

I have a Win 7 installation on this system too but all the games are still on Vista and I wasn't considering taking the leap before at least how it works was more clear to me (e.g. to avoid repeating the same scheme in Win 7). As my Win 7 ca, "see" Vista's disks, I tried to launch the game from there and it worked but it also requests me to confirm if I allow to "run this unknown code" (the famous UAC for consent under Amdin accounts).

As far as modifying the exe is concerned, after reading the post following yours, are you sure you still want to do that ? Besides, it appears that 4 .exe are in the "/bin" folder of the game with some .dll's and more. here is what this folder looks like:

 Directory of C:\Program Files\Frogster\Mythos\bin

21/07/2011  04:47    <DIR>          .
21/07/2011  04:47    <DIR>          ..
29/12/2010  03:25           167.936 binkw32.dll
24/12/2010  02:39         3.497.832 d3dx9_34.dll
27/07/2011  23:49                82 FileVersion.xml
21/07/2011  04:39           798.720 fmodex.dll
29/12/2010  03:25           492.032 granny2.dll
29/12/2010  03:25         1.568.768 libmysql.dll
21/07/2011  04:47         7.196.672 [COLOR=Blue][B]Myth.exe[/B][/COLOR]
23/03/2011  15:33           258.048 MythosGDF.dll
21/07/2011  04:39                82 NetworkInfo.ini
21/07/2011  04:36         6.238.208 [COLOR=Blue][B]PakTool.exe
[/B][/COLOR]21/07/2011  04:34    <DIR>          StringMsg
06/01/2011  13:36             2.025 StringMsg.txt
21/07/2011  04:47    <DIR>          Update
21/07/2011  04:36                70 UpdateInfo.ini
21/07/2011  04:36         3.293.184 [COLOR=Blue][B]Updater.exe[/B][/COLOR]
23/03/2011  15:10           409.600 [COLOR=Red][B]UpdaterRun.exe[/B][/COLOR]
06/01/2011  07:40            98.304 XPva03.dll
              15 File(s)     24.021.563 bytes

The setup process creates a shortcut pointing to UpdaterRun.exe.
The game also can be dowloaded and installed from Mythos Website.
Considering the above warnings, do you need some specific file from my installation ? I can pack it in a 7z archive and attach it.
Thanks again for your support. :-)

Sounds like I better not do it then! You're in much better hands with Richard, I'm sure he'll be able to sort you out

Hello again!

This question has actually been discussed at great length before, and in fact there *is* one solution. However, that solution is not perfect, and you need to decide whether or not you want to use this solution. But to make an informed decision, you must first fully understand all of your options, and their implications.

This discussion is going to include the following topics:

encryption
encoding
passwords
security
layers of security
authentication
mathematics (only if I get carried away in explaining how encryption algorithms work - a fascinating subject - for a simple introduction to the simple RSA: RSA Algorithm Explained Using a Simple "Pencil And Paper" Method and for the proofs: RSA - Wikipedia, the free encyclopedia)
polymorphism and encapsulation (only joking about those last two! They are programming terms, and not relevant to this discussion)

Unfortunately, I do not have time to write this now, because I am going to the cinema with my new family

I will be back later today,

Richard

Thanks for taking over Richard Sounds intriguing

Have fun at the cinema!

Tom

 

[aschwarzie]

Hi Richard,
Wel... I accept to dive into such discussions if and only if you substitute the quite disappointing loss of "encapsulation" and "polymorphism" by the more saucy "obfuscation" and "hashing" ?
I'll patiently wait for your return from the cinema, as I might also be taking some leisure time now ;-)
Cheers !

PS: Thanks again Tom for your very appreciated assistance.

 

[niemiro]

Hello again!

First, can I please stress that you must understand the security connotations involved here, and to stress that you should ask questions where you don't understand.

There is one built in and easy solution to this in Vista Business, Vista Enterprise, and Vista Ultimate - not what you have.

That is:

runas /savecred /user:DOMAIN\USER "C:\Program Files\Path\To\The\Game.exe"

Now you put in the password just once more, update the game's shortcut to instead of pointing to the actual game, to point to runas.exe, with the above arguments.

This is the little known designed solution for this problem.

However, this is actually a bit of a security risk. Read here: RUNAS /SAVECRED is huge security hole

Therefore, I would always advise you to NEVER EVER EVER save credentials for the root Administrator account name, which can be used in a non-specific attack.

If someone has physical access to the PC, nothing is safe, and in fact it is far quicker to remove the admin password (far easier than you might think - two minutes at max for a prepared hacker) than to crack it.

From http://technet.microsoft.com/en-us/library/cc722487.aspx:

"Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"

This is the most important thing to remember. If we only introduce a security hole which is only accessible physically, it really doesn't matter. A hacker won't look for it, he will just use one of the common and more powerful holes which exist on every computer and can't be fixed by Microsoft.

From http://blogs.msdn.com/b/oldnewthing/archive/2004/11/29/271551.aspx:

"If it were possible to pass the password on the command line, people would start embedding passwords into batch files and logon scripts, which is laughably insecure."

Laughably insecure it really is.

You have your choices:

• Upgrade your children to an admin account
• Type in the password every time
• Ban admin games (not a sensible solution, I know. I am trying to list *everything* which I can think of)
• Remove your password
• Use a workaround method to embed that password into a batch files - this can be extended by using an encryption algorithm to encode the password - however, I will explain later, we can never truly encrypt the password)

You can use SendKeys in a Visual Basic Script to create a virtual keypress - just like typing on the keyboard to "type" the password letter by letter and press enter (all done at lightning speed).

A keylogger virus would still be able to steal the password this way, but they would also be able to do this every time you type on the keyboard, so we shall forget about this.

The biggest problem is that your password is plain visible to your children if they open up the batch file.

However, if we encode the password, they would not recognise it. Your children may be able to open a batchfile and realise that the password is stored in plain text, but I doubt VERY much that they could sniff as it is decrypted and passed plaintext to runas. I doubt many other people on this forum could do that! That is NOT easy.

(in actual fact, if we do this, we will need an executable, and I would actually use CreateProcessWithLogonW

I will go into more details tomorrow about the exact implementation, and the security implications of doing this, so that you can make an informed decision tomorrow. I will also tie together all the loose ends on this very rambling post.

Please bear with me!

Richard

 

[niemiro]

Hi Richard,
Well... I accept to dive into such discussions if and only if you substitute the quite disappointing loss of "encapsulation" and "polymorphism" by the more saucy "obfuscation" and "hashing" ?
I'll patiently wait for your return from the cinema, as I might also be taking some leisure time now ;-)
Cheers !

lol. I am sure that I can bring both obfuscation and hashing into tomorrow's post

 

[aschwarzie]

First, can I please stress that you must understand the security connotations involved here, and to stress that you should ask questions where you don't understand.

Well understood, count on me. Btw, I'm an IT professional, even if it didn't come through in my former posts, and all of the concepts you've enumerated so far are known to me. How Vista (or Win 7) work is however much less known to me.

There is one built in and easy solution to this in Vista Business, Vista Enterprise, and Vista Ultimate - not what you have.

That is:
runas /savecred /user:DOMAIN\USER "C:\Program Files\Path\To\The\Game.exe"

Now you put in the password just once more, update the game's shortcut to instead of pointing to the actual game, to point to runas.exe, with the above arguments.

This is the little known designed solution for this problem.

Yep I knew this one, as my post hee above dated 3 days ago mentions.

However, this is actually a bit of a security risk. Read here: RUNAS /SAVECRED is huge security hole

I've just read the article you refer to and I understand hat such possible "reusability" of the stored credentials is indeed a HUGE security hole -- I thought it would at least have been limited to only running the command that got the credentials initially.
However, as we both agree, this feature isn't available in Vista Home editions.

Therefore, I would always advise you to NEVER EVER EVER save credentials for the root Administrator account name, which can be used in a non-specific attack.

If someone has physical access to the PC, nothing is safe, and in fact it is far quicker to remove the admin password (far easier than you might think - two minutes at max for a prepared hacker) than to crack it.

From http://technet.microsoft.com/en-us/library/cc722487.aspx:

"Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"

I fully agree with all the above. But let's be honest: it's a private, home computer and all my really sensitive data are stored into a truecrypt hidden volume, protected by a STRONG pasword, according to Password Meter at least, and uses a two-factor authentication. My passwords are stored into a KeePass database. (Convinced now that I know a bit about this topic ? ;-).

This is the most important thing to remember. If we only introduce a security hole which is only accessible physically, it really doesn't matter. A hacker won't look for it, he will just use one of the common and more powerful holes which exist on every computer and can't be fixed by Microsoft.

Agreed. But again this is not the kind of security I'm willing to implement here.

From http://blogs.msdn.com/b/oldnewthing/archive/2004/11/29/271551.aspx:

"If it were possible to pass the password on the command line, people would start embedding passwords into batch files and logon scripts, which is laughably insecure."

Laughably insecure it really is.

I completely agree with that. The only place to have passwords stored is a password stored designed for this purpose -- and seriously protect its access by a strong password not stored on that system (not stored anywhere as far as I'm concerned).

You have your choices:

• Upgrade your children to an admin account
• Type in the password every time
• Ban admin games (not a sensible solution, I know. I am trying to list *everything* which I can think of)
• Remove your password
• Use a workaround method to embed that password into a batch files - this can be extended by using an encryption algorithm to encode the password - however, I will explain later, we can never truly encrypt the password)

About those options:

• Upgrade my children's account to admin -- I don't want them to install other games without my prior qualification and consent. Furthermore this may be a potential confidentiality and/or privacy risk I don't want to take;
• Type the password everytime is exactly what I'm doing now (except the couple of days where I disabled UAC);
• Ban admin games -- not my favourite indeed, but I haven't eliminated it yet;
• Remove my password -- ??? please clarify;
• Embed the password into a batch file, preferrably encrypted -- too early for me to decide, but might be worth considering imho if the encryption is "heavy enough";
• there is another option I would add here: create a dedicated bootable Windows partition only for these games, installed on a unique account with admin privileges.
  

You can use SendKeys in a Visual Basic Script to create a virtual keypress - just like typing on the keyboard to "type" the password letter by letter and press enter (all done at lightning speed).

A keylogger virus would still be able to steal the password this way, but they would also be able to do this every time you type on the keyboard, so we shall forget about this.

The biggest problem is that your password is plain visible to your children if they open up the batch file.

However, if we encode the password, they would not recognise it. Your children may be able to open a batchfile and realise that the password is stored in plain text, but I doubt VERY much that they could sniff as it is decrypted and passed plaintext to runas. I doubt many other people on this forum could do that! That is NOT easy.

If I understood well the last paragraph above, the admin password would be stored in the batch file, encrypted but in plain text (i.e. printable letters and numbers and some symbols) and decrypted with some process and passed to runas to elevate the privileges at admin level as the game is started with the runas ?
I have two questions:

• how is the "runas" going to work on the Vista Home (Premium) edition I have ?
• is/can the decryption process be protected by some password (e.g. a "game" password my kids would use to unlock this decryption mechanism) ?

(in actual fact, if we do this, we will need an executable, and I would actually use CreateProcessWithLogonW

I did not read this article which may go beyond my understanding, at least seen from a superficial level.

I will go into more details tomorrow about the exact implementation, and the security implications of doing this, so that you can make an informed decision tomorrow. I will also tie together all the loose ends on this very rambling post.

Please bear with me!

I'm bearing more than ever ! :-)

 

[aschwarzie]

Hi Richard,
I hope you're doing fine and all. I see the movie was kinda knocking you off ! ;-)
This little update to let you know that I applied the SP2 pack on my Vista Home Premium installation. I'm unsure this brings any opportunity to solving my request (I'm sure you'd have mentioned that long time ago), but I thought I'd mention it.
Best regards :-)

 

[aschwarzie]

Hullooow ? Anybody there ? ;-)

 

[tom982]

Hullooow ? Anybody there ? ;-)

Don't worry, we're still here, Richard (niemiro) is a very busy person, to be honest I don't understand how he can juggle so much at the same time! He'll be back

Tom