Edit

Share via

  • Article

[Newsletters Archive ^] [< Volume 7, Special Announcement] [Volume 8, Number 1 >]

The Systems Internals Newsletter Volume 7, Number 2

http://www.sysinternals.com
Copyright (C) 2005 Mark Russinovich

August 24, 2005 - In this issue:

  1. INTRODUCTION
  2. GUEST EDITORIAL
  3. WHAT'S NEW AT SYSINTERNALS
  4. SYSINTERNALS FORUM
  5. MARK'S BLOG
  6. MARK'S ARTICLES
  7. MARK'S SPEAKING SCHEDULE
  8. UPCOMING SYSINTERNALS/WINDOWS OS INTERNALS TRAINING

Winternals Software is the leading developer and provider of advanced systems tools for Windows.

Winternals is pleased to announce the release of two new products. Administrator's Pak 5.0 makes it easier than ever to repair an unstable, unbootable, or locked-out system with new tools such as the automatic crash analyzer, AD explorer, and Inside for AD,providing real time monitoring of AD transactions. Also new is Recovery Manager 2.0, providing customizable, powerful, ultra-rapid rollback for mission-critical servers, desktops, and notebooks to remotely restore a single system or thousands of systems simultaneously throughout the enterprise.

For full product details, multimedia demos, webinars, or to request a trial CD of either product, please visit http://www.winternals.com

INTRODUCTION

Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has 55,000 subscribers.

Visits to the Sysinternals web site continues to climb! In July, we had over 900,000 unique visitors. The most frequently accessed tool for the month was Process Explorer with 275,000 downloads! Since I update the tools frequently, make sure you're using the latest version. The best way to keep up with changes is to subscribe to my RSS feed at http://www.sysinternals.com/sysinternals.xml (and if you're not yet using RSS to keep up with web sites, you need to start!).

In this issue, Wes Miller, Product Manager at Winternals Software, shares his experience in running as a non-admin. We all say we should do it, but few computer professionals actually practice what they preach (myself included). Maybe I'll start soon...

--Mark Russinovich

GUEST EDITORIAL

Life as a non-administrator by Wes Miller

Odds are, on the computer you are reading this on, you are a local administrator. And sadly, the majority of users running Windows XP (NT and 2000 as well) run as local administrators because it takes significant work to ensure all applications and scenarios in an enterprise work without users being admins - so... we take the easy way out and make the world administrators. This is not good.

So, I decided recently to run as a normal user (Power User, as many know, is not a safe account to use as it has privileges that can permit an escalation of privilege attack and become a member of the Administrators group).

My first thought was to use the wonderful Windows XP Fast User Switching functionality; I could log into my non-admin and admin account and just switch back and forth between sessions. But unfortunately that that feature is not available when you join a domain (too bad for business users).

My second thought was to use RunAs, but it (or a shortcut defined to use alternate credentials) always prompts for a username and password. That also was not acceptable, as I didn't want to manually enter my administrative credentials each time I ran an app that needed admin rights.

So, since I've used the Sysinternals tools for years, I asked Mark Russinovich to make PsExec work if I'm not an admin. The reason PsExec did not work out of the box is that it installs a small service which then does the work; installing the service requires admin credentials, which of course wouldn't work from my non-admin account.

Mark graciously enhanced PsExec so that now if you specify alternate credentials AND are running a process on the local system, PsExec creates the process as a child process with the alternate credentials (and no longer creates the service to create the child process).

This allowed me to set up shortcuts to run my favorite admin apps using PsExec to launch the process.

Ah, but PsExec (and RunAs) can't run *.cpl and *.msc files - at least not directly from the command-line. Perhaps out of laziness, perhaps because I wanted something seamless - I created a small WSH script that takes any exe, specific file to open, and any parameters, and named it run.vbs. Now I just run run.vbs with whatever I want to open (even MMC consoles or control panel applets) and it's pretty much seamless. Here is the command-line I run in the WSH script:

psexec.exe -d -i -e -u Administrator -p password cmd /c start
executable | file | parameters

One of the most significant catch-22's that I have not been able to overcome is installing software that must be installed as a specific user. The best (worst?) example of this I've seen is the freshly introduced Google Desktop. You have to be an administrator to install (of course), and it actually has logic in it to block installation if you try to use RunAs or PsExec - returning the message, "Installing Google Desktop under different credentials than the active user is currently not supported." I don't quite get why, aside from the fact that it helps reduce their test matrix. To get around it without logging off, I launched a command prompt as Administrator, added myself to the Administrators group, used PsExec to run a command prompt as myself, (since Explorer was confused about my group membership), and ran it again. Worked fine. When it was done, I dropped myself back out again.

No, not dead easy, but it meant my account was only a member of the Administrators group for a minimal amount of time - and I never had to log off.

Note that I have not linked to or mentioned DropMyRights as a technique to secure a system - I don't believe it is. Running as non-admin secures your system. Selectively running dangerous apps as non-admin does not - it may reduce risk somewhat - but I don't believe it is a practice that should be encouraged.

To sum it all up, switching from an administrator account to a user account for your daily use is one thing you can do to reduce the attack surface that your use of your Windows system exposes. I encourage you to give it a try and record your experiences.

WHAT'S NEW AT SYSINTERNALS

Lots of tools were updated since the last newsletter in April. The two with the biggest enhancements were Process Explorer and Autoruns. Here is a detailed list of changes by tool:

Process Explorer V9.25

  • unified 32-bit and 64-bit (x64) binary
  • supports Windows Vista
  • now displays 64-bit user and kernel-mode stack information
  • lists 32-bit loaded DLLs for 32-bit (Wow64) processes on 64-bit systems
  • in-memory image string scanning and packed image highlighting
  • process window manipulation (minimize, maximize, etc)
  • new column option for information on signed images
  • option to display a real-time CPU graph in tray icon
  • CPU graph and I/O delta columns to the process view
  • view and edit process security descriptors (see Security tab of process properties)

PsTools v2.2

  • PsShutdown includes a -v switch for specifying the duration the notification dialog displays or omitting the dialog altogether
  • PsLoglist has a time formatting fix for its csv output
  • PsInfo now shows full hotfix information, including IE hotfixes
  • PsExec now works like Runas when you run commands on the local system, allowing you to run it from a non-administrator account and script the password entry

Filemon v7.01

  • clearer error messages for when an account does not have privileges required to run Filemon or Filemon is already running
  • consolidates the 32-bit and 64-bit (x64) versions into a single binary

Autoruns v8.13

  • different autostart types now separated onto different tabs of the main window
  • new "Everything" view that gives you a quick view at all configured autostarts
  • new autostart locations including KnownDLLs, image file hijacks, boot execute images, and more Explorer and Internet Explorer add-on locations
  • shows more information about images
  • supports 64-bit Windows XP and 64-bit Windows Server 2003
  • integrates with Process Explorer to show details of running autostart processes

DebugView v4.41

  • now captures kernel-mode debug output on x64 versions of 64-bit Windows and supports toggling between clock time and elapsed time modes

Handle v3.1

  • single executable supports both 32-bit Windows and x64 Windows XP and Windows Server 2003

RootkitRevealer v1.55

  • more sophisticated rootkit detection mechanisms, setting the stage for the next round of escalation by the rootkit community

Ctrl2cap 64-bit Update

  • Ctrl2cap now works on 64-bit Windows XP and Windows Server 2003

TCPView v2.4

  • the domain-name lookup functionality of the Sysinternals Whois utility is now available in TCPView

SYSINTERNALS FORUM

Come visit one of the 14 interactive Sysinternals forums (http://www.sysinternals.com/Forum). With over 1500 members, there have been 2574 posts to date in 945 different topics.

MARK'S BLOG

My blog started since the last newsletter - here are the posts since the last newsletter:

  • Unkillable Processes
  • Running Windows with No Services
  • The Case of the Periodic System Hangs
  • Popup Blocker? What Popup Blocker?
  • An Explosion of Audit Records
  • Buffer Overflows in Regmon Traces
  • Buffer Overflows
  • Running Everyday on 64-bit Windows
  • Circumventing Group Policy Settings
  • The Case of the Mysterious Locked File
  • .NET World Follow Up
  • The Coming .NET World - I'm scared

To read the articles, visit http://www.sysinternals.com/blog

MARK'S ARTICLES

Mark's two most recent articles in Windows and IT Pro Magazine were:

  • "Unearthing Rootkits" (June 2005)
  • Power Tools column: getting the most out of Bginfo

These are available online to subscribers at http://www.windowsitpro.com/

MARK'S SPEAKING SCHEDULE

After highly rated talks at Microsoft TechEd in Orlando and Amsterdam, I'm enjoying a quieter summer. My TechEd Orlando breakout session, "Understanding and Fighting Malware: Viruses, Spyware and Rootkits", was one of the top 10-rated sessions at TechEd, viewed live by over 1000 TechEd attendees and webcast live to over 300 web viewers. You can watch the webcast on demand at http://msevents.microsoft.com/cui/eventdetailaspx?eventID=1032274949&Culture=en- US

Events I'll be speaking at in the upcoming months include:

  • Windows Connections (November 2, 2005, San Francisco, CA) - http://www.devconnections.com/shows/winfall2005/default.asp?s=61
  • Microsoft 2005 Professional Developers Conference (preconference tutorial September 11, 2005, Los Angeles) - http://commnet.microsoftpdc.com/content/precons.aspx#PRE07
  • Microsoft IT Forum (November 14-18, 2005, Barcelona, Spain) - http://www.mseventseurope.com/msitforum/05/Pre/Content/PreWindows.aspx

For the latest updates, see http://www.sysinternals.com/Information/SpeakingSchedule.html

LAST PUBLIC INTERNALS/TROUBLESHOOTING CLASS FOR 2005: SAN FRANCISCO SEPTEMBER 19-23

If you're an IT professional deploying and supporting Windows servers and workstations, you need to be able to dig beneath the surface when things go wrong. Having understanding of the internals of the Windows operating system and knowing how to use advanced troubleshooting tools will help you deal with such problems and understand system performance issues more effectively. Understanding the internals can help programmers to better take advantage of the Windows platform, as well as provide advanced debugging techniques.

In this class, you'll gain an in-depth understanding of the kernel architecture of Windows NT/2000/XP/2003, including the internals of processes, thread scheduling, memory management, I/O, services, security, the registry, and the boot process. Also covered are advanced troubleshooting techniques such as malware disinfection, crash dump (blue screen) analysis, and getting past boot problems. You'll also learn advanced tips on using the key tools from www.sysinternals.com (such as Filemon, Regmon, & Process Explorer) to troubleshoot a range of system and application issues, such as slow computers, virus detection, DLL conflicts, permission problems, and registry issues. These tools are used on a daily basis by Microsoft Product Support and have been used effectively to solve a wide variety of desktop and server issues, so being familiar with their operation and application will assist you in dealing with different problems on Windows. Real world examples will be given that show successful application of these tools to solve real problems. And because the course was developed with full access to the Windows kernel source code AND developers, you know you're getting the real story.

If this sounds intriguing then come to our last public hands-on (bring your own laptop) Windows internals & advanced troubleshooting class in San Francisco, September 19-23 (our 2006 schedule is not yet finalized, but will likely include Austin in the spring, London in June, and San Francisco again in September 2006). And if you have 20 or more people, you may find it more attractive to run a private on-site class at your location (email seminars@... for details).

For more details and to register, visit http://www.sysinternals.com/Troubleshooting.html

Thank you for reading the Sysinternals Newsletter.

Published Wednesday, August 24, 2005 4:34 PM by ottoh

[Newsletters Archive ^] [< Volume 7, Special Announcement] [Volume 8, Number 1 >]