AvineshwarGartner-8511 asked RLWA32-6355 commented

Differentiate between a "direct" (i.e. "directly" started by a user) and a non-direct (i.e. started on behalf) process

Background:
I am working on a project that is supposed to control whether an application should be allowed to execute or not, as well as handle UAC for the users, i.e. a user, at the maximum, only sees a customized consent screen and never a credential prompt. I intercept the process and block the execution while our custom code is executing and making some determination about the file (now, process). For some background, running custom code is possible since I use a privilege management system where there is an option to run custom code. There were multiple issues, and I am more or less past that, i.e. the project works. I have tested around ~150 setups (pre and post install) and they all seem to be fine; of course, each of these apps has not been tested thoroughly, considering them as out-of-scope, as well as there are obviously 1000s of apps out there and covering them is the intention. Now, a few technical decisions that were made to make this project possible are anti-best-practice. That said, I still went that route since that seemed to be the only possible solution for this based on my exposure to Windows Internals.

Problem:
Determine if a process is invoked "directly" by a user
Solution:
If an (immediate, not anywhere in the process tree) invoking process matches from a list of processes (e.g. explorer, cmd, powershell, runtimebroker, chrome, firefox), then it has to be invoked directly by user. I know there are edge cases to this (e.g. there are non-direct processes where a parent could match as per this logic). The implementation ensures we gracefully handle them.
Caveat(s):
Since I only allow (directly) user-started processes after they meet certain criteria, this is an "explicit deny" logic. I prefer "implicit deny" and "explicit allow".
Ask:
Is there a simple and better way to detect whether a process has been "directly" started by the user? Is there some Windows API that can do this for me? If not, why is this hard to implement, not possible, or not worthy?

Whatever suggestions are provided, please share some documentation, if available, as that is going to help in more than one way.

Tags: windows-10-general, windows-api

Castorix31 answered RLWA32-6355 commented

Is there a simple and better way to detect whether a process has been "directly" started by the user? Is there some Windows API that can do this for me? If not, why this is hard to implement or not possible or not worthy?

Not sure if it will help you, but you can get the parent of a process with
NtQueryInformationProcess and InheritedFromUniqueProcessId flag
I had posted a sample in C# in this thread to differentiate a process launched from Explorer or from the Task Scheduler

@Castorix31

Hi,

Thanks for your response. I already have the PPID and PPNAME at my disposal and that's what I am referring to in my evaluation, but it doesn't really mean a user has directly started something, or does it? (If yes, is there some documentation that confirms?) The fundamental question I have is, keeping user-initiated (e.g. desktop, start menu, something else) action in mind, is there a true-true way to know if it was a user who did that? (e.g. using some direct API, or creating a correlation from multiple data points like: keypress-event/mouse-down-event AND the PPNAME)

From what I have researched and found based on my experiments is that the PPNAME could alternate between runtimebroker.exe (if Start Menu is used) AND explorer.exe (if Desktop/WinExplorer is used) irrespective of the event source (e.g. mouse OR keyboard; but it has to be one of them unless of course there is some magic feature that imitates a keypress or mouse click on an app based on highlight).

0 Votes 0 ·
RitaHan-MSFT (replying to AvineshwarGartner-8511):

It seems @Castorix31's solution can differentiate how the application is started. Could you tell what "really user has directly started" means, or give some examples of "really directly" and "not really directly"? And what is your concern about the application's starting method? Could you share your use case?

0 Votes 0 ·

Keeping Windows aside, "directly" would be user starting an app directly via some Human Interface Device (HID) using:
- desktop shortcut, or,
- pinned shortcut, or,
- start menu, or,
- searching from the start menu

Consequently, "not directly" is simply any process not started via HID directly, say, a spawned process from a root process (which a user must have started via some HID interaction; that would be called a "parent" process generally).

When I start an app using a desktop shortcut (by pressing RETURN, OR, by double clicking it), parent is explorer.exe. Is that sufficiently reliable though? What happens if I search an app (say, WhatsApp or Vivaldi) using the Start Menu and then do the same HID interactions. It would rather be runtimebroker.exe (due to the nature of the app in this case). Is that correct? If yes, am I clear?

0 Votes 0 ·

Also, by correlation, I mean, in theory, do something like this:

  • Identify the current window (not sure what happens in the case of Start Menu)

  • Identify the position of what is currently highlighted

  • Detect the RETURN-key press event, OR, identify mouse-down event with its click positioning

  • Figure out if there was a direct match or a vicinity match

  • If true, this is a user-initiated action, else, this is not a user-initiated action

Caveats:
- Some application code (e.g. MACROs) can be used to mimic this behavior

0 Votes 0 ·
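The immediate-parent allowlist from the question's "Solution" combined with the parent-PID lookup Castorix31 mentions, as an added example that is not code from any poster in this thread. It assumes an illustrative allowlist built from the question's examples and reads the parent PID through Win32_Process (the same value NtQueryInformationProcess returns as InheritedFromUniqueProcessId), adding the creation-time check a practitioner needs because Windows never updates that field after the parent exits.

```powershell
# Added example, not code from any post in this thread.
# Classifies a running process with the immediate-parent allowlist the question
# describes. Win32_Process.ParentProcessId carries the same value that
# NtQueryInformationProcess returns as InheritedFromUniqueProcessId. Windows never
# updates that field, so a parent that has exited may have had its PID recycled;
# the creation times are compared before the match is trusted.

# Assumption: illustrative allowlist built from the question's examples.
$DirectLaunchers = @('explorer.exe', 'runtimebroker.exe', 'cmd.exe',
                     'powershell.exe', 'chrome.exe', 'firefox.exe')

function Test-DirectLaunch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('Id')]
        [int]$ProcessId
    )
    process {
        $child = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
        if (-not $child) { throw "Process $ProcessId not found" }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"
        $verdict = 'indirect'
        $reason  = 'parent not in allowlist'

        if (-not $parent) {
            # Recorded parent is gone, so its PID cannot be validated at all.
            $verdict = 'unknown'; $reason = 'parent exited'
        }
        elseif ($parent.CreationDate -gt $child.CreationDate) {
            # A "parent" younger than its child means the PID was reused.
            $verdict = 'unknown'; $reason = 'parent PID reused'
        }
        elseif ($DirectLaunchers -contains $parent.Name) {
            $verdict = 'direct'; $reason = "parent is $($parent.Name)"
        }
        [pscustomobject]@{
            ProcessId  = $child.ProcessId
            Name       = $child.Name
            ParentId   = $child.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { $null }
            Verdict    = $verdict
            Reason     = $reason
        }
    }
}

# Usage: classify every process that owns a top-level window.
Get-Process | Where-Object MainWindowHandle -ne 0 | Test-DirectLaunch | Format-Table
```

A "direct" verdict only tells you which process called CreateProcess; as the comments above note, it cannot distinguish a real keypress or click from a macro driving the same launcher.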
MotoX80 answered

What is the vulnerability that you are trying to address? Are you just trying to prevent someone from programmatically doing SendKeys and using your app?

What about implementing a "Click on all pictures that show a flower" CAPTCHA process as part of your "customized consent screen"? Now I realize that putting flowers on the screen might not be appropriate in a business environment, but from my experience of trying to automate applications it isn't easy to "read" the screen from code. As you noted, maybe just monitoring the mouse position would suffice. Display a graphic that has instructions to move the mouse over an image. Or something like that. Within the main form you should be able to reference X/Y mouse coordinates and detect "human" activity.


AvineshwarGartner-8511 answered AvineshwarGartner-8511 commented

@MotoX80
Well, I have not built an app, this is a framework where other applications operate in (e.g. Microsoft Word, WinRAR, WinZip, Zoom). I want to control what applications can be installed and then further be operated just fine. So, to that extent, this is a privilege management system. For comparison, and if you are familiar, imagine an amalgamation of SRP and AppLocker, with more things (e.g. security token swapping/replacement).

So, talking WinForms won't be correct, as I don't inject/control anything in any app. I hook into Windows Kernel. I am assuming I am at the right place asking all these questions though, yeah?

Now, in theory, it does look like that in order to "truly" (like, really truly) detect if it was a user who just opened (well, tried to, since I intercept it right away before allowing it) an application (whether via Desktop, Start Menu, pinned shortcut, and so on), the things that go into this are: input device and/or location of cursor AND immediate parent process.


I hook into Windows Kernel. I am assuming I am at the right place asking all these questions though, yeah?

This thread is only tagged as Windows-10-General. You might need to add other tags to get to users who have more of a developers focus. C++, winapi-general, winapi-sdk, maybe others. Maybe someone from the MS staff could help you.

1 Vote 1 ·

Yes, I wasn't sure so that's how I started. Just improved on them. Thanks.

0 Votes 0 ·