Secure Desktop Prompting : Always Run As Administrator

I’m a PC, and Windows 8 will be partially my idea.

User Account Control

The main goal of UAC (User Account Control) is to limit application
software to standard privileges until an administrator authorizes
an elevation of privileges.
Applications trusted by the user/admin may be granted administrative
privileges, while malware is prevented from executing on the desktop.

This article describes how to grant semi-permanent authorization to
certain programs specified by the administrator, on a secure desktop.
The main user interface looks, sounds, and acts like the real thing,
only better! It’s a bold statement, but that’s how I roll.

Update 12/01/09-12/24/09

This article's source files have been updated with the following changes.

  1. The .NET Process component is now used, so that the SecureString data type protects the password until it’s transferred and disposed of.
  2. It validates credentials and starts applications from a “Sub Main”, so it loads a little faster now.
  3. The Administrator password is set on the fly, so that whatever password is typed changes that user's password and authorizes the program with it. Previous authorizations become inactive when passwords are changed.
  4. The background imagery mirrors the particular operating system that it is being displayed on, so that the shields are appropriately colored.

Outline

There are four main elements to achieving this.

  1. A kiosk-like desktop that’s protected from input and execution.
  2. Proper declaration and call of the CreateProcess API,
    so that processes can be launched on the new desktop.
    This was real tricky to get right while upgrading the old style declarations.
  3. A declaration and proper call to the CreateProcessWithLogon API.
  4. An encryption routine, to obscure your password, user name,
    and path to the executable shortcut.
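
The second outline item, as an added example (not the article's own source files): a VB.NET program that creates a new desktop, starts a process on it through STARTUPINFO.lpDesktop, and switches back when that process exits. The module name, the generated desktop name and the default Notepad path are assumptions made for illustration.

```vb
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Module DesktopLaunchDemo   ' hypothetical name; added example, not the article's code
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)>
    Structure STARTUPINFO
        Public cb As Integer
        Public lpReserved, lpDesktop, lpTitle As String
        Public dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags As Integer
        Public wShowWindow, cbReserved2 As Short
        Public lpReserved2, hStdInput, hStdOutput, hStdError As IntPtr
    End Structure
    Structure PROCESS_INFORMATION
        Public hProcess, hThread As IntPtr
        Public dwProcessId, dwThreadId As Integer
    End Structure

    Declare Unicode Function CreateDesktop Lib "user32" Alias "CreateDesktopW" (name As String, device As IntPtr, devmode As IntPtr, flags As Integer, access As Integer, sa As IntPtr) As IntPtr
    Declare Function OpenInputDesktop Lib "user32" (flags As Integer, inherit As Boolean, access As Integer) As IntPtr
    Declare Function SwitchDesktop Lib "user32" (hDesktop As IntPtr) As Boolean
    Declare Function CloseDesktop Lib "user32" (hDesktop As IntPtr) As Boolean
    Declare Unicode Function CreateProcess Lib "kernel32" Alias "CreateProcessW" (app As String, cmdLine As IntPtr, procAttr As IntPtr, threadAttr As IntPtr, inherit As Boolean, flags As Integer, env As IntPtr, curDir As String, ByRef si As STARTUPINFO, ByRef pi As PROCESS_INFORMATION) As Boolean
    Declare Function WaitForSingleObject Lib "kernel32" (handle As IntPtr, ms As Integer) As Integer
    Declare Function CloseHandle Lib "kernel32" (handle As IntPtr) As Boolean
    Const GENERIC_ALL As Integer = &H10000000
    Const DESKTOP_SWITCHDESKTOP As Integer = &H100

    Sub Main(args As String())
        ' Program to run: first argument, else Notepad (assumed default for the demo).
        Dim exe As String = If(args.Length > 0, args(0), Environment.ExpandEnvironmentVariables("%SystemRoot%\System32\notepad.exe"))
        Dim name As String = "Demo_" & Guid.NewGuid().ToString("N")      ' constructed desktop name
        Dim hOld As IntPtr = OpenInputDesktop(0, False, DESKTOP_SWITCHDESKTOP)  ' handle used to get back
        Dim hNew As IntPtr = CreateDesktop(name, IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero)
        If hNew = IntPtr.Zero Then Throw New Win32Exception()
        Try
            Dim si As New STARTUPINFO()
            si.cb = Marshal.SizeOf(GetType(STARTUPINFO))  ' cb must hold the marshaled structure size
            si.lpDesktop = name                           ' child is created on the new desktop
            Dim pi As New PROCESS_INFORMATION()
            If Not CreateProcess(exe, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, False, 0, IntPtr.Zero, Nothing, si, pi) Then Throw New Win32Exception()
            SwitchDesktop(hNew)                           ' make the new desktop the visible one
            WaitForSingleObject(pi.hProcess, -1)          ' -1 = INFINITE: stay until the program closes
            CloseHandle(pi.hThread) : CloseHandle(pi.hProcess)
        Finally
            SwitchDesktop(hOld)                           ' always return, even if the launch failed
            CloseDesktop(hNew) : CloseDesktop(hOld)
        End Try
    End Sub
End Module
```

Window messages and hooks are scoped to a single desktop, which is what keeps input on the new desktop away from programs running on the default one. Passing no security attributes to CreateDesktop leaves the default access control in place, so a process running as the same user that learns the desktop name can still open it.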

Key features

  1. It’s simpler to use common programs that have already been granted privileges once.
    Malware cannot launch these applications with your granted permission either.
    Only the user knows where this application and/or its link is located, and what it opens.
    This feature will encourage users NOT to turn off the UAC completely!
    It is best to use a Standard or split token account anyway, but now you can “white list”
    certain programs as the true administrator. It’s the best of both worlds, because the remaining UAC prompts will be more suspicious.
    Read more about the pros/cons of usability versus security of the UAC when it was first designed (Windows Team Blog).
  2. The ability to launch a small group of programs while on the secure desktop is a unique feature that Microsoft should integrate into the UAC on Windows 8.
    As of now, Windows allows you to input a password safely there, but then returns you back to the jungle. A safe place to elevate and use high level programs would avoid snooping programs that wait until after you have granted elevation, and then automate the user interface. For example, the Task Manager displays the elevation button until you elevate. Malware can then spring into action after being dormant.
  3. It’s compatible with 2k/XP/Vista/7, {32-64 bit}.
    Why not offer backwards compatibility to existing XP administrators? No worries, got your back.
    This is an immediate security upgrade to the wide open “Run As” window, which allows keyloggers to snatch your password as shown below.

This flaw exists in Vista and Windows 7 as well. Yikes!

XP users should run their PC with a standard account. Vista/7 users should run a split token account, or in other words a user that is in the administrators group, thus avoiding password phishing. In the past and still today, a lot of people don’t use a standard account, because you can’t do much of anything without getting access denied messages, and many programs actually need higher privileges to operate as designed.

It is a sound security idea, but it’s highly unusable in its stock form. Now you can have your cake, and eat it too.
You can safely use a restricted account to protect the system against software attacks, but not be restricted by it, when using it normally.

In addition, passwords cannot be sniffed on a secure desktop object, as opposed to the “Run As” window, which is completely naked on the default desktop, as shown above.

Setup (Updated)

Administrator activation is now seamless with first time use.

Vista and Windows 7

The included manifest file requires the user to elevate the program to set it up on Vista and Windows 7.
If the manifest file is deleted after setup, the program will run with *{reduced functionality}.

2k and XP

On 2K/XP systems, you will have to log into an existing administrator account to set up the program.
After the setup is complete, Standard accounts will be able to run it, but only with reduced functionality.

* When running with reduced functionality, the program will not be able to save files in restricted folders like “Program Files” or “System32”. It also will not be able to change passwords on the fly, but it will still be able to make use of an existing password to authorize shortcuts.

Usages

The sample application and source files included in this article,
can be used in five ways, four of which are distinctive.

The most secure way to make permanent authorizations is to have the program run at the welcome screen (boot), as I’ve outlined in my On Screen Keys article last month. That way your password would be safe at the welcome screen. However, at the moment there are virtually zero high-level hacks against this kind of program on a secure desktop object like that of an ATM machine, so you can feel very secure while using it.

  1. Always Run As Administrator

    Run the program and it will enter a secure desktop,
    where you can enter your password, user name, location, and path to the file
    that you want to “Always run as administrator”.
    Click OK > Yes.
    The program then becomes an administrative shortcut,
    that will always open the specified path with administrative privileges.
    It will also create a regular shortcut, for you to place on the desktop,
    taskbar, start menu, or desired location, that way you can quickly access the shortcut at any time.
  2. Run On Secure Desktop

    Run the program and enter a secure desktop, where you can provide the password,
    to run almost any application in this secure environment,
    without fear of keyloggers etc.
    You don’t have to “always” run as administrator, either. Just close the app, and no settings will be saved or remembered.
  3. Run On Secure Administrator Desktop

    Run the program and enter a secure desktop, where you can provide the password. Then open explorer.exe, usually located here:

    C:\Windows\explorer.exe

    This will show the taskbar and start menu of the administrator. The desktop will have been given a unique number that you should remember for this session (see illustration below). Now if you leave the administrator desktop by closing any open applications,
    you may navigate back at any time by right-clicking the secure button and choosing which desktop you want to go to.
  4. Run On Default Desktop

    Run the program and enter a secure desktop, where you can provide the password, and then click the Desktop button to exit the secure environment.
    Now the program will run on the regular desktop, keeping your secured data.
    You can then minimize the application to the taskbar icon, so that it can
    be used as an administrative launch deck, by Right-clicking > Open.

You can even make a new verb that starts up this program by right-clicking an executable file, similar to the “Run as…” verbs.

Create a text file with Notepad, and paste the following contents. Then save the text (.txt) file as a registry (.reg) file. Now double-click it to enable the new verb in the registry.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\runasadmin]
"HasLUAShield"=""
@="Run as administrator always"

[HKEY_CLASSES_ROOT\exefile\shell\runasadmin\command]
@="C:\\Security\\UAC.exe %*"

In the regedit code above, you would need to change the path to your security program.

3. In method 3, the unique desktop name is found when you mouse over the “File origin:” as shown here.

To navigate to a particular desktop, right-click the Secure/Desktop button, and specify its name.

Secure Desktop

Default Desktop w/Tray Icon
