Comments on: Quickpost: Restricted Tokens and UAC

By: Preventing Malicious Documents from Compromising Windows Machines « Didier Stevens

Sun, 27 Sep 2009 13:33:50 +0000

[...] not talking about targeted attacks), restrict the user rights. Windows Vista and later versions do this for you with UAC, even if you’re an [...]

By: Didier Stevens

Didier Stevens — Wed, 22 Oct 2008 20:22:03 +0000

Your C# code works with the restricted token because UAC gave it the restricted token.
Start your C# code with “Run as administrator”, accept the elevation prompt, and your code will run with the normal administrator token.

By: SteveK

SteveK — Wed, 22 Oct 2008 08:36:46 +0000

You wrote: In Windows Vista, when an administrator is login on, 2 tokens are created: the normal token (with all administrative rights) and a restricted token.

This works against the restricted token:

WindowsIdentity user = WindowsIdentity.GetCurrent();
WindowsPrincipal princ = new WindowsPrincipal(user);
Console.WriteLine(“Is Administrator = {0}”, princ.IsInRole(WindowsBuiltInRole.Administrator));

QUESTION: How can I enumerate the “normal token” SID’s ?

By: Didier Stevens

Didier Stevens — Tue, 10 Jun 2008 10:59:10 +0000

I experienced this on my XP system where I use a non-admin account. Some applications require administrative access, so I would start them with a runas command with administrator credentials. And then I wouldn’t be able to drag and drop between this application and explorer. To be able to drag and drop, I needed to start another explorer application (like 2xexplroer) with administrator credentials, and then I could drag and drop between these two applications.

I don’t think this is a Vista or UAC problem, but is linked to drag and drop OLE.

Now for installing programs on my Vista box, I started to work like this:
- if the program needs to be installed, I’ll first try to find a portable version of the program and start to use this
- if there is no portable version, after having tested the program in a VM, I’ll install it on my Vista box, temporarily logging on with the administrator account.

By: Claus Valca

Claus Valca — Mon, 09 Jun 2008 00:33:32 +0000

I’ve noticed that tokens in Vista also seem to control the interaction of activities between applications.

For example, on my XP Home system, I blog using two applications: Firefox (3.0 nightlies) and Windows Live Writer.

On this platform I can drag and drop links and text from Firefox directly into WLW with no issues.

On our Vista (Home Premium) laptop, I cannot do this unless I launch both WLW and Firefox with the “Run as Administrator” method.

My Logitech wireless mouse has a highly-customizable scroll-click wheel which I have set to copy/paste actions. On XP I can copy/paste anywhere into anything. On Vista the same mouse and software refused to copy/paste between different applications until I set the auto-start Logitech process to launch as a scheduled task with “Run as Administrator” enabled. Took me a while to work that one out!

I actually like and think UAC is a good thing, but for many users, especially those who have always run under the administrator group rights, these extra levels of token control take some getting used to. Once the concept is understood things work good.

I do find it still confusing when deciding if I should install an application with “run as administrator” or not. Generally for security applications I do so, and for “standard” applications I do not. Not sure. I would assume the installer would handle that, but from what I’ve seen and experienced, sometimes with Vista you must install some apps that way, but it takes trial and error (and review of forums) to get it worked out.

Any ideas or guidance on this?

Thanks for the awesome posts!