Dailydave mailing list archives

Re: wanted: run_as_low_integrity command on Vista?


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Tue, 16 Jan 2007 15:29:23 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andrew,

Indeed, it seems like you can use not only chml, but also Vista's new
icacls command to do that - i.e. to set the integrity level of an
executable to low and then, when started (from within a process
running at medium IL), the new process will run with low IL. But that
seems to work only if you are starting the process in the context of the
current user...

However, if one uses the runas command (or Mark's psexec) to start a
process as a different user, then the new process gets medium IL,
despite the fact that its executable is marked with "Low Mandatory
Level" ACE. Any idea why that happens?

Also, in [1] a method for starting a medium IL process from within IE
running in Protected Mode (i.e. at low IL) is described - it requires
setting appropriate entries in the registry under
HKLM\Software\Microsoft\IE key.

The question is: is there any way to do that for other low integrity
processes, besides IE? E.g. I would like to allow my Thunderbird.exe
(running as low IL) to start gpg.exe at medium IL, without popping the
consent dialog box (as my Thunderbird typically starts gpg.exe a few
dozen times every day)?

joanna.

[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp


Andrew Cushman wrote:
Here's what Mark Russinovich said...


-----Original Message-----
From: Mark Russinovich 
Sent: Monday, January 15, 2007 9:27 AM
To: Andrew Cushman
Subject: RE: [Dailydave] wanted: run_as_low_integrity command on Vista?


I'm going to add support for this to Process Explorer in the near
future. In the meantime she can make a copy of cmd.exe and set its
integrity level to low using Mark Minasi's Chml tool:
http://www.minasi.com/vista/chml.htm

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Joanna
Rutkowska
Sent: Sunday, January 14, 2007 10:24 AM
To: dailydave
Subject: [Dailydave] wanted: run_as_low_integrity command on Vista?

Does anybody know of any *off-the-shelf* tool/command that could be used
to launch a process in low integrity mode on Vista? Something like:

runaslow <progname> <args>

joanna.

BTW, I read this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp

and I think I know how to do that in C - it's just that I can't believe
that MS (or at least Mark Russinovich) hasn't shipped such a tool...
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


-----BEGIN PGP SIGNATURE-----

iD8DBQFFrOFBORdkotfEW84RAoDtAJ9JrrQJfbFZc0M2p5YXhvRvES9JowCg01E7
qTG4+8jskNd4Yy9gkELQVr0=
=17yf
-----END PGP SIGNATURE-----
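
The icacls approach discussed in this message, as an added example that is not part of the original thread: it labels a copy of cmd.exe with a Low mandatory label, starts it as the current user, and reports the integrity level the child actually received. The working directory and file name are assumptions, and the script is assumed to run from a non-elevated (medium IL) PowerShell session.

```powershell
# Added example, not code from the thread. Directory and file names are hypothetical.
$src  = Join-Path $env:SystemRoot 'System32\cmd.exe'
$work = Join-Path $env:TEMP 'lowil-demo'     # hypothetical working directory
$copy = Join-Path $work 'cmd-low.exe'        # hypothetical name for the labelled copy

New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item -Path $src -Destination $copy -Force

# Put a Low mandatory label on the copy (the original cmd.exe is left untouched).
& icacls.exe $copy /setintegritylevel Low
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Show the resulting ACL; the mandatory label entry is listed with the other ACEs.
& icacls.exe $copy

# Well-known integrity-level SIDs, used instead of the localized label names.
$levels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
}

# Start the labelled copy as the current user and let it list its own token groups.
$groups = & $copy /c 'whoami /groups /fo csv /nh'
$match  = $groups | Select-String -Pattern 'S-1-16-\d+' | Select-Object -First 1
if (-not $match) { throw 'No integrity-level SID found in whoami output' }

$sid  = $match.Matches[0].Value
$name = if ($levels.ContainsKey($sid)) { $levels[$sid] } else { 'Other' }
"Child process integrity level: $name ($sid)"

# Integrity level of the launching session, for comparison.
$self = (whoami /groups /fo csv /nh | Select-String -Pattern 'S-1-16-\d+' |
         Select-Object -First 1).Matches[0].Value
"Parent session integrity level: $self"
```

Running the same whoami check in a process started through runas or psexec as a different user lets you compare the result with the behaviour described in the message.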