Running restricted — What does the “protect my computer” option mean?


If you’ve been reading my “non-admin” posts, by now I assume you have seen the Windows XP “Run As” dialog.  (If you haven’t, please read this post first:  “RunAs” basic (and intermediate) topics.)

 

The initial settings when the “Run As” dialog opens are to run the program as the current user, with an option selected to “Protect my computer and data from unauthorized program activity”.  It further states that “This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.”  What does that mean?  How do you decide whether to use it?  As far as I know, there hasn’t been any accurate public documentation about the “protect my computer” option, let alone any guidance as to when it might or might not work for any particular application.

 

The net effects

 

The bottom line is that the app runs with a “restricted token” that basically has these net effects:

  • Group membership:  If you were logged in as a member of Administrators, Power Users, or certain powerful domain groups, the app runs without the benefit of those group memberships.
  • Registry:  The app has read-only access to the registry, including HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.  The app has no access to HKCU\Software\Policies.
  • File system (assuming NTFS):  The app cannot access the user’s profile directory at all.  That includes “My Documents”, “Temporary Internet Files”, “Cookies”, etc.
  • Privileges:  The app has no system-wide privileges other than “Bypass traverse checking”.
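The effects in this list follow from how Windows evaluates a DACL against a restricted token: the object is checked once against the token's normal SIDs (with the powerful groups present only as deny-only entries, so their allow ACEs no longer count) and once against its restricting SIDs, and both checks must grant the access. The Python model below is an added example, not code from the original post; the RESTRICTED SID value is the one quoted in the comments, while the exact restricting-SID list and every ACL are constructed assumptions shaped like the profile folder and HKCU rather than copied from a real system.

```python
"""Toy model of the Windows DACL check against a restricted token.
Added example, not code from the post. SID strings are the real well-known
values; every ACL is constructed to mirror the effects the post describes."""
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2                   # simplified generic rights
FULL = READ | WRITE

SYSTEM, EVERYONE = "S-1-5-18", "S-1-1-0"
ADMINISTRATORS, USERS = "S-1-5-32-544", "S-1-5-32-545"
RESTRICTED = "S-1-5-12"                  # the sandbox SID named in the comments
USER = "S-1-5-21-1000-1000-1000-1001"    # constructed user SID

@dataclass
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

@dataclass
class Token:
    user: str
    groups: set                                  # enabled group SIDs
    deny_only: set = field(default_factory=set)  # groups that can only deny
    restricting: set = None                      # None = not a restricted token

def dacl_pass(acl, sids, deny_only, desired):
    """One ordered walk over the DACL: a matching denied ACE that overlaps the
    rights still wanted fails the check (deny-only SIDs do match here); an
    allowed ACE for a deny-only SID is skipped; other allowed ACEs accumulate."""
    remaining = desired
    for ace in acl:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        elif ace.sid not in deny_only:
            remaining &= ~ace.mask
    return remaining == 0

def access_check(token, acl, desired):
    """A restricted token is checked twice: the normal SID list must grant the
    access, and then the restricting SID list must grant it as well."""
    normal = {token.user} | token.groups | token.deny_only
    if not dacl_pass(acl, normal, token.deny_only, desired):
        return False
    if token.restricting is None:
        return True
    return dacl_pass(acl, token.restricting, set(), desired)

def protect_my_computer(token):
    """Approximation of the token "protect my computer" builds: powerful groups
    become deny-only; RESTRICTED (plus Users and Everyone, an assumption of
    this model) forms the restricting list. Privilege removal is not modelled."""
    powerful = {ADMINISTRATORS}          # Power Users etc. would be listed too
    return Token(token.user, token.groups - powerful, token.groups & powerful,
                 {RESTRICTED, USERS, EVERYONE})

# Constructed ACLs shaped like the objects the post talks about.
PROFILE_DIR = [Ace(True, USER, FULL), Ace(True, SYSTEM, FULL),
               Ace(True, ADMINISTRATORS, FULL)]           # nothing for RESTRICTED
HKCU = PROFILE_DIR + [Ace(True, RESTRICTED, READ)]       # RESTRICTED may only read
ADMIN_ONLY = [Ace(True, SYSTEM, FULL), Ace(True, ADMINISTRATORS, FULL)]
DENY_ADMIN_WRITE = [Ace(False, ADMINISTRATORS, WRITE), Ace(True, EVERYONE, FULL),
                    Ace(True, RESTRICTED, FULL)]

def demo():
    admin = Token(USER, {USERS, EVERYONE, ADMINISTRATORS})
    sandboxed = protect_my_computer(admin)
    # The cacls fix from the comments: grant RESTRICTED full control on a folder.
    fixed_profile = PROFILE_DIR + [Ace(True, RESTRICTED, FULL)]
    return {
        "admin writes profile": access_check(admin, PROFILE_DIR, WRITE),
        "sandboxed reads profile": access_check(sandboxed, PROFILE_DIR, READ),
        "sandboxed reads HKCU": access_check(sandboxed, HKCU, READ),
        "sandboxed writes HKCU": access_check(sandboxed, HKCU, WRITE),
        "sandboxed reads admin-only": access_check(sandboxed, ADMIN_ONLY, READ),
        "deny-only still denies write": access_check(sandboxed, DENY_ADMIN_WRITE, WRITE),
        "deny-only allows read": access_check(sandboxed, DENY_ADMIN_WRITE, READ),
        "sandboxed reads profile after cacls": access_check(sandboxed, fixed_profile, READ),
    }
```

Calling demo() returns each check's outcome: the sandboxed token is refused the profile folder outright, gets read but not write on HKCU, no longer benefits from the Administrators allow ACE while a deny ACE for that group still bites, and regains the profile folder once RESTRICTED is granted there, as the cacls comment below describes.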

 

These are very powerful restrictions, particularly those around the registry and profile folders.  It’s probably a safe bet that most apps do not expect “access denied” errors when writing to HKCU or the user’s temp or MyDocs folders, and probably do not handle such errors gracefully.  When I tried to use Outlook Express with “protect my computer”, it failed to start up at all.  This isn’t entirely surprising – all its data is in the user’s profile folder hierarchy.

 

The only thing I ever really use with “protect my computer” is Internet Explorer when I want to really constrain a particular site and not allow it to write to my hard drive at all.  (Note that this is only an additional element of defense in depth, not an entire defense.)  IE works fairly well this way, but with some odd and annoying problems:

  • You can’t use SSL (https) at all.
  • If you right-click on a hyperlink and choose “Open in New Window”, nothing happens.
  • If you enter a URL in the address bar without “http://” in front of it (e.g., “www.msn.com”), you get an error message like “C:\Documents and Settings\aaronmar\Desktop is not accessible.  Access is denied.”, before IE goes ahead and loads the site anyway.
  • On XP SP2 and on Server 2003, toolbars do not appear where you configured them, if they appear at all.  E.g., PrivBar always needs to be re-enabled; “Links” appears (on my machine) in the upper left, to the left of the menu bar.  (This wasn’t a problem with XP SP1.)

 

That’s about all the “guidance” I’ve got as far as what to expect if you use the “protect my computer” option.  If anyone really cares, I could write a lot more about the geeky details around restricted tokens, deny-only SIDs, how access checks are performed against restricted tokens, which groups get marked deny-only with “protect my computer”, etc.  But maybe Larry Osterman will save me the trouble and follow up on some of his recent security posts (e.g., What is this thing called, SID?).

Comments (52)

  1. Ok, I’ll see if I can get some of them written for next week.

  2. Hi Aaron, I think you may be interested in this…

    I’ve written a sandboxing tool that, IMHO, manages to be at the same time powerful (certainly, much more configurable than Run As) and intuitive. I’ve called it I Am, it’s a non-interactive command-line application and it’s open source (MIT license). It’s pretty hard to use as it requires a fairly strong technical background, but it currently lacks any documentation (apart from an article about it – in Italian – I wrote for an e-zine). But you sound very informed on the topic and should be able to figure it out easily (try "iam -help").

    It also emulates the "Run As" sandbox as closely as possible (iam -wincompat) – but I haven’t tested either in a domain, so expect problems (bug reports are welcome! just google for my nickname to know my e-mail address) – the only relevant difference being the requirement of a group without members called "IAM", which the command uses in addition to the standard sandbox SID (S-1-5-12, "RESTRICTIONS"), because the latter can’t be specified in the ACL editor (a real pity, since, as you noted, the "Run As" sandbox has the effect of making the user profile directories inaccessible, and not being able to specify that group in ACLs makes this limitation unescapable).

    It lacks polish (for example, sandboxed programs inherit the TMP and TEMP variables, which will generally point to an unwritable directory, so you have to redirect them by yourself) and real-world testing, but it works great – from a purely technical standpoint, much better than "Run As" in fact. The only pity is it’s a bit too easy to forget running programs in a sandbox, but I’m looking into a suite of shell extensions for that.

    The URL is http://spacebunny.xepher.net/hack/iam/ and the filenames should be pretty intuitive. Let me know what you think about it, I value your opinion!

  3. David Candy says:

    cacls can give restricted full control over a file object.

    cacls apppath /e /g restricted:f

    processed dir: C:\Documents and Settings\David Candy\Desktop\AppPath

    And the GUI permissions now list restricted as full control (or read only or whatever you tell it to do).

    Remember to use quotes if anything contains a space.

  4. Sean McLeod says:

    Would be useful to have all attachments that are launched from email run using this "restricted token".

    Currently as of XP SP2 there is an IAttachmentExecute interface to be used by email programs etc. when they want to save and/or execute an attachment. IAttachmentExecute::Execute() may run a virus scan on the attachment before executing the attachment etc.

    If it also allowed you to execute the attachment using this "restricted token" then an email attachment virus would have a more difficult time since the registry would be read-only, large parts of the filesystem would be off-limits or read-only etc.

    Is there an easy way to set up a SID/ACL to prevent a process from getting any network access? Would help prevent certain viruses from spreading if you could easily add this restriction to untrusted code.

  5. Sean, yes, it would seem useful, but since a lot (most?) apps just completely break when run with the "protect my computer" option, it would probably be pretty much unusable. E.g., let’s say it’s a Word doc. First, Word wouldn’t be able to read a copy of the doc cached in your %Temp% folder, since it wouldn’t have access. Likewise, Word wouldn’t be able to save it (as-is or edited) to your "My Documents" folder. Word wouldn’t have access to your user-specific normal.dot or other config info stored in the file system in your profile. And on and on.

    AFAIK, there is no ACL that prevents an app from creating a TCP/IP network connection.

  6. BUT – that reminds me of something else I meant to mention. A "protect my computer" restricted token cannot authenticate on the network using your Windows identity. So while you can still connect to remote resources that allow anonymous connections, the restricted app cannot act "as you" on the network.

  7. Ayman AlRashed says:

    IMO, while an ambitious option, it’s still not usable in its current form due to app compat issues.

  8. Sean McLeod says:

    Network wise I was thinking more of worms that propagate by searching the network for vulnerable hosts and/or email themselves out. If you could limit the process to having no network access then the worm wouldn’t be able to propagate itself in this fashion.

    While XP SP2 has some network changes to limit the rate of outbound connections when it detects lots of incomplete network connections, it doesn’t completely prevent the propagation, rather just slows the rate.

    What sorts of apps/code did MS have in mind in terms of running under this restricted token?

    As mentioned, if there are too many compatibility issues then it won’t be able to be used for running ‘suspect’ code in such a way that it is not able to do any damage but at the same time is able to do enough to be useful, especially for non-dangerous code.

    The other option I thought of was to have suspect code/attachments run in a virtual machine session, e.g. using some lightweight flavour of VirtualPC. In this environment the app would get a snapshot of the current host environment and have read and write access to all the necessary files. But network access would be blocked so suspect code couldn’t read your data and forward it out via the network.

    Any writes in the this virtual environment would be visible to the app running in the VM but wouldn’t make it through to the host’s file system and would be discarded when the app exited.

    When the app exited the VM would also pop-up a report listing any portions of the registry and file system that were written to and any attempted network access as a way for users (although probably only for advanced users, there would also be heuristics used to determine a suggested pass/fail for regular users) to determine whether the screen saver attachment that some mate had sent is really just a regular screen saver or whether it’s really a virus/worm.

    The heavyweight implementation would be to use a full virtual machine in which to run the suspect code. A lighter-weight approach may be possible using some combination of a restricted token, a network filter to block network access and a file system filter driver interacting with the volume snapshot service to provide a temporary writable volume for the suspect code that then gets discarded when the process quits.

  9. Puri says:

    Hi,

    I couldn’t agree more about running with a Limited/Restricted user account. That’s how I always run at home. I don’t run a virus checker on my PC. But at work, I found that it doesn’t work. The problem is most corporate ITs run Symantec AntiVirus as part of login startup tasks. I think they have something in the domain startup script that checks whether antivirus dat files are up-to-date or not. It failed to run with a limited user account. So they forced me to add admin privileges to my login.

    But ur blogs are full of information. Good to hear from an MS guy.

    puri

  10. Dot Wind says:

    A very interesting series of postings over at Aaron Margosis’ WebLog showing the advantages of running as a limited user. An especially interesting entry is the "Protect my computer" option, and the privileges toolbar….

  11. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  12. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  13. Today I got a bug report that the app I’m working on doesn’t work with work when launched with Run As……

  14. James Gerber says:

    I tried this with IE and Firefox and neither launched at all (XP Home).

  15. James Gerber:  If IE didn’t launch, my guess is that you have an IE add-in installed that failed with the restricted token and caused the process to exit.  No idea about Firefox.

  16. Doug Woodall says:

    Sadly, I thought I would ask all my coworkers if they knew how to do this.

    Guess the outcome.

    I wish I wish I could educate with a lasting effect. It seems people just don’t care until they lose their identity or are scammed out of money. Then they come around. Too late.

    Great Post !

    Take care,

  17. Ajay says:

    Seems like the "Protect My Computer" option should be implemented as a virtual machine that isolates any changes the application makes and can discard them on exit. Microsoft already has the Virtual PC product/technology and the App Compatibility Toolkit so it might be able to integrate limited versions of these into Windows.  I got Virtual PC initially to test my software on a clean install of various Windows configurations and I also thought it would be good to try out other people’s software and keep it isolated from my "real" installation.

  18. Russell Tucker says:

    When the IE icon on my computer is right clicked, I do not see a “Run as” option at all. Is there some other way to get to this option?

    Thanks,

    Russ

    It’s not on the context menu if you click on the IE icon at the top of the Start menu, but it is if you right-click on an IE icon somewhere else, such as in the Quick Launch area, on the desktop, or in the All Programs part of the Start menu.

    HTH

    — Aaron

  19. Russell Tucker says:

    Thanks, Aaron. Found it!

    And thanks for pointing this out to us. Such is becoming more important each day.

    Regards,

    Russ Tucker

  20. Nash Sapardi says:

    Hi Aaron,

    Need to know how to restrict the user from using the system after 12:00 midnight? Or have the system force the user to log out after 12 midnight.

    Best regards/

  21. Fox Purtill says:

    Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the “Protect my computer and data…” etc. and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.

    At the moment, if I double-click any application, the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

    I can only guess, but my guess would be that some kind of registry modification was made that shouldn’t have been made — possibly by malware, possibly just by accident.  IIRC the Windows Setup disks will help you repair an existing Windows installation – you might try doing that.

    — Aaron

  22. Nick Heim says:

    Hi Aaron,
    is there a way to unset or set the option “Protect my computer …” programmatically in the linkfile?
    I would like to do this with an MSI custom action DLL I already use to set the option in a link, which lets it pop up the “Run as” dialog.
    Thanks a lot for the very good info on your blog.
    Regards, Nick

    Look for SDLF_RUNAS_USER on this page and this page.  Note that setting the flag will only cause the “Run As…” dialog to appear — it still requires user interaction to make the target program run restricted.

    HTH

    — Aaron

  23. john says:

    this guy sent software to my computer–and he got every name and dialogue from yahoo that i had used in months–how can i prevent this from happening again

  24. Dave says:

    You might want to look at http://windowzones.com, which is currently in beta.

    It allows you to lock applications down into a "safe zone" which is like a sandbox, but with much better app compat than restricted tokens (doesn’t have all of the problems noted for IE, for example).

  25. Paul Whitcomb says:

    In Windows 2000, I am attempting to disable the function performed by “protect my computer and data” in Windows XP. Is this possible?

    I don’t quite understand — are you trying to disable the UI (dialog) that exposes “protect my computer”?

    — Aaron

  26. Gretchen says:

    I am trying to run a program for my business and it won’t run.  When I right click on the icon, and go to the run as option, there is a check mark next to the box that says clicking the box might cause the program to not function.  I think this is the problem, but everytime I take the check off, it automatically re-checks it.  How do I keep it from running automatically?

    Gretchen – when you right-click and choose “Run As…”, the default selection is to run the program with the greatly reduced rights described in this post.  Most apps don’t work correctly with that setting.  If you just start the program normally, you shouldn’t see that dialog, and the program should run with the same privileges that all your other programs do.

    Has this program worked correctly in the past for you?

    Are you logged on as a member of the Administrators group, or as a regular User?

    — Aaron

  27. Tim Cooper says:

    I’m also getting this same problem on a user’s XP SP2 machine:

    Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the “Protect my computer and data…” etc. and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.

    At the moment, if I double-click any application, the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

  28. Katy says:

    30 March 2007

    I have a brand new Mac notebook.  What does msi

    mean?  Thank you!

    Katy:  It probably doesn’t mean the same thing on a Mac as it does on a Windows computer.  On Windows it is a Microsoft Windows Installer package.  No idea what it is on a Mac.

    — Aaron

  29. Very interesting insight of security topics on Windows operating system by Aaron Margosis.

  30. Peter says:

    So far, several people have asked how to turn off the restricted user option. So far there has been no answer to that question. People have replied to the posts but have not provided the answer. So, how do you turn off the option? Yes, I know it is more risky…yes, I know that it has been added by Microsoft to make my computing experience more pleasant. The thing is, I just want to be able to click on an icon and have the program run. Simple eh?

    So, how do you turn off the run restricted option?

    [Aaron Margosis] What you’re seeing is most likely due to corrupted registry settings.  It’s certainly not due to anything the Windows developers intentionally designed.  I don’t know which specific registry settings might be involved, so I don’t have an answer to the question.

  31. Ahitub says:

    HI KJK::Hyperion

    The link you have mentioned not work properly …whats the prob with …

    Thanks

    ________________

    Ahitub

    http://computersnext.com

  32. James says:

    So, how do you turn off the run restricted option?

  33. mani says:

    pls.. help me out…

    m also getting this same problem on a user’s XP SP2 machine

  34. Armando says:

    I am another simple user that wants to double click an icon and get the program to start. The only way I can do this is to "run as" and uncheck the protection.  Can this protection remain unchecked? This is a VERY uncomfortable situation.

  35. I think it’s MS trying to strong-arm individuals into purchasing VISTA. Ugh. It seems to be progressive. Phase one OS in, phase one out. How else will they continue their empire. Gone are the days you purchase it you own it. Security update!! Security updates!! Security updates MY ask me no questions….

  36. Adam Saunders says:

    Same problem here. I uncheck "protect my data from unauthorized program activity" the option, but when I close the dialog box and go back the option is rechecked. WTF?

  37. Louis says:

    I have the same problem, but my situation happened after the 2nd time I rebooted just after doing my last Microsoft update – I believe it was a security update.

  38. Ivan says:

    I’ve had the same problem for several months until I discovered today that I had ‘Mark Any Content Safer’ installed. It probably came with a video application.

    After complete removal I can again launch my apps without the ‘Run As’ dialog.

    [Aaron Margosis]  Very interesting.  What is “Mark Any Content Safer”?

  39. Matt Ledbetter says:

    If you are having the problem of everything running in restricted mode, it is most likely a registry issue.

    Download the registry fix here: http://www.geekstogo.com/forum/index.php?act=attach&type=post&id=5794

    Reboot in safe mode and run the downloaded program. Reboot and the problem should be solved. Only works with XP as far as I know.

    Not responsible for your computer bursting into flames.

    -Matt

    [Aaron Margosis]  That link downloads a zip file that contains a .reg file that appears to be mostly the XP default settings for HKCR\.exe and HKCR\exefile.  It does have one extraneous setting (adding a property sheet handler for “PEAnalyser”).  That would appear to be something added to the system by the person who exported this .reg file.

    Caveat:  this is based strictly on the observations I made, based on what was downloaded at the time that I clicked on the link.  I cannot provide any assurance that the hyperlink above will still point to the same zip file when you click on the link; nor can I provide any assurance that the zip file is not malformed in some way to exploit a vulnerability in various versions of unzipping programs.  (I extracted it using Explorer’s built-in capabilities.)  I also won’t make any assertions here about whether that extraneous “PEAnalyser” entry will or will not have any impact on any given system, nor whether restoring this set of defaults will be sufficient to fix the problems people have described above.

  40. Ivan says:

    This is a DRM application favored by Samsung. It quietly hijacked some entries in the registry, apparently those which are used when an application is launched. I could only partially remove this thing the first time around, so some entries were not cleared.

    Ivan

  41. curious joe says:

    hi there,

    i was wondering if it was better to run a suspicious (or in general) little app that only comes as a single .exe file with right-click and "run as…." than my own credentials but with this checkbox activated (protect my computer from malicious activity…)

    or if it would even be better to "run as…" and then using the guest user (i have guest user activated on windows xp sp3) for this task.

    can a malicious program mess my system when i run it as only in the guest credentials, or is the first option better with the checkbox?

    thanks for any hints.

    greets.

  42. colleen says:

    I also have the same problem: when I click on any icons on my desktop they will not run unless I do a run as or uncheck the protect my files.

    Is there any way to remove that check mark and have it stay off.

  43. Anthony Wieser says:

    Thanks for posting this.  Only noticed the checkbox 5 years later!

    Is there a well-known SID that this causes the software to run with?   Or must I check for this state with IsTokenRestricted to see if this has been checked when my program runs?

  44. ryan says:

    thanks the reg fix did the trick!

  45. Jean says:

    After running (successfully) McAfee’s Stinger, all my applications are configured with the ‘Protect my computer and data..’ option checked.  The only way to start an application is to do Run As… and uncheck that option.  If I try to open the app normally, I get the ‘Open With’ window, which works OK for a document, but not for an application. The worst is that the default mode for the app is staying with the option checked, so I have to do that every time.

    My question: is there a way set the default so that this option stays unchecked? either for each app individually, or, even better for all apps?

    Thanks for the help.

    [Aaron Margosis]  Wow.  Are you sure that McAfee did that?  As you can see from earlier comments, others have had that same symptom, but since I’ve never seen it on a system I had control over, I’ve never diagnosed it.  The root cause should be fairly easy to identify with Process Monitor.  In the meantime, if you’re sure McAfee caused it, contact them.

    Actually, if you want me to take a look (I’m curious again), run the following commands at a command prompt, and send the output to me via the email link on this page:

    REG QUERY HKCR\.exe /s

    REG QUERY HKCR\exefile /s

  46. Jean says:

    Actually, I am assuming McAfee did that, but it could be that the virus did it before getting cleaned up. (I used Stinger, sent by McAfee, to clean the XP Antivirus Pro trojan, which keeps popping up windows with scary warnings about virus infections)

    I will contact McAfee on this today.

    I am also going to run your commands.

    Thanks for looking at that.

  47. Jean says:

    Update: I realized on another XP machine that applications seem to be set up with the option "Protect my computer and data.." normally checked, and this doesn’t seem to prevent it from opening.

    Also, the McAfee technician on the chat line sent me to their paying Virus Removal Team!  I will wait to see if I can resolve this before I do that.  I already pay for their subscription!

  48. Shabu Thomas says:

    Hi

    I am also facing the following issue:

    +++++++++++++++++++

    ” all my applications are configured with the ‘Protect my computer and data..’ option checked.  The only way to start an application is to do Run As… and uncheck that option.  If I try to open normally the app, I find the ‘Open With’ window, which works OK for a document, but not for an application.”

    +++++++++++++++++++

    and I ran the query sent by Aaron with below results:

    ***********************************

    C:\>reg query HKCR\exefile /s

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\exefile
       <NO NAME>   REG_SZ  Application
       EditFlags   REG_BINARY      38070000
       TileInfo    REG_SZ  prop:FileDescription;Company;FileVersion
       InfoTip     REG_SZ  prop:FileDescription;Company;FileVersion;Create;Size

    HKEY_CLASSES_ROOT\exefile\DefaultIcon
       <NO NAME>   REG_SZ  %1

    HKEY_CLASSES_ROOT\exefile\shell

    HKEY_CLASSES_ROOT\exefile\shell\open
       EditFlags   REG_BINARY      00000000

    HKEY_CLASSES_ROOT\exefile\shell\open\command
       <NO NAME>   REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\runas

    HKEY_CLASSES_ROOT\exefile\shell\runas\command
       <NO NAME>   REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\exefile\shellex

    HKEY_CLASSES_ROOT\exefile\shellex\DropHandler
       <NO NAME>   REG_SZ  {86C86720-42A0-1069-A2E8-08002B30309D}

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps
       <NO NAME>   REG_SZ  {86F19A00-42A0-1069-A2E9-08002B30309D}

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page
       <NO NAME>   REG_SZ  {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}

    C:\>reg query HKCR\.exe /s

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\.exe
       <NO NAME>   REG_SZ  secfile
       Content Type        REG_SZ  application/x-msdownload

    HKEY_CLASSES_ROOT\.exe\DefaultIcon
       <NO NAME>   REG_SZ  %1

    HKEY_CLASSES_ROOT\.exe\PersistentHandler
       <NO NAME>   REG_SZ  {098f2470-bae0-11cd-b579-08002b30bfeb}

    HKEY_CLASSES_ROOT\.exe\shell

    HKEY_CLASSES_ROOT\.exe\shell\open

    HKEY_CLASSES_ROOT\.exe\shell\open\command
       <NO NAME>   REG_SZ  "C:\Documents and Settings\thomshab\Local Settings\Application Data\vma.exe" /START "%1" %*
       IsolatedCommand     REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\.exe\shell\runas

    HKEY_CLASSES_ROOT\.exe\shell\runas\command
       <NO NAME>   REG_SZ  "%1" %*
       IsolatedCommand     REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\.exe\shell\start

    HKEY_CLASSES_ROOT\.exe\shell\start\command
       <NO NAME>   REG_SZ  "%1" %*
       IsolatedCommand     REG_SZ  "%1" %*

    ***********************************

    Hope this helps…

    [Aaron Margosis]  Yes, there are settings in there that don’t belong and that look like they were put there with malicious intent.  Can you also post the results for “reg query hkcr\secfile /s”?

  49. Shabu Thomas says:

    forgot to mention that i started facing this issue after my laptop got infected with the Trojan.FakeAV virus. Though Symantec detected it on a manual scan and removed it, i started facing this issue. One of the entries in the registry points to the virus appln "vma.exe"

  50. Mr Man says:

    Can you use this "protected" mode to run IE8? I have Windows XP SP3 and when I try to do this, nothing happens…. ?

    [Aaron Margosis]  Yeah, for about the same reasons it doesn't work with IE7 I wouldn't expect it to work with newer versions.
