LUA Buglight


LUA Buglight 2.1 is here.  LUA Buglight identifies admin-permissions issues ("LUA bugs") in desktop applications.  I've made a lot of changes to LUA Buglight since the last "2.0 Preview" that I posted, so the version number has been bumped up:

  • Support for Windows 7, Vista and XP, and corresponding Servers (2008 R2, 2008, 2003)
  • Support for x64 (except on XP/2003)
  • Completely revamped Reporter -- streamlined and with more detailed results

Note:  The new Reporter has necessitated a new file format, so the new Buglight cannot read reports generated from older versions of Buglight.

One thing that is seriously missing is documentation -- I hope to have that posted here in some form soon.  The basics:

  • On XP/2003, you need to run it as a standard user, and you need the username/password for an administrative account; on Vista and higher, you need to run it non-elevated as a member of the Administrators group, with UAC and admin-approval mode enabled.
  • Tell it what program to run, then run it.  Whenever your app performs an action that fails unelevated, it will repeat the operation with admin rights before returning control back to the program.  If it fails without admin rights and succeeds with admin rights, details about that operation get logged.
  • Click the "Stop Logging" button to close the log file; by default this will also open the Reporter and show the results.
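
A read-only pre-flight check for the Vista-and-later requirements in the first bullet, as an added example (not part of LUA Buglight or the original post). The function name `Test-BuglightPrereqs` and its output property names are hypothetical; it also reports the installer-detection policy that comes up in the comments.

```powershell
# Added example: read-only pre-flight check for the Vista-and-later prerequisites.
# Test-BuglightPrereqs is a hypothetical name, not part of LUA Buglight.
function Test-BuglightPrereqs {
    # UAC policy values live under this key; absent values read back as $null.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity

    # True only when BUILTIN\Administrators is an enabled group, i.e. the
    # process holds the full (elevated) token.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, so the Administrators SID still
    # appears in a filtered token. /nh plus explicit headers, and matching on
    # the SID, keeps the parse independent of the Windows display language.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $adminSid = @($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }).Count -gt 0

    # RID 500 is the built-in Administrator, which is elevated all the time
    # unless Admin Approval Mode has been turned on for it.
    $builtIn = $identity.User.Value -match '^S-1-5-21-.+-500$'

    $result = New-Object PSObject -Property @{
        UacEnabled           = ($uac.EnableLUA -eq 1)
        MemberOfAdmins       = $adminSid
        Elevated             = $elevated
        BuiltInAdministrator = $builtIn
        BuiltInAdminFiltered = ($uac.FilterAdministratorToken -eq 1)
        InstallerDetection   = ($uac.EnableInstallerDetection -eq 1)
    }
    # Ready = UAC on, Administrators SID present, but only as deny-only.
    $ready = $result.UacEnabled -and $adminSid -and -not $elevated
    $result | Add-Member -MemberType NoteProperty -Name Ready -Value $ready -PassThru
}

Test-BuglightPrereqs | Format-List
```

Run it from the same non-elevated session you intend to start LUA Buglight from; a group-membership change only shows up in the token after logging off and on again.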

Another missing feature: while LUA Buglight does an excellent job of identifying operations that succeed only when a program is run as administrator, right now it doesn't provide the details needed to fix them if you can't modify the source code.  My plan is to turn that into a community effort by documenting the report's XML format and then providing some PowerShell scripts that process the results and point to app-compat shims, permissions changes, or other mitigations for the identified problems.

I wish I could work on LUA Buglight full time, but it's an unfunded, spare-time effort, outside of my day job.  I know that LUA Buglight would be a lot more useful with documentation, but it's more useful posted without documentation than it is not posted at all waiting for me to write up documentation.

More information will be posted to this blog. 

[Update 3/25/2011:  LUA Buglight 2.1.1 with support for Windows 7 SP1 and Server 2008 R2 SP1 is here.]

Comments (31)

  1. Kent says:

    LUA Buglight is a lot more useful than me, stumbling around in the dark by myself, trying to figure this all out by myself.

    I worship the keyboard your bleeding fingers pound on to produce LUA Buglight. Seriously, this is so so useful. I hope you can keep at it and thanks for all the work so far.

  2. AndresP says:

    Um.

    Running LUAB under W7-32 with RunAs as a different user (who is admin). After running the program and stopping the log I get error messages.

    “Could not load noise filter file c:\users\andres\AppData\Local\Temp\Noisefilter.xml The selected filter is not a LUA Buglight 2.0 or newer filter.” and next, after pressing OK > “ERROR. The selected report is not a LUA Buglight 2.0 or newer report.”

    I can avoid the first message if I turn off filter noise. But I still can't open the report. I can open the XML with other programs (Notepad, IE, etc.). Seems OK on first look.

    [Aaron Margosis]  It’s not intended to be used with RunAs.  Log on as a member of the Administrators group with UAC enabled and run LUA Buglight non-elevated.  It will prompt for elevation the first time you start a program.

  3. Vince says:

    I don’t see any way to actually download the program from here.

    [Aaron Margosis]  Right below the text of the post it says “Attachment(s)” followed by a link to LuaBuglight.zip.

  4. Stephane Harvey says:

    Hi,

    I’m trying to run the new release (2.1) on Windows Server 2008 Enterprise (Build 6002 : Service pack 2) and I receive two error messages.

    The first one indicates “Unable to start LUA Buglight kernel driver. (Might be a version issue.) Error = 2” and “C:\Users\has005\AppData\Local\Temp\2\LBLDriverX86.sys”

    I have looked in the folder and the file is present.

    The second one indicates “Unable to acquire a ‘this-user-as-admin’ token.  Cannot continue with the test.”.

    Can you assist me ?

    [Aaron Margosis]  Had you run an earlier release of LUA Buglight on this system?  If so, reboot to make sure that the previous driver is not loaded.

  5. Stephane Harvey says:

    Hi,

    Yes, I have run 2.0, and I have tried rebooting, but the same two error messages appear.

    Do you have any other tips for me?

    Regards,

    Stephane

    [Aaron Margosis]  Error #2 means “The system cannot find the file specified.”  The extra 2 in the temp path seems odd.  Is that the folder you see if you start a CMD prompt and run “echo %TEMP%”?

    Also, you’re not doing anything with RunAs or anything like that, right?  Logged on as a member of the Administrators group with UAC enabled?

    Actually, never mind that thing about 2 — I just tested on a Server 2008 (x64) system and saw the same thing there — it looks like it appends the terminal services session ID to the path so that the same user can be logged on multiple times.  But on my system LUA Buglight worked correctly. 🙂

  6. Stephane Harvey says:

    Hi,

    Yes, I have used “NET HELPMSG #” to know the signification.  This is why I have looked in the “C:\Users\has005\AppData\Local\Temp\2” folder to look if the file is here.

    The “echo %TEMP%” result is “C:\Users\has005\AppData\Local\Temp\2”.

    I use “has005” as a member of “Administrators” and UAC is enabled.

    I have tried RunAs earlier to perform some test but not now.

    Do you have any other tips?

    Regards

    Stephane

    [Aaron Margosis]  After a reboot, is there a registry key called HKLM\System\CurrentControlSet\Services\BuglightDriver ?  If so, delete it.  (Might be lingering stuff from an earlier driver that didn’t clean up correctly.)

    Do you have any additional security restrictions on the system?  E.g., the elevated admin has the Load Drivers privilege?  Does it work on any other systems?

    What is the date on that driver file?  If you look at its Properties in Explorer, does it show as signed on October 15 2009?

  7. Stephane Harvey says:

    Hi,

    Great.

    I have deleted the registry key and rebooted my server and it works better but not perfectly.

    When I click “Stop logging”, I receive the following error message : “Could not load noise filter file C:\Users\has005\AppData\Local\Temp\2\NoiseFilter.xml: The selected filter is not a LUA Buglight 2.0 or newer filter.”

    Does another registry key need to be deleted?

    Regards,

    Stephane

    [Aaron Margosis]  Ah, good — need to add that to the FAQ.  As to the noise filter, try this:  close the Reporter and the main LUA Buglight app.  Go into that temp folder and make sure that any NoiseFilter.xml is deleted.  Try again.  (It might be a noise filter from a previous version.)

  8. Stephane Harvey says:

    Hi,

    Good morning !

    I have opened the temp folder “C:\Users\has005\AppData\Local\Temp\2” and no other “NoiseFilter.xml” is present.

    Also, when I call LUA Buglight, I can see that the file “NoiseFilter.xml” is generated and deleted when I close LUA Buglight too.

    The error message appears immediately when I click on “Tools”, “Run LUA Buglight Reporter”.

    I receive the following error message : “Could not load noise filter file C:\Users\has005\AppData\Local\Temp\2\NoiseFilter.xml: The selected filter is not a LUA Buglight 2.0 or newer filter.”

    When LUA Buglight Reporter is started, if I try to open the log file generated by LUA Buglight 2.1, I receive the following error message : “ERROR: The selected report is not a LUA Buglight 2.0 or newer report.”.

    Another clue ?

    Regards,

    Stephane

    [Aaron Margosis]  If you just double-click on the report file in Explorer (in the LuaBugLogs folder in your Documents folder), does it start with

    <?xml version="1.0" encoding="windows-1252" ?>
    <LuaBuglight version="2.0">

  9. Stephane Harvey says:

    Hi,

    Yes.

    Regards,

    Stephane

    [Aaron Margosis]  What language version of Windows are you running?  (I ran into a localization problem with the first version of LUA Buglight, and I thought I’d solved that.)

    See whether this helps: Start LUA Buglight, go into the %TEMP% folder, open NoiseFilter.xml with Notepad, and add this line at the beginning of the file:

    <?xml version="1.0" encoding="windows-1252" ?>

  10. Stephane Harvey says:

    Hi,

    I’m running Windows Server 2008 Enterprise SP2 English.

    The line is not present in the NoiseFilter.xml file generated, but adding this line at the beginning of the file doesn’t fix the problem.

    Regards,

    Stephane

    [Aaron Margosis]  Hmm.  What happens if you run LuaBuglight.exe and before starting the Reporter, go into the %TEMP% folder and delete NoiseFilter.xml?

  11. Stephane Harvey says:

    Hi,

    I don’t receive the first error message : “Could not load noise filter file C:\Users\has005\AppData\Local\Temp\2\NoiseFilter.xml: The selected filter is not a LUA Buglight 2.0 or newer filter.” but when I try to open the log file generated by LUA Buglight 2.1, I always receive the following error message : “ERROR: The selected report is not a LUA Buglight 2.0 or newer report.”.

    Regards,

    Stephane

    [Aaron Margosis]  Does it work correctly on any other machines you have?

    BTW, follow up by contacting me directly through the Email link and I’ll post an update here if/when we resolve this.

  12. Shen says:

    Hi,

    I run the latest 2.1 version on Win7(Version 6.1.7600), but get the following error message:

    —————————

    LBLTokenHelper-Vista

    —————————

    Unable to start LUA Buglight kernel driver.  (Might be a version issue.)  Error = 50

    Driver path = C:\Users\shursh\AppData\Local\Temp\LBLDriverX86.sys

    —————————

    OK  

    —————————

    [Aaron Margosis]  Try rebooting — you may have an older version of the driver stuck in memory.

  13. Karthik says:

    Hi Aaron,

    I am getting an error message while running this application in both “Administrator” and “Standard User” mode.

    Is this application compatible with Windows 2008 server?

    If so, what does this error message mean: “LUA Buglight must be run unelevated by a member of the Administrators group in admin-approval mode.”

    Thanks for your help.

    Regards, Karthik

    [Aaron Margosis]  To do its work, LUA Buglight uses a user context that represents one user as both a regular user and as an administrator — which is what UAC gives you for members of the Administrators group.  In this case, you need to use another account that is a member of the Administrators group.  The standard user account can’t be used because it can’t be elevated.  The default Administrator account can’t be used because it runs everything elevated all the time — “Admin Approval Mode” is disabled by default for the built-in Administrator account.

  14. Drewfus says:

    It’s a great program.

    The only improvement i can think of would be to include Permissions details in the report, perhaps in SDDL format or Subinacl friendly format.

    Ex:

    [Registry]

    HKLM\System\CurrentControlSet\Services\WinSock2\Parameters=F

    [Files]

    C:Program FilesIBMLotusSymphonyframeworkrcpeclipseconfigurationwrittableArea49673.dll=CDP

    Then i can start scripting fixes using tools like iniman (W2K3 RK).

  15. christopher says:

    just wanted to say that this is fantastic!

    i have been spending days looking at permissions issues until i finally stumbled upon this.

    why in the world is microsoft NOT paying for this?  i realize vista has been out for some time, but a lot of developers (myself included) have not made the switch from xp till now with the promise of win7.  an included tool like this in the visual studio tools would be invaluable to helping win developers make the transition to the uac security model.

    thanks so much for all your effort and time on this, many many kudos!

  16. Chris says:

    Aaron,

    I’ve got the same problem as Stephane : "Could not load noise filter file C:\Users\has005\AppData\Local\Temp\2\NoiseFilter.xml: The selected filter is not a LUA Buglight 2.0 or newer filter."

    I tried the solution you suggested regarding the xml encoding to no avail.

    I use an XP French edition

    Thanks for your help

    Chris

  17. Chris says:

    Aaron,

    I changed the "regional settings" from French to English US and it’s working, so the localization problem is still here.

    Chris

  18. Darrin Babin says:

    Just wanted to say thanks for your efforts. This is an excellent tool. It has helped with dealing with applications that don’t play well with FDCC requirements.

  19. Sebastien Malouin says:

    Nice one !!! This little tool is excellent ! Thank you for your hard work !

  20. Richard says:

    "I wish I could work on LUA Buglight full time, but it's an unfunded, spare-time effort, outside of my day job.  I know that LUA Buglight would be a lot more useful with documentation, but it's more useful posted without documentation than it is not posted at all waiting for me to write up documentation."

    So make it open source, easy answer.

  21. Harald Schurack says:

    Hello,

    thanks for the program. I hope it will help a lot in solving migration issues with my old software.

    My plan is to test my applications in a VMware installation of Windows 7 but LUA Buglight does not start any application. I do get an error window "Timed out waiting for LBL TokenHelper-Vista.exe process to complete"

    Any idea what causes that problem? Does LUA Buglight run in a VM?

    Kind regards

    Harald

  22. Sharapov says:

    I wanted to test an application using LUA Buglight running on Windows 7 x64.  Application runs fine using local Administrator's account, but doesn't run at all using regular user account. When running LUA Buglight I get an error: "Target process requires elevation. LUA Buglight cannot profile this app." What does this mean and what do I need to do to proceed? I'm running LUA Buglight under account that is member of local Administrators group and it runs in Admin Approval Mode.

    [Aaron Margosis]  That means that Windows always insists on running the process with elevated privileges.  LUA Buglight needs to start the process un-elevated in order to test it.  There are a handful of typical causes.  One is that the app has an embedded manifest that marks it as requireAdministrator or highestAvailable.  Another is that Windows heuristically determines that the application is a legacy installer, and proactively "helps" you by prompting for elevation, since most installers require admin rights.  You can turn off this installer detection heuristic in Local Security Policy | Security Settings | Local Policies | Security Options | "User Account Control: Detect application installations and prompt for elevation" – set to Disable.  (This should actually be the preferred configuration in a managed environment.)

  23. Jeff says:

    This would seem to be an invaluable tool – I'm trying it out now. I agree that MS should find some way to fund this (and off-shoots of this) much like they did with Russinovich. Such a gesture would cause Microsoft to be taken more seriously in the realm of security.

    One note: Many of us have 'no way' to get at source code – and what I mean is that, for my purposes, I am trying to delve into LUA for Terminal Servers, where numerous users run various apps – and those apps are 99.99% third-party – for example: Oracle 10g client, Oracle SQL*Plus, Business Objects Data Integrator (Data Services connector to Oracle back-end DBs), and other such tools. Currently, I am using ProcMon to find some issues, and am in process of trying BugLight, to see if I can uncover more. The bottom line on this is that the issues are not of the type where we can say "Developers must fix the issue," unless maybe we go to Oracle and say "fix this so that it does not need to run with admin privs." And, it does appear that these various apps are attempting to make changes to HKLM and so forth; and, I agree with you that there is NO EXCUSE for Oracle's laziness in designing their apps! It SHOULD be FIXED – period.  What is the latest? 11i? And Oracle is STILL writing code that requires a basic user to be an 'admin' in order to simply run their client read-only software! Ridiculous! The client is simply making a connection to the back-end database – that's all – it should not need any admin writing to HKLM or other areas outside the "basic user realm."

  24. Elecktrus says:

    Hi, the program doesn't work in Windows 7 with SP 1 (x86)

    I try it and get Error=50, a problem with LBLDriverX86.sys

  25. Mike Diack says:

    Let me second Elecktrus's comments. Lua Buglight 2.1 works with Win 7 RTM, but not Win 7 SP1.

    There is an issue with the driver version. Aaron is aware – unsure when he'll fix it.

    [Aaron Margosis]  That's true — the driver component specifically checks for known OS/SP versions, so it needs to be updated.  I am working on an update now.

  26. NicoletaZ says:

    I have issues running the tool. The OS is Windows Server 2008 R2 Enterprise 64-bit and I need to run a 32-bit application.

    The error – "Unable to start LUA Buglight kernel driver. (Might be a version issue.) Error = 2 Driver Path = C:\Users\MyUser\AppData\Local\Temp\1\LBLDriverX64.sys"

    Also there is a second error "Unable to acquire a "This-user-as-admin" token".

    Any idea why this is happening?

    [Aaron Margosis]  Error 2 is "The system cannot find the file specified."  If you look in that folder, is the file there?  LUA Buglight works like the Sysinternals utilities — it has the additional files it needs embedded within it, and extracts them out to the %TEMP% folder.  You should see that and other extra files such as LuaDetoursShim.dll in the same location.

  27. NicoletaZ says:

    Hi Aaron,

    The files are there. I checked also everything that you mentioned in a previous conversation with Stephane who ran into similar issues. It's still not working.

    I don't know if it makes a difference but the machine is a VM.

    Thanks!

    [Aaron Margosis]  Do you have Service Pack 1 installed?  I need to post an update to LUA Buglight for it to work with Service Pack 1.

  28. NicoletaZ says:

    Hi Aaron,

    The machine has Service Pack 1 installed so I will need the update.

    In the meantime I tested the application on Win2K3 and got the report.

    Thanks!

  29. Craig says:

    Hi, I've downloaded LUA Buglight and I can't run it; when I try I get the error

    ' ERROR: LUA Buglight must be run unelevated by a member of the administrators group in admin-approval mode'

    I have tried running as a restricted user, a network admin user and a local admin user. I even added my network admin user as a local admin and still had the same error.

    Any ideas?

    [Aaron Margosis]  On Vista/Win7 or corresponding servers – make sure UAC is not disabled; log on as a member of the Administrators group but do not run LUA Buglight with admin rights.

  30. Craig says:

    Thanks for the reply. I had already done that: I had put myself in the local admin group, modified the local policy so UAC is enabled (tried disabled as well), then changed the permissions on the file, and it still doesn't run.

    It doesn't even get to a splash screen.

    [Aaron Margosis]  Make sure to reboot after making any changes to UAC settings, and log off after making any group membership changes.

    Are you still getting any error messages, or does it just not run at all?  (There isn't a "splash screen".)  If you're still getting the same error message, open a Command Prompt and run the following command line:

    whoami /all /fo list | clip

    Then paste the clipboard content into an email to me using the Email Blog Author link on this page.

  31. Joshua Barnette says:

    Fabulous!
