Volume 7, Number 2

**********************************************************
THE SYSINTERNALS NEWSLETTER
https://www.sysinternals.com
Copyright (C) 2005 Mark Russinovich
**********************************************************

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
August 24, 2005 - In this issue:

1. INTRODUCTION
2. GUEST EDITORIAL
3. WHAT'S NEW AT SYSINTERNALS
4. SYSINTERNALS FORUM
5. MARK'S BLOG
6. MARK'S ARTICLES
7. MARK'S SPEAKING SCHEDULE
8. UPCOMING SYSINTERNALS/WINDOWS OS INTERNALS TRAINING

Winternals Software is the leading developer and provider of advanced systems
tools for Windows.

Winternals is pleased to announce the release of two new products.
Administrator's Pak 5.0 makes it easier than ever to repair an unstable,
unbootable, or locked-out system with new tools such as the automatic crash
analyzer, AD explorer, and Inside for AD,providing real time monitoring of AD
transactions. Also new is Recovery Manager 2.0, providing customizable,
powerful, ultra-rapid rollback for mission-critical servers, desktops, and
notebooks to remotely restore a single system or thousands of systems
simultaneously throughout the enterprise.

For full product details, multimedia demos, webinars, or to request a trial CD
of either product, please visit
https://www.winternals.com
~~~~~~~~~~~~~~~~~~~~~~~~~

1. INTRODUCTION

Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has 55,000
subscribers.

Visits to the Sysinternals web site continues to climb! In July, we had over
900,000 unique visitors. The most frequently accessed tool for the month was
Process Explorer with 275,000 downloads! Since I update the tools frequently,
make sure you're using the latest version. The best way to keep up with changes
is to subscribe to my RSS feed at https://www.sysinternals.com/sysinternals.xml
(and if you're not yet using RSS to keep up with web sites, you need to start!).

In this issue, Wes Miller, Product Manager at Winternals Software, shares his
experience in running as a non-admin. We all say we should do it, but few
computer professionals actually practice what they preach (myself included).
Maybe I'll start soon...

--Mark Russinovich

2. GUEST EDITORIAL

Life as a non-administrator by Wes Miller

Odds are, on the computer you are reading this on, you are a local
administrator. And sadly, the majority of users running Windows
XP (NT and 2000 as well) run as local administrators because it takes
significant work to ensure all applications and scenarios in an enterprise work
without users being admins - so... we take the easy way out and make the world
administrators.
This is not good.

So, I decided recently to run as a normal user (Power User, as many know, is not
a safe account to use as it has privileges that can permit an escalation of
privilege attack and become a member of the Administrators group).

My first thought was to use the wonderful Windows XP Fast User Switching
functionality; I could log into my non-admin and admin account and just switch
back and forth between sessions. But unfortunately that that feature is not
available when you join a domain (too bad for business users).

My second thought was to use RunAs, but it (or a shortcut defined to use
alternate credentials) always prompts for a username and password. That also was
not acceptable, as I didn't want to manually enter my administrative credentials
each time I ran an app that needed admin rights.

So, since I've used the Sysinternals tools for years, I asked Mark Russinovich
to make PsExec work if I'm not an admin. The reason
PsExec did not work out of the box is that it installs a small service which
then does the work; installing the service requires admin credentials, which of
course wouldn't work from my non-admin account.

Mark graciously enhanced PsExec so that now if you specify alternate credentials
AND are running a process on the local system,
PsExec creates the process as a child process with the alternate credentials
(and no longer creates the service to create the child process).

This allowed me to set up shortcuts to run my favorite admin apps using PsExec
to launch the process.

Ah, but PsExec (and RunAs) can't run *.cpl and *.msc files - at least not
directly from the command-line. Perhaps out of laziness, perhaps because I
wanted something seamless - I created a small WSH script that takes any exe,
specific file to open, and any parameters, and named it run.vbs. Now I just run
run.vbs with whatever I want to open (even MMC consoles or control panel
applets) and it's pretty much seamless. Here is the command-line I run in the
WSH script:

psexec.exe -d -i -e -u Administrator -p password cmd /c start
executable | file | parameters

One of the most significant catch-22's that I have not been able to overcome is
installing software that must be installed as a specific user. The best (worst?)
example of this I've seen is the freshly introduced Google Desktop. You have to
be an administrator to install (of course), and it actually has logic in it to
block installation if you try to use RunAs or PsExec - returning the message,
"Installing Google Desktop under different credentials than the active user is
currently not supported." I don't quite get why, aside from the fact that it
helps reduce their test matrix. To get around it without logging off, I launched
a command prompt as Administrator, added myself to the Administrators group,
used PsExec to run a command prompt as myself, (since Explorer was confused
about my group membership), and ran it again. Worked fine. When it was done, I
dropped myself back out again.

No, not dead easy, but it meant my account was only a member of the
Administrators group for a minimal amount of time - and I never had to log off.

Note that I have not linked to or mentioned DropMyRights as a technique to
secure a system - I don't believe it is. Running as non-admin secures your
system. Selectively running dangerous apps as non-admin does not - it may reduce
risk somewhat - but I don't believe it is a practice that should be encouraged.

To sum it all up, switching from an administrator account to a user account for
your daily use is one thing you can do to reduce the attack surface that your
use of your Windows system exposes. I encourage you to give it a try and record
your experiences.

3. WHAT'S NEW AT SYSINTERNALS

Lots of tools were updated since the last newsletter in April. The two with the
biggest enhancements were Process Explorer and
Autoruns. Here is a detailed list of changes by tool:

Process Explorer V9.25
- unified 32-bit and 64-bit (x64) binary
- supports Windows Vista
- now displays 64-bit user and kernel-mode stack information
- lists 32-bit loaded DLLs for 32-bit (Wow64) processes on 64-bit systems
- in-memory image string scanning and packed image highlighting
- process window manipulation (minimize, maximize, etc)
- new column option for information on signed images
- option to display a real-time CPU graph in tray icon
- CPU graph and I/O delta columns to the process view
- view and edit process security descriptors (see Security tab of process
properties)

PsTools v2.2
- PsShutdown includes a -v switch for specifying the duration the notification
dialog displays or omitting the dialog altogether
- PsLoglist has a time formatting fix for its csv output
- PsInfo now shows full hotfix information, including IE hotfixes
- PsExec now works like Runas when you run commands on the local system,
allowing you to run it from a non-administrator account and script the password
entry

Filemon v7.01
- clearer error messages for when an account does not have privileges required
to run Filemon or Filemon is already running
- consolidates the 32-bit and 64-bit (x64) versions into a single binary

Autoruns v8.13
- different autostart types now separated onto different tabs of the main window
- new "Everything" view that gives you a quick view at all configured autostarts
- new autostart locations including KnownDLLs, image file hijacks, boot execute
images, and more Explorer and Internet Explorer add-on locations
- shows more information about images
- supports 64-bit Windows XP and 64-bit Windows Server 2003
- integrates with Process Explorer to show details of running autostart
processes

DebugView v4.41
- now captures kernel-mode debug output on x64 versions of 64-bit Windows and
supports toggling between clock time and elapsed time modes

Handle v3.1
- single executable supports both 32-bit Windows and x64 Windows XP and Windows
Server 2003

RootkitRevealer v1.55
- more sophisticated rootkit detection mechanisms, setting the stage for the
next round of escalation by the rootkit community

Ctrl2cap 64-bit Update
- Ctrl2cap now works on 64-bit Windows XP and Windows Server 2003

TCPView v2.4
- the domain-name lookup functionality of the Sysinternals Whois utility is now
available in TCPView

3. SYSINTERNALS FORUM

Come visit one of the 14 interactive Sysinternals forums
(https://www.sysinternals.com/Forum). With over 1500 members, there have been
2574 posts to date in 945 different topics.

4. MARK'S BLOG

My blog started since the last newsletter - here are the posts since the last
newsletter:
Unkillable Processes
Running Windows with No Services
The Case of the Periodic System Hangs
Popup Blocker? What Popup Blocker?
An Explosion of Audit Records
Buffer Overflows in Regmon Traces
Buffer Overflows
Running Everyday on 64-bit Windows
Circumventing Group Policy Settings
The Case of the Mysterious Locked File
.NET World Follow Up
The Coming .NET World - I'm scared

To read the articles, visit https://www.sysinternals.com/blog

5. MARK'S ARTICLES

Mark's two most recent articles in Windows and IT Pro Magazine were:
- "Unearthing Rootkits" (June 2005)
- Power Tools column: getting the most out of Bginfo

These are available online to subscribers at https://www.windowsitpro.com/

6. MARK'S SPEAKING SCHEDULE

After highly rated talks at Microsoft TechEd in Orlando and Amsterdam, I'm
enjoying a quieter summer. My TechEd Orlando breakout session, "Understanding
and Fighting Malware: Viruses, Spyware and Rootkits", was one of the top
10-rated sessions at TechEd, viewed live by over 1000 TechEd attendees and
webcast live to over 300 web viewers. You can watch the webcast on demand at
https://msevents.microsoft.com/cui/eventdetailaspx?eventID=1032274949&Culture=en-
US

Events I'll be speaking at in the upcoming months include:
- Windows Connections (November 2, 2005, San Francisco, CA) -
https://www.devconnections.com/shows/winfall2005/default.asp?s=61
- Microsoft 2005 Professional Developers Conference (preconference tutorial
September 11, 2005, Los Angeles) -
https://commnet.microsoftpdc.com/content/precons.aspx#PRE07
- Microsoft IT Forum (November 14-18, 2005, Barcelona, Spain) -
https://www.mseventseurope.com/msitforum/05/Pre/Content/PreWindows.aspx

For the latest updates, see
https://www.sysinternals.com/Information/SpeakingSchedule.html

7. LAST PUBLIC INTERNALS/TROUBLESHOOTING CLASS FOR 2005: SAN FRANCISCO SEPTEMBER
19-23

If you're an IT professional deploying and supporting Windows servers and
workstations, you need to be able to dig beneath the surface when things go
wrong. Having understanding of the internals of the Windows operating system and
knowing how to use advanced troubleshooting tools will help you deal with such
problems and understand system performance issues more effectively.
Understanding the internals can help programmers to better take advantage of the
Windows platform, as well as provide advanced debugging techniques.

In this class, you'll gain an in-depth understanding of the kernel architecture
of Windows NT/2000/XP/2003, including the internals of processes, thread
scheduling, memory management, I/O, services, security, the registry, and the
boot process. Also covered are advanced troubleshooting techniques such as
malware disinfection, crash dump (blue screen) analysis, and getting past boot
problems.
You'll also learn advanced tips on using the key tools from www.sysinternals.com
(such as Filemon, Regmon, & Process Explorer) to troubleshoot a range of system
and application issues, such as slow computers, virus detection, DLL conflicts,
permission problems, and registry issues. These tools are used on a daily basis
by Microsoft Product Support and have been used effectively to solve a wide
variety of desktop and server issues, so being familiar with their operation and
application will assist you in dealing with different problems on Windows. Real
world examples will be given that show successful application of these tools to
solve real problems. And because the course was developed with full access to
the Windows kernel source code AND developers, you know you're getting the real
story.

If this sounds intriguing then come to our last public hands-on (bring your own
laptop) Windows internals & advanced troubleshooting class in San Francisco,
September 19-23 (our 2006 schedule is not yet finalized, but will likely include
Austin in the spring, London in June, and San Francisco again in September
2006). And if you have 20 or more people, you may find it more attractive to run
a private on-site class at your location (email seminars@... for
details).

For more details and to register, visit
https://www.sysinternals.com/Troubleshooting.html

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Thank you for reading the Sysinternals Newsletter.