#1
Disable LUA ????
Hi All,

Windows 7 Pro, SP1, x64, fully updated.

On one machine, I can not run the following command (access denied), except when the CMD window is elevated to Administrator.

    MountVol.exe %Drive%\ %UUID%

Now what is annoying is that this machine is the only one with the issue. And worse yet, I am the ONLY person that has ever touched it. It is a fresh install. On other almost identical machines, I do not have this issue.

As a workaround, I disabled LUA:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000

This is M$'s write-up on it: https://msdn.microsoft.com/en-us/library/cc232765.aspx

    0x00000000  Disabling this policy disables the "administrator in Admin Approval Mode" user type.
    0x00000001  This policy enables the "administrator in Admin Approval Mode" user type while also enabling all other User Account Control (UAC) policies.

Which means nothing to me. What the #&$@ is LUA? And, what have I done?

Many thanks,
-T
#2
T on 2016/12/09 wrote:

> On one machine, I can not run the following command (access denied), except when the CMD window is elevated to Administrator.
>
>     MountVol.exe %Drive%\ %UUID%
>
> [...]
> As a workaround, I disabled LUA.
> [...]
> Which means nothing to me. What the #&$@ is LUA? And, what have I done?

LUA = Limited User Account.

A security token is assigned to a process based on the privileges for the Windows account. Tokens can be changed. For example, you can use SysInternals' psexec to change the security token on a process (run "psexec /?" and look at the -l argument). There are other similar utilities, like DropMyRights. Another example is RunAs with the /trustlevel argument in Windows.

Once the process has been loaded with a LUA token, any child processes it starts will also get the LUA token. Using these tools won't help to restrict privileges on a process that is started as a child. You have to use the tool to assign the LUA token. So clicking on a hyperlink in an e-mail (where that client has full admin privs) results in loading a web browser (also with full admin privs). You have to assign the LUA token to a process so then any children it loads are also limited. One use is to let you always login under an admin Windows account but run a process under a LUA token.

For example, you might always want to login under an admin-level account but, by default, load a web browser under a LUA token. The web browser would get the limited privileges of a limited (normal) account, hence mitigating some of the vectors through that process that might be used by malware or a malicious site. To do this requires you always use a shortcut that uses psexec -l, DropMyRights, or another tool to assign a LUA token to the process that the tool is told to load. I believe there is a way to edit the registry so the handler for an object would specify to use the tool with the actual handler specified as the argument, but I've not tried this; however, that would ensure that a child process for that program got loaded with a LUA token regardless of the privs for the parent program that called that child.

Microsoft came out with UAC to provide a similar feature where a process got loaded under a LUA token if it were trying to perform some system-level function(s). Is UAC configured the same on all your hosts? Since you never mention getting a UAC prompt, either the program you are loading doesn't need system-level functions (e.g., regedit.exe) or you have disabled UAC. It can be configured to elevate privileges when YOU run a program but block with a prompt when something else tries the same thing. UAC has multiple settings.

Since your command example uses replaceable parameters from the shell, are you trying to run this command inside a batch file? Did you use the pre- and post-commands in the backup program to run that command? Well, the caller (parent) must have admin privileges to run mountvol.exe. If not, and because those are child processes, you might not see a UAC prompt. A backup program's frontend might not be running with admin privs but its backup job might. For example, many backup programs create an XML or some definition file that is read by the program that actually performs the backup job.

However, the pre- and post-commands might be executed by the frontend process which does not have admin privs. I ran into that where the backup program created events in Task Scheduler. I changed the option to run with highest privileges for the scheduled task but my commands in a .bat file were not run at elevated privs. So the pre- and post-commands would fail because the batch file ran programs that demanded admin privs (and I wouldn't get a UAC prompt for them although I have UAC enabled).

For the backup program, ask its developer how you can run the pre- and post-commands under admin privileges regardless of under which priv set they load their backup program (the one that does the actual backup, not their frontend GUI). I thought I'd get tricky by editing the scheduled task they added to Task Scheduler by enabling the "run with highest privileges" option but it didn't work for me.
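The check a practitioner would run before touching EnableLUA, as an added example that is not part of the thread: it reads the UAC policy values that decide whether an administrator logs on with a filtered (LUA) token, then reports what token the current console actually holds, using whoami's view of the token (which still lists groups UAC has marked "used for deny only"). Run it unelevated on the machine that denies mountvol and on one that allows it, and diff the two reports. Assumes PowerShell 3 or later and whoami.exe (present from Vista on); the interpretation strings at the end are the editor's, not the poster's.

```powershell
# Added example (not from the thread): what differs between the machine that denies
# mountvol to an unelevated admin and the ones that allow it?
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # The policy values that decide whether an administrator logs on with a filtered ("LUA") token.
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = Admin Approval Mode; 0 = no filtering (change needs a reboot)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate silently, 2 = always prompt, 5 = prompt for non-Windows binaries
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        FilterAdministratorToken   = $p.FilterAdministratorToken   # absent/0 = the built-in Administrator (RID 500) is NOT filtered
    }
}

function Get-CurrentTokenState {
    # whoami reports the token as the kernel sees it, including a deny-only Administrators
    # membership, which is exactly what a UAC-filtered admin token looks like.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }    # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }      # mandatory integrity label
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    [pscustomobject]@{
        User           = (whoami)
        UserSid        = (whoami /user /fo csv | ConvertFrom-Csv).SID
        AdminsGroup    = if ($admins) { $admins.Attributes } else { 'not a member' }
        IntegrityLevel = $label.'Group Name'   # Medium = filtered/normal user, High = elevated, System = service
        IsElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Show-TokenState {
    $policy = Get-UacPolicy
    $token  = Get-CurrentTokenState
    $policy | Format-List | Out-Host
    $token  | Format-List | Out-Host
    if ($token.AdminsGroup -match 'deny only') {
        'Filtered admin token: mountvol and other admin-only tools fail with Access Denied until this console is elevated.'
    } elseif ($token.IsElevated) {
        'Full admin token: admin-only tools work here without any prompt.'
    } else {
        'This account is not an administrator on this machine.'
    }
    if ($policy.EnableLUA -eq 0) {
        'EnableLUA=0: every administrator gets a full token at logon; UAC filters nothing.'
    }
    if ($token.UserSid -match '-500$' -and -not $policy.FilterAdministratorToken) {
        'Built-in Administrator with FilterAdministratorToken unset: this account is never filtered, which by itself explains a difference between machines.'
    }
}

Show-TokenState
```

A filtered token shows BUILTIN\Administrators with "Group used for deny only" and a Medium integrity label; an elevated console shows the group enabled and a High label. If the "good" machines report EnableLUA=0 or a RID-500 logon and the "bad" one reports a deny-only Administrators group, the bad machine is the one behaving as Windows 7 is designed to.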
#3
On 12/09/2016 12:41 PM, VanguardLH wrote:
> T on 2016/12/09 wrote:

Hi Vanguard,

I wrote your answer down in my keepers. Wow. You are good at this stuff! It is humbling.

The user has admin rights.

> Since your command example uses replaceable parameters from the shell, are you trying to run this command inside a batch file?

Yes.

> Did you use the pre- and post-commands in the backup program to run that command?

Yes.

> Well, the caller (parent) must have admin privileges to run mountvol.exe.

It does. That is what is annoying. Cobian is running as a system daemon. And has no problems with other commands. Cobian even has the ability to run as another user. I have had to use this to back up to network drives that don't like the user name to be "SYSTEM". I tried running as Administrator. That did not work either.

> For the backup program, ask its developer

Cobian Backup is between developers. :'(

-T
#4
T on 2016/12/09 wrote:

> The user has admin rights.
> [...]
> It does. That is what is annoying. Cobian is running as a system daemon. And has no problems with other commands. Cobian even has the ability to run as another user. I have had to use this to back up to network drives that don't like the user name to be "SYSTEM". I tried running as Administrator. That did not work either.
> [...]
> Cobian Backup is between developers. :'(

Does Cobian load their own scheduler process and use that to start backup jobs? Or do they create an event in Windows' Task Scheduler? If the latter, have you tried enabling the "run with highest privileges" option?

Instead of having Cobian directly load the batch file, have you tried using "psexec -h" to see if elevated privs get used to load the shell in which the batch file gets loaded? Or specify "cmd.exe /c batchfile" to make sure that process gets elevated privs instead of relying on calling cmd.exe indirectly (which may not have the necessary privs)?

When the backup job is running, and for the actual process that is doing the backing up (not the GUI or service), what is its privs level? You could check using SysInternals' Process Explorer.
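A scripted form of the Process Explorer check asked for above, added here as an example that is not part of the thread: for each process matching a name it reports the account the process runs as, whether its token is elevated, and its integrity level, by opening the process token and asking for TokenElevation and TokenIntegrityLevel, the same token queries Process Explorer's columns are built from. Run it from an elevated console (opening a SYSTEM service's token needs that, and on Windows 7 the open still needs PROCESS_QUERY_INFORMATION rather than the limited right). The process names are assumptions: cbService and cbInterface for Cobian's service and GUI, cmd for the shell a pre/post batch file runs in.

```powershell
# Added example (not from the thread): report account / elevation / integrity level of
# running processes, the way Process Explorer's columns do, via the token APIs.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;        // TOKEN_INFORMATION_CLASS values
    const int TokenIntegrityLevel = 25;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);

    // Returns { elevated (0/1), integrity RID }. Throws Win32Exception when the process or
    // its token cannot be opened (typically: caller not elevated, or a protected process).
    public static int[] Probe(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero;
        IntPtr elevation = Marshal.AllocHGlobal(4);
        IntPtr label = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) throw new Win32Exception();
            int needed;
            // TOKEN_ELEVATION is a single DWORD: non-zero when the token is elevated.
            if (!GetTokenInformation(token, TokenElevation, elevation, 4, out needed)) throw new Win32Exception();
            int elevated = Marshal.ReadInt32(elevation) != 0 ? 1 : 0;
            // TOKEN_MANDATORY_LABEL is a SID_AND_ATTRIBUTES; the level is the SID's last sub-authority.
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);   // size query
            label = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, label, needed, out needed)) throw new Win32Exception();
            IntPtr sid = Marshal.ReadIntPtr(label);
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            int rid = Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            return new int[] { elevated, rid };
        }
        finally
        {
            if (label != IntPtr.Zero) Marshal.FreeHGlobal(label);
            Marshal.FreeHGlobal(elevation);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
'@

$IntegrityNames = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-ProcessTokenInfo {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Owner comes from WMI so it works for other users' processes without extra rights.
        $owner   = (Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.Id)").GetOwner()
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        $elevated = $null; $integrity = $null; $err = $null
        try {
            $r = [TokenProbe]::Probe($proc.Id)
            $elevated  = [bool]$r[0]
            $integrity = $IntegrityNames[[int]$r[1]]
            if (-not $integrity) { $integrity = '0x{0:X}' -f $r[1] }   # e.g. Medium+ (UIAccess)
        } catch { $err = $_.Exception.GetBaseException().Message }
        [pscustomobject]@{
            Name = $proc.ProcessName; Pid = $proc.Id; Account = $account
            Elevated = $elevated; Integrity = $integrity; Error = $err
        }
    }
}

# Assumed process names: the backup service, its GUI, and any shells the pre/post commands spawned.
Get-ProcessTokenInfo -Name cbService, cbInterface, cmd | Format-Table -AutoSize
```

The useful comparison is the cmd.exe row that appears while a pre-command is running: if it shows Medium integrity and Elevated = False while the service row shows System, the batch is not inheriting the service's token at all, and no change to the user's group memberships will fix that.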
#5
On 12/09/2016 03:19 PM, VanguardLH wrote:

> Does Cobian load their own scheduler process and use that to start backup jobs? Or do they create an event in Windows' Task Scheduler? If the latter, have you tried enabling the "run with highest privileges" option?
> [...]
> When the backup job is running, and for the actual process that is doing the backing up (not the GUI or service), what is its privs level? You could check using SysInternals' Process Explorer.

Cobian runs as a service.

I was just going to leave LUA disabled if you thought it was not a security hazard.
#6
T on 2016/12/09 wrote:

> I was just going to leave LUA disabled if you thought it was not a security hazard.

You mean UAC.

It's a safety net, like those dialogs asking if you really want to delete an e-mail when using Shift+Del (in MS Outlook) but which you can disable via a setting. I'm not convinced UAC is effective against malware. I've perused a few hacking forums and they all know how to get around it. UAC is more to protect against the biggest enemy: the user.
#7
On 12/09/2016 07:15 PM, VanguardLH wrote:

> T on 2016/12/09 wrote:
>> I was just going to leave LUA disabled if you thought it was not a security hazard.
>
> You mean UAC.
>
> It's a safety net, like those dialogs asking if you really want to delete an e-mail when using Shift+Del (in MS Outlook) but which you can disable via a setting. I'm not convinced UAC is effective against malware.

I am totally convinced it is not.

> I've perused a few hacking forums and they all know how to get around it. UAC is more to protect against the biggest enemy: the user.

I really do mean LUA:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000
#8
On 12/09/2016 03:19 PM, VanguardLH wrote:

> Does Cobian load their own scheduler process and use that to start backup jobs? Or do they create an event in Windows' Task Scheduler? If the latter, have you tried enabling the "run with highest privileges" option?
> [...]
> When the backup job is running, and for the actual process that is doing the backing up (not the GUI or service), what is its privs level? You could check using SysInternals' Process Explorer.

You know what? This fixed a ton of errors on Cobian. The backup was larger than the shadow space (a reboot was required).

    C:\>vssadmin list shadowstorage
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Shadow Copy Storage association
       For volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
       Shadow Copy Storage volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
       Used Shadow Copy Storage space: 9.383 GB (2%)
       Allocated Shadow Copy Storage space: 9.813 GB (2%)
       Maximum Shadow Copy Storage space: 10 GB (2%)

    C:\>vssadmin resize shadowstorage /for=C: /on=C: /maxsize=50GB
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Successfully resized the shadow copy storage association
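The shadow-storage check behind that fix, as an added example that is not part of the thread: it parses the text report from `vssadmin list shadowstorage` into one object per association, computes used-versus-maximum, and flags any association that is close to its cap, printing the same resize command the post used with the association's own volumes filled in. The sample text is constructed to match the output format shown in the post (the second, UNBOUNDED association and its volume GUID are made up to exercise that branch); omit -Text to read the live report, which needs an elevated console. Assumes PowerShell 3 or later.

```powershell
# Added example (not from the thread): parse vssadmin's shadow storage report and warn
# before a backup outgrows the shadow copy storage cap.
function ConvertTo-Bytes {
    param([string]$Number, [string]$Unit)
    $scale = @{ 'B' = 1; 'KB' = 1KB; 'MB' = 1MB; 'GB' = 1GB; 'TB' = 1TB }
    [double]$Number * $scale[$Unit.ToUpper()]
}

function ConvertFrom-VssShadowStorage {
    # One object per "Shadow Copy Storage association" block in the report text.
    param([Parameter(Mandatory = $true)][string[]]$Text)
    $size  = '(?<n>\d+(?:\.\d+)?)\s*(?<u>[KMGT]?B)'
    $assoc = $null
    foreach ($raw in $Text) {
        switch -Regex ($raw.Trim()) {
            '^For volume:\s*\((?<v>[^)]+)\)' {
                if ($assoc) { $assoc }                     # emit the previous block
                $assoc = [pscustomobject]@{ Volume = $Matches.v; StorageVolume = $null
                                            UsedBytes = 0.0; AllocatedBytes = 0.0; MaxBytes = $null }
            }
            '^Shadow Copy Storage volume:\s*\((?<v>[^)]+)\)' { $assoc.StorageVolume = $Matches.v }
            "^Used Shadow Copy Storage space:\s*$size"        { $assoc.UsedBytes      = ConvertTo-Bytes $Matches.n $Matches.u }
            "^Allocated Shadow Copy Storage space:\s*$size"   { $assoc.AllocatedBytes = ConvertTo-Bytes $Matches.n $Matches.u }
            "^Maximum Shadow Copy Storage space:\s*$size"     { $assoc.MaxBytes       = ConvertTo-Bytes $Matches.n $Matches.u }
            '^Maximum Shadow Copy Storage space:\s*UNBOUNDED' { $assoc.MaxBytes       = [double]::PositiveInfinity }
        }
    }
    if ($assoc) { $assoc }
}

function Get-VssStorageReport {
    param([string[]]$Text = (& vssadmin.exe list shadowstorage),   # live report when -Text is omitted
          [int]$WarnPercent = 80)
    foreach ($a in ConvertFrom-VssShadowStorage -Text $Text) {
        $unbounded = (-not $a.MaxBytes) -or ($a.MaxBytes -eq [double]::PositiveInfinity)
        $pct   = if ($unbounded) { 0 } else { [math]::Round(100 * $a.UsedBytes / $a.MaxBytes, 1) }
        $state = if ($pct -ge $WarnPercent) { 'NEAR LIMIT' } else { 'ok' }
        [pscustomobject]@{
            Volume    = $a.Volume
            On        = $a.StorageVolume
            UsedGB    = [math]::Round($a.UsedBytes / 1GB, 2)
            MaxGB     = if ($unbounded) { 'UNBOUNDED' } else { [math]::Round($a.MaxBytes / 1GB, 2) }
            UsedOfMax = "$pct%"
            State     = $state
            # The command used in the post, with this association's volumes filled in.
            Fix       = if ($state -eq 'ok') { '' } else { "vssadmin resize shadowstorage /for=$($a.Volume) /on=$($a.StorageVolume) /maxsize=50GB" }
        }
    }
}

# Constructed sample in the format vssadmin prints (first block mirrors the post, second is invented).
$Sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
   Shadow Copy Storage volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
   Used Shadow Copy Storage space: 9.383 GB (2%)
   Allocated Shadow Copy Storage space: 9.813 GB (2%)
   Maximum Shadow Copy Storage space: 10 GB (2%)

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
   Shadow Copy Storage volume: (D:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
   Used Shadow Copy Storage space: 0 B (0%)
   Allocated Shadow Copy Storage space: 0 B (0%)
   Maximum Shadow Copy Storage space: UNBOUNDED (100%)
'@ -split "`r?`n"

Get-VssStorageReport -Text $Sample | Format-List
```

On the sample, C: reports 93.8% used of its 10 GB cap and is flagged NEAR LIMIT with the resize command; D: is UNBOUNDED and reports ok. The threshold is a parameter because the right margin depends on how much a single backup's writes churn the source volume while the snapshot is open.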