A Windows XP help forum. PCbanter
Disable LUA ????
  #1  
Old December 9th 16, 07:52 PM posted to alt.windows7.general
T
Default Disable LUA ????

Hi All,

Windows 7 Pro, SP1, x64, fully updated

On one machine, I cannot run the following command
(access denied), except when the CMD window is
elevated to Administrator.

MountVol.exe %Drive%\ %UUID%

Now what is annoying is that this machine is the only
one with the issue. And worse yet, I am the ONLY person
that has ever touched it. It is a fresh install. On
other almost identical machines, I do not have this issue.

As a workaround, I disabled LUA.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

This is M$'s write-up on it:
https://msdn.microsoft.com/en-us/library/cc232765.aspx

0x00000000
Disabling this policy disables the "administrator in
Admin Approval Mode" user type.

0x00000001
This policy enables the "administrator in Admin
Approval Mode" user type while also enabling all
other User Account Control (UAC) policies.

Which means nothing to me. What the #&$@ is LUA? And, what
have I done?


Many thanks,
-T

  #2  
Old December 9th 16, 08:41 PM posted to alt.windows7.general
VanguardLH[_2_]
Default Disable LUA ????

T on 2016/12/09 wrote:

Windows 7 Pro, SP1, x64, fully updated

On one machine, I cannot run the following command
(access denied), except when the CMD window is
elevated to Administrator.

MountVol.exe %Drive%\ %UUID%

Now what is annoying is that this machine is the only
one with the issue. And worse yet, I am the ONLY person
that has ever touched it. It is a fresh install. On
other almost identical machines, I do not have this issue.

As a workaround, I disabled LUA.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

This is M$'s write-up on it:
https://msdn.microsoft.com/en-us/library/cc232765.aspx

0x00000000
Disabling this policy disables the "administrator in
Admin Approval Mode" user type.

0x00000001
This policy enables the "administrator in Admin
Approval Mode" user type while also enabling all
other User Account Control (UAC) policies.

Which means nothing to me. What the #&$@ is LUA? And, what
have I done?

Many thanks,
-T


LUA = Limited User Account

A security token is assigned to a process based on the privileges for
the Windows account. Tokens can be changed. For example, you can use
SysInternals' psexec to change the security token on a process (run
"psexec /?" and look at the -l argument). There are other similar
utilities, like DropMyRights. Another example is RunAs with the
/trustlevel argument in Windows. Once the process has been loaded with
a LUA token, any child processes it starts will also get the LUA token.
Using these tools won't help to restrict privileges on a process that is
started as a child. You have to use the tool to assign the LUA token.
So clicking on a hyperlink in an e-mail (where that client has full
admin privs) results in loading a web browser (also with full admin
privs). You have to assign the LUA token to a process so that any
children it loads are also limited.

One use is to let you always login under an admin Windows account but
run a process under a LUA token. For example, you might always want to
login under an admin-level account but, by default, load a web browser
under a LUA token. The web browser would get the limited privileges of
a limited (normal) account hence mitigate some of the vectors through
that process that might be used by malware or a malicious site. To do
this requires you always use a shortcut that uses the psexec -l,
DropMyRights, or other tool to assign a LUA token to the process that
the tool is told to load. I believe there is a way to edit the registry
so the handler for an object would specify to use the tool and the
actual handler specified as the argument but I've not tried this;
however, that would ensure that a child process for that program got
loaded with a LUA token regardless of the privs for the parent program
that called that child.

Microsoft came out with UAC to provide a similar feature where a process
gets loaded under a LUA token unless it is trying to perform some
system-level function(s). Is UAC configured the same on all your hosts?
Since you never mention getting a UAC prompt, either the program you are
loading doesn't need system-level functions (e.g., regedit.exe) or you
have disabled UAC. It can be configured to elevate privileges when YOU
run a program but block with a prompt when something else tries the same
thing. UAC has multiple settings.

Since your command example uses replaceable parameters from the shell,
are you trying to run this command inside a batch file? Did you use the
pre- and post-commands in the backup program to run that command? Well,
the caller (parent) must have admin privileges to run mountvol.exe. If
not, and because those are child processes, you might not see a UAC
prompt. A backup program's frontend might not be running with admin
privs but its backup job might. For example, many backup programs create
an XML or some definition file that is read by the program that actually
performs the backup job. However, the pre- and post-commands might be
executed by the frontend process which does not have admin privs. I ran
into that where the backup program created events in Task Scheduler. I
changed the option to run with highest privileges for the scheduled task
but my commands in a .bat file were not run at elevated privs. So the
pre- and post-commands would fail because the batch file ran programs
that demanded admin privs (and I wouldn't get a UAC prompt for them
although I have UAC enabled).

For the backup program, ask its developer how you can run the pre- and
post-commands under admin privileges regardless of under which priv set
they load their backup program (the one that does the actual backup, not
their frontend GUI). I thought I'd get tricky by editing the scheduled
task they added to Task Scheduler by enabling the "run with highest
privileges" option but it didn't work for me.
  #3  
Old December 9th 16, 09:21 PM posted to alt.windows7.general
T
Default Disable LUA ????

On 12/09/2016 12:41 PM, VanguardLH wrote:
T on 2016/12/09 wrote:


Hi Vanguard,

I wrote your answer down in my keepers. Wow. You are good at
this stuff! It is humbling.

The user has admin rights.

Since your command example uses replaceable parameters from the shell,
are you trying to run this command inside a batch file?


yes.

Did you use the pre- and post-commands in the backup program to
run that command?


yes.

Well, the caller (parent) must have admin privileges to run
mountvol.exe.


It does. That is what is annoying. Cobian is running as a
system daemon. And has no problems with other commands.

Cobian even has the ability to run as another user. I have
had to use this to back up to network drives that don't like
the user name to be "SYSTEM". I tried running as Administrator.
That did not work either.

For the backup program, ask its developer


Cobian Backup is between developers. :'(

-T

  #4  
Old December 9th 16, 11:19 PM posted to alt.windows7.general
VanguardLH[_2_]
Default Disable LUA ????

T on 2016/12/09 wrote:

On 12/09/2016 12:41 PM, VanguardLH wrote:
T on 2016/12/09 wrote:


Hi Vanguard,

I wrote your answer down in my keepers. Wow. You are good at
this stuff! It is humbling.

The user has admin rights.

Since your command example uses replaceable parameters from the shell,
are you trying to run this command inside a batch file?


yes.

Did you use the pre- and post-commands in the backup program to
run that command?


yes.

Well, the caller (parent) must have admin privileges to run
mountvol.exe.


It does. That is what is annoying. Cobian is running as a
system daemon. And has no problems with other commands.

Cobian even has the ability to run as another user. I have
had to use this to back up to network drives that don't like
the user name to be "SYSTEM". I tried running as Administrator.
That did not work either.

For the backup program, ask its developer


Cobian Backup is between developers. :'(


Does Cobian load their own scheduler process and use that to start
backup jobs? Or do they create an event in Windows' Task Scheduler? If
the latter, have you tried enabling the "run with highest privileges"
option?

Instead of having Cobian directly load the batch file, have you tried
using "psexec -h" to see if elevated privs get used to load the shell in
which the batch file gets loaded? Or specify "cmd.exe /c batchfile"
to make sure that process gets elevated privs instead of relying on
calling cmd.exe indirectly (which may not have the necessary privs)?

When the backup job is running, and for the actual process that is doing
the backing up (not the GUI or service), what is its privs level? You
could check using SysInternals' Process Explorer.
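As an added diagnostic, not something posted in this thread: Vanguard's explanation in #2 (a child inherits the parent's token, and an admin user under UAC normally runs on a filtered LUA token) and his question in #4 (what privilege level does the backup process actually have?) can both be answered by logging the token of the batch job itself. The script below, run as the backup program's pre-command, records the user, whether the token is the full admin token, its integrity level and the EnableLUA value, and exits non-zero when mountvol would be denied. The log path and script name are assumptions; the SIDs and registry key are standard Windows values.

```powershell
# Added example (not from the thread). Save as token-check.ps1 and run it
# as the backup program's pre-command, e.g.
#   powershell -ExecutionPolicy Bypass -File C:\scripts\token-check.ps1
# $LogPath is a placeholder; change it to wherever you keep job logs.
param([string]$LogPath = "$env:TEMP\token-check.log")

function Get-TokenReport {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole(Administrator) is true only for the full admin token. Under
    # UAC the filtered (LUA) token of an admin user has the Administrators
    # group marked deny-only, so this reports $false until elevation.
    $elevated = $principal.IsInRole($adminRole)

    # Integrity level comes from the mandatory-label group in the token:
    # S-1-16-8192 = Medium (LUA), S-1-16-12288 = High (elevated),
    # S-1-16-16384 = System (what a service running as SYSTEM gets).
    $integrity = ($id.Groups |
        Where-Object { $_.Value -like 'S-1-16-*' } |
        Select-Object -First 1).Value

    # EnableLUA is the value the original post set to 0. With 0, UAC is off
    # and an admin logon gets the full token with no prompt at all.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA `
                -ErrorAction SilentlyContinue).EnableLUA

    # Parent PID tells you which process (frontend GUI, service, scheduler)
    # actually launched this job; compare it in Process Explorer.
    $parent = (Get-WmiObject Win32_Process -Filter "ProcessId=$PID").ParentProcessId

    [pscustomobject]@{
        Time         = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        User         = $id.Name
        Elevated     = $elevated
        IntegritySid = $integrity
        EnableLUA    = $lua
        ParentPid    = $parent
    }
}

$report = Get-TokenReport
$report | Format-List | Out-String | Add-Content -Path $LogPath
if (-not $report.Elevated) {
    Write-Warning "Not elevated: mountvol.exe will be denied from this token."
    exit 1
}
```

A Medium integrity SID with Elevated = False in the log means the job inherited a filtered token from its parent, which is exactly the case Vanguard describes where no UAC prompt ever appears.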
  #5  
Old December 10th 16, 01:23 AM posted to alt.windows7.general
T
Default Disable LUA ????

On 12/09/2016 03:19 PM, VanguardLH wrote:
T on 2016/12/09 wrote:

On 12/09/2016 12:41 PM, VanguardLH wrote:
T on 2016/12/09 wrote:


Hi Vanguard,

I wrote your answer down in my keepers. Wow. You are good at
this stuff! It is humbling.

The user has admin rights.

Since your command example uses replaceable parameters from the shell,
are you trying to run this command inside a batch file?


yes.

Did you use the pre- and post-commands in the backup program to
run that command?


yes.

Well, the caller (parent) must have admin privileges to run
mountvol.exe.


It does. That is what is annoying. Cobian is running as a
system daemon. And has no problems with other commands.

Cobian even has the ability to run as another user. I have
had to use this to back up to network drives that don't like
the user name to be "SYSTEM". I tried running as Administrator.
That did not work either.

For the backup program, ask its developer


Cobian Backup is between developers. :'(


Does Cobian load their own scheduler process and use that to start
backup jobs? Or do they create an event in Windows' Task Scheduler? If
the latter, have you tried enabling the "run with highest privileges"
option?

Instead of having Cobian directly load the batch file, have you tried
using "psexec -h" to see if elevated privs get used to load the shell in
which the batch file gets loaded? Or specify "cmd.exe /c batchfile"
to make sure that process gets elevated privs instead of relying on
calling cmd.exe indirectly (which may not have the necessary privs)?

When the backup job is running, and for the actual process that is doing
the backing up (not the GUI or service), what is its privs level? You
could check using SysInternals' Process Explorer.



Cobian runs as a service.

I was just going to leave LUA disabled if you thought it was not
a security hazard.
  #6  
Old December 10th 16, 03:15 AM posted to alt.windows7.general
VanguardLH[_2_]
Default Disable LUA ????

T on 2016/12/09 wrote:

I was just going to leave LUA disabled if you thought it was not
a security hazard.

You mean UAC.

It's a safety net, like those dialogs asking if you really want to
delete an e-mail when using Shift+Del (in MS Outlook) but which you can
disable via setting. I'm not convinced UAC is effective against
malware. I've perused a few hacking forums and they all know how to get
around it. UAC is more to protect against the biggest enemy: the user.
  #7  
Old December 10th 16, 04:18 AM posted to alt.windows7.general
T
Default Disable LUA ????

On 12/09/2016 07:15 PM, VanguardLH wrote:
T on 2016/12/09 wrote:

I was just going to leave LUA disabled if you thought it was not
a security hazard.

You mean UAC.

It's a safety net, like those dialogs asking if you really want to
delete an e-mail when using Shift+Del (in MS Outlook) but which you can
disable via setting. I'm not convinced UAC is effective against
malware.


I am totally convinced it is not.

I've perused a few hacking forums and they all know how to get
around it. UAC is more to protect against the biggest enemy: the user.


I really do mean LUA:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
  #8  
Old December 10th 16, 04:21 AM posted to alt.windows7.general
T
Default Disable LUA ????

On 12/09/2016 03:19 PM, VanguardLH wrote:
T on 2016/12/09 wrote:

On 12/09/2016 12:41 PM, VanguardLH wrote:
T on 2016/12/09 wrote:


Hi Vanguard,

I wrote your answer down in my keepers. Wow. You are good at
this stuff! It is humbling.

The user has admin rights.

Since your command example uses replaceable parameters from the shell,
are you trying to run this command inside a batch file?


yes.

Did you use the pre- and post-commands in the backup program to
run that command?


yes.

Well, the caller (parent) must have admin privileges to run
mountvol.exe.


It does. That is what is annoying. Cobian is running as a
system daemon. And has no problems with other commands.

Cobian even has the ability to run as another user. I have
had to use this to back up to network drives that don't like
the user name to be "SYSTEM". I tried running as Administrator.
That did not work either.

For the backup program, ask its developer


Cobain Backup is between developers. :'(


Does Cobian load their own scheduler process and use that to start
backup jobs? Or do they create an event in Windows' Task Scheduler? If
the latter, have you tried enabling the "run with highest privileges"
option?

Instead of having Cobian directly load the batch file, have you tried
using "psexec -h" to see if elevated privs get used to load the shell in
which the batch file gets loaded? Or specify "cmd.exe /c batchfile"
to make sure that process gets elevated privs instead of relying on
calling cmd.exe indirectly (which may not have the necessary privs)?

When the backup job is running, and for the actual process that is doing
the backing up (not the GUI or service), what is its privs level? You
could check using SysInternals' Process Explorer.



You know what? This fixed a ton of errors on Cobian. The backup
was larger than the shadow space (a reboot was required).


C:\>vssadmin list shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
   Shadow Copy Storage volume: (C:)\\?\Volume{825e2fc4-b861-11e6-ba53-806e6f6e6963}\
   Used Shadow Copy Storage space: 9.383 GB (2%)
   Allocated Shadow Copy Storage space: 9.813 GB (2%)
   Maximum Shadow Copy Storage space: 10 GB (2%)

C:\>vssadmin resize shadowstorage /for=C: /on=C: /maxsize=50GB
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Successfully resized the shadow copy storage association

