Slashdot Mirror


User: Foolhardy

Foolhardy's activity in the archive.

Stories: 0
Comments: 872

Comments · 872

  1. Re:Dell vs Apple pricing on 1 Million Windows to Mac Converts So Far in 2005 · · Score: 1

    First of all, how are you sure that the disk activity you are seeing is actually paging? Lots of stuff loads at boot time, hence the name. Get Filemon and set the filter to show only IO on pagefile.sys.

    Second, let me introduce you to the concept of standby pages: memory that has copies both in memory and on disk. This way, if the memory is needed for something else it can be taken immediately without accessing the disk (since there's already a copy there), and if the memory is needed back where it came from (a soft fault), it's already in memory. Windows does aggressively put pages into the standby list, and Task Manager double counts them in Available Memory and System Cache. Available memory includes both free memory and standby memory; it's the memory that is available for any use without accessing the disk. This preemptive paging does disk activity now so that it might be avoided in the future when the disk is busy with something more important.

  2. Re:Monolithic design of CSRSS is to blame here... on The Story of a Microsoft Patch · · Score: 3, Interesting
    The problem, as far as I can see, is that CSRSS.exe, which implements some important parts of win32 (important enough for the kernel to die in sympathy if CSRSS dies), is also responsible for the menial tasks of drawing console windows.
    I think that CSR was intended to be a generic subsystem server at one point. CSR actually loads libraries that contain the work code: from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, Windows value
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
    This is the command line used to start csrss. Note the ServerDll= lines: csr loads basesrv, winsrv and calls entry point UserServerDllInitialization and ConServerDllInitialization. Csrss.exe is only some 6KB: the real work is done in these libraries. Back when Win32 was all in user mode (NT 3.51) winsrv.dll was 1.3MB: it's where all the GDI and USER back end code lived. There was also a call to GdiServerDllInitialization in winsrv. In NT4 winsrv.dll shrunk down to 166KB, since most of the code was moved into win32k.sys. Anyways, it looks like the console is implemented in winsrv but using the ConServer init function; it might be (or have been) possible to have CSR start another unprivileged process that just does the console work. I bet MS could do it if they really wanted to.
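    The SubSystems\Windows value described above, parsed from a live machine. This is an added example, not code from the comment: it reads the value, splits out each ServerDll= entry into DLL, init export and server index, and then cross-checks the list against the modules actually mapped into csrss.exe. The default export name ServerDllInitialization (used when an entry names no export) is an assumption about csrsrv's loader, not something the comment states.

```powershell
# Added example, not from the original comment: read the Session Manager
# SubSystems\Windows value and list the ServerDll= entries csrss loads.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$cmdline = (Get-ItemProperty -Path $key -Name Windows).Windows

# The value is a command line: image path first, then key=value options.
$tokens = $cmdline -split '\s+' | Where-Object { $_ }
$image  = $tokens[0]
$opts   = $tokens[1..($tokens.Count - 1)]

# ServerDll=dll[:EntryPoint],index  ->  DLL name, init export, server index.
# Assumption: when no export is named, csrsrv uses ServerDllInitialization.
$servers = foreach ($opt in ($opts | Where-Object { $_ -like 'ServerDll=*' })) {
    $spec = $opt.Substring('ServerDll='.Length)
    $dllPart, $index = $spec -split ','
    $dll, $entry = $dllPart -split ':'
    [pscustomobject]@{
        Dll        = $dll
        EntryPoint = if ($entry) { $entry } else { 'ServerDllInitialization' }
        Index      = [int]$index
    }
}

"csrss image: $image"
$servers | Sort-Object Index | Format-Table -AutoSize

# Cross-check against the DLLs actually mapped into a running csrss.exe.
# Needs an elevated prompt; on newer builds csrss runs as a protected
# process, so module enumeration may be refused.
$wanted = $servers | ForEach-Object { "$($_.Dll).dll" }
try {
    $csrss = Get-Process -Name csrss | Select-Object -First 1
    $csrss.Modules | Where-Object { $wanted -contains $_.ModuleName } |
        Select-Object ModuleName, FileName
} catch {
    "could not enumerate csrss modules: $($_.Exception.Message)"
}
```

    On current Windows the same value also carries an sxssrv entry; the parser handles any number of ServerDll= tokens, so the output simply grows.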
  3. Re:Reach on Scientist Says Most Scientific Papers Are Wrong · · Score: 1
    The most useful simulation of reality is a true one. Natural selection has an interest to leverage belief in order to create beneficial behaviors.

    I've skimmed a few of Plantinga's papers at this page. Here's a quote from Warrant and Proper Function (pp. 225-226) quoted in Naturalism Defeated:

    So suppose Paul is a prehistoric hominid; a hungry tiger approaches. Fleeing is perhaps the most appropriate behavior: I pointed out that this behavior could be produced by a large number of different belief-desire pairs. To quote myself:

    Perhaps Paul very much likes the idea of being eaten, but when he sees a tiger, always runs off looking for a better prospect, because he thinks it unlikely that the tiger he sees will eat him. This will get his body parts in the right place so far as survival is concerned, without involving much by way of true belief. . . . . Or perhaps he thinks the tiger is a large, friendly, cuddly pussycat and wants to pet it; but he also believes that the best way to pet it is to run away from it. . . . or perhaps he thinks the tiger is a regularly recurring illusion, and, hoping to keep his weight down, has formed the resolution to run a mile at top speed whenever presented with such an illusion; or perhaps he thinks he is about to take part in a 1600 meter race, wants to win, and believes the appearance of the tiger is the starting signal; or perhaps . . . . Clearly there are any number of belief-cum-desire systems that equally fit a given bit of behavior

    The thing is, rational behavior does not replace instinct. This scenario is very plausible, if Paul was left up to only his own mental devices to make decisions; if Paul were somehow completely separated from instinct. A real hominid would have instinct to tell him to fear the tiger, and these instincts are behaviors governed only by the long term survival of the species. Instinctual behaviors are simple and have few links between input and result. This behavior is simple: to fear predators or other large, scary creatures and to flee from them. This behavior will continue to be correct as long as predators exist. It's the perfect type of behavior to program instinctively since

    • It will be correct for many many generations, even across species
    • It is fairly general (and so is robust and will continue to be correct even if the predator changes)
    • An incorrect choice will result in certain death, so has a direct effect on selection

    On the other hand, some types of behaviors are better learned by each creature:

    Suppose Joey is a prehistoric hominid. In recent years, a new species of plant has evolved. It spreads when birds eat its berries, but the seeds are lost when eaten by other creatures. The plant's berries are adapted to make non-birds sick when the berries are eaten. To continue to entice the birds, the berries continue to be sweet. The only distinguishing part of the plant is the shape of its leaves. Joey eats a bunch of the berries from this plant, and likes them because they are sweet. A few hours later, Joey feels sick and realizes that the plant with the funny leaves was the only unusual thing he ate recently. Joey remembers not to eat from this bush again. 500 years later, this plant becomes extinct, choked out by other plants.

    This behavior is better suited to be learned because:

    • It was correct for only a short time. Evolution would take far too long to program an appropriate instinct, and it would be vestigial for some time after that.
    • It is specific to one type of plant; it's fragile and would not be applicable to any other species of plants.
    • An incorrect choice will be rememberable but not fatal. Joey's species would continue to survive (albeit not as well) even while eating the berries regularly. This smaller differen
  4. Re:Reach on Scientist Says Most Scientific Papers Are Wrong · · Score: 1
    Nature has no reason to favor organisms with brains that yield true information over organisms with brains that yield false but accidentally useful information.
    The key word in the second choice is accidentally. In this system, every beneficial behavior must be programmed genetically and individually by mutation-- by accident. The beneficial ones will then be reinforced by selection. Mutation works in time periods measured in many generations, but it sucks in the short term. The environment is in a constant state of change, requiring new behaviors to be created and old ones (that were once beneficial) to be reversed. Evolutionary instincts take many generations to change.

    On the other hand, a brain that yields truth can create a reflection of reality inside of itself. This reflection can accurately interpret and predict the outcome of a wide range of different situations, without need of individual mutations to create behaviors for each one. This brain is far more adaptable for the lifetime of a member of its species. It can learn from its own experiences, from its parents and from culture, each of which can adapt in a fraction of the time that evolution can. Culture and parentage can even teach useful behaviors to offspring, passing them along as evolution does.

    In other words, adaptations that benefit a rational mind are worth many adaptations that provide temporarily beneficial instincts, since they are better adapted to a changing environment.
  5. Re:Bzzzttt!!!!! on Five Reasons Not to Use Linux · · Score: 1

    Eject key on the keyboard? What if I have more than one CD/DVD drive? Which one does it eject? All of them? Does it pop up an ugly dialog box about selecting which one?
    Does this button eject other types of removable media, such as ZIP disks?

    I don't understand how having the eject key on the keyboard is better design than supplying each device with its own button, on location. You're going to have to move your hand over there to pick up/drop off a CD anyways...

    This is like having the eject button for your VCR/DVD player on the remote but not on the front of the device.

  6. Re:Additionally on Kutztown Students get Felony Charges · · Score: 1

    User identities are confirmed by using an Authentication Package. All of the packages that Windows includes require the user's password or smartcard interaction. It is documented how to write a new package; it is possible to create a package that would allow an administrator to act with the authority of any user. No one has done so AFAIK, and it doesn't look too simple.

    An even easier way to impersonate a user on the local system is to manufacture a token: tokens are used to identify the authority behind a process. Anyone with TCB privilege (SYSTEM by default) can directly manufacture a token using NtCreateToken that contains user and group identities of whomever you want. This only works on the local system, though.

    This is another case of the underlying system being capable, but Microsoft dropping the ball at a later stage. I think the justification for not being able to impersonate other users is the same as for not being able to assign ownership of objects to other users, except to restore backups.

    About processes you can't kill: see the latest Sysinternals blog entry. It's due to buggy drivers that don't cancel IRPs correctly: a process can't exit until all of its IO is canceled. As for deleting files, that's a property of the locking system. You can still rename the files, though. That's what SFU does.

  7. Re:Apple isn't stupid on Apple's Colossal Disappointment? · · Score: 2, Informative
    Microsoft writes lots of drivers. They support most standardized hardware and have a class or port driver for practically every device type. Class and port drivers handle all the common things a type of driver does; for example, the SCSI port driver does the things common to all SCSI drivers. The manufacturer writes a miniport driver to go along with it, which only handles the device-specific things.

    Also, lots of 'drivers' are merely filter drivers; the standard Microsoft driver does everything it needs to to support the device, and the filter sits on top (or underneath it) to modify its behavior slightly (probably for performance/extra features). For example, VIA's USB controller 'driver' is just a filter for Microsoft's standard UHCI USB driver (which operates fine by itself). VIA's IDE 'driver' (viaide.sys) is also just a filter on top of Microsoft's standard pciidex.sys and atapi.sys. The disk controller still works without VIA's software help (albeit slower).

    Drivers Microsoft does provide:
    • Standard PS2 stuff (COM, LPT, game port, floppy)
    • Standard IDE controller and ATAPI devices
    • OHCI, UHCI, EHCI USB hubs
    • Lots of USB HID stuff
    • Standard 1394
    • ACPI, PCI, DMA, standard busses and bridges
    • A standard processor driver
    • External modems
    • Filesystems (these are a pain to write anyways)
    Devices Microsoft provides class/port drivers for, but not usually full drivers:
    • SCSI controllers
    • 'Hardware' RAID controllers
    • Video *
    • Sound (although the SB16/AWE32 compat drivers are MS)
    • Smart cards
    • Video decoders/encoders
    • Network cards
    • Specialized USB devices
    • AGP busses
    Devices that I've found that Microsoft doesn't provide any drivers for:
    • My Winbond SD/MMC card reader
    Looking at the loaded kernel modules on my computer using Process Explorer, there are 126 loaded, 100 of which are Microsoft. On my laptop, 102/132 are MS. On both of them, I could use only MS drivers and still have a usable system.

    * MS has a generic VGA video driver (sloww) and usually ships a stripped down (for stability) version of the vendor's normal driver on the install CD. (doesn't Apple have nVidia/ATI write their own drivers for the most part too?)
  8. Re:How does transparancy improve my productivity? on Windows Longhorn Beta Screenshots · · Score: 1

    The welcome screen is most certainly NOT required to use fast user switching. Simply set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon value AllowMultipleTSSessions to 1 while the "classic" logon screen is selected. Use task manager to switch to other sessions or disconnect yourself to begin a new session. See also tsdiscon.exe and tscon.exe. Besides, Server 2003 supports fast user switching without any welcome screen nonsense.
    FUS is still disabled when the XP machine is in a domain; AllowMultipleTSSessions is always set to 0.
    I think Microsoft doesn't want you doing it for licensing/marketing reasons and possibly to make compatibility easier. I wouldn't be surprised if Longhorn supports it.

    As another poster noted, the users' processes are NOT suspended when the console session is switched. Fast user switching is implemented exactly the same way that Terminal Services is, plus the ability to change what session the console is connected to. Sessions are either connected to the console, a remote computer or are disconnected. The only difference is where (if anywhere) keyboard/mouse input comes from and where video and sound output goes.

  9. Re:In the kernel, not the eye candy. on Ballmer on Innovation · · Score: 1
    Overlay file systems and immutable file systems allow you to even share most of the files in the jail, without exposing the jails to substitution attacks from other jails. Again, this gives you a significant improvement in efficiency because you don't have to actually duplicate the userland either.
    Couldn't you implement the same thing with a new directory that no one (in the jail) has permission to write to, and hard links to the files that are the same?
    I don't know how complete the notification mechanism in NT is. Is that in NTFS or can you get notifications from any file system like you can on FreeBSD where the notifications happen at the vnode layer? Why doesn't Microsoft make more use of it?
    FindFirstChangeNotification has existed since NT 3.1 and Win 95. On NT, it's implemented by NtNotifyChangeDirectoryFile. It requires filesystem support, which the NTFS, FAT and SMB redirector drivers provide. IDK about the others. MS uses it in shell windows to update changes and the indexing service (and MSN desktop search) use it.
  10. Re:Garbage on Windows Software Ugly, Boring & Uninspired · · Score: 1

    In NT3.51, open File Manager. Optionally select the folder you want to share. In the menu, Disk->Share As... Here, it asks you for the share name (defaulting to the short name of the folder you selected), the shared path (defaulting to the selected folder) and space for an optional comment. The default permissions give everyone full access to the share (which means that everyone can get through the front door, but still need access under NTFS permissions), but can be changed using the Permissions button. Click OK.
    That's three clicks (after selection).

    In NT 4, right click the desired folder in any shell view (explorer, my computer, an open dialog) and select Sharing... Select the Shared As radio button. Here you can set the share name or add a comment. The default permissions are the same as in NT 3.51 and it has the same button to change them. Click OK.
    That's four clicks (after selection).

    Note that in all versions of Windows that support file sharing (even WFW), you can open a command prompt or use a run box and type net share sharename=path.

  11. Starflight on Are Older Games More Satisfying? · · Score: 2, Interesting

    If you want an old game that has real depth, play Starflight. I recently started playing it for the first time, and it's like a good book but without being linear. I've been picking up clues to the story, while exploring planets and trying to stay alive.

    The DOS version of Starflight is an 8088-era CGA game that has a lot of things that were way ahead of its time. Inside of 700K there are hundreds of unique planets, several races and an involved storyline. The planetary details are generated by fractals but remember what you do on them. Almost everything is done in real time; if you stay silent on the comm channel too long, the aliens on the other side can get annoyed or take over the conversation. A lot of descriptions are done by text, so it requires a little imagination, but the atmosphere of trying to survive, alone in a cold unforgiving universe is very strong.

    If you want to give Starflight a chance, I suggest using dosbox with the speed set to 1000 cycles. Anything higher will make battles and communication impossible. Be careful, though: saving or even playing the game modifies the main game files (stara.com, starb.com, starflt.com), so make archives of them if you want to save. You can't quit without saving.

    Despite a slower pace than many modern games, this game is quite addictive once you get started. I'm going back to it right now... now if I can just find some promethium so I can repair the shields...

  12. Re:doh on Windows Users Ignoring LUA Security · · Score: 1
    The best way IMO, on XP Pro is to log on as admin normally but reduce the privileges of exposed programs (like web browsers or email clients). All the stuff that needs admin just to run can get it by default, changing settings is easy because I'm admin by default, but the apps at risk for compromise are made safe.

    Software Restriction Policies, with one registry tweak (don't ask me why it's not standard) will let you set programs (identified by executable path, hash or certificate) to run:
    • Unrestricted
    • Not run at all (regardless of access rights)
    • Be run as if you were a normal user (removing all admin privileges)
    • Run restricted, which is same as normal user but without access to the user's profile and private key store
    • Untrusted, with only the access provided by the Users, Everyone and Authenticated Users groups (guest access only).
    I run IE and Mozilla as restricted, along with anything else I'm exposing to the Internet. If one of them is compromised, they won't have any more privileges than any normal user, even though I'm logged in as an admin.

    Read these two articles for a detailed description. The short version is, first put the text below into a .reg file and execute it (or do it manually)

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "Levels"=dword:00031000

    Add this line if you want to use certificates to identify binaries (slower):
    "AuthenticodeEnabled"=dword:00000001

    Then open the Local Security Policy (in admin tools) find Software Restriction Policies and create a new policy. Now, in the additional rules folder, you can right-click to add new rules based on path, hash or certificate. For example, make %programfiles%\internet explorer restricted (for windows update use a normal explorer window). I dare you to get any malware to install through IE when in this mode (I've tried). Heck, I bet most malware won't even run in Basic User mode.

    Oh, and if you're worried about shatter attacks, don't be: restricted and untrusted modes put the new processes in job objects that prevent them from accessing outside windows.
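    The same setup done from PowerShell instead of a .reg file and the Local Security Policy snap-in. This is an added example, not code from the comment: it writes the Levels and AuthenticodeEnabled values the comment gives, the enforcement values the snap-in writes when a policy is created, and one path rule that runs Internet Explorer at the Restricted (Constrained, 0x10000) level. The key layout under Safer\CodeIdentifiers (decimal level subkey, Paths\{GUID}, ItemData/SaferFlags/LastModified/Description) is what secpol.msc produces on XP and later; treat it as an assumption and confirm the rule shows up in the Software Restriction Policies UI afterwards. Run from an elevated prompt.

```powershell
# Added example, not from the original comment: Software Restriction Policies
# via the registry. Needs an elevated prompt (writes to HKLM\SOFTWARE\Policies).
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }

# The tweak from the comment: show all levels in the snap-in
# (0x31000 = Basic User 0x20000 | Restricted 0x10000 | Untrusted 0x1000).
Set-ItemProperty -Path $safer -Name Levels -Value 0x31000 -Type DWord
# Optional and slower: allow certificate rules.
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 1 -Type DWord

# Assumption: these are the values secpol.msc writes on "Create New Policies".
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord  # Unrestricted unless a rule says otherwise
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord  # enforce (1 = all software files except DLLs)
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord  # apply to every user, administrators included

# SAFER level ids. Level subkeys are named by their decimal value.
$levels = @{ Disallowed = 0; Untrusted = 0x1000; Restricted = 0x10000; BasicUser = 0x20000; Unrestricted = 0x40000 }

# Path rule: everything under the IE directory runs Restricted.
$rule = Join-Path $safer ('{0}\Paths\{1}' -f $levels.Restricted, [guid]::NewGuid().ToString('B'))
New-Item -Path $rule -Force | Out-Null
Set-ItemProperty -Path $rule -Name ItemData     -Value '%ProgramFiles%\Internet Explorer' -Type ExpandString
Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0 -Type DWord
Set-ItemProperty -Path $rule -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
Set-ItemProperty -Path $rule -Name Description  -Value 'Run Internet Explorer as a restricted (constrained) process' -Type String

# List every path rule the policy now carries, by level.
foreach ($lvl in ($levels.GetEnumerator() | Sort-Object Value)) {
    $paths = Join-Path $safer "$($lvl.Value)\Paths"
    if (Test-Path $paths) {
        Get-ChildItem -Path $paths | ForEach-Object {
            [pscustomobject]@{
                Level = $lvl.Key
                Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
            }
        }
    }
}
```

    The rule applies to processes started after it is written; an IE instance that is already running keeps its token. Path rules are the weakest identifier (anything a user can write to the matched directory inherits the level), so the comment's hash and certificate rules are the better fit when the point is to keep untrusted code down rather than to lower a trusted browser.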
  13. Re:"Security software" is an oxymoron on The Insecurity of Security Software · · Score: 1
    And why then can it not be removed without significant problems?
    Removing IE breaks the shell. Most software for Windows depends on at least part of the shell. Even the common open dialog boxes depend on the shell: notice that you can open notepad and put an http: address into the open dialog box. It'll happily retrieve the raw html from that address, using the shell. Even Task Manager has an open dialog, which means it depends on the shell. The newer help system is all HTML. All the things that break depend on the shell components that do HTML rendering.

    In response to your earlier comment:
    Besides, the OP's point was that Windows was ORIGINALLY not multiuser or secure and the DESIGN flaws from that are STILL present in the current versions, regardless of their current multiuser and memory protection capabilities.
    I said that the design of Windows NT has always been secure and multiuser. NT has little in common with the other Windows line under the surface. Name one design flaw present in the first version of NT (3.1) that still exists in the current version (Server 2003 or 5.2). I don't understand what's so bizarre about that.

    It's hard to compare to UNIX because there are so many variants, and I'm only familiar with a few of them. Still, standard Linux still uses the ancient RWX permissions, and gives each user one primary group. This is hardly as flexible as ordered accept/deny ACLs. Many UNIXes don't have an auditing system as deep as NT's. It's usually up to whatever resource manager to do its own auditing, if it's supported at all. I'm still looking for an equivalent to NT's restricted tokens in a common UNIX.
  14. Re:Update on My Client's Trojan Problems on The Insecurity of Security Software · · Score: 2, Interesting

    For deleting/moving files that are in use, take a look at the PendingFileRenameOperations value under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key. This value is a multi-string set of pairs of filenames: the first in each pair is the source file and the second is the destination. If the destination is blank, the source file is deleted. The session manager does this very early in the boot process, before any other user-mode processes have started. The file paths are native NT, not Win32, so there are no wildcards and you'll have to prefix the paths with \??\ if you want to use drive letters.
    For example, set the first two strings to \??\C:\WINDOWS\system32\t?skmgr.exe and blank to delete t?skmgr.exe on next reboot.
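    The PendingFileRenameOperations mechanism from the comment, driven from PowerShell. This is an added example, not code from the comment: it converts a Win32 path to the native \??\ form, appends a source/destination pair to the multi-string (empty destination = delete), and lists what is queued. The file name C:\Windows\System32\suspect.exe is a placeholder chosen for the example, not a real malware name; the comment's t?skmgr.exe is left as written. Writing the value needs an elevated prompt.

```powershell
# Added example, not from the original comment: queue a delete or rename for
# the Session Manager to perform at next boot, before any other user-mode
# process runs. Writing under HKLM\SYSTEM needs an elevated prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

function ConvertTo-NtPath([string]$Win32Path) {
    # Native paths carry no drive letters; \??\ is the DOS-devices prefix in
    # the object manager namespace. \\?\ paths are translated, \??\ passed through.
    if ($Win32Path -match '^\\\?\?\\') { return $Win32Path }
    if ($Win32Path -match '^\\\\\?\\') { return '\??\' + $Win32Path.Substring(4) }
    return '\??\' + $Win32Path
}

function Add-PendingFileOperation([string]$Source, [string]$Destination = '') {
    $existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $existing) { $existing = @() }
    # The value is pairs of strings: source, then destination. An empty
    # destination means delete. No wildcards: the path must be exact.
    $dst = if ($Destination) { ConvertTo-NtPath $Destination } else { '' }
    $new = @($existing) + @((ConvertTo-NtPath $Source), $dst)
    Set-ItemProperty -Path $key -Name $name -Value ([string[]]$new) -Type MultiString
}

function Get-PendingFileOperation {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    for ($i = 0; $i + 1 -lt $v.Count; $i += 2) {
        [pscustomobject]@{
            Source = $v[$i]
            Action = if ($v[$i + 1]) { "rename to $($v[$i + 1])" } else { 'delete' }
        }
    }
}

# Placeholder file name for the example, not a real malware name.
Add-PendingFileOperation -Source 'C:\Windows\System32\suspect.exe'
Get-PendingFileOperation
```

    This is the same registry value that MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT, so Sysinternals MoveFile produces entries in the identical format. Check the queue with Get-PendingFileOperation before rebooting: a typo in the source path is silently ignored, and a wrong destination for a rename is carried out.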

  15. Re:"Security software" is an oxymoron on The Insecurity of Security Software · · Score: 2, Informative
    Yes, Windows 2000 and XP CAN be brought dead to the metal in certain circumstances NOT involving hardware failure. I've seen it.
    A condition not caused by bad hardware or bad third party drivers or an admin user trying to kill it on purpose? How? You left out all the details.
    IE (a fucking WEB BROWSER) and its integration into the OS is just one example.
    The only thing that IE is integrated into is the shell environment. It has no integration with the security system or the kernel or anything else. IE is implemented by a set of user mode libraries hosted by processes that host the shell, like iexplore.exe or explorer.exe. The shell normally runs in the security context of the currently logged-on user.

    If a shell process is made to run malicious code through a vulnerability (even from a hole in IE) or user negligence, it has exactly the same rights as the current user. If the user is running a web browser as an administrator to browse untrusted sites, then that's just user stupidity. It has nothing to do with the OS's design.

    IE's integration into the Windows shell is just like KHTML's integration into KDE's shell or WebCore's integration into OSX's shell. They're each a set of standard libraries for rendering HTML for various UI components.

    Yes, the defaults for setting up a normal user account are poor. Defaults != OS design.
    Yes, there is a lot of software that needs excessive privileges to run properly. This is not the fault of the OS, but of developers who can't be bothered to write good software. The most that could be blamed on the OS design is that the security model is too complex, but even then, the errors are almost always things that would be illegal on UNIX too, like writing to the same directory that the program binaries are installed in.
    Besides, the OP's point was that Windows was ORIGINALLY not multiuser or secure and the DESIGN flaws from that are STILL present in the current versions, regardless of their current multiuser and memory protection capabilities.
    Windows NT has always had a secure, multiuser design. (unlike UNIX where security was taped on as an afterthought) Your only example about IE integration has little to do with OS security, and hardly distinguishes Windows since KDE and OSX do the same thing.

    Bring up some of the other supposedly myriad design flaws in Windows NT based OSes.
  16. Re:Enhanced Security mode or Restricted User mode? on 'Lower Rights' IE 7.0 Coming · · Score: 2, Informative

    The article is light on technical details, but it does sound like the Enhanced Security mode of WS2003. Running IE as a separate user with less privileges is better, but that wouldn't work in a multi-user environment. Every user would have the same access to a shared profile for storing bookmarks, saved forms and the like. There is a more elegant solution: restricted tokens.

    Restricted tokens are a feature available in Windows 2000 and later that allows any user to create a new process with less privileges than they have normally. You can delete SIDs, so that they can't be used to grant access, delete privileges, and create a list of restricting SIDs. "When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights." (from the above link)

    I've been running Internet Explorer, Mozilla, Winamp and a few other things with restricted SIDs for quite a while now. I delete the Administrators group, all privileges and restrict them to a narrow set of SIDs. I give them access to my profile, but they are explicitly denied access to all the Run keys in the registry, and My Documents. The program jobprc can be used to create restricted tokens and job objects.
    You can also create a process with a restricted token with the Protect My Computer option of RunAs, albeit with less control.

    I created a VM and TRIED to get infected while logged on as an admin using a restricted token. Nothing got through.

    It would be great if Microsoft took better advantage of restricted tokens by running certain things (like IE) with them by default.
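    What the RunAs "Protect my computer" route actually does to a token, observed from the outside. This is an added example, not code from the comment: it uses runas /trustlevel (the SAFER levels also used by Software Restriction Policies; 0x20000 is Basic User, 0x10000 Constrained) to start a second PowerShell under a restricted token, has that child write its own whoami output to CSV files, and then shows which groups became deny-only and which privileges survived. The temporary file names are chosen for the example.

```powershell
# Added example, not from the original comment: start a child under a SAFER
# restricted token with runas /trustlevel and inspect what it lost.
# 0x20000 = Basic User (RunAs' "Protect my computer"), 0x10000 = Constrained.
# No password prompt: any user may lower their own token.
runas /showtrustlevels

$groupsCsv = Join-Path $env:TEMP 'rt-groups.csv'
$privsCsv  = Join-Path $env:TEMP 'rt-privs.csv'
Remove-Item -LiteralPath $groupsCsv, $privsCsv -ErrorAction SilentlyContinue

# The child is a second PowerShell that dumps its own token to CSV files.
# Single quotes keep $env:TEMP unexpanded here so the child resolves it.
runas /trustlevel:0x20000 'powershell.exe -NoProfile -Command whoami /groups /fo csv | Set-Content -LiteralPath $env:TEMP\rt-groups.csv; whoami /priv /fo csv | Set-Content -LiteralPath $env:TEMP\rt-privs.csv'

# runas returns as soon as the child starts, so wait for the second file.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path -LiteralPath $privsCsv) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 200
}
Start-Sleep -Seconds 1   # let the child finish writing

# Groups the restricted token can no longer use to gain access (deny-only),
# plus the RESTRICTED SID (S-1-5-12) that appears at the Constrained level.
Import-Csv -LiteralPath $groupsCsv |
    Where-Object { $_.Attributes -match 'deny only' -or $_.SID -eq 'S-1-5-12' } |
    Select-Object 'Group Name', SID, Attributes

# Privileges left in the child; SAFER strips nearly all of them, typically
# leaving only SeChangeNotifyPrivilege.
Import-Csv -LiteralPath $privsCsv | Select-Object 'Privilege Name', State
```

    Run whoami /groups in the parent shell for the comparison. On a UAC-era system an administrator's normal shell already has Administrators marked deny-only, so the visible difference at 0x20000 is mostly the privilege list; use 0x10000 to see the restricting SID the comment describes, which is what locks the process out of the user's private key store.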

  17. Re:How many... on Sony Beefs up FAT for Consumer Devices · · Score: 2, Informative

    On Windows 2000 or later, there is a special PNP IRP that is sent to devices that have been yanked: IRP_MN_SURPRISE_REMOVAL. All removable devices must support this IRP and it must succeed. Devices are to release any resources used by the device, fail all pending and future operations on the device (other than close/cleanup) and await an IRP_MN_REMOVE_DEVICE once all handles have been closed for final cleanup. This IRP is generally handled by the volume device, below the filesystem. The devices, including the filesystem, play dead until all handles are closed.

    I pulled a USB flash drive while Explorer was copying a file to it. Explorer immediately gave me an ugly dialog box about not being able to find the file path with no option to retry or continue. I'm not sure what happens with memory-mapped file IO, but I know that when a pagefile becomes inaccessible, any thread that hits a hard fault hangs.
    Paging files aren't supposed to be located on removable devices, because pagefiles can't be closed at runtime. Besides, the kernel would die with a KERNEL_DATA_INPAGE_ERROR if it couldn't retrieve a kernel page from a removed disk.

    2000 enables write caching on removable devices by default, requiring you to use the "Safe hardware removal" applet. Microsoft found that too many people were simply yanking the things, so they made write caching disabled by default on XP. You can change the status of write caching on any volume in hardware->properties->policies.
    It is safe to pull an idle device without using safe removal when write caching is disabled.

  18. Crash??? on Sony Beefs up FAT for Consumer Devices · · Score: 3, Interesting
    Unlike vFAT, the xvFAT filesystem will not induce a kernel panic if a USB storage device is removed during a write operation, ...
    The kernel normally crashes when you yank a block device on a USB bus that uses vFAT?
    The FS can't just fail the pending write operations? It has to kill the kernel?

    What does the filesystem have to do with crashing, other than the quality of the driver? i.e. what do the on-disk file structures have to do with having a kernel panic?

    I mean, that's what xvFAT is, a different set of disk structures, isn't it? (not just a different driver)
    There's really no way to make the current vFAT driver recover safely with the current FAT disk structures?
  19. Re:users? on Mac Install-Base Shown to Be 16% · · Score: 1

    Yes, I agree that the defaults are poor and Microsoft could be doing more to encourage ignorant users to adopt good practices. However, the topic at hand is specifically about competent users that know what they are doing. These users know about normal user accounts and are able to set it up themselves.

  20. Re:users? on Mac Install-Base Shown to Be 16% · · Score: 1
    A Mac or Linux user needs to run the attachment AND either enter in a root password or have a privilege escalation flaw in the OS.
    This is just as true on a Windows machine when the user is running with normal privileges, except it won't ask for a password. It just fails until you explicitly have it run as another user account. A competent Windows user wouldn't run his computer with admin privs for normal use; a user that runs their mail client as root/admin is incompetent on either platform.
    User A is highly skilled, (s)he takes all the proper precautions, but a bug in the network stack compromises the computer.

    User B is not skilled, but has a secure OS and competent admin. The user tries to run an executable attachment, but because the admin hasn't signed it it cannot run and the computer stays secure.
    For one thing, users A and B are exposed to different kinds of attacks: network and trojan, respectively. The precautions for protecting against network attacks are the same on all modern platforms: minimization of attack surface and use of firewalls and routers. The design of Windows, Linux and OSX are the same when it comes to network services.

    The precautions taken by the network admin on computer B are not limited to Linux or OSX; Windows has (since XP) Software Restriction Policies that can limit a user's ability to run binaries to a whitelist defined by path, hash or signing. Besides that, you can apply file system security to prevent users from having both write and execute to directories, preventing them from running arbitrary binaries on all versions of NT, OSX and Linux.
  21. Re:not that easy on Device Drivers Filled with Flaws, Pose Risk · · Score: 2, Informative

    All drivers run in the same kernel mode virtual address space (usually the top 2GB) plus the current process's virtual address space. Drivers are free to call the native Zw* functions, the ones that don't do security checks or validation. Drivers can access the same Object Manager namespace as everyone else so there aren't any 'hidden' drivers.

    There's nothing stopping a driver running malicious code from connecting to the \Device\Tcp device to open a socket, using ZwCreateFile to copy a malware app into the Windows directory and using ZwCreateKey to install it as a new service.

    There's also nothing stopping a driver from posting a kernel APC onto a thread from a user-mode victim process so that the driver can load malicious code into the process. After that, it's as simple as changing the thread's thread environment block to return into the new code's address. The next time the thread is scheduled, the malicious code will be running. All with zero access checks.

    STOP errors do in fact occur when a driver tries to access certain read-only memory sections. These are sections that were set up at boot time and should never be changed. You're right about the purpose of STOP errors (die if there's any chance of corruption) and why the video drivers are avoided.

  22. Re:Fix the start button? Fix the on/off button!! on Windows Nearly Ready For Desktop Use · · Score: 2, Informative

    Use hibernate. Just hit the button and the computer will be off some 10 seconds later. When you next push the power button, everything will come back just as you left it.

    I have never seen a program that asks if you are sure if you want to hibernate or tries to stop the process. I've hibernated while games were running without any problems.

    Go to the power options control panel (type powercfg.cpl into the Run box). In the Hibernate tab, check "Enable hibernation". Click apply. Then on the Advanced tab, where it says "When I press the power button on my computer:" select "Hibernate". Click OK.

  23. Re:So? ...without international agreement? on Australia Says No To Spyware · · Score: 2, Funny
    1) MS Word is a word processor, not an operating system;
    Yeah, everyone knows that Emacs is the only proper word processing operating system.
  24. Re:Reduced privilege apps? on Several Critical MSIE Flaws Uncovered · · Score: 1

    If you're asking if there's a way to launch a new process with less privileges than its parent, then there is a way: create the child process with a restricted token. A restricted token is a copy of another token, but with privileges and SIDs deleted and an optional list of restricting SIDs.

    Privileges are for things like loading a driver or shutting down the system. Normally you delete all the privileges on a restricted token.

    SIDs give you identity, both as a user and for group membership. A token has a SID for the user himself and each group he belongs to. There's a SID for the Users group, one for the Administrators group, etc. Deleted SIDs can't be used to gain access to resources (but will still be considered for deny entries). If you delete the Administrators SID from the restricted token, new processes created with it won't have admin access.

    If a list of restricting SIDs exists, then access checks must succeed using the normal SIDs AND the list of restricting SIDs. (See the description on the CreateRestrictedToken page)

    There are two ways that I know of to use restricted tokens:
    1. Use the "protect my computer" option of RunAs; this runs the program with the Administrators group and your personal SID disabled, all privileges deleted, and a list of restricting SIDs the same as yours, plus the SID named RESTRICTED. This way, you can explicitly deny RESTRICTED access to things that you would normally have access to, such as sensitive things in your own profile. See Aaron Margosis's blog for a good description.
    2. You can use my program, jobprc. It's a command line program that's more complicated but exposes virtually all of the power of restricted tokens and job objects.
    For example, you could run Internet Explorer without admin privileges with jobprc iexplore -dsid administrators -dprivmax. IE would still have access to your profile, but it doesn't get the access granted by the Administrators group or any special privileges.

    As an application developer, you could check to see if your app was started with an appropriate token, and if not, have it relaunch itself with a restricted token.
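    The access-check rules the comment describes (deleted SIDs still match deny entries, restricting SIDs must pass as well as the normal SIDs, DISABLE_MAX_PRIVILEGE strips privileges) can be illustrated with a small model. This is an added example, not code from the comment, from jobprc or from Windows: it simulates the behaviour of CreateRestrictedToken and AccessCheck in plain Python rather than calling the Win32 API, the SID strings and ACLs are constructed for illustration, and the exact SID lists RunAs "protect my computer" uses are simplified to the description above. It then replays both scenarios from the comment against a system file, an object with an explicit deny for Administrators, and a profile file that denies RESTRICTED.

```python
"""Toy model of Windows restricted-token access checks (added example).

Models CreateRestrictedToken (SidsToDisable, SidsToRestrict,
DISABLE_MAX_PRIVILEGE) and the DACL walk done by AccessCheck. Real SIDs are
binary structures; the string SIDs, masks and ACLs here are constructed.
"""
from dataclasses import dataclass
from typing import Optional

READ, WRITE = 0x1, 0x2
FULL = READ | WRITE
ALLOW, DENY = "allow", "deny"

# Well-known SIDs (real values); the user SID is a constructed placeholder.
USER = "S-1-5-21-0-0-0-1001"
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"
RESTRICTED = "S-1-5-12"


@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    sid: str    # trustee the entry applies to
    mask: int   # access bits granted or denied


@dataclass(frozen=True)
class Token:
    sids: frozenset                        # user SID plus enabled group SIDs
    deny_only: frozenset = frozenset()     # disabled SIDs: match DENY entries only
    privileges: frozenset = frozenset()
    restricting: Optional[frozenset] = None  # None means not a restricted token


def _walk_dacl(dacl, sids, deny_only, desired):
    """One ordered pass over a DACL: a DENY entry covering a requested bit that
    is not yet granted fails the check; ALLOW entries accumulate bits."""
    granted = 0
    for ace in dacl:
        remaining = desired & ~granted
        if ace.kind == DENY and ace.sid in (sids | deny_only) and ace.mask & remaining:
            return False
        if ace.kind == ALLOW and ace.sid in sids:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def access_check(token, dacl, desired):
    """Normal SIDs must pass; for a restricted token the restricting SIDs must
    pass too (logical AND), exactly as the comment states."""
    if not _walk_dacl(dacl, token.sids, token.deny_only, desired):
        return False
    if token.restricting is None:
        return True
    return _walk_dacl(dacl, token.restricting, frozenset(), desired)


def create_restricted_token(token, sids_to_disable=(), sids_to_restrict=(),
                            disable_max_privilege=False):
    """Disabled SIDs become deny-only, restricting SIDs are recorded, and
    DISABLE_MAX_PRIVILEGE removes every privilege."""
    disabled = frozenset(sids_to_disable) & token.sids
    return Token(
        sids=token.sids - disabled,
        deny_only=token.deny_only | disabled,
        privileges=frozenset() if disable_max_privilege else token.privileges,
        restricting=frozenset(sids_to_restrict) if sids_to_restrict else token.restricting,
    )


# Constructed starting token: an administrator with two sensitive privileges.
ADMIN_TOKEN = Token(sids=frozenset({USER, USERS, ADMINS}),
                    privileges=frozenset({"SeLoadDriverPrivilege", "SeShutdownPrivilege"}))

# Constructed objects: a system file, an object that explicitly denies
# Administrators write access, and a profile secret that denies RESTRICTED.
SYSTEM_FILE = (Ace(ALLOW, ADMINS, FULL), Ace(ALLOW, USERS, READ))
DENY_ADMINS_OBJECT = (Ace(DENY, ADMINS, WRITE), Ace(ALLOW, USERS, FULL))
PROFILE_SECRET = (Ace(DENY, RESTRICTED, FULL), Ace(ALLOW, USER, FULL))


def jobprc_style_token():
    """Scenario 2: 'jobprc iexplore -dsid administrators -dprivmax'."""
    return create_restricted_token(ADMIN_TOKEN, sids_to_disable={ADMINS},
                                   disable_max_privilege=True)


def protect_my_computer_token():
    """Scenario 1 (simplified): Administrators disabled, privileges dropped,
    restricting list = the token's own SIDs plus RESTRICTED."""
    return create_restricted_token(ADMIN_TOKEN, sids_to_disable={ADMINS},
                                   disable_max_privilege=True,
                                   sids_to_restrict=ADMIN_TOKEN.sids | {RESTRICTED})


if __name__ == "__main__":
    t = jobprc_style_token()
    print("jobprc token can write system file:", access_check(t, SYSTEM_FILE, WRITE))
    print("jobprc token can read system file:", access_check(t, SYSTEM_FILE, READ))
    p = protect_my_computer_token()
    print("protected token can read profile secret:", access_check(p, PROFILE_SECRET, READ))
```

    Two details worth noticing in the output: the jobprc-style token still fails a write to the object with an explicit deny for Administrators, because a disabled SID remains deny-only; and the "protect my computer" token is blocked from the profile secret even though the normal pass succeeds through the user's own SID, because the restricting pass trips on the RESTRICTED deny entry.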

  25. Re:Perhaps a strange suggestion, but... on Windows XP Starter Edition Snubs P4, Athlon · · Score: 4, Informative

    When you direct NT to make a memory dump on BSOD, it uses disk space already reserved for the pagefile. You need to have a page file on the boot volume large enough to hold whatever size memory dump. Since the sectors are already allocated, it's as simple as writing memory directly into them; the filesystem need not be involved for this. The next time the system boots, it copies the memory dump contents into a new file (which is now safe to create) before the pagefile is used for paging again. Another area is pre-allocated to hold space for a crash event in the event log.