[THIN] Microsoft Standard User Analyzer

  • From: "Rick Mack" <ulrich.mack@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 18 Dec 2006 06:36:08 +1000

Hi People,

Microsoft have released a new application deployment tool that is going to
make life hugely easier in terms of getting difficult applications ported to
terminal services.

To quote Microsoft:

*The Standard User Analyzer helps developers and IT professionals diagnose
issues that would prevent a program from running properly without
administrator privileges. On Windows Vista, even administrators run most
programs with standard user privileges by default, so it is important to
ensure that your application does not have administrator access as a
dependency.*

*Using the Standard User Analyzer to test your application can identify the
following administrator dependencies and return the results in a graphical
interface:*
*Details of functions provided:*

Tab            Details
-------------  ------------------------------------------------------------
File           Lists file system access issues. For example, an application
               attempting to write to a file that normally only
               administrators can access.

Registry       Lists system registry access issues. For example, an
               application attempting to write to a registry key under
               HKLM, which is a location that normally only administrators
               can access.

INI            Lists WriteProfile API issues. WriteProfile APIs were
               originally used for 16-bit Windows but are still popular in
               some modern applications. One example is the Calculator in
               Windows XP. If the view is changed from "Standard" to
               "Scientific", calc.exe calls WriteProfile API to write into
               windows\win.ini, which is only writable by administrator
               users.

Token          Lists access token checking issues. If an application
               explicitly checks for the "Builtin\Administrators" security
               identifier (SID) in a user's access token, the application
               most likely will not work for a standard user.

Privilege      Lists privilege issues. For example, if an application
               explicitly enables "SeDebugPrivilege", it will not work for
               a standard user.

Name Space     Lists issues that are caused when an application creates
               system objects (e.g. events, memory mappings) in restricted
               namespace. Applications that have this error will not work
               for a standard user.

Other Objects  Lists issues related to accessing objects other than files
               and registry keys.

Process        Lists issues related to process elevation. On Vista, if an
               application uses CreateProcess API to launch executables
               that require elevation, the application will not work for a
               standard user.

This basically extends the LUA Analyzer so that you can see any activity by
the application that requires increased privileges on the user's part.

No more privilege auditing and messing around with the registry and file
monitors, plus you'll get an idea whether virtualization will be able to "fix"
things.

If only we could have had this tool a few years ago.

regards,

Rick

--
Ulrich Mack
Commander Australia
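
The File, Registry, INI, Token and Privilege categories in the table above can be probed directly from the standard-user session an application will run in. The PowerShell script below is an added example, not part of the original post or of Microsoft's tool; the function names and the HKLM\SOFTWARE sample key are assumptions chosen for illustration.

```powershell
# Added example: probe the current session for the administrator dependencies
# that the File/INI, Registry, Token and Privilege tabs describe.
# Function names and the HKLM\SOFTWARE sample key are assumptions.

function Test-FileWritable([string]$Path) {
    # Open for write without truncating or modifying; only the ACL check matters.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch {
        return $null   # missing file, sharing violation, etc.: undetermined
    }
}

function Test-HklmWritable([string]$SubKey) {
    # Request a writable handle; nothing is created or changed.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $null }   # key does not exist
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

function Get-StandardUserReadiness {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User                 = $identity.Name
        # False for a standard user (and for an unelevated admin on Vista and later)
        AdminGroupEnabled    = $principal.IsInRole($adminRole)
        # A privilege absent from the token cannot be enabled by the application
        HasSeDebugPrivilege  = [bool](@(whoami /priv) -match 'SeDebugPrivilege')
        CanWriteWinIni       = Test-FileWritable (Join-Path $env:windir 'win.ini')
        CanWriteHklmSoftware = Test-HklmWritable 'SOFTWARE'
    }
}

Get-StandardUserReadiness | Format-List
```

In a standard-user session every field except User is expected to be False, which is the condition under which the dependencies in the table cause an application to fail.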
