StripMyRights.exe

Copyright (C) 2005 Kåre Smith, Systemintegrasjon AS

http://www.sysint.no

Usage:

    StripMyRights.exe [/D] [/DW] [/L N|C|U] {exefile} [arguments]

Requirements:

The program is made for Windows XP, Windows Server 2003 and newer.

Purpose of the utility:

If you are using a Windows computer logged on as an administrator, you are taking a risk. Especially if running Web browsers like Internet Explorer or email clients like Outlook. To lower the risk, it would be nice to be able to start Internet Explorer, Outlook and other potential risk-exposing applications in an ordinary user context. With Windows 2000 you had to use the RunAs command, which is cumbersome. With Windows XP Microsoft introduced the API calls SaferCreateLevel and SaferComputeTokenFromLevel, which allows one to create a token with reduced rights to be used when starting new processes. Michael Howard, Microsoft Security Engineering, released a utility, DropMyRights to take advantage of this new feature.

So StripMyRights is based on the idea of DropMyRights, but adds a few new features: The ability to pass command line arguments, the ability to be started from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key and the abillity to be run as a replacement of the original program.

As the DropMyRights utility, one can choose to start new processes with one of three trust levels:

BTW: The recommended way of operating a Windows computer is to log on as an ordinary user, and then use the RunAs and log on as an administrator when running programs needing more access rights. 

Installation:

The program StripMyRights.exe should be copied to the Windows System32 folder, normally C:\Windows\System32.

Another approach is to copy StripMyRights.exe to another program folder and make sure this folder is in the PATH of the computer.

Operating modes:

1. Modified shortcut

In this mode you have to manually modify the shortcuts of the insecure applications, like for instance the Internet Explorer.

Valid command line:

	StripMyRights.exe [/L N|C|U] {exefile} [arguments]

Exefile is the full path to an executable to run. Must be enclosed in "" if the path contains spaces.
Arguments is any arguments to pass to the executable.
Important: /D and /DW must not be used in this operating mode!

To launch Internet Explorer as a Normal user, use this command line (the full path to iexplore.exe must be modified according to your system):

StripMyRights.exe /L N "C:\Program Files\Internet Explorer\iexplore.exe"

This mode has a couple of disadvantages: You must change all relevant shortcuts and maybe also some registry keys used to launch the insecure application, and for applications installed by Windows Installer packages, the path to the executable is not modifiable in the shortcut. The path is hidden somewhere in the registry. An important disadvantage is that if you run a URL, for instance http://www.sysint.no, from the Run menu item in the Start menu, Internet Explorer will be started with full trust access rights, if not already running.

2. Image File Execution Options registry key

When Windows is told to start a program, it checks for the precense of the program name as a subkey of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key.

For Internet Explorer the executable file is iexplore.exe, and the registry key should be named: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe.

If this key exists and a value named Debugger is defined in that registry key, the program configured there is run as a debugger for the application.

The Debugger value should be of type REG_SZ and should contain this command line: "StripMyRights.exe /D /L N"

Full example, in the form of a Regedit export:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="StripMyRights.exe /D /L N" 

This mode has the advantage that it is simple to install, since there are only two steps:

  1. Copy StripMyRights.exe to the Windows System32 folder, normally C:\Windows\System32
  2. Add the necessary registry keys and values below Image File Execution Options

Another advantage is that it affects all users on the computer, and the only way to run the configured programs with full access rights is to copy the program to another name.

A disadvantage in this mode is that some functionality in Windows, like the ability the open a URL from the Run menu choice in the Start menu, will cause an error message if there is no Internet Explorer running already (if, of course, Internet Explorer has been set up ro run with lesser trust). A retry will solve the problem since the program was started by the first try.

To allow the original application to return return-values to the calling application, for instance when running batch-files, use /DW in the Debugger value instead of /D.

Valid command line:

	StripMyRights.exe {/D | /DW} [/L N|C|U]

Either /D or /DW must be used in this operating mode. Windows will itself add the executable filename and any arguments, so please don't add them to the command line.

3. Renaming the original program file

In this mode the original program file should be renamed to executable-name.orig, for instance iexplore.exe.orig. The StripMyRights.exe must then be copied to the original executable name, for instance iexplore.exe, in the same folder as the original program file.

When launched in this mode, the copied StripMyRights.exe gets it's running program name, for instance iexplore.exe, and then checks for the presence of a file named program-name.orig, for instance iexplore.exe.orig. If this program exists, it runs that program with the same arguments as StripMyRights was called with.

In this mode it is impossible to specify the wanted trust level for the application, and it will be run as a Normal user (defaults to /L N).

The advantage with this mode is that it affects all users on the computer, and it is also possible to run the application with full trust access rights from the command line by running the executable-name.orig file.

The disadvantage is that the file renaming will confuse upgrades or repairs, which probably will replace the renamed StripMyRights.exe with the original program.

Another disadvantage is that some functionality in Windows, like the ability the open a URL from the Run menu choice in the Start menu, will cause an error message if there is no Internet Explorer running already (if, of course, Internet Explorer has been set up ro run with lesser trust). A retry will solve the problem since the program was started by the first try.

User License Agreement:

The program is delivered AS-IS, that is without any form of guarantee. You may freely use the program for any legal purpose, and you may freely distribute it as long as this file is distributed with the program file.

Incorrect use of this program may make it impossible to log on to the computer. All use of this program is at the risk of the user. Systemintegrasjon AS does not accept any liability for any damage the program might cause.

If you do not accept these terms, you must delete the program, StripMyRights.exe, at once!

Developed by Kåre Smith, 26. december 2005