Hello,
RAA seems unable to detect and elevate the privileges of programs invoked from the Windows XP AutoPlay mechanism. For example:
1) Install ImgBurn (http://imgburn.com/), which registers some AutoPlay Event Handlers.
2) Add a new AlwaysTrustedLevel policy condition for ImgBurn.exe. Condition can be path or hash-based, it doesn't matter.
3) Test the new policy by double-clicking on ImgBurn.exe from an Explorer window. Program starts with Administrator rights.
4) Insert a DVD movie into the DVD drive, and select "Create an Image using ImgBurn" from the AutoPlay window.
5) ImgBurn.exe starts up only with User rights, not Administrator rights.
I have had this same problem with SuRun, as well. It's strange, because according to the Windows Security audit log, the parent process of the AutoPlayed ImgBurn.exe process is Windows' Explorer.exe. Shouldn't RAA be able to detect and elevate this new process?
By the way, thank you for RAA, Istvan. It's very impressive!
I think this has something to do with how rundll32.exe calls processes. I have a background task that sits in the notification area:
"C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\Thinkpad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
When I double-click it, it starts PWMUI.EXE, but the parent process is Windows' Explorer.exe, not rundll32.exe:
C:\PROGRA~1\Thinkpad\UTILIT~1\PWMUI.EXE
No matter what I do, I can't get RAA to elevate PWMUI.EXE when started from the rundll32.exe tray application. Starting it from the start menu elevates privileges as expected from my Policy.xml.
I wrote a small program called "shimrun.exe" to use in the Image File Execution Options "Debugger" value, which would simply pass arguments and spawn a new process for ImgBurn.exe. The "Debugger" works fine when running ImgBurn.exe normally, but when called from Windows AutoPlay, shimrun.exe is unable to create the ImgBurn.exe process and keeps retrying endlessly.
I also tried with a .VBS script, and the result is the same. I wonder what's going on?