Running Legacy Applications as a Least-Privileged User

Use this toolkit to help reduce compatibility problems

Russell Smith

December 25, 2006


SOLUTION SNAPSHOT

PROBLEM
Running legacy applications while logged on as a least-privileged user
SOLUTION
With tools found in the Windows Application Compatibility Toolkit (ACT), you can configure an application that requires write operations to protected areas of the file system or registry to redirect those operations to the user's profile.
WHAT YOU NEED
Windows XP, ACT 4.1, a sample application (e.g., Maxthon)
DIFFICULTY
2.5 out of 5

Anyone who has ever tried to manage Windows XP desktops in an enterprise environment in which Least-Privileged User Accounts (LUAs) are deployed knows what a challenge it can be. I'm not going to discuss the benefits of running your desktops as limited accounts, but I'll show you a useful technique for overcoming problems related to limited access and legacy application compatibility.

LUA and Compatibility Problems


Legacy applications (and sometimes even new applications) that fail to run under the security model for a least-privileged user can be a huge headache for IT administrators. Often such programs require access to areas of the file system and registry that least-privileged users aren't permitted to modify, causing applications to lose certain functionality or not work at all.

Users have several methods they can use to run legacy applications when logged on as a LUA (e.g., the Runas command). Many are workarounds that require the user to take some additional action or that introduce authentication problems when connecting to networked resources, and they are rarely accepted by users. However, you might consider using the following options, which are transparent to the end user:

  • Change the ACL on the affected files, folders, or registry keys

  • Modify the user's security token only for the affected application

  • Use the Application Compatibility Engine to redirect file system or registry writes

The most commonly used method for running legacy applications as a least-privileged user is to modify ACLs on the registry keys, files, or folders that an application needs to access to run successfully. There are two main drawbacks to this method. First, you need to identify the registry keys, files, and folders that are causing the problem. Even using file and registry access tools, this can be a time-consuming job. Second, after you modify the necessary ACLs, you potentially leave once-protected areas of the system open to change, which could cause the application to stop working at some point in the future. One case in point is if you need to give users Modify access to a particular application directory.

Third-party solutions (such as Winternals Software's Protection Manager and BeyondTrust's Privilege Manager) can modify the user's security token on the fly. When a user launches an application, the token is given administrator privilege to run only that particular process. This is completely transparent to the user. The main disadvantage of this method is the cost.

XP has a built-in solution for dealing with LUA compatibility problems—the Application Compatibility Engine. Using it in conjunction with the Application Compatibility Toolkit (ACT), you can analyze an application and configure XP to automatically redirect writes in protected areas of the file system and registry to the user's profile.

Configuring Application Fixes


Let's look at a sample legacy application and how to use ACT to make the application run correctly under a LUA account. The example is simple for the purpose of illustrating the process. You can use ACT to solve more complex problems, but the basic steps remain the same.

The application we'll use is Maxthon 1.5, which is a replacement shell for Microsoft Internet Explorer (IE) 6.0 and IE 5.5 that has tabbed browsing, RSS, an ad blocker, and other useful features that make Web browsing a more pleasant experience. Maxthon is available as a free download at http://www.maxthon.com. If you run this application as a LUA user, any preferences or options that you configure are lost when you close it, because Maxthon saves preferences in a folder under Program Files, for which a least-privileged user doesn't have Write permission. Maxthon isn't aware of multiple users.

After you download ACT, which you can do at http://www.microsoft.com/downloads/details.aspx?FamilyID=4005DA79-933A-4CC8-BF86-FE2E28B792FD&displaylang=en&Hash=V3N34CF, log on to Windows as an administrator and install ACT. Then install Maxthon, but clear the option for running the program before you click Finish. You want to find out where Maxthon saves all its preferences, so you'll need to let ACT analyze the application the first time that you run it.

Although we're looking for a solution to run Maxthon under LUA, we need to run ACT and analyze Maxthon while logged on as an administrator. To do so, perform these steps:

  1. Launch the Compatibility Administrator program by opening All Programs, Microsoft Application Compatibility Toolkit 4.1, then clicking Tools.

  2. Under Custom Databases, you'll see New Database. Right-click it and rename it to Maxthon, as Figure 1 shows.

  3. Right-click the database again and select Create New, Application Fix. In the Program information dialog box, enter the name of the application, the vendor, and the path to the executable, which in this case is C:\Program Files\Maxthon\Maxthon.exe. Click Next.

  4. Next, you'll see the Compatibility Modes screen, which is where you can choose to solve a LUA problem. For OS mode, select None, then select LUA from the list on the right, as Figure 2 shows. Click Next.

  5. In the Compatibility Fixes screen, scroll through the list of fixes. Make sure that LUARedirectFS and LUARedirectReg are selected and click Next.

  6. The Matching Information screen lets you modify the criteria that the Application Compatibility Engine uses to identify the Maxthon executable. Accept the default values and click Next.

  7. Make sure that Yes, customize these fixes now is selected and click Finish.

Customizing the Application Fix


We now want to let ACT analyze Maxthon as it runs to detect when it writes to protected areas of the OS and automatically customize the fix as necessary. When you click Finish in the previous step, a page opens that gives you the option to monitor the program. Run program to collect data will be the only option available. Click Next. The path to the Maxthon executable will already be entered, so simply click OK. ACT will automatically launch Maxthon.

  1. As Maxthon runs for the first time, follow the Configuration Wizard prompts, then select Options, Maxthon Options.

  2. Go to the General tab to see the available options, which Figure 3 shows. Select the Allow only one instance of Maxthon option, then click OK.

  3. Close Maxthon and select Don't show me the message again in the Exit Maxthon dialog box. Click OK.

Maxthon will then close and you'll be returned to the ACT Exclude File Extensions screen. For this example, we don't want to exclude anything, so make sure that no file extensions are listed and click Next. In the Edit the File Redirection List, which Figure 4 shows, you'll see that ACT has identified all instances of writes to protected files. Select all of them and click Next. ACT will display a summary of the redirects in the Redirection Location screen. Click Finish.

Installing an Application Compatibility Database


From the main Compatibility Administrator window, save the Maxthon database as c:\maxthon.sdb. Then install the database by opening a command line and typing

sdbinst c:\maxthon.sdb

After installing the database, log on as a LUA and clear the Allow only one instance of Maxthon check box under Maxthon Options. Close and restart Maxthon. Check the options to make sure that the application has remembered the setting. You'll see that the redirected configuration files are now stored in the hidden Application Data folder in the least-privileged user's profile.

Next, uninstall the compatibility database to see how Maxthon behaves when the database isn't installed. To uninstall the database, log on as an administrator and type the following command:

sdbinst -u c:\maxthon.sdb

When you restart Maxthon as a least-privileged user, you'll find that without the compatibility database installed, the application doesn't retain the options you set.
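The install and uninstall steps above register and unregister the database through sdbinst, and the registration is visible in the registry. The following PowerShell script is an added example, not code from the article or from Microsoft's ACT: it wraps the two sdbinst commands, confirms that the Maxthon database is registered, and lists every custom shim database and every executable that has a custom fix on the machine, which is the same check an administrator would run to verify a Group Policy deployment or to spot a database nobody deployed. It assumes an administrative session with sdbinst.exe on the path, PowerShell 3 or later, that sdbinst records installed databases under the AppCompatFlags\InstalledSDB and AppCompatFlags\Custom keys (the values read below are the ones sdbinst writes), and that the DatabaseDescription value holds the database name chosen in Compatibility Administrator (Maxthon in step 2). The path c:\maxthon.sdb is the article's.

```powershell
# Added example (not from the article): register, verify, and audit custom
# shim databases. Assumes an administrative session and sdbinst.exe on the path.
$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$CustomKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'

function Get-InstalledShimDatabase {
    # One subkey per installed database, named by the database GUID.
    if (-not (Test-Path $InstalledSdbKey)) { return @() }
    foreach ($key in Get-ChildItem $InstalledSdbKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Guid        = $key.PSChildName
            Description = $props.DatabaseDescription   # assumed: the name set in Compatibility Administrator
            Path        = $props.DatabasePath          # where sdbinst registered the database
            Type        = $props.DatabaseType
        }
    }
}

function Get-ShimmedExecutable {
    # One subkey per executable name that has a custom fix; each value name is
    # the GUID (plus ".sdb") of the database supplying the fix.
    if (-not (Test-Path $CustomKey)) { return @() }
    $databases = @{}
    foreach ($db in Get-InstalledShimDatabase) { $databases[$db.Guid] = $db }
    foreach ($key in Get-ChildItem $CustomKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($valueName in $props.PSObject.Properties.Name) {
            if ($valueName -notlike '{*}.sdb') { continue }   # skip the PS* metadata properties
            $guid = $valueName -replace '\.sdb$', ''
            [pscustomobject]@{
                Executable = $key.PSChildName
                Guid       = $guid
                Database   = if ($databases.ContainsKey($guid)) { $databases[$guid].Description } else { '<not in InstalledSDB>' }
            }
        }
    }
}

function Test-ShimDatabaseInstalled {
    param([Parameter(Mandatory)][string]$Name)
    # True when a registered database carries the given description (database name).
    foreach ($db in Get-InstalledShimDatabase) {
        if ($db.Description -and ($db.Description -ieq $Name)) { return $true }
    }
    return $false
}

function Install-ShimDatabase {
    param([Parameter(Mandatory)][string]$Path)
    # The article's command, run quietly (-q); sdbinst exits non-zero on failure.
    & sdbinst.exe -q $Path
    if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }
}

function Uninstall-ShimDatabase {
    param([Parameter(Mandatory)][string]$Path)
    # The article's uninstall command (-u), run quietly.
    & sdbinst.exe -q -u $Path
    if ($LASTEXITCODE -ne 0) { throw "sdbinst -u failed with exit code $LASTEXITCODE" }
}

# Usage: install the article's database, confirm it is registered, then list
# every custom database and every shimmed executable on the machine.
$sdb = 'c:\maxthon.sdb'
Install-ShimDatabase -Path $sdb
if (-not (Test-ShimDatabaseInstalled -Name 'Maxthon')) { throw "Maxthon database is not registered" }
Get-InstalledShimDatabase | Format-Table -AutoSize
Get-ShimmedExecutable    | Format-Table -AutoSize
# Uninstall-ShimDatabase -Path $sdb   # reverses the install, as in the article's second command
```

Run the two listing functions periodically on managed desktops: the Custom key tells you which executables the Application Compatibility Engine will alter at launch, and the InstalledSDB key tells you which databases supply those changes. Any database that does not match what you deployed, with ACT or through Group Policy, is worth investigating, because the redirection that keeps Maxthon's settings also changes how that executable sees the file system and registry.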

Going Forward


ACT can provide quick and easy solutions to many LUA problems that occur with legacy applications. The user will be unaware of the problem and can run the application without the need for any manual workarounds. Administrators can simplify the process even more by using Group Policy to deploy compatibility databases. In Windows Vista's User Account Control (UAC), Microsoft has further developed the redirection feature to automatically redirect writes to a virtualized space for each user without the need to run ACT. This functionality will help even home users run as least-privileged users.

SOLUTION STEPS

  1. Create an application compatibility database.

  2. Customize an application fix.

  3. Install the database.
