Limited User Account Predictor Verification Layer
The Limited User Account Privilege Predictor (LuaPriv) has two primary goals:
- Predictive: While running an application with administrative privilege, predict whether that application would work as well if run with less privilege (generally, as a normal user). For example, if the application writes to files that only allow Administrators access, that application won't be able to write to the same files when run as a non-administrator.
- Diagnostic: When running as a non-administrator, identify potential problems that may already exist with the current run. Continuing the previous example, if the application tries to write to a file that only grants members of the Administrators group access, the application will get an ACCESS_DENIED error. If the application doesn't operate correctly, this operation may be the culprit.
The types of problems that LuaPriv identifies are as follows:

| Potential Issue | Description |
|---|---|
| Restricted Namespaces | Creating a named synchronization object (Event, Semaphore, Mutex, etc.) without a namespace prefix may complicate running without privilege on some operating systems, because the operating system may choose to place the object in a restricted namespace. Creating such an object in a restricted namespace (such as the Global namespace) requires SeCreateGlobalPrivilege, which by default is granted only to administrators and service accounts. LuaPriv flags both of these issues if it detects them. |
| Hard Administrator Checks | Some applications interrogate the user's security token to find out how much privilege the user has. In those cases, the application may change its behavior depending on how much power it thinks the user has been granted. LuaPriv flags API calls that return this information. |
| Requesting Privileges | An application may attempt to enable a security-relevant privilege (such as SeTcbPrivilege or SeSecurityPrivilege) before performing an operation that requires it. LuaPriv flags attempts to enable privileges that are security-relevant. |
| Missing Privileges | If an application attempts to enable a privilege that the user doesn't hold, it probably signals that the application expects the privilege, which can cause behavior differences. LuaPriv therefore flags failed privilege requests. |
| INI-file operations | Attempts to write to mapped INI files (WritePrivateProfileSection and similar APIs) can fail for a non-administrator user, because the mapping may redirect the write into a registry location that standard users cannot modify. LuaPriv flags such operations. |
| Access Denied | If the application attempts to access an object (file, registry key, etc.) but the attempt fails due to insufficient access, the application probably expects to be running with more privilege than it has. LuaPriv flags object-open attempts that fail with ACCESS_DENIED and similar errors. |
| Deny ACEs | If an object has Deny ACEs in its DACL, it explicitly denies access to specific entities. This is uncommon and makes prediction difficult, so LuaPriv flags Deny ACEs when it finds them. |
| Access Restricted | If an application attempts to open an object for rights that are not granted to normal users (for example, trying to write to a file that's only writable by administrators), the application probably won't work the same when run as a normal user. LuaPriv flags such operations. |
| MAXIMUM_ALLOWED | If an application opens an object with MAXIMUM_ALLOWED, the open succeeds with whatever access the caller happens to have, so the real access check is deferred to later operations on the handle. Most code that does this doesn't handle the reduced access correctly, and will almost certainly work differently when run without privilege. LuaPriv therefore flags all uses of MAXIMUM_ALLOWED. |
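The following PowerShell script is an added example, not part of Application Verifier or LuaPriv. It applies the Access Restricted, Deny ACE, MAXIMUM_ALLOWED, Requesting Privileges and Missing Privileges checks from the table statically, to a list of objects an application is known to touch, and reports whether the current run is predictive (elevated) or diagnostic (standard user). The object paths and privilege names at the bottom are assumed inputs chosen for illustration; the `$StandardUserSids` and `$AdminOnlyPrivileges` lists are this example's own simplification of a standard user's token and of the default privilege assignments.

```powershell
# Added example (not LuaPriv code): a static predictor for the checks in the table.
# Run it elevated to predict, or as a standard user to diagnose.

# SIDs a standard user's token always carries; only ACEs for these count as
# access a normal user can rely on (assumption: the user's own SID is ignored).
$StandardUserSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-4'        # INTERACTIVE
)

# Privileges that, by default, only administrators or service accounts hold.
$AdminOnlyPrivileges = @(
    'SeCreateGlobalPrivilege', 'SeTcbPrivilege', 'SeSecurityPrivilege',
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeLoadDriverPrivilege'
)

$MAXIMUM_ALLOWED = 0x02000000   # generic access right bit from winnt.h

function Test-StandardUserAccess {
    # Predict, from the object's DACL alone, whether opening $Path with the access
    # mask $Requested would succeed for a standard user. Works for file system and
    # registry paths (Get-Acl returns FileSystemRights or RegistryRights ACEs).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Requested
    )
    $findings = @()
    if ($Requested -band $MAXIMUM_ALLOWED) {
        $findings += "MAXIMUM_ALLOWED: open of $Path defers the access check; later operations may fail"
    }
    $acl     = Get-Acl -LiteralPath $Path
    $granted = 0
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # Caveat: generic rights (GENERIC_WRITE etc.) in inherit-only ACEs are not
        # mapped to specific rights here, so they never contribute to $granted.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny ACE: $($ace.IdentityReference) is denied $('0x{0:X}' -f $rights) on $Path"
            continue
        }
        if ($StandardUserSids -contains $sid) { $granted = $granted -bor $rights }
    }
    $wanted = $Requested -band (-bnot $MAXIMUM_ALLOWED)
    if (($granted -band $wanted) -ne $wanted) {
        $findings += "Access Restricted: $('0x{0:X}' -f $wanted) on $Path is not granted to standard users (granted: $('0x{0:X}' -f $granted))"
    }
    return $findings
}

function Test-PrivilegeRequest {
    # Apply the Requesting Privileges and Missing Privileges checks to the
    # privileges an application would enable with AdjustTokenPrivileges.
    param([Parameter(Mandatory)] [string[]] $Requested)
    $findings = @()
    # whoami /priv lists every privilege present in the current token, enabled or not.
    $held = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
    foreach ($p in $Requested) {
        if ($AdminOnlyPrivileges -contains $p) {
            $findings += "Requesting Privileges: $p is security-relevant"
        }
        if ($held -notcontains $p) {
            $findings += "Missing Privileges: $p is not in this token; AdjustTokenPrivileges would report ERROR_NOT_ALL_ASSIGNED"
        }
    }
    return $findings
}

# Whether this run is predictive (elevated) or diagnostic (standard user). Inside an
# application this is exactly the kind of hard administrator check LuaPriv flags.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Mode: $(if ($isAdmin) { 'predictive (elevated)' } else { 'diagnostic (standard user)' })"

# Constructed inputs: objects the application is assumed to touch and the access it asks for.
$FILE_WRITE_DATA = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$KEY_SET_VALUE   = [int][System.Security.AccessControl.RegistryRights]::SetValue
Test-StandardUserAccess -Path 'C:\Program Files' -Requested $FILE_WRITE_DATA
Test-StandardUserAccess -Path 'HKLM:\SOFTWARE'   -Requested $KEY_SET_VALUE
Test-StandardUserAccess -Path $env:ProgramData   -Requested ($FILE_WRITE_DATA -bor $MAXIMUM_ALLOWED)
Test-PrivilegeRequest   -Requested 'SeCreateGlobalPrivilege', 'SeChangeNotifyPrivilege'
```

The DACL evaluation here is deliberately simplified: it ignores inheritance flags, the owner's implicit rights, and the user's own SID, and it does not map generic rights, so a path writable only through a GENERIC_WRITE ACE shows up as Access Restricted. Treat its output the way the table treats LuaPriv's: a list of operations to examine, not a verdict. Get-Acl itself needs READ_CONTROL on the object, so a Deny ACE that blocks even reading the security descriptor will surface as an error from Get-Acl rather than as a finding.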