  1. #1

    Devcon, Batch Files and Limited User Accounts

    Hello, not sure if this is the most appropriate forum but it is security related. I'm using Windows XP Pro SP2 and today I set up a limited user account by first duplicating my admin account and then changing the setting of the original admin account to limited user. That seemed to go OK and now I am adjusting to using a limited user account. One problem I have found is that my keyboard shortcuts to enable and disable the LAN are not working. At first I couldn't even enable the network manually but I found I could do so by changing the setting for this using the Local Group Policy Editor:

    Local Computer Policy - User Configuration - Administrative Templates - Network - Network Connections

    However, my shortcuts to automate the process are using devcon and a limited user account doesn't seem to be able to access this. I'd like to avoid a solution using runas as typing in a password defeats the purpose of using the keyboard shortcut in the first place. One idea I do have is to use AutoHotKey which has a built-in runas. This would mean compiling an exe file containing my user name and password but I wonder how secure that is. So my questions are:

    1. Is there any way to change Windows XP settings so that a limited user account can access devcon?
    2. If not, how secure is it using an AutoHotKey compiled exe containing my account and password?

    I don't think I've ever had a file on my computer containing my user account passwords. Being able to enable and disable the LAN is important to me as I have automated shutdown routines and I don't like starting my computer up when the LAN is on as I feel it is insecure.

    I hope what I have written makes some kind of sense and someone can give me some good advice!

    Thanks,

    Chris (Hunt)

  2. #2

    Re: Devcon, Batch Files and Limited User Accounts

    Chris

    Although the DevCon writeup doesn't specifically state that it requires administrator mode, I should be very surprised if Microsoft had intended such a powerful utility for use by any level of user. Another example of why it's so difficult to run systems-type XP programs in anything other than Administrator...
    BATcher

    Time prevents everything happening all at once...

  3. #3

    Re: Devcon, Batch Files and Limited User Accounts

    Thanks Batcher, I suspected as much. What do you think about my idea of writing an AutoHotKey script that includes runas and my password? That could temporarily raise my rights enough to use devcon. Once compiled I'd delete the original text file. As an exe file would that be reasonably secure? There is an option in the compiler to prevent decompiling, though I've no idea if it works. One downside of the approach is that I'll need to redo and recompile the exe file every time I change my password which currently is about every 90 days. If you or someone tells me that I'm being overly paranoid worrying about a password inside an exe file then I'll give that method a go.

    Cheers,

    Chris

  4. #4

    Re: Devcon, Batch Files and Limited User Accounts

    You could use a tool such as Process Monitor to see what registry keys are modified when you disable a device. Then give your limited user access to those keys. Set up a batch run to disable the device by modifying the registry and another to enable the device modifying the registry.

    I'm not sure why you think you need to do this anyway. With XP SP-2 and newer OSes the Microsoft Firewall is started very early in the boot process regardless of whether you have a third party firewall or not. I'm pretty sure this happens before the network stuff is initialized. So, you have an active firewall blocking inbound attempts very early on. Then much later in the boot process the third party firewall notifies the OS that it has initialized and the Windows firewall is disabled.

    Joe

  5. #5

    Re: Devcon, Batch Files and Limited User Accounts

    Thanks Joe, perhaps I'm just being superstitious but I've never liked closing a computer down with access to the Internet running. I didn't know about the Microsoft Firewall coming in before third party firewalls but I still feel that is more vulnerable than not being connected at all. I may check out Process Monitor but I'm not sure I want to rely on batch files that write to the registry. My limited user account can't access the registry unless I give it manual permission so I would need to override that.

    I'm still interested in hearing opinions about the vulnerability of putting passwords into exe files. If something can get at an exe file wouldn't that mean that the Limited User Account Defence had already failed?

    Chris

  6. #6

    Re: Devcon, Batch Files and Limited User Accounts

    Running as a limited user prevents YOU (or someone else that may use that account) from inadvertently changing system files or settings. If someone else is able to log on to your system as an admin or you lose physical control, your limited user account won't make any difference.

    You can still 'get at an exe file' with a limited account as you must be able to access the file to execute it.

    BTW, I find it much better to run a router and disable the internet connection at the router if I have to. Either power the router down or some have a button to immediately disable the internet connection.

    Joe

  7. #7

    Re: Devcon, Batch Files and Limited User Accounts

    Hi Joe, I understand that to run an exe file one needs to be able to access it but is accessing and decompiling the same thing - or rather requires the same level of permissions? Regarding a router, my wife set up our connection so I'm not sure how it works but I do know that I want a solution that I can run through batch files or AutoHotKey. I know I can physically remove a cable (for example) but I want to be able to perform actions via keyboard shortcuts. I find it ironic that since switching to a Limited User Account I can't power the computer down automatically or disconnect the LAN automatically. This is not only less convenient but feels less secure.

    Chris

  8. #8

    Re: Devcon, Batch Files and Limited User Accounts

    Well, I found a solution that allows me to enable and disable the LAN without using runas, devcon or going anywhere near a password! What I did was create a shortcut to the LAN and then put it in my start menu and use an AutoHotKey Sendkeys script:

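    <code>SendInput {LWin}      ; open the Start menu
    SendInput {Down 5}    ; move down to the LAN shortcut
    SendInput {AppsKey}   ; open the shortcut's context menu
    SendInput {b}         ; menu letter that switches the LAN off
    SendInput {enter}
    SendInput {esc}       ; close any menu left open
    </code>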

    This script simulates doing things by hand and switches the LAN off. I have another script with Send {a} instead of SendInput {b} to switch it on again. I get a small flash as the start menu activates but I'm happy to live with that if it means avoiding entering my account password. I've also created another script so that when I press the Windows key and L it moves to switch the LAN off first before bringing up the change user dialogue. So I think it's sorted!

    Cheers,

    Chris (Hunt)

  9. #9

    Re: Devcon, Batch Files and Limited User Accounts

    Great!!! Glad you got it worked out. Thanks for posting the solution.

    Joe