Last month, in "Chml Fills the Gap" (InstantDoc ID 95973), I introduced you
to Chml, a utility I created for exploiting the new Windows Vista integrity
levels to potentially shore up your computer's security. You'll recall from
my past two columns that integrity levels resemble file permissions—but
they also override file permissions. In other words, if integrity levels deny
you access to an object, you're denied access to that object even if you have
Full Control permission on that object.
Last month, I wrote that integrity levels support a largely
undocumented but useful notion called no read up, which
denies Read access to an object that holds a higher integrity
level than the process (e.g., Microsoft Internet Explorer—IE,
Word) trying to read it. This month, I return to the more
well documented integrity-level feature called no write up,
which blocks any lower-integrity process from modifying a
higher-integrity object. But I take the discussion a bit further
by exploring how to assume the System integrity level.
You're Kidding!
Vista recognizes five levels of integrity: Untrusted, Low, Medium, High, and
System. (Another, even higher level called Protected Process isn't accessible
or in use, as far as I can see.) Standard users typically operate as Medium
integrity, and administrative users operate as High integrity. Notice, however,
that Windows recognizes an integrity level higher than the level that administrators
enjoy: the System level.
When I first learned that Vista included an integrity level
above that of administrators, I freaked out: "What!? Microsoft has placed things on my own Vista laptop that I can't
delete?" Indeed, early versions of Vista kept administrators
from accidentally deleting system files by giving those
files the System integrity level. But when Vista beta testers
complained that they couldn't delete items on their own
computer, Microsoft removed the System integrity level
from the files in the Windows folder.
Nevertheless, the System integrity level still worries me. What if a malicious
user figures out how to install malware on my system and grant it the System
integrity level? I wouldn't even be able to delete that malware, despite the
fact that the Administrators group has Full Control permissions on every folder
on the computer. Would my only option be to simply wipe the hard disk clean
and start over? Thankfully, no.
Triple Play
I've discovered three ways to run Chml with the System integrity level. The
first way to run Chml with the System integrity level is to simply boot your
system with a Windows Preinstallation Environment (PE) CD-ROM. When you run
Windows PE, you're running in the context of the System account, and—not
surprisingly—the System account runs with the System integrity level.
So, if you were to come across some malware installed at the System integrity
level, you'd need only to boot the afflicted computer with Windows PE and use
Chml to lower the malware's integrity level, as I demonstrated last month:
chml <file or folder name> -i:m
After you lower the malware's integrity level to Medium,
you can delete the malware. Of course, you'd need to add
Chml to the Windows PE disk to use this solution, because
the tool isn't built into Windows PE. Alternatively, you could
just run Chml from a USB drive.
The second way to run Chml with the System integrity level is to go to Sysinternals
(http://www.sysinternals.com),
download the latest version of Psexec (psexec.exe), and exploit its new Vista-compatible
-s switch, which lets you run any command in the context of the System account.
So, for example, if you have Chml in a folder called C:\stuff and you want to
lower the integrity level of a folder named C:\malware, you'd type
psexec -s C:\mystuff\chml.exe C:\malware -i:m
The third way to run Chml with the System integrity level is to use the new
Task Scheduler, whose command-line interface lets you run any application in
the context of the System account. For example, you can type (all on one line)
schtasks /create /tn dochml /ru "nt authority\system"
/sc once /st 09:28 /tr "C:\mystuff\chml.exe
C:\malware -i:m -b"
In this command, the /create option creates a new task. The /tn dochml option
names the task dochml. The /ru "nt authority\system" option instructs
Task Scheduler to run the command in the context of the System account. The
/sc once /st 09:28 portion of the command runs the task once, at 9:28. (Unfortunately,
Schtasks doesn't support the option to "do it now," as the Task Scheduler GUI
does.)
Paranoid Much?
Yes, worrying about malware with a System integrity level might seem the height
of paranoia. However, you're now equipped to defeat that malware—should
it appear.
End of Article
Register
