Tuesday, February 12, 2008

Programming, RunAsAdminExplorer Shim v2.0.0.Beta9

We are happy to announce the new beta, which contains a lot of new features and bug fixes. Please see the detailed list below.

IMPORTANT!!! This release has a new installer which is currently unable to detect and clean up installations of RAA prior to Beta8!
Please REMOVE any previous version of the software prior to Beta8!
Sorry, but the new beta has still not been fully translated into all the supported languages, except Hungarian, Catalan and Spanish.

*** We are still looking for translators for the languages supported earlier, and also for an English proofreader! ***


    Here is the summary of changes made:

    v 2.0.0.Beta9
    Global changes
    - Added FileHash.vbs to Samples and RunAsAdminPolicy.pdf to Doc installation directories. Usage of FileHash.vbs: cscript newhash.vbs "file1ToBeHashed" "file2ToBeHashed" "fileNToBeHashed"
    - Added Turkish translation of setup, thanks to Muhammat! To compile the Inno Setup script you need the Turkish translation file, which you can get from http://www.jrsoftware.org/files/istrans/
    - Added support for w2k SP4.
    Known limitations on that OS:
    - Currently only the Normal and Unrestricted levels are supported.

    In Explorer.exe
    - The command dialog now runs completely modeless.
    Note: The earlier modal behavior caused the following problems:
    - A stop dialog at runtime asking to close the open command dialog(s) before exit.
    - Running a file from the context menu was delayed until the command dialog(s) were closed.
    - Drag and drop onto our tray icon was blocked until the command dialog(s) were closed.
    If you still find problems like those mentioned above, please let us know.
    Attention! Although these limitations are eliminated by the new modeless dialog, when you drop a file onto the tray icon and have chosen to open the command dialog in that case, and a command dialog is already open at that time, then the file will be appended to the 'Run' line of the dialog.
    - The drag and drop feature of our tray icon and command dialog is enhanced. Also added a balloon tooltip shown when D&D starts or when there is another tip about the D&D process (currently when any of the run command dialogs are open). You can disable this balloon tooltip window at 'Options\Drag options\Show balloon tooltips'.
    - BUG FIX: #1686842 fixed. Tasks run as normal user now have shutdown and undock privileges in their token. The new self-made token now works (at least we hope so ;) on every supported OS. That token also made it possible to support w2k.
    - FEATURE REQUEST IMPLEMENTED: #139070. The task manager started by the configured hotkey will start at a restriction level depending on the policy setting.
    - Similar to the solution of task #127552, a file run from our command dialog can now also be started with the options 'Always run as' and/or 'Always run with priority'. Note: Currently 'Always run with priority' is enabled only if the targeted file is an executable (.com;.exe)!
    - BUG FIX: #1758345 fixed. RAA was unable to start the Windows shell as normal user if the local policy 'System objects: Default owner for objects created by members of the Administrators group' had been set to 'Administrators group'. The normal user token now has a default DACL containing full rights for Admins, System and the Logon ID SID.
    - BUG FIX: #1599717 fixed.
    - BUG FIX: #1415310 fixed. RAA now updates its environment variables from the actual user and system environment variables when changes occur at runtime.
    - Added a built-in confirmation option for unrestricted file start and/or RAA's policy modification. The implementation of the confirmation dialog is not perfect yet. TODO: The confirmation dialog can be closed by any window that becomes active. This must be corrected; only SHIFT+CTRL+ESC (task manager), CTRL+ALT+DEL (login window or task manager) or CTRL+ESC (start menu) should close our dialog.

    In RAAShellContextMenu
    - TASK FINISHED: #131949. You can add a rule to the RAA Policy for a given file, based on its path or hash, so that the file is always started at a given startup restriction level. Simply use any of the 'Always run as' menu items from the context menu.
    - TASK FINISHED: #127552. Added implementation of priority policy. You can control the startup priority of a given file just like the startup level; simply use any of the 'Always run with priority' menu items from the context menu. Note: Currently only executable files (.com;.exe) can be added to the policy as an 'Always run with priority' rule this way!
    - Added new option to let paths be copied automatically surrounded by double quotes. This way you can select the behavior of the CTRL key when it is held down during the copy.
    - BUG 1491386 fixed: The 'New Folder' button now works fine in the Save (as) dialogs.

    In RAACommCtrls
    - FEATURE REQUEST IMPLEMENTED: #139070. The task manager started by the configured hotkey will start at a restriction level depending on the policy setting.
    - TASK FINISHED: #139069. The task manager started by winlogon under the NT AUTHORITY\SYSTEM account is now disabled if required.
    - TASK FINISHED: #139068. The two old properties priority-realtime-allow and priority-high-restrict were finally not removed from the policy; from now on they have a global restriction meaning. The policy settings have priority over the user settings, therefore if the policy restricts the priority level, the user settings can only add a more restrictive rule. The state of the controls representing the user settings of the two startup priority restriction levels is now also set according to the restriction level set in the policy. This means they can appear disabled or can be hidden, depending on the global restriction level of the policy and on the state of the user settings. E.g. if the policy has the level setting priority-realtime-allow="0" priority-high-restrict="0", then the user can only set the 'Priority high restricted' option and will not see the realtime priority level in the context menu or the command dialog of RAA. As earlier, priority-realtime-allow="1" priority-high-restrict="1" means no restriction on level 'high': priority-realtime-allow has priority over priority-high-restrict if enabled. This is also true in the options dialog, where it is also indicated by the state of the corresponding controls.
    - TASK FINISHED: #139097. The Load and Save settings functions now handle admin options separately: they read and store admin settings under HKLM\SOFTWARE\RunAsAdmin\AdminSettings\%COMPUTERDOMAIN%\%USERNAME%. User settings are stored at HKCU\SOFTWARE\RunAsAdmin\UserSettings. Any admin option present will overwrite the user settings at Load time and will be saved separately under the HKLM key at Save time. Via this new feature we can finally perfectly control access to the admin options of RAA and protect the settings of file startup with unrestricted level. The new sample at https://sourceforge.net/forum/forum.php?thread_id=1734421&forum_id=543633 shows you how to enable access to admin options and 'Run As Unrestricted' possibilities from menus and dialogs for specified users only.
    - TASK IMPLEMENTED: #127557 80% ready. Now you can choose to have privilege info shown in shell windows also. You can select the text to be shown just like for normal windows earlier (the same controls are used for that) and can select whether you'd like to change the colors of a shell window with admin privilege. The text will be ADMIN and NONADMIN (for the English version; your translator can change it). The colors themselves cannot currently be customized from the program: with this option turned on, the admin shell background color changes to Bright White and the text color to Light Red. The non-admin shell keeps the default color settings. If you'd like to change the colors to a custom value please see: http://tinyurl.com/398hw5. RAA implements this feature very similarly; just check the HKCU\SOFTWARE\Microsoft\Command Processor\AutoRun value and the help of the 'color' command. Our shell privilege info commands are not set directly in the AutoRun registry value, but now use 2 separate command files, AutoRuns.cmd and RAAAutoRuns.cmd. They are stored at %APPDATA%\RunAsAdmin\Command Processor\. The first one is specified in AutoRun and calls the other. Any previously defined autoruns are also merged into the first file at creation. This way the user can henceforward customise autoruns, and RAA can also call the commands required to support the privilege caption info (as long as the user does not remove our reference from the first file). Enabling of the controls of the shell privilege info setting is enhanced. Now you cannot deselect 'Show text' if 'Show in shell window also' is selected and 'Change shell window color' is not selected, because that setting would have no effect on the shell window (neither caption nor color would be changed). Also, if all of 'Show text', 'Show in shell window also' and 'Change shell window color' were deselected, turning on 'Show in shell window also' will turn on 'Change shell window color' automatically. Currently only the built-in Windows shell is modified; to get a custom shell modified, e.g. PowerShell, please see http://tinyurl.com/2yzg23. Thanks to Aaron Margosis and the other contributors writing on his blog page for the FSUTIL trick.
    - Added new option to let paths be copied automatically surrounded by double quotes. This way you can select the behavior of the CTRL key when it is held down during the copy.
    - Added new option to let the user control which privileged actions are to be confirmed. (Unrestricted file run, RAA's policy modification...)

    In Policy
    - Added handling of the new policy attribute allow-priority-override, which is enabled by default. If allow-priority-override is false, then the priority policy checking functions do not let their allowed priority return value be set higher than defined by the priority-realtime-allow and priority-high-restrict attributes, even if the examined subject has a priority rule that allows a higher value.
    - TASK FINISHED: #127552. Added implementation of priority policy. You can control startup priority just like startup level; just use the 'priorities' element like 'levels', e.g.

    <record groupName="AlwaysBelowNormalPriority"/> 

    Note: If allow-priority-override is "0" in RAA's policy, the 'priorities' elements still cannot override the global priority-realtime-allow and priority-high-restrict level settings of the policy. Any value higher than that allowed by priority-realtime-allow and priority-high-restrict falls back to that allowed maximum level.
    Note: The current implementation of this feature might cause some overall system performance overhead (because of periodic registry and file system reads), since our policy is not yet cached!
    You can turn off this feature at "Options\Performance options\Adjust all listed in policy"
    - Added two new signal elements 'always-priority-rule' and 'always-level-rule' to handle the two corresponding policy modification requests.
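
A small Python model of the priority check described in the Policy notes above, added here as an illustration and not taken from RAA's source: it shows that with the default allow-priority-override a per-file rule can exceed the global cap, while setting it to "0" makes the rule fall back to the allowed maximum. The function names, the attribute dictionaries and the choice of 'above normal' as the level left when 'high' is restricted are assumptions; only the three attribute names and their precedence come from the notes.

```python
from enum import IntEnum


class Priority(IntEnum):
    """Windows process priority classes, lowest to highest."""
    IDLE = 0
    BELOW_NORMAL = 1
    NORMAL = 2
    ABOVE_NORMAL = 3
    HIGH = 4
    REALTIME = 5


def _enabled(attrs, name, default=None):
    """Read a "0"/"1" policy attribute; a missing attribute uses its default."""
    value = attrs.get(name, default)
    if value not in ("0", "1"):
        raise ValueError(f"{name} must be '0' or '1', got {value!r}")
    return value == "1"


def global_cap(attrs):
    """Highest priority permitted by the two global attributes."""
    if _enabled(attrs, "priority-realtime-allow"):
        return Priority.REALTIME      # has priority over priority-high-restrict
    if _enabled(attrs, "priority-high-restrict"):
        return Priority.ABOVE_NORMAL  # ASSUMPTION: level left when 'high' is restricted
    return Priority.HIGH


def allowed_priority(attrs, rule=None):
    """Priority a file may start with; `rule` is its per-file priority rule, if any."""
    cap = global_cap(attrs)
    if rule is None:
        return cap
    # The notes state that allow-priority-override is enabled by default.
    if _enabled(attrs, "allow-priority-override", default="1"):
        return rule                   # the rule may exceed the global cap
    return min(rule, cap)             # clamp: fall back to the allowed maximum


# Constructed attribute sets for illustration (not taken from a real RAA policy).
DEFAULT_OVERRIDE = {"priority-realtime-allow": "0", "priority-high-restrict": "0"}
ENFORCED_CAP = dict(DEFAULT_OVERRIDE, **{"allow-priority-override": "0"})

if __name__ == "__main__":
    for label, attrs in (("override on", DEFAULT_OVERRIDE), ("override off", ENFORCED_CAP)):
        print(label, allowed_priority(attrs, rule=Priority.REALTIME).name)
```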
