another free-thinker joins your gathering here

Hi to All, and a big THANKS for this forum & all the learnings available here!

I change names across fora and don't post much - mainly b/c I've nothing to "prove" to anyone
and therefore no precious time to waste-invest in debating/arguing.

So, though I recognize most of you here from other places, it'd be very rare for you to know me, as I prefer anonymity like the wind.

But, I do really like the tone here, & finally decided to register because I'll soon be in a position,
having studied & implemented much of what's here,
to offer some time/equipment for testing the ideas that get brought up here for testing as a benefit to "the community of users" -

I'm not an I.T. pro, (I do wanna be when I grow up! ) but I have multiple machines to test on -
to destroy/infect/reimage, etc etc (though they're from 2 - 6 yrs old tech).

I mainly run XP Pro/sp3 (also Win.7 Ult/Enterprise), Sandboxie Lifetime sub, Sully's excellent PGS, SuRun,
alternate between various firewalls (yes, because I test/experiment with THAT kind of software & don't allow any phone-homes)
and most importantly to me - am an adept user of BOTH Drive Snapshot & ShadowProtect.

******************************

I would like to ask ssj100 for a clarification in his settings tutorial referencing dedoimedo's SuRun article :

"However, there’s just one problem in that tutorial –
please don’t strip an administrator account down to a limited account with SuRun.
Instead, just SuRun an already created limited account. "

Would you kindly explain your reasoning or refer me to any posts already addressing this?
as I was unable to locate any, Thanks.

Cheers

Welcome gordiank! Nice to have you on board.

The question you asked has a rather complicated answer (for me anyway). The problem with changing an already created administrator account into a limited account is that the inheritance of rights for various files and folders (that were already created in the administrator account) may get passed on into the limited account. The issue is for files/folders/registry keys that are in C:\Program Files and C:\Windows. More here:
http://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146

Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it.

If I use MakeMeAdmin (or use SuRun to strip an already created administrator account to a limited account) to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates. Those access rights will remain even when I am no longer running with administrator privileges. That’s not what I want at all. I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it.

You can avoid such issues by using an already created limited account and "Surunning" this instead.

However, to be honest, when combining LUA with SRP, this might not be so much of an issue (since potential malware can't even execute to modify files and settings).

YES! i knew i'd read the reference to that principle in tlu's post,
thx very much for making the time to link that -
it will probably help others as well.

It's the similar reasoning why SuRun is superior,
or at least doesn't involve the downsides,
of the previous attempts at LUA implementations.

No problem. In my "tutorial", I did recommend reading that whole thread in its entirety (for reasons such as this). However, I doubt most people would do that, since it pretty much involves reading half a book of complex nerdy computer discussion haha.

Welcome to the site my friend