
jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

2 recommendations

The FAQ and User Accounts

Just got asked a question I honestly don't know the answer to. hold on, . . . have to add it to the list of 973 I've already got . . .

When you're working your way through the FAQ and using the various tools, which (if any) of them have to be run separately for different user accounts?

Most of the machines here have multiple accounts on them, but are, in reality, used almost exclusively by a single person. However, when you get to a single machine actually shared by multiple people, do some of these utilities need to be run separately against each account? (I guess HiJackThis would be the obvious example.)

Question arose in the context of a Win XP Home (I think) box. One Limited Account seems okay; the other keeps changing the MSIE browser home page to a search page and has random pop-ups not found on the other account.
--
Regards, Joseph V. Morris


psloss
Premium
join:2002-02-24
Lebanon, KS

said by jvmorris:
Most of the machines here have multiple accounts on them, but are, in reality, used almost exclusively by a single person. However, when you get to a single machine actually shared by multiple people, do some of these utilities need to be run separately against each account? (I guess HiJackThis would be the obvious example.)
I believe the answer is a qualified "yes."

In order for a program to scan all the user profiles, I believe it would have to have administrative rights, so you wouldn't get comprehensive results running it from a limited account.

But beyond that, like you I'm not sure which utilities will automatically scan all loaded user profiles (as opposed to the one that is "current" within the active desktop's context). It could be done by enumerating from HKEY_USERS down. For completists, even currently unloaded profiles are good candidates for scanning, as they could have been infected at an earlier time. (The list of profiles is available in the Registry.)

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


TerryMiller
Premium
join:2003-10-23
reply to jvmorris

I've never used HJT, but Spybot and Adaware definitely need to be run on each used account. My wife and I both use this box and the findings are different. I've never tried running from the administrator account, so I don't know if that would change things.
--
My family site



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to jvmorris

Looks like it may be time to query CalamityJane and maybe have keith make some changes to the FAQ.
--
Regards, Joseph V. Morris



TerryMiller
Premium
join:2003-10-23

I just tested Spybot & AdAware on an administrator account and (2) user accounts, and the results are definitely different.
--
My family site



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

said by TerryMiller:
I just tested Spybot & AdAware on an administrator account and (2) user accounts, and the results are definitely different.

What were the differences when they were run with the Admin account?
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


TerryMiller
Premium
join:2003-10-23
reply to jvmorris

Nothing on the admin account, it's never used. 1 tracking cookie on my account from last night (I think from here "www.cgi-index.com"), and several on my wife's account from shopping sites.
--
My family site



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to jvmorris

Okay, that puts AdAware and Spybot S&D on the list. I would assume that HiJackThis would have similar requirements (I can't see how HJT could be otherwise).

Now, the standard AV/AT/keylogger scanners: What about them? I would tend to assume that running them from an Admin account (Win NT/2K/XP, again) would suffice, but results from a restricted user account might be more circumscribed.
--
Regards, Joseph V. Morris



TerryMiller
Premium
join:2003-10-23
reply to jvmorris

Tauscan (and I assume most AT/AV) scans whatever portion of the disk that it has permission to access. I would assume that selecting "run as:" and using the administrator account would suffice, but I'll test to be sure.
--
My family site



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

Danke.



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA
reply to jvmorris

said by jvmorris:
Okay, that puts AdAware and Spybot S&D on the list. I would assume that HiJackThis would have similar requirements (I can't see how HJT could be otherwise).

Now, the standard AV/AT/keylogger scanners: What about them? I would tend to assume that running them from an Admin account (Win NT/2K/XP, again) would suffice, but results from a restricted user account might be more circumscribed.

I *think* most of these scanners, at least the AV's, are dual purpose, that is, they scan during the current user session but also have the ability to do system wide scans. Whether a system scan can be used with a limited account I can't say. If the programs' help files don't say, an email to the various vendors' support on the question might yield the answer.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to jvmorris

Hum, I'd just assumed that all users could be checked from an admin account, so all users were checked when it was run from any admin account.

I wonder if the makers of the products realize the products are missing things. I don't remember seeing anything ever in any help or directions suggesting running on multiple IDs was necessary.

And wouldn't this mean the products would miss anything in System Restore (System Volume Information\_Restore...), since normally even admin accounts can't read files in there (at least I seem to recall having to change the permissions to be able to do that when I started to investigate the KAV 5 fragmentation issue)?

Terry, I assume that since you don't normally use your admin account you hadn't previously revoked any permissions from your administrator account.

Also, it was the original Administrator admin account that you used? If I recall, some folders are owned by the Administrator Group and some by Administrator, and I corrected this on my XP machine.
--
(Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)
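TerryMiller's point that Tauscan "scans whatever portion of the disk that it has permission to access" and keith2468's point about System Restore both come down to what the scanning token can enumerate. The following is an added PowerShell example, not from the thread and not code from any of the products named in it; run it once from a limited account and once "as" an administrator and compare the two reports. It assumes PowerShell 3 or later on an NT-family Windows; the profile root is derived from the current user's own profile path, and the function names are the example's own.

```powershell
# Added example, not from the thread or from any of the products discussed in it.
# Reports how much of each profile directory the current token can enumerate, plus
# System Volume Information, which by default grants access to SYSTEM only, so even
# an elevated administrator normally sees "access denied" there.

function Test-Elevated {
    # True when the current token is actually a member of the Administrators role
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DirectoryVisibility {
    param([string]$Path)
    # Walk the whole tree and collect access errors instead of stopping at the first one;
    # every directory that lands in AccessDenied is one a scanner run as this user skips.
    $errs  = @()
    $items = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable errs)
    [pscustomobject]@{
        Path         = $Path
        ItemsVisible = $items.Count
        AccessDenied = @($errs | Where-Object { $_.Exception -is [UnauthorizedAccessException] }).Count
        OtherErrors  = @($errs | Where-Object { $_.Exception -isnot [UnauthorizedAccessException] }).Count
    }
}

function Get-ScanVisibilityReport {
    # C:\Users on Vista and later, C:\Documents and Settings on XP
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent
    $targets = @(Get-ChildItem -LiteralPath $profilesRoot -Directory -Force -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty FullName)
    # The System Restore store keith2468 mentions
    $targets += Join-Path $env:SystemDrive 'System Volume Information'
    foreach ($t in $targets) { Get-DirectoryVisibility -Path $t }
}

Write-Host ("Token: {0}  elevated: {1}" -f ([Security.Principal.WindowsIdentity]::GetCurrent().Name), (Test-Elevated))
Get-ScanVisibilityReport | Format-Table -AutoSize
```

A non-zero AccessDenied count for another user's profile, seen from the account the scanner was started in, is the practical answer to the question in this thread: whatever that scanner reports about that profile is a non-result, not a clean result.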



keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to jvmorris

I'm going to run some tests on this. I'll be back later.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to psloss

said by psloss:
It could be done by enumerating from HKEY_USERS down.
You need to load a user's profile into the registry before it shows up under HKEY_USERS; therefore you need to know what profiles exist a priori so that you can load the profile.

(I use 'profile' here to mean stuff that's stored in the registry, not the stuff that's stored on disk).

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to keith2468

said by keith2468:
Hum, I'd just assumed that all users could be checked from an admin account, so all users were checked when it was run from any admin account.

I wonder if the makers of the products realize the products are missing things. I don't remember seeing anything ever in any help or directions suggesting running on multiple IDs was necessary.
My speculation would be that the more invasive a product is (or has to get), the more aware the vendor is likely to be.

But there are lots of factors in terms of awareness and still others for feature adoption. Such as the popularity of simultaneous multi-user setups...it may be that the vendors are only slightly more aware of "Fast User Switching" than users in general. And if most users still run XP from a single account and desktop, then how urgent is this functionality?

You also point out that there aren't just the "current" user profiles, but also archived profiles in the System Restore Points. (Obviously, the threat varies from one profile and set of profiles to another.)

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to TerryMiller

said by TerryMiller:
Tauscan (and I assume most AT/AV) scans whatever portion of the disk that it has permission to access. I would assume that selecting "run as:" and using the administrator account would suffice, but I'll test to be sure.
Terry, coupla quick questions:

First, were the two limited user accounts active when you tested from the admin account (AdAware and SpyBot S&D)?

Second, are any of your executables (applications) restricted as to which users can use them? (in reference to the Tauscan test)
--
Regards, Joseph V. Morris


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to javaMan

said by javaMan:
. . . Whether a system scan can be used with a limited account I can't say. If the programs' help files don't say, an email to the various vendors' support on the question might yield the answer.
It might be usable (in the sense that the AV/AT scanner could still be run), but that doesn't necessarily mean that:
• even in a 'full system' scan from a limited user account it would necessarily be able to scan executables/applications to which that account does not have permissions, and
• it would then be able to quarantine or delete an executable/application installed under another user account (limited/admin may make no difference).
And please note the issue here is malware, not perfectly decent executables/applications.

This is starting to get interesting.
--
Regards, Joseph V. Morris


javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

said by jvmorris:
said by javaMan:
. . . Whether a system scan can be used with a limited account I can't say. If the programs' help files don't say, an email to the various vendors' support on the question might yield the answer.
It might be usable (in the sense that the AV/AT scanner could still be run), but that doesn't necessarily mean that:
• even in a 'full system' scan from a limited user account it would necessarily be able to scan executables/applications to which that account does not have permissions, and
• it would then be able to quarantine or delete an executable/application installed under another user account (limited/admin may make no difference).
And please note the issue here is malware, not perfectly decent executables/applications.

Yes, that was really what I was suggesting, running a system scan from limited account may not be able to accomplish the tasks to which you refer. Sorry for not being more precise.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to dave

said by dave:
You need to load a user's profile into the registry before it shows up under HKEY_USERS; therefore you need to know what profiles exist a priori so that you can load the profile.

(I use 'profile' here to mean stuff that's stored in the registry, not the stuff that's stored on disk).

Yeah, but that may be a consideration in terms of where a vendor draws a line for feature implementation. I would assume that aside from special cases, all the "immediate" subkeys under HKEY_USERS represent some part of the currently loaded profiles (not necessarily interactive logins). So maybe one draws the line there.

All these locations need to be known prior to scanning, but even knowing them, one might choose not to scan some of them. (As some vendors already do, although it isn't clear this was an active choice.)

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
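The enumeration psloss and dave sketch above (walk HKEY_USERS for the profiles that are loaded, take the full list from the ProfileList key in the Registry, and load the unloaded hives before they can be read), pointed at the per-user keys behind the opening post's symptom (the MSIE start page and per-user startup entries), as an added PowerShell example that is not from the thread and not code from any of the products named in it. It assumes an elevated session on PowerShell 4 or later; the ProfileList key, the Internet Explorer Main key and the per-user Run/RunOnce keys are real Windows locations, while the function names and the choice of keys to report are the example's own.

```powershell
# Added example, not from the thread or from any of the products discussed in it.
# Enumerates every local user profile from ProfileList, loads the hives that are not
# currently mounted under HKEY_USERS, reads the per-user keys behind the symptoms in
# the thread (IE start/search page, Run/RunOnce), then unloads only what it loaded.
# Needs an elevated token: reg.exe load/unload and other users' NTUSER.DAT require it.
#Requires -RunAsAdministrator

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Per-user locations to report. Names = $null means "every value under the key".
$Checks = @(
    @{ Sub = 'Software\Microsoft\Internet Explorer\Main';          Names = @('Start Page', 'Search Page') },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Run';     Names = $null },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\RunOnce'; Names = $null }
)

function Get-LocalProfile {
    # Only real user SIDs (S-1-5-21-...); this skips LocalSystem and the service SIDs
    Get-ChildItem -Path $ProfileListKey | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            $imagePath = [Environment]::ExpandEnvironmentVariables($imagePath)
            [pscustomobject]@{
                Sid  = $_.PSChildName
                Path = $imagePath
                Hive = Join-Path $imagePath 'NTUSER.DAT'
            }
        }
}

function Read-UserKey {
    param([string]$Sid, [string]$ProfilePath, [string]$HiveState)
    foreach ($c in $Checks) {
        $key = "Registry::HKEY_USERS\$Sid\$($c.Sub)"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = if ($c.Names) { $c.Names } else {
            # Drop the PSPath/PSChildName/... metadata Get-ItemProperty adds to the object
            $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        }
        foreach ($n in $names) {
            if ($null -ne $props.$n) {
                [pscustomobject]@{ Profile = $ProfilePath; Hive = $HiveState; Key = $c.Sub; Name = $n; Value = $props.$n }
            }
        }
    }
}

function Invoke-ProfileScan {
    # Everything already under HKEY_USERS belongs to a loaded profile (logged-on user,
    # fast-user-switched session, or a service); everything else has to be loaded first.
    $loadedSids = (Get-ChildItem -Path Registry::HKEY_USERS).PSChildName
    foreach ($p in Get-LocalProfile) {
        $wasLoaded = $loadedSids -contains $p.Sid
        $mounted   = $false
        if (-not $wasLoaded) {
            if (-not (Test-Path -LiteralPath $p.Hive)) {
                Write-Warning "$($p.Path): no NTUSER.DAT, skipping"; continue
            }
            # reg.exe fails here if the hive is in use but not mounted at this SID
            & reg.exe load "HKU\$($p.Sid)" $p.Hive 2>$null | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "$($p.Path): could not load hive"; continue }
            $mounted = $true
        }
        try {
            $state = if ($wasLoaded) { 'already loaded' } else { 'loaded by script' }
            Read-UserKey -Sid $p.Sid -ProfilePath $p.Path -HiveState $state
        } finally {
            if ($mounted) {
                # The registry provider caches handles; release them or unload reports access denied
                [GC]::Collect(); [GC]::WaitForPendingFinalizers()
                & reg.exe unload "HKU\$($p.Sid)" 2>$null | Out-Null
            }
        }
    }
}

Invoke-ProfileScan | Format-Table -AutoSize
```

The "Hive" column makes psloss's point visible: a tool that only walks the keys already present under HKEY_USERS sees the "already loaded" rows and never the "loaded by script" ones, which is why the second Limited Account in the opening post can carry a hijacked Start Page that a scan run from a different account never reports.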


TerryMiller
Premium
join:2003-10-23
reply to jvmorris

said by keith2468:
Terry, I assume that since you don't normally use your admin account you hadn't previously revoked any permissions from your administrator account.

Also, it was the original Administrator admin account that you used? If I recall, some folders are owned by the Administrator Group and some by Administrator, and I corrected this on my XP machine.

No on both counts. It was an additional account with admin rights. I know that this is bad form, but it's convenient, since my wife likes the graphical login and the original admin account doesn't show there. I'm re-running the spybot test from the original account now.

said by jvmorris:
First, were the two limited user accounts active when you tested from the admin account (AdAware and SpyBot S&D)?

Second, are any of your executables (applications) restricted as to which users can use them? (in reference to the Tauscan test)

I'm not sure exactly what you mean by active. I don't use fast user switching so none of the accounts were loaded. All were available to be logged into.

No app is restricted to certain accounts. Tauscan apparently requires the license key in each users documents and settings folder so I had to activate it on my daughter's account. It did scan all folders when I chose "run as:" and used the administrator account. It refused to run under my daughter's account which is only a "user". I'm not certain why that is, which is the reason for the delayed reply.
--
My family site


TerryMiller
Premium
join:2003-10-23
reply to jvmorris

Spybot S&D did not scan any other registry entries other than the original admin's from the admin account.
--
My family site


gds4141
Premium
join:2003-08-10
Omaha, NE
reply to jvmorris

I have a trojan-keylogger on one of my limited user accounts. It has never been found by any scans that I have done from the admin account unless that user account is logged on.



TerryMiller
Premium
join:2003-10-23
reply to jvmorris

I'll admit I'm a long way from an MCSE. I just tried the spybot and adaware test from my account after enabling fast user switching and switching from my wife's account. I got the same result as I did before with just logging into my account.

Is there something else I should be doing?
--
My family site



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

said by TerryMiller:
I'll admit I'm a long way from an MCSE. I just tried the spybot and adaware test from my account after enabling fast user switching and switching from my wife's account. I got the same result as I did before with just logging into my account.

Is there something else I should be doing?

Probably not. As psloss has suggested, both programs are probably limited in how the authors have implemented the scans. Which helps provide some answers to jvmorris's question.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20

dannyboy 950
Premium
join:2002-12-30
Port Arthur, TX
reply to jvmorris

It may also require the apps to be installed in each profile or at least shared between the profiles.
Now my AV seems to work across profiles without having to do anything to it, but my malware programs and my firewall have to be installed on each profile, except 2 that I tried sharing. They work, but the setup was cumbersome; I had to map to the resource.

Dont know if this will help or just muddy the waters more.


Bobby_Peru
Premium
join:2003-06-16
reply to jvmorris

Once again, you guys/gals seem to have turned over a very interesting rock, hidden, again, in plain sight....

Good work! Thanks!



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA


said by Bobby_Peru:
Once again, you guys/gals seem to have turned over a very interesting rock, hidden, again, in plain sight....

Good work! Thanks!

I have wondered about this question from time to time but never really gave serious thought to investigating. I use a single account so it has never really been an issue for me. But it seems I have been making some wrong assumptions about what these programs actually check when they run on machines with multiple accounts.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to javaMan

said by javaMan:
. . . Probably not. As psloss has suggested, both programs are probably limited in how the authors have implemented the scans. Which helps provide some answers to jvmorris's question.
Exactly.

There are a couple of things going on in parallel here. psloss is doing some investigation on his own and keith is also (oriented toward determining if any modifications are necessary in the FAQ).

My initial question, on the other hand, was a pass-through from a query I got via e-mail, so the answers received so far are certainly helpful to that individual also.

Where's CJ, haven't seen her all day? Did Steve keep her out dancing all night? I'm pretty sure that if it's necessary to do what Terry has had to do with AdAware and SpyBot, the same would be true of HJT.

Now, the programs mentioned in the FAQ below Step 5 are largely utilities that I've never had an occasion to use, so I'm totally uncertain on them.
--
Regards, Joseph V. Morris


TerryMiller
Premium
join:2003-10-23
reply to jvmorris

I knew that Spybot & Ad-aware didn't by default check all accounts (at least on XP), but I thought maybe I was missing some trick to actually make them do that. It wouldn't work for me because my wife considers tracking cookies an advantage.
--
My family site



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to javaMan

said by javaMan:
. . . I have wondered about this question from time to time but never really gave serious thought to investigating. I use a single account so it has never really been an issue for me. . . .
Yes, that's our situation here, also. While there are multiple accounts on each machine in the house for the various users here, typically only one account is routinely used on a given machine.
quote:
. . . But it seems I have been making some wrong assumptions about what these programs actually check they run on machines with multiple accounts.
However, I'm now starting to worry a bit more about small business LANs. In a large, centrally-managed business LAN, this would probably not be an issue, but small LANs are seldom blessed with this sort of tight policy and configuration management.
--
Regards, Joseph V. Morris