Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


August 2007

Thwarting Integrity Attacks with Chml

Don’t freak out—here are 3 ways to run with the System integrity level
From the August 2007 Edition
of Windows IT Pro
Mark Minasi
Windows Power Tools
InstantDoc #96306
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Tips Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Last month, in "Chml Fills the Gap" (InstantDoc ID 95973), I introduced you to Chml, a utility I created for exploiting the new Windows Vista integrity levels to potentially shore up your computer's security. You'll recall from my past two columns that integrity levels resemble file permissions—but they also override file permissions. In other words, if integrity levels deny you access to an object, you're denied access to that object even if you have Full Control permission on that object.

Last month, I wrote that integrity levels support a largely undocumented but useful notion called no read up, which denies Read access to an object that holds a higher integrity level than the process (e.g., Microsoft Internet Explorer—IE, Word) trying to read it. This month, I return to the more well documented integrity-level feature called no write up, which blocks any lower-integrity process from modifying a higher-integrity object. But I take the discussion a bit further by exploring how to assume the System integrity level.

You're Kidding!
Vista recognizes five levels of integrity: Untrusted, Low, Medium, High, and System. (Another, even higher level called Protected Process isn't accessible or in use, as far as I can see.) Standard users typically operate as Medium integrity, and administrative users operate as High integrity. Notice, however, that Windows recognizes an integrity level higher than the level that administrators enjoy: the System level.

When I first learned that Vista included an integrity level above that of administrators, I freaked out: "What!? Microsoft has placed things on my own Vista laptop that I can't delete?" Indeed, early versions of Vista kept administrators from accidentally deleting system files by giving those files the System integrity level. But when Vista beta testers complained that they couldn't delete items on their own computer, Microsoft removed the System integrity level from the files in the Windows folder.

Nevertheless, the System integrity level still worries me. What if a malicious user figures out how to install malware on my system and grant it the System integrity level? I wouldn't even be able to delete that malware, despite the fact that the Administrators group has Full Control permissions on every folder on the computer. Would my only option be to simply wipe the hard disk clean and start over? Thankfully, no.

Triple Play
I've discovered three ways to run Chml with the System integrity level. The first way to run Chml with the System integrity level is to simply boot your system with a Windows Preinstallation Environment (PE) CD-ROM. When you run Windows PE, you're running in the context of the System account, and—not surprisingly—the System account runs with the System integrity level.

So, if you were to come across some malware installed at the System integrity level, you'd need only to boot the afflicted computer with Windows PE and use Chml to lower the malware's integrity level, as I demonstrated last month: 

chml <file or folder name> -i:m

After you lower the malware's integrity level to Medium, you can delete the malware. Of course, you'd need to add Chml to the Windows PE disk to use this solution, because the tool isn't built into Windows PE. Alternatively, you could just run Chml from a USB drive.

The second way to run Chml with the System integrity level is to go to Sysinternals (http://www.sysinternals.com), download the latest version of Psexec (psexec.exe), and exploit its new Vista-compatible -s switch, which lets you run any command in the context of the System account. So, for example, if you have Chml in a folder called C:\stuff and you want to lower the integrity level of a folder named C:\malware, you'd type 

psexec -s C:\mystuff\chml.exe C:\malware -i:m

The third way to run Chml with the System integrity level is to use the new Task Scheduler, whose command-line interface lets you run any application in the context of the System account. For example, you can type (all on one line) 

schtasks /create /tn dochml /ru "nt authority\system"  
  /sc once /st 09:28 /tr "C:\mystuff\chml.exe 
  C:\malware -i:m -b"

In this command, the /create option creates a new task. The /tn dochml option names the task dochml. The /ru "nt authority\system" option instructs Task Scheduler to run the command in the context of the System account. The /sc once /st 09:28 portion of the command runs the task once, at 9:28. (Unfortunately, Schtasks doesn't support the option to "do it now," as the Task Scheduler GUI does.)

Paranoid Much?
Yes, worrying about malware with a System integrity level might seem the height of paranoia. However, you're now equipped to defeat that malware—should it appear.

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

More fun TechEd 2005 Resources

Kevin points out some more TechEd resources ...

What service packs and fixes are available?

...
Windows OSs Whitepapers Why SaaS is the Right Solution for Log Management

Are You Satisfied?

A Preliminary Look at Deployment Plans for Microsoft Windows Vista
Related Events Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Microsoft Exchange & Windows Connections event returns to Las Vegas Nov 10 - 13
Connections returns to Las Vegas for this exciting event where each attendee will receive SQL Server 2008 standard with 1 CAL. Co-located with Microsoft ASP.NET, SQL Server, and SharePoint Connections with over 250 in-depth sessions.

Free Online Event! Virtualization:Get the Facts!
Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!

Check Out Hyper-V Video on ITTV
Watch Karen Forster's interview on Hyper-V's performance on ITTV.net.

Ease Your Scripting Pains with the Flexibility of PowerShell!
Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!

PASS Community Summit 2008 in Seattle on Nov 18-21
The don’t-miss event for Microsoft SQL Server Professionals. Register now and you’ll enjoy top-notch Microsoft and Community speakers and more.



Solving PST Management Problems
In this white paper, read about the top PST issues and how to administer local/network PST Files.

Get Protected -- Data Protection Manager 2007
Protect your virtualized environment with Data Protection Manager

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Maximize Your SharePoint Investment: Get Your Data Moving
Watch this web seminar now to learn how to maximize your SharePoint investment! Join us as we take a look at the complex business of securing, accessing and managing vast amounts of information in a global network and various ways to get your data moving.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing