"Skip UAC" doesn't prompt normal user for block/allow notifications
Windows setup:
- One admin account protected with password
- One normal account protected with password
- UAC on max setting
Test:
- Log into normal account
- Run simplewall.exe
- Type admin password on UAC prompt
- Activate "Skip User Account Control prompt warning" on simplewall settings
This will create an entry in task scheduler marked with "Run only when user is logged on" (the admin in this case).
If you log off and log back into the normal account you'll see simplewall.exe running in the background but it won't appear in the system tray and opening any program which connects to the internet will not prompt the user to allow or deny the connection, it will always default to deny.
The ONLY "workaround" I've found is creating
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"simplewall"="\"C:\\Program Files\\simplewall\\simplewall.exe\" -minimized"
```
That will make it so simplewall appears on tray and prompts the user for decisions but only after passing the UAC prompt each time you log in to your normal account, which is annoying. Another problem with the regedit method is that it seems to be slower to run than task scheduler and since the Windows Firewall is deactivated, this will allow all connections (???) until the user does type the admin password on the UAC prompt (?).
From my experience even anti-viruses will allow a normal user to block/allow a connection and appear in the tray and will ask for elevation for specific more important tasks, is there a particular reason this isn't the case in simplewall?
And I've checked, nothing on issue #336 helps.
Hey,
For simplewall to work the way you want, as soon as you log in as a different user, it would either have to fork (yes, that's possible on Windows, even though it's a bit of a PITA to implement) or create a second process, which then connects to the Administrator instance using a pipe or other ways of Interprocess Communication.
"Skip UAC" does not work the way you think, since modern Windows versions are shipped with UAC set to "Always Notify", which breaks bypassing / skipping the prompt, and I think that's a good thing (being a security / privacy advocate).
Since it is not at all advised to use your administrator account for work like you are doing, here's my advice:
Create two user accounts, give one Administrator rights and a password and make the work user just a standard user, then set UAC to "Always Notify" if it's not already set to that - it's a useless feature otherwise, from a security standpoint.
Now, always use the work user, this way you only have to start simplewall once using the Administrator password, it will run as Administrator and it will also stay in your tray.
simplewall would also not work without elevated privileges, so in my opinion this is the way to go, I don't know why you were switching between users constantly anyway.
The only "downside" this has is getting used to the constant UAC prompts, but then again you also downloaded and installed a firewall, which makes me think you are trying to secure your system. :-)
Friendly notice: This post was created with me being in a bit of a hurry, so please tell me if I misunderstood the point of your question / ask if you have further questions.
> Since it is not at all advised to use your administrator account for work like you are doing, here's my advice:
> Create two user accounts, give one Administrator rights and a password and make the work user just a standard user, then set UAC to "Always Notify" if it's not already set to that - it's a useless feature otherwise, from a security standpoint. Now, always use the work user

This is exactly how I use my system, that's why simplewall not notifying my normal user account is an issue and I opened this.

> This way you only have to start simplewall once using the Administrator password, it will run as Administrator and it will also stay in your tray.

Yes that's how I'm doing it, not ideal though

> I don't know why you were switching between users constantly anyway.

I wasn't
@dumpsters So you are saying that notifications are broken on your system, even though you log in to your normal user then manually run simplewall as Administrator?
That definitely would be a bug, and I have no idea what would cause it. Notifications for new programs work fine on my Windows Server 2019 (1809 / 17763.2686) installation, but notice that blocking network access for a program also silences them indefinitely.
Skip UAC has been broken for a long time, or never really worked - at least not on Windows 8(.1) or later. As far as I understand, it's a convenience option for people who have given up on securing their computer totally and turned UAC off completely, because Microsoft has misled them by saying that "UAC is not a security function". What else is it then?
Off topic:
I currently work for a large corporation which recently was the victim of a large scale malware attack - if UAC was properly configured, this would have been prevented entirely, since Administrator passwords are not given to employees. But no, the previous system administrator listened to Microsoft and disabled it, even on high-security appliances.
This is not the first time we were called in to fix a mess Microsoft has (at least partially) caused.
> Yes that's how I'm doing it, not ideal though

Refer to my first paragraph please, it is highly unlikely that Henry will add the code necessary for multi-user support with a master process since it's not at all that easy and most people have a dedicated user anyway.
Someone else please confirm that this is wanted behavior, as I'm not 100% sure myself. OP, if no one replies during the next few days, please tag Henry yourself and ask if this is not a bug, but if I recall correctly, I have seen a message by him stating that the code behind it won't be changed / fixed (?).
I hope we can somehow find a solution anyway.
Again, off-topic: I feel that the project could need a dedicated sponsor, or a second developer with some (or preferably, a lot) of free time to contribute some code. I will donate some money soon, please note that he lives in a pretty poor country so even $20 is a lot. I'm also doing my best trying to answer questions on here, since there is no moderator or if there is one he's inactive, but I already work full-time and have a family to care for.
> So you are saying that notifications are broken on your system, even though you log in to your normal user then manually run simplewall as Administrator?

I said the "Skip UAC"/Start on login option in simplewall creates a task scheduler entry which does start, however that instance started from task scheduler won't ask a normal user for input whether to allow/deny programs and you can't interact with it.
I also said you can make it so simplewall will start on logon for the normal user but this will cause a UAC prompt each time you log in to allow simplewall to start which imo isn't ideal as background connections can happen during that time and you'll have your firewall down until you pass the UAC prompt.
It might be that the only way to get a better experience is with the interprocess communication/forking thing yeah.
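
An added example, not part of the thread and not simplewall's code: a PowerShell check of how the scheduled task described above is set to launch, and which session the running instance belongs to. Finding the task by the `simplewall.exe` executable name and the process by the name `simplewall` are assumptions, since the page does not give the task's name.

```powershell
# Added example; not code from simplewall or from the posts above.
# Assumption: the task is located by its action's executable name, because
# the page does not state what the task is called.
$exeName = 'simplewall.exe'

# 1. How is the task set to launch? (account, logon type, run level, triggers)
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like "*$exeName*" }
}
$tasks | ForEach-Object {
    $p = $_.Principal
    [pscustomobject]@{
        TaskName  = $_.TaskName
        RunAs     = if ($p.UserId) { $p.UserId } else { $p.GroupId }
        # Interactive corresponds to "Run only when user is logged on"
        LogonType = $p.LogonType
        # Highest corresponds to "Run with highest privileges"
        RunLevel  = $p.RunLevel
        Triggers  = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
    }
} | Format-List

# 2. Which session is the running instance in, compared with this shell?
$mySession = (Get-Process -Id $PID).SessionId
$procName  = [IO.Path]::GetFileNameWithoutExtension($exeName)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    Select-Object Id, SessionId,
        @{ Name = 'SameSessionAsMe'; Expression = { $_.SessionId -eq $mySession } }
```

Run it from the standard user's desktop: a process whose `SessionId` differs from the shell's cannot place a tray icon or a prompt on that desktop, whatever privileges it holds.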
Okay, thank you for clarifying, I should have postponed my reply until I had more time to read your report more thoroughly, sorry for wasting some of your time.
This could be an issue with the task configuration itself, since you can set all sorts of flags, and whether the program should be run in an interactive session or not, et cetera - the task scheduler GUI is lacking a few configuration options which could be critical here, these can however be set if you use the respective programming APIs to create a task, maybe that is the issue. GitHub's search is not being my friend however and I can't find the code responsible for creating the task (apparently they decided I'm a robot and I only get HTTP 429 aka "Too Many Requests" replies from their web servers right now, probably a side effect from using privacy.resistFingerprinting in Firefox).
> Background connections can happen during that time and you'll have your firewall down until you pass the UAC prompt.

This is not true at all - once simplewall has parsed your config and rules, and activated all filters using the WFP API, you can close all simplewall processes, it is no longer needed to maintain protection - your rule set has already been activated, and will stay active until you either reboot or indefinitely, if you have chosen the "Permanent filters" option. The continuous presence of the filters is further ensured by these two configuration options, which are enabled by default.
-> Enable protection of installed filters (recommended)
-> Enable boot-time filters (recommended)
So unless you have malware with administrator or higher privileges on the machine that simplewall is protecting, or a kernel rootkit, namely a malicious driver, which both could influence the filtering framework, then the small delay of the UAC prompt is not an issue, and background connections won't happen - the only downside is you not being able to utilize the logger to see what was blocked during the "downtime".
However, presence of the filters can be verified by opening the command prompt and trying to ping any host, if you correctly configured simplewall, only the DNS resolution should work, however the actual sending of the ICMP or ICMPv6 packet should fail:
```
C:\Users\Worker>ping github.com
Pinging github.com [140.82.121.3] with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.
Ping statistics for 140.82.121.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Worker>
```
So, I would just delete the task and disable the respective options in simplewall, and get used to entering a password (which you would have to do anyway, if you wanted to do any significant system changes). A bit disappointing, I know - it's late where I am, maybe tomorrow, with a new IP address, I can take a look at the task creation code.
Hope I could provide at least a bit of helpful information.
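
An added example, not part of the thread and not simplewall's code: besides the ping test above, the installed WFP filters can be listed directly with `netsh wfp show filters` and summarised while no simplewall process is running. The output path and the process name `simplewall` are assumptions; the page does not say which provider key belongs to simplewall, so the summary shows every provider with a sample filter name for identification.

```powershell
# Added example; not code from simplewall or from the posts above.
# Run from an elevated PowerShell prompt.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'   # constructed output path
netsh wfp show filters file="$dump" | Out-Null

$doc = [xml]::new()
$doc.Load($dump)

# Is any simplewall process alive? (process name assumed from the exe name)
$running = [bool](Get-Process -Name 'simplewall' -ErrorAction SilentlyContinue)
"simplewall process running: $running"

# Summarise the filters currently installed in the engine, per provider.
# PERSISTENT filters survive a reboot; BOOTTIME filters are enforced from
# early boot until the Base Filtering Engine service has started.
$doc.wfpdiag.filters.item | Group-Object { $_.providerKey } | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        ProviderKey = if ($_.Name) { $_.Name } else { '(none)' }
        SampleName  = $g[0].displayData.name
        Filters     = $g.Count
        Block       = @($g | Where-Object {
                          $_.action.type -eq 'FWP_ACTION_BLOCK' }).Count
        Persistent  = @($g | Where-Object {
                          $_.flags.item -contains 'FWPM_FILTER_FLAG_PERSISTENT' }).Count
        BootTime    = @($g | Where-Object {
                          $_.flags.item -contains 'FWPM_FILTER_FLAG_BOOTTIME' }).Count
    }
} | Sort-Object Filters -Descending | Format-Table -AutoSize
```

If the provider's rows are still present with `simplewall process running: False`, the rule set is being enforced without the user-mode process, which is the behaviour described above.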
> This is not true at all - once simplewall has parsed your config and rules, and activated all filters using the WFP API, you can close all simplewall processes, it is no longer needed to maintain protection - your rule set has already been activated, and will stay active until you either reboot or indefinitely, if you have chosen the "Permanent filters" option.

That's not as bad as I thought then. Still, being prompted even as a normal user would be appreciated.
Being prompted as a normal user for what? Just making sure I understood you correctly.