Trusted Installer

Discussion in 'Windows Vista Installation' started by MikeV06, Nov 21, 2007.

  1. MikeV06

    MikeV06 Guest

    I looked at Users & Groups and do not find a user or group named
    TrustedInstaller. However, that user is listed as owner of the C:\ drive.
    Do I need to add a user or something?

    Thanks.

    Mike
     
    MikeV06, Nov 21, 2007
    #1

  2. Hello Mike,

    This is part of the new ACLs to help improve security in Windows Vista.

    From this link below: I am posting a couple of paragraphs that talk about
    Trusted Installer:

    http://www.microsoft.com/technet/technetmag/issues/2007/06/ACL/default.aspx

    Trusted Installer: The Trusted Installer is actually a service, not a user,
    even though you see permissions granted to it all over the file system.
    Service hardening allows each service to be treated as a full-fledged
    security principal that can be assigned permissions just like any other
    user. For an overview of this feature, see the January 2007 issue of
    TechNet Magazine. The book Windows Vista Security (Grimes and Johansson,
    Wiley Press, 2007) explores service hardening in detail, including how it
    is leveraged by other features, such as the firewall and IPsec.

    Trusted Installer: In Windows Vista, most of the OS files are owned by the
    TrustedInstaller SID, and only that SID has full control over them. This is
    part of the system integrity work that went into Windows Vista, and is
    meant specifically to prevent a process that is running as an administrator
    or Local System from automatically replacing the files. In order to delete
    an operating system file, you thus need to take ownership of the file and
    then add an ACE on it that lets you delete it. This provides a thin layer
    of protection against a process that is running as LocalSystem and has a
    System integrity label; a process that has lower integrity is not supposed
    to be able to elevate itself to change ownership. Some services, for
    instance, can run with medium integrity, even though they are running as
    Local System. Such services cannot replace system files so an exploit that
    takes over one of them can’t replace operating system files, making it a
    bit harder to install a rootkit or other malware on the system. It also
    becomes more difficult for system administrators who are offended by the
    mere presence of some system binary to remove that binary.

    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights
    Darrell Gorter[MSFT], Nov 29, 2007
    #2
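
Why no TrustedInstaller account appears in Users & Groups, shown as an added example that is not part of the original thread or the quoted TechNet article: a service SID is computed from the service name instead of being stored as an account, and the same value is what appears as the owner in a file's SDDL. The file paths and SDDL strings below are constructed, and `owner_from_sddl` and `not_owned_by_trusted_installer` are hypothetical helper names.

```python
import hashlib
import re
import struct


def service_sid(service_name: str) -> str:
    """Derive the per-service SID (S-1-5-80-...) from a service name."""
    # The upper-cased name is hashed as UTF-16LE with SHA-1; the 20-byte
    # digest becomes five little-endian 32-bit sub-authorities.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


TRUSTED_INSTALLER_SID = service_sid("TrustedInstaller")

# SDDL starts with "O:<owner>", where the owner is a SID string or a
# two-letter alias such as BA (Administrators) or SY (Local System).
_OWNER_RE = re.compile(r"^O:(S-1-[0-9-]+|[A-Z]{2})")


def owner_from_sddl(sddl: str):
    """Return the owner field of an SDDL string, or None if absent."""
    match = _OWNER_RE.match(sddl)
    return match.group(1) if match else None


def not_owned_by_trusted_installer(inventory: dict) -> list:
    """Return paths whose owner is not the TrustedInstaller service SID."""
    return sorted(
        path for path, sddl in inventory.items()
        if owner_from_sddl(sddl) != TRUSTED_INSTALLER_SID
    )


# Constructed inventory: path -> SDDL, e.g. as exported with (Get-Acl $p).Sddl
TI = TRUSTED_INSTALLER_SID
SAMPLE_INVENTORY = {
    r"C:\Windows\System32\example1.dll":
        f"O:{TI}G:{TI}D:PAI(A;;FA;;;{TI})(A;;0x1200a9;;;BA)",
    r"C:\Windows\System32\example2.dll":
        "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;0x1200a9;;;SY)",  # ownership was changed
}

if __name__ == "__main__":
    print("TrustedInstaller SID:", TRUSTED_INSTALLER_SID)
    for path in not_owned_by_trusted_installer(SAMPLE_INVENTORY):
        print("owner is not TrustedInstaller:", path)
```

An OS file whose owner has moved from this SID to Administrators has lost the protection the quoted article describes, so a list like this is worth reviewing after software installs or incident cleanup.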

  3. MikeV06

    MikeV06 Guest

    Thank you for your post. The comments and the link are very useful.

    Happy holidays.

    Mike

    On Thu, 29 Nov 2007 04:57:45 GMT, "Darrell Gorter[MSFT]" wrote:

    > Hello Mike,
    >
    > This is part of the new ACLS to help improve security in Windows Vista
    >
    > From this link below: I am posting a couple of paragraphs that talk about
    > Trusted Installer:
    >
    > http://www.microsoft.com/technet/technetmag/issues/2007/06/ACL/default.aspx
    >
    > Trusted Installer: The Trusted Installer is actually a service, not a user,
    > even though you see permissions granted to it all over the file system.
    > Service hardening allows each service to be treated as a full-fledged
    > security principal that can be assigned permissions just like any other
    > user. For an overview of this feature, see the January 2007 issue of
    > TechNet Magazine. The book Windows Vista Security (Grimes and Johansson,
    > Wiley Press, 2007) explores service hardening in detail, including how it
    > is leveraged by other features, such as the firewall and IPsec.
    >
    > Trusted Installer: In Windows Vista, most of the OS files are owned by the
    > TrustedInstaller SID, and only that SID has full control over them. This is
    > part of the system integrity work that went into Windows Vista, and is
    > meant specifically to prevent a process that is running as an administrator
    > or Local System from automatically replacing the files. In order to delete
    > an operating system file, you thus need to take ownership of the file and
    > then add an ACE on it that lets you delete it. This provides a thin layer
    > of protection against a process that is running as LocalSystem and has a
    > System integrity label; a process that has lower integrity is not supposed
    > to be able to elevate itself to change ownership. Some services, for
    > instance, can run with medium integrity, even though they are running as
    > Local System. Such services cannot replace system files so an exploit that
    > takes over one of them can’t replace operating system files, making it a
    > bit harder to install a rootkit or other malware on the system. It also
    > becomes more difficult for system administrators who are offended by the
    > mere presence of some system binary to remove that binary.
    >
    > Thanks,
    > Darrell Gorter[MSFT]
     
    MikeV06, Dec 7, 2007
    #3
  4. MikeV06

    Guest

    Hello Darrell,

    I know this post is very old. But still, I want to ask you this. If I wanted to add a registry that has TrustedInstaller as ownership, I wanted to change the ownership to Administrator first, only then I can add it. But do I have a provision of doing this job in command prompt? Or do I have any executables to achieve this? I wanted to do the job only in command prompt.

    Thanks,
    Badhri
     
    , Jun 20, 2013
    #4