Tool Bounty -- "AutoCapture" from Optical Drive
We have a winner! (No more submissions, please.) Check out this labor of love for the full details.
Altiris awarded 1,000 Juice Points as a bounty for this commonly requested tool!
Background
Altiris is planning a feature for the next major release of SVS ("AutoCapture") that will allow end users to install their own software without breaking corporate standard apps. AutoCapture will also give IT the ability to make this personal stuff go away cleanly if they need to.
Two new things need to be done to support AutoCapture. First, a service needs to be built that reliably recognizes installation processes run from anywhere (including the Web) and triggers the SVS capture function to create a new layer. Also, SVS needs to be able to do a capture while other layers are active. With the current product, as you all know, the end user would need to back out of and deactivate virtualized applications before creating a new virtual layer. This will be one of the key new features in Lightning.
Regardless, while the world waits for Lightning and AutoCapture, some SVS customers want to take advantage of this type of functionality now, within the limitations of SVS 2.x.
The Use Case
The specific use case that's coming up is machines that are not otherwise using SVS. That is, there are no pre-existing apps in layers, so no concern about having to deactivate before capture. Also, the installers that need to be captured into new layers are always on removable media in an optical drive (CD/DVD) with a predictable drive letter (that is, it will always be the E: drive, or F:, or whatever).
The user needs to be able to insert a CD or DVD and install a document viewer or some other small application from that disk, for temporary use. IT needs assurance that the app a) will not conflict with pre-existing standard apps installed into the base and b) that the app will go away and leave nothing behind when the single use is over.
Other Requirements
There's some flexibility on how you handle the new layer getting deactivated and/or deleted. Creative suggestions welcomed. The newly created layers should not be flagged to "Start Automatically," so that a reboot "clears" the machine and makes it ready to receive another CD with another installer. The ideal is to make this functionality completely invisible to the end user. But you may decide that some sort of "clear" icon on the desktop or in the system tray (to deactivate/delete an existing layer) is the best approach. Some configuration options for the administrator are ok (like which drive letter to automatically capture from), but nothing should be exposed to the actual end user except maybe a single "clear" type of icon.
Since three people so far have made this incorrect assumption, let me be clear: The ability to allow reduced privilege users to install software is a different issue, out of the scope of this bounty hunt. Altiris already has a product for that -- Application Control Solution.

So to be honest...
We (developers) should invent "AutoCapture" for the 2.x version, which will not be necessary when the new version of SvS comes out, because it will be in the new version?
______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.
Of Course
There are plenty of features that have been done by external developers already -- or that are being worked on -- which Altiris may eventually bring into the regular SVS product, or some other Altiris product.
Whenever we wish to directly leverage someone else's work, Altiris of course does so with their permission and under the relevant license terms.
In the case of Juice tools, that's usually the AJSL, which is an open source, BSD-style license. If you want to do the work but not share it on the Juice under that license, obviously as the owner of the IP you have that option. As indicated on the download submission page, you can specify any license you like.
Or if you prefer a different distribution method, we're constantly speaking with developer partners about commercial arrangements for intellectual property (a lot of whom seem to be in the Netherlands, btw... ).
In this case, since the functionality being asked for today is technically different from what we intend to build in Lightning, we did two things. First, we disclosed our roadmap ("to be honest"). Second, we took it to the community and invited cooperation in the FOSS spirit.
After 2.1 is in the can, I'm sure one of our testers will have the bandwidth to write a simple Windows service that monitors a drive letter and calls the SVS API to create a new layer when a process is launched from that drive letter... And we could put that out on the Juice. We just figured it would be faster (and fairer) to give you a shot at this.
Scott Jones
Product Manager
Altiris, Inc.
No wonder
Scott,
In the Netherlands there is a big SvS adaptation, and that is the answer to the question of why there are so many tools and other stuff coming from the Netherlands.
We (the Dutch people) are innovative, and want to go ahead on stuff.
For instance the work I did (Svs on Citrix and terminal server)
Scense and do not forget Starf0x's tools.
Regards
Erik
Regards
Erik
www.DinamiQs.com
Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)
Security issue
Dear Scott,
It's an interesting idea. I have some questions regarding security.
To install software, administrative rights need to be granted to the installation process. And since it is not known which other processes this process needs to start to complete its task, the child processes will inherit the same privileges. Thus an installer with admin rights is a security breach. E.g. when the installer opens a command shell it could be used to execute malicious code, or even if the installer only offers to choose a directory by browsing, the dialog can be used to start the command shell with the elevated rights (right click menu works in the dialog).
This said, I think it is equivalent to give that user the password for an account on that machine with administrator rights.
Then the user could be asked to enter the password for that admin account when he wants to install a software product. This has the advantage that not all processes started with a file (.exe, .msi, .bat) on an optical disc get administrative privileges by default. The user has to give his permission.
But this violates the request, "nothing should be exposed to the actual end user except maybe a single [...] icon".
Could you please shed some light on how this is supposed to be handled?
Ciao
toralf
Security issue
First, sorry, I should have specified that XP-only is sufficient. No need to worry about the added complexities of Vista security.
Also, it's taken as a given here that the customer has already configured Windows security to their standards and that the logged in user has rights to install the software in question.
As per a previous discussion, SVS in the absence of Altiris Protect cannot do anything to resolve certain security threats on Windows. Like SVS itself, this tool isn't intended to be a security solution; it's intended to be a manageability solution. Nothing that SVS (or this tool) does should ever reduce the security of a machine, but neither is it a requirement to increase security.
No additional privilege!?!
Just to get this straight:
You say that the user has the rights to install the software AND to use SVSCMD which writes to the registry and file repository, right? So there is no need to grant any additional privilege to any process or I/O involved in the capturing process.
Ok, then I think I have a solution. Where should I post it when finished?
Ciao
toralf
Ok
I'm out of the picture as a VB6 developer, the issues I would need to cope with are way too open for bugs, here they are:
1. indeed, user privileges, they will not have sufficient rights to install software, also in XP, so you need to create a service with system rights, who will then use the API that calls SVS to install the software, SVSCMD is a no go.
2. Detecting an application starting and most important, before it can do anything you need to start the capture process.
3. Detecting sub processes. What I mean is, if a CD/DVD has an autorun.exe (which is usually the menu), you need to detect the process started from that menu, and capture that.
These 3 issues are (almost) impossible in VB6, I'm sorry I won't join this challenge.
Kind Regards, Starf0x
______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.
Tool Bounty Q&A
1 - I was envisioning a service using the API anyway, but not for this reason. As stated above, the ability to allow reduced privilege users to install software is a different issue, out of the scope of this bounty hunt. Altiris already has a product for that -- Application Control Solution.
2 - Yah, that's the big challenge...
3 - SVS tracks subprocesses. If you trigger on the root of the process tree, everything else will get captured automatically.
Coincidence
By coincidence I was just starting today to work on my second approach. I should be done in a few hours. But need someone to test it with a virtual machine. Scott, do you want to test it again??? :)
Ciao
toralf
Submit second version
Dear Scott,
I submitted my second version. This time reboot works. I tested it on my machine (no virtual machine). Hopefully it doesn't crash yours again.
Ciao
toralf
Not in for the bonus
It is very easy changing the registry setting that starts the Microsoft installer as soon as an .exe or a .msi is started.
Track down the capturing with filemon, and change the default installer in the registry with the svscmd.exe
As soon as a user starts an .exe or a .msi, the capturing will start.
After finishing there is a new layer.
Then you need some code to track the layer, and activate it.
The question is more difficult than the program you need to solve it.
Regards
Erik
Regards
Erik
www.DinamiQs.com
Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)
Easy?!?
It is not as easy as you describe. Since you do not want to capture all exe/msi/bat/cmd files started. Only those on the monitored drives.
Sorry, I do not understand your last sentence. What do you mean by: "The question is more difficult than the program you need to solve it."
Ciao
toralf
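As an added illustration (not code from this thread or from SVS), here is a sketch of the trigger decision discussed above: start a capture only for launches from the monitored drive, and only at the root of a process tree, since subprocesses are tracked with their root. The `ProcStart` event type, the sample events and the drive letter are assumptions; how events are collected and how SVS is called are left out.

```python
import ntpath
from dataclasses import dataclass

MONITORED_DRIVES = {"E:"}                    # assumption: admin-configured drive letter
INSTALLER_EXTS = {".exe", ".msi", ".bat", ".cmd"}   # file types named in the thread
HOSTS = {"msiexec.exe", "cmd.exe"}           # run a package/script passed as an argument

@dataclass(frozen=True)
class ProcStart:                             # hypothetical process-creation event
    pid: int
    ppid: int
    image: str
    args: tuple = ()                         # assumed already split and unquoted

def launch_target(ev):
    """File the user actually launched: for host processes, the package in args."""
    if ntpath.basename(ev.image).lower() in HOSTS:
        for arg in ev.args:
            if ntpath.splitext(arg)[1].lower() in INSTALLER_EXTS - {".exe"}:
                return arg
    return ev.image

def on_monitored_drive(path):
    drive, _ = ntpath.splitdrive(ntpath.normpath(path))
    return drive.upper() in MONITORED_DRIVES  # UNC shares and other letters fail here

def capture_roots(events):
    """Return pids at which a capture should start, one per process tree."""
    tracked, roots = set(), []
    for ev in events:
        if ev.ppid in tracked:               # descendant of a captured root:
            tracked.add(ev.pid)              # followed with the tree, no new capture
            continue
        target = launch_target(ev)
        ext = ntpath.splitext(target)[1].lower()
        if ext in INSTALLER_EXTS and on_monitored_drive(target):
            roots.append(ev.pid)
            tracked.add(ev.pid)
    return roots

# Constructed sample events (pid, parent pid, image path, arguments).
SAMPLE = [
    ProcStart(100, 50, r"E:\autorun.exe"),
    ProcStart(101, 100, r"E:\setup\setup.exe"),
    ProcStart(102, 101, r"C:\Windows\System32\msiexec.exe", ("/i", r"E:\setup\viewer.msi")),
    ProcStart(200, 50, r"C:\Program Files\Microsoft Office\winword.exe"),
    ProcStart(300, 50, r"C:\Windows\System32\msiexec.exe", ("/i", r"e:\tools\reader.msi")),
    ProcStart(400, 50, r"\\server\share\setup.exe"),
]

if __name__ == "__main__":
    print(capture_roots(SAMPLE))
```

An .msi started from the disc runs under msiexec.exe on the system drive, so the sketch inspects the package argument rather than the image path. Process exit and pid reuse are not modelled.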
Last sentence
The question that Scott was asking is not that difficult.
In the registry you have to create an entry that captures all .exe and all .msi.
.Bat and .cmd are locked for security purposes.
Believe me, solving this is not that difficult.
I'm out of the bounty hunt because I'm no programmer, but I understand how Windows handles stuff. Even in Vista with UAC enabled it is quite easy to do this.
Regards
erik
Regards
Erik
www.DinamiQs.com
Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)
Well that method wouldn't
Well that method wouldn't work with exe since most, if not all, program launch files are exes so that wouldn't do you any good to have SVS trying to capture you running Word or another program when it launches.
If a forum post solves your problem please flag it as the solution
If you like an article, blog post or download vote it up
Exe like word
Jordan, an executable that tries to install software is handled differently than an exe like winword.
Microsoft sees the difference.
When you start winword, the registry is handling a different routine than an exe that installs.
regards
erikw
Regards
Erik
www.DinamiQs.com
Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)
Capture AutoRuns?
Dear Scott,
Do you think it is still necessary to capture autorun processes? I think I have found a way that could work. Let me know and I will update the code. It could be optional.
Ciao
toralf