Managed control of processes including privilege escalation

US 20070199068A1
Filed: 02/05/2007
Published: 08/23/2007
Est. Priority Date: 02/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a driver executing on a computing device, a request for an execution role of a process selected by a user for execution on the computing device;

accessing configuration data relating to the user, the computing device, and the process, said accessed configuration data defining rights for execution of the process;

determining the rights based on the accessed configuration data for the process;

providing the determined rights as the execution role to the driver executing on the computing device, wherein the driver applies the provided execution role to the process.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.

61 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, from a driver executing on a computing device, a request for an execution role of a process selected by a user for execution on the computing device;
  
  accessing configuration data relating to the user, the computing device, and the process, said accessed configuration data defining rights for execution of the process;
  
  determining the rights based on the accessed configuration data for the process;
  
  providing the determined rights as the execution role to the driver executing on the computing device, wherein the driver applies the provided execution role to the process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the user has limited access to system resources, and wherein the determined rights enable greater access to the system resources, and wherein the driver applies the execution role to the process to provide the process with the greater access to the system resources.
  - 3. The method of claim 1, wherein the process is selected indirectly by the user as a result of executing another process.
  - 4. The method of claim 1, wherein the execution role comprises one or more of the following:
    - deny, allow, run as limited user, run with user privileges, run as administrative user, and run with administrative privileges.
  - 5. The method of claim 1, wherein creating the execution role comprises modifying a token.
  - 6. The method of claim 1, wherein one or more computer-readable media have compute-executable instructions for performing the method recited in claim 1.

7. A method comprising:
- storing configuration data relating to a plurality of processes, said configuration data indicating whether each of said processes has an administrative execution role or a user execution role associated therewith;
  
  receiving, from a driver executing on a computing device, a request for an execution role associated with one of the plurality of processes, said one of the plurality of processes being selected by a user for execution on the computing device;
  
  searching the stored configuration data for the requested execution role as a function of the user, the computing device, and the selected process;
  
  determining the requested execution role for the selected process based on the searched configuration data as either the administrative execution role or the user execution role; and
  
  providing the determined execution role to the driver executing on the computing device, wherein the driver allows the selected process to execute according to the provided execution role.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the administrative execution role has greater access to system resources relative to the user execution role.
  - 9. The method of claim 7, wherein storing the configuration data comprises storing the configuration data for each of the plurality of processes as a function of the user.
  - 10. The method of claim 7, wherein storing the configuration data comprises storing the configuration data for each of the plurality of processes as a function of the computing device.
  - 11. The method of claim 7, wherein one or more computer-readable media have computer-executable instructions for performing the method recited in claim 7.

12. A system comprising:
- a memory area on a first computing device for storing privilege data relating to a plurality of processes for execution on a second computing device, said privilege data defining access by each of the plurality of processes to resources associated with the second computing device, said privilege data including an execution role for each of the plurality of processes;
  
  a processor configured on the first computing device to execute computer-executable instructions for;
  
  receiving, from a driver executing on the second computing device, a request for an execution role of a particular process to be executed on the second computing device, said particular process being one of the plurality of processes;
  
  accessing the privilege data stored in the memory area for the particular process to retrieve the execution role associated therewith;
  
  providing the retrieved execution role to the driver executing on the second computing device, wherein the driver considers the provided execution role when determining whether to allow the particular process to execute on the second computing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, further comprising the driver executing on the second computing device.
  - 14. The system of claim 12, further comprising means for managing execution of a process on the second computing device.
  - 15. The system of claim 12, further comprising means for elevating an execution privilege of a process to be executed on the second computing device.
  - 16. The system of claim 12, further comprising means for constraining a process to execute on the second computing device with limited rights to access resources of the second computing device.
  - 17. The system of claim 12, wherein the first computing device comprises a server-side communications and management infrastructure.
  - 18. The system of claim 12, wherein the second computing device comprises one or more of the following:
    - a delegated management console and a client computing device.
  - 19. The system of claim 12, wherein the plurality of processes spawn from one or more of the following:
    - an executable file, an executable image, and an installation file.
  - 20. The system of claim 12, wherein at least one of the plurality of processes relates to installation and use of a hardware device on the second computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cogswell, Bryce, Russinovich, Mark

Granted Patent

US 8,490,093 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/16
CPC Class Codes

G06F 12/1491 in a hierarchical protectio...

G06F 9/468 Specific access rights for ...

Managed control of processes including privilege escalation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Managed control of processes including privilege escalation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others