Managed control of processes including privilege escalation

US 8,806,494 B2
Filed: 07/03/2013
Issued: 08/12/2014
Est. Priority Date: 02/03/2006
Status: Active Grant

First Claim

Patent Images

1. A computer storage memory having computer-executable instructions stored thereon that when executed cause a computing device to perform a method comprising:

receiving a request for an execution role of a process selected by a user for execution on the computing device, said process having limited access to system resources;

accessing configuration data relating to the process, said accessed configuration data defining rights for execution of the process;

determining the rights for the process based on the accessed configuration data;

accessing privilege data stored in a memory area to retrieve the execution role associated with the process based on the determined rights;

receiving a request from the user for modification of the execution role for the process; and

modifying the execution role based on the determined rights to enable the process a different level of access to the system resources.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.

Citations

20 Claims

1. A computer storage memory having computer-executable instructions stored thereon that when executed cause a computing device to perform a method comprising:
- receiving a request for an execution role of a process selected by a user for execution on the computing device, said process having limited access to system resources;
  
  accessing configuration data relating to the process, said accessed configuration data defining rights for execution of the process;
  
  determining the rights for the process based on the accessed configuration data;
  
  accessing privilege data stored in a memory area to retrieve the execution role associated with the process based on the determined rights;
  
  receiving a request from the user for modification of the execution role for the process; and
  
  modifying the execution role based on the determined rights to enable the process a different level of access to the system resources.
- View Dependent Claims (2, 3, 4)
- - 2. The computer storage memory of claim 1, wherein the process is selected indirectly by the user as a result of executing another process.
  - 3. The computer storage memory of claim 1, wherein the execution role comprises one or more of the following:
    - deny, allow, run as limited user, run with user privileges, run as administrative user, and run with administrative privileges.
  - 4. The computer storage memory of claim 1, wherein creating the execution role comprises modifying a token.

5. A method comprising:
- receiving a request for an execution role associated with one of a plurality of processes, said one of the plurality of processes being selected by a user for execution on a computing device, said one of the plurality of processes having limited access to system resources;
  
  accessing configuration data relating to the process, said accessed configuration data defining rights for execution of the process;
  
  determining, based on the configuration data, the rights for execution of the selected process;
  
  retrieving, based on the determined rights, the requested execution role for the selected process;
  
  receiving a request for modification of the execution role for the selected process; and
  
  modifying the execution role based on the determined rights to enable the selected process a different level of access to the system resources.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The method of claim 5, wherein the retrieved execution role for the selected process comprises either an administrative execution role or a user execution role.
  - 7. The method of claim 6, wherein the administrative execution role corresponds to greater access to system resources relative to the user execution role.
  - 8. The method of claim 5, further comprising storing a local copy of the configuration data relating to the plurality of processes, said configuration data indicating an execution role associated with each of said processes.
  - 9. The method of claim 8, wherein storing the configuration data comprises storing the configuration data for each of the plurality of processes as a function of the user.
  - 10. The method of claim 8, wherein storing the configuration data comprises storing the configuration data for each of the plurality of processes as a function of the computing device.
  - 11. The method of claim 8, wherein accessing the configuration data comprises performing a process lookup for the selected executing process in the stored configuration data, said performing comprising, when the performed process lookup does not yield the selected process, receiving and searching an updated copy of the configuration data.

12. A system comprising:
- a memory area for storing privilege data relating to a plurality of processes for execution, said privilege data defining access by each of the plurality of processes to resources, said privilege data including an execution role for each of the plurality of processes;
  
  a processor configured to execute computer-executable instructions for;
  
  receiving a request for the execution role of a particular process to be executed, said particular process being selected by a user for execution, said particular process being one of the plurality of processes and having limited access to system resources;
  
  accessing configuration data relating to the particular process, said accessed configuration data defining rights for execution of the particular process;
  
  determining the rights for the particular process based on the accessed configuration data;
  
  accessing the privilege data stored in the memory area to retrieve the execution role associated with the particular process based on the determined rights;
  
  receiving a request from a user for modification of the execution role for the particular process; and
  
  modifying the execution role based on the determined rights to enable the particular process a different level of access to the system resources.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, further comprising means for elevating or lowering an execution privilege of a process to be executed.
  - 14. The system of claim 12, further comprising a first computing device and a second computing device, said first computing device including the memory area and the processor and said second computing device executing the process.
  - 15. The system of claim 14, further comprising means for constraining a process to execute on the second computing device with limited rights to access resources of the second computing device.
  - 16. The system of claim 14, wherein the first computing device comprises a server-side communications and management infrastructure.
  - 17. The system of claim 14, wherein the second computing device comprises one or more of the following:
    - a delegated management console and a client computing device.
  - 18. The system of claim 12, wherein the plurality of processes spawn from one or more of the following:
    - an executable file, an executable image, and an installation file.
  - 19. The system of claim 12, wherein at least one of the plurality of processes relates to installation and use of a hardware device.
  - 20. The method of claim 12, wherein the user is an administrator, wherein the determined rights for the process indicate limited access to the system resources, and wherein the execution role is applied to the process to constrain the process to execute with the limited access to the system resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Russinovich, Mark, Cogswell, Bryce, Miller, Wesley G.
Primary Examiner(s)
SWIFT, CHARLES M

Application Number

US13/934,309
Publication Number

US 20130298128A1
Time in Patent Office

405 Days
Field of Search

None
US Class Current

718/100
CPC Class Codes

G06F 12/1491 in a hierarchical protectio...

G06F 9/468 Specific access rights for ...

Managed control of processes including privilege escalation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managed control of processes including privilege escalation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links