Chrome & AppContainer Tweak

Status
Not open for further replies.

Mr.X

Untrusted = low box token
Appcontainer = low-box token modified based on "capabilities" set by the developer of the Metro App.
This is isolated info that is good to know but barely answers my original question: why does Process Hacker show an integrity level of Untrusted for chrome.exe processes instead of AppContainer? Meanwhile both @dmex and @ionescu007 concur; quoting them:
AppContainers are unrelated to Integrity labels, so why should Process Hacker show 'AppContainer' instead of the integrity label value (e.g. Untrusted)?

Chrome also doesn't use the AppContainer infrastructure and chrome processes don't have any AppContainer SIDs in their process token.
Dmex is right, that's actually a 'bug' in Process Explorer.

However, here's an actual bug: for a Chrome process, PE shows the NULL SID correctly/restricted, while PH does not.

Best regards,
Alex Ionescu
Obviously they, and here you guys, assume I have knowledge I clearly do not have. So it's kind of hard to put together all the info.

SHvFl

This is isolated info that is good to know but barely answers my original question: why does Process Hacker show an integrity level of Untrusted for chrome.exe processes instead of AppContainer? Meanwhile both @dmex and @ionescu007 concur; quoting them:


Obviously they, and here you guys, assume I have knowledge I clearly do not have. So it's kind of hard to put together all the info.
Process Hacker chose to show the correct integrity level. Process Explorer decided to go with the name given to the special container Microsoft gave, so it's easier to identify which is which. I assume people prefer different things, but I for sure prefer to know when it's in AppContainer and when it's just Untrusted.

Mr.X

Process Hacker chose to show the correct integrity level. Process Explorer decided to go with the name given to the special container Microsoft gave, so it's easier to identify which is which. I assume people prefer different things, but I for sure prefer to know when it's in AppContainer and when it's just Untrusted.
Now, this is a clearer way to say things. And it answers my original question. Thanks @SHvFl

Azure

They should simply add a new setting for users who want to see if a process is using AppContainer. Disabled by default.

shmu26

Process Hacker chose to show the correct integrity level. Process Explorer decided to go with the name given to the special container Microsoft gave, so it's easier to identify which is which. I assume people prefer different things, but I for sure prefer to know when it's in AppContainer and when it's just Untrusted.
What is more secure: untrusted, or appcontainer?
I understood from @Umbra's post that appcontainer does two things: it grants a low trust status, but it also allows certain permissions specifically needed by that app. So it is in a sandbox but with a policy that allows some actions.
Please correct if I misunderstood the concept.

509322

Thread author
@Mr.X

Process Hacker nightly build shows Chrome running in Appcontainer.

Oooo, my mistake. It doesn't.

Process Explorer, Process Hacker, System Explorer... you only need all three if you are doing extensive in-depth analysis.

You have the text for Process Explorer so just use it. Process Hacker only has the advantage of having TCPView equivalent integrated into it, but TCPView has the advantage of identifying protocol by name (e.g. NetBIOS).

509322

Thread author
What is more secure: untrusted, or appcontainer?
I understood from @Umbra's post that appcontainer does two things: it grants a low trust status, but it also allows certain permissions specifically needed by that app. So it is in a sandbox but with a policy that allows some actions.
Please correct if I misunderstood the concept.

Appcontainer

There are articles here at MT that cover it in depth.

SHvFl

What is more secure: untrusted, or appcontainer?
I understood from @Umbra's post that appcontainer does two things: it grants a low trust status, but it also allows certain permissions specifically needed by that app. So it is in a sandbox but with a policy that allows some actions.
Please correct if I misunderstood the concept.
Read this. The whole article is interesting but this part is probably the one you care about based on your question.
Sandbox
Deleted member 178

Thread author
Read this. The whole article is interesting but this part is probably the one you care about based on your question.
Sandbox
@shmu26 there you have your answer completing mine ;)

@Mr.X The AppContainer feature isn't the realm of mere mortals, so I don't blame you for asking. I had the same reaction as you when it was implemented on Win8 and was also surprised about it not being referenced by PH ;)

shmu26

Read this. The whole article is interesting but this part is probably the one you care about based on your question.
Sandbox
Thanks. Good reading.
Yep, like @Umbra commented, this AppContainer business is a bit involved. There seem to be two restricting mechanisms:
1. Low integrity level (this concept is not new)
2. Low Box token.
I guess I gotta read about what a box token is. If anyone has a reading suggestion...
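The thread's point is that the integrity label (the S-1-16-x mandatory level), the restricted-SID list that Alex Ionescu mentions, and the AppContainer (lowbox) flag are three separate properties of a process token, so a tool can legitimately display any of them. The following PowerShell is an added example, not code from the thread or from Process Hacker or Process Explorer; it queries all three through the Win32 token APIs for every chrome.exe process, which makes the "Untrusted vs AppContainer" difference visible for whatever sandbox the installed Chrome version uses. It assumes Windows 8 or later (TokenIsAppContainer does not exist earlier) and that chrome.exe runs under the current user; the names Tok and Get-TokenIsolation are chosen for this example.

```powershell
# Added example (not from the thread, Process Hacker or Process Explorer): query three
# independent token properties so "Untrusted" vs "AppContainer" can be seen directly.
# Assumes Windows 8+; Tok and Get-TokenIsolation are names chosen for this example.
if (-not ('Tok' -as [type])) {
    Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class Tok {
  [DllImport("advapi32.dll", SetLastError=true)]
  public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)]
  public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, int len, out int ret);
  [DllImport("advapi32.dll")] public static extern bool IsTokenRestricted(IntPtr tok);
  [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthority(IntPtr sid, int i);
  [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
"@
}
$M = [System.Runtime.InteropServices.Marshal]
$Names = @{ 0 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-TokenIsolation([System.Diagnostics.Process]$Process) {
    $tok = [IntPtr]::Zero
    if (-not [Tok]::OpenProcessToken($Process.Handle, 0x8, [ref]$tok)) {   # 0x8 = TOKEN_QUERY
        throw "OpenProcessToken(pid $($Process.Id)) failed: $($M::GetLastWin32Error())"
    }
    try {
        # 29 = TokenIsAppContainer: DWORD, nonzero only for a lowbox (AppContainer) token
        $dw = $M::AllocHGlobal(4); $M::WriteInt32($dw, 0); $len = 0
        [void][Tok]::GetTokenInformation($tok, 29, $dw, 4, [ref]$len)
        $isAppContainer = $M::ReadInt32($dw) -ne 0
        $M::FreeHGlobal($dw)
        # 25 = TokenIntegrityLevel: TOKEN_MANDATORY_LABEL, whose first field is the label PSID
        [void][Tok]::GetTokenInformation($tok, 25, [IntPtr]::Zero, 0, [ref]$len)
        $buf = $M::AllocHGlobal($len)
        if (-not [Tok]::GetTokenInformation($tok, 25, $buf, $len, [ref]$len)) { throw 'TokenIntegrityLevel query failed' }
        $sid = $M::ReadIntPtr($buf)
        $n = $M::ReadByte([Tok]::GetSidSubAuthorityCount($sid))
        $rid = $M::ReadInt32([Tok]::GetSidSubAuthority($sid, $n - 1))   # last sub-authority = mandatory level
        $M::FreeHGlobal($buf)
        $level = if ($Names.ContainsKey($rid)) { $Names[$rid] } else { 'S-1-16-{0}' -f $rid }
        [pscustomobject]@{ Pid = $Process.Id; Name = $Process.ProcessName; Integrity = $level
                           Restricted = [Tok]::IsTokenRestricted($tok)   # restricted-SID list present (e.g. NULL SID)
                           AppContainer = $isAppContainer }
    } finally { [void][Tok]::CloseHandle($tok) }
}

Get-Process chrome -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-TokenIsolation $_ } catch { Write-Warning $_ } } | Format-Table -AutoSize
```

A sandboxed renderer that Process Hacker labels Untrusted will show Integrity = Untrusted with Restricted = True, while AppContainer is True only for processes that actually carry a lowbox token; the browser's broker process normally shows Medium with both flags False.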