Andy Ful

Level 45
Verified
Trusted
Content Creator
'Run By Smartscreen' is a very simple idea: run new executable files with a SmartScreen check using the right-click Explorer context menu. It covers in a smart way file execution in the User Space (= everything outside C:\Windows, C:\Program Files, C:\Program Files (x86)), which is welcome because dropping files to the User Space is not guarded by UAC.

Why the SmartScreen?
The SmartScreen technology is one of the best for fighting 0-day malware files.

Why 'Run By SmartScreen'?
This technology is only half-way adopted in Windows. SmartScreen on the run can check executables with the "Mark of the Web", which is attached to files after downloading from the Internet by popular Web Browsers, Windows Store or Windows OneDrive. There are many cases when files do not have the "Mark of the Web", and then the SmartScreen Filter simply ignores them on the run (see REMARKS).


INSTALLATION

'Run By Smartscreen' works only with Windows 8 and higher versions.
Unzip RunBySmartscreen.zip - there should be 4 files in the unpacked RunBySmartscreen folder: RunBySmartscreen.au3 (source script), RunBySmartScreen(x64).exe (for 64Bit system), RunBySmartScreen(x86).exe (for 32Bit system), and RunBySmartscreenHelp.txt (help file).

For 64Bit OS:
1. Copy RunBySmartScreen(x64).exe to C:\Windows, and then run this file with Administrative Rights ('Run As Administrator' option in Explorer context menu).
2. After that, the 'Run by SmartScreen' option should appear in the Explorer context menu. If not, the log out/log on procedure should help.
3. Please do not change the name and the path of RunBySmartScreen(x64).exe - they are hard-coded in the program, and are necessary for its proper functioning.

For 32Bit OS:
Do as in the case of 64Bit, but choose RunBySmartScreen(x86).exe.

Running one of the above executables adds/removes the "Run By SmartScreen" option in the Explorer context menu. This option forces file execution with a SmartScreen check for: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE files, located in the User Space. Files with other extensions will not be allowed to execute. If the file is located in the System Space (inside C:\Windows, C:\Program Files, C:\Program Files (x86)), then it is executed without a SmartScreen check.


UNINSTALLATION

For 64Bit OS:
Navigate to RunBySmartScreen(x64).exe in C:\Windows folder, and run this file with Administrative Rights. The message:
"Do you want to have 'Run By SmartScreen' option in Explorer context menu?" will be shown.
Choose NO button to disable it.

For 32Bit OS:
Do as in the case of 64Bit, but choose RunBySmartScreen(x86).exe.

After that the executable can be deleted.


REMARKS

The SmartScreen Filter in Windows 8+ allows some vectors of infection listed below:

A) You have got the executable file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE) using:
* a downloader or torrent application (EagleGet, utorrent etc.);
* a container format file (zip, 7z, arj, rar, etc.);
* a CD/DVD/Blu-ray disc;
* a CD/DVD/Blu-ray disc image (iso, bin, etc.);
* a non-NTFS USB storage device (FAT32 pendrive, FAT32 usb disk);
* Memory Card;
so the file does not have the proper Alternate Data Stream attached ('Mark of the Web').

B) You have run the executable file with runas.exe (Microsoft), AdvancedRun (Nirsoft), RunAsSystem.exe (AprelTech.com), etc.


'Run By SmartScreen' covers all vectors of infection listed in point A).
As an alternative to "Run By SmartScreen", you may simply upload the file to OneDrive (or a mailbox), and download it again. This procedure also activates the SmartScreen check automatically.

Registry changes:
HKEY_CLASSES_ROOT\*\shell\Run By SmartScreen\


PROGRAM INFO

'Run By Smartscreen' was coded and compiled with AutoIt v3.3.14.2 (see RunBySmartscreen.au3 source file).
This is the first beta version.
Download files:
GitHub - AndyFul/Run-By-Smartscreen

This post was edited to clarify the installation process, after some Av Gurus notes.
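
The post above ties SmartScreen's on-run check to the 'Mark of the Web', stored in the Zone.Identifier alternate data stream. As an added example (not part of the original post and not code from the Run By SmartScreen project), this PowerShell script lists executable-type files in a folder and reports which of them carry that stream; the default folder, the function name Get-MotwStatus and the output column names are assumptions.

```powershell
# Added example, not from the Run By SmartScreen project.
param(
    # Assumed default: the current user's Downloads folder.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# Extensions listed in point A) of the post's REMARKS.
$extensions = '.bat', '.cmd', '.com', '.cpl', '.dll', '.exe',
              '.jse', '.msi', '.ocx', '.pif', '.scr', '.vbe'

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)

    # File system of the volume holding the file (NTFS, FAT32, exFAT, ...).
    $fileSystem = 'unknown'
    try {
        $root = [System.IO.Path]::GetPathRoot($File.FullName)
        $fileSystem = (New-Object System.IO.DriveInfo $root).DriveFormat
    } catch { }   # UNC paths and unready drives stay 'unknown'

    # 'Mark of the Web' is the Zone.Identifier alternate data stream.
    $zoneId = $null
    try {
        $match = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction Stop |
            Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
    } catch { }   # stream missing, or the file system has no streams

    [pscustomobject]@{
        File       = $File.FullName
        FileSystem = $fileSystem
        HasMotW    = ($null -ne $zoneId)   # false if no ZoneId line was found
        ZoneId     = $zoneId               # 3 = Internet zone
    }
}

# Files without the mark sort first.
Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Get-MotwStatus -File $_ } |
    Sort-Object HasMotW, File |
    Format-Table -AutoSize
```

Rows with HasMotW = False are the files that, per the post, the SmartScreen Filter ignores on run; the FileSystem column shows when the cause is a volume that cannot hold the stream.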
 

Wave

...in the User Space...which folders are that (C:\Users)?
I think he was just differentiating between the protected directories (e.g. Windows folder, Program Files) and the default unprotected folders (such as Documents, Desktop, Pictures) which can be accessed from a non-elevated process. :)

User Space = everything outside 'C:\Windows', 'C:\Program Files', and 'C:\Program Files (x86)' folders. :)
Sorry, I didn't see this response before I replied to @Av Gurus... Oops!
 

Andy Ful

The User Space is adopted from AppGuard:
"User-space refers to the computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block or protect the execution of any programs contained in user-space directories."
 

Wave

The User Space is adopted from AppGuard:
"User-space refers to the computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block or protect the execution of any programs contained in user-space directories."
That explains why I am not familiar with it then, since I normally just explain that term regarding non-admin users accessing non-protected directories as opposed to using the term "User Space" for folders... Thanks :)
 
