Update Run by Smartscreen utility

[Andy Ful]

'Run By Smartscreen' is a very simple idea to run new executable files with SmartScreen check using right click Explorer context menu. It covers in a smart way file execution in the User Space ( = everything outside C:\Windows, C:\Program Files, C:\Program Files (x86)), that is welcome because dropping files to the User Space is not guarded by UAC.

Why the SmartScreen?
The SmartScreen technology is one of the best for fighting 0-day malware files.

Why 'Run By SmartScreen'?
This technology is only half-way adopted in Windows. SmartScreen on the run can check executables with "Mark of the Web", that is attached to files after downloading from the Internet by popular Web Browsers, Windows Store or Windows OneDrive. There are many cases when files do not have "Mark of the Web", and then SmartScreen Filter simply ignore them on the run (see REMARKS).


INSTALLATION

'Run By Smartscreen' works only with Windows 8 and higher versions.
Unzip the RunBySmartscreen.zip - there should be 4 files in unpacked RunBySmartscreen folder: RunBySmartscreen.au3 (source script), RunBySmartScreen(x64).exe (for 64Bit system), RunBySmartScreen(x86).exe (for 32Bit system), and RunBySmartscreenHelp.txt (help file).

For 64Bit OS:
1. Copy RunBySmartScreen(x64).exe to C:\Windows, and then run this file with Administrative Rights ('Run As Administrator' option in Explorer context menu).
2.After that, the 'Run by SmartScreen' option should appear in Explorer context menu. If not, the log out/log on procedure should help.
3. Please do not change the name and the path of RunBySmartScreen(x64).exe - they are hard-coded in the program, and are necessary to its proper functioning.

For 32Bit OS
Do as in the case of 64Bit, but choose RunBySmartScreen(x86).exe

Running one of above executables adds/removes "Run By SmartScreen" option to Explorer context menu. This option forces file execution with SmartScreen check for: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE files, located in the User Space. Files with other extensions will not be allowed to execute. If the file is located in the System Space (inside C:\Windows, C:\Program Files, C:\Program Files (x86)), then it is executed without SmartScreen check.


UNINSTALLATION

For 64 Bit OS
Navigate to RunBySmartScreen(x64).exe in C:\Windows folder, and run this file with Administrative Rights. The message:
"Do you want to have 'Run By SmartScreen' option in Explorer context menu?" will be shown.
Choose NO button to disable it.

For 32Bit OS
Do as in the case of 64Bit, but choose RunBySmartScreen(x86).exe

After that the executable can be deleted.


REMARKS

The SmartScreen Filter in Windows 8+ allows some vectors of infection listed below:

A) You have got the executable file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE) using:
* the downloader or torrent application (EagleGet, utorrent etc.);
* container format file (zip, 7z, arj, rar, etc.);
* CD/DVD/Blue-ray disc;
* CD/DVD/Blue-ray disc image (iso, bin, etc.);
* non NTFS USB storage device (FAT32 pendrive, FAT32 usb disk);
* Memory Card;
so the file does not have the proper Alternate Data Stream attached ('Mark of the Web').

B) You have run the executable file with runas.exe (Microsoft), AdvancedRun (Nirsoft), RunAsSystem.exe (AprelTech.com), etc.


'Run By SmartScreen' covers all vectors of infection listed in the A) point.
Alternatively to "Run By SmartScreen", you may simply upload the file to One Drive (or mailbox) , and download it again. This procedure also activates SmartScreen check automatically.

Registry changes:
HKEY_CLASSES_ROOT\*\shell\Run By SmartScreen\


PROGRAM INFO

'Run By Smartscreen' was coded and compiled with AutoIt v3.3.14.2 (see RunBySmartscreen.au3 source file).
This is the first beta version.
Download files:
GitHub - AndyFul/Run-By-Smartscreen

This post was edited to clarify the installation process, after some Av Gurus notes.

 

[Av Gurus]

...in the User Space...which folders are that (C:\Users)?

 

[_CyberGhosT_]

Make sure to share this over at Wilders too,
if you haven't already

 

[Andy Ful]

...in the User Space...which folders are that (C:\Users)?

User Space = everything outside 'C:\Windows', 'C:\Program Files', and 'C:\Program Files (x86)' folders.

 

[Andy Ful]

Make sure to share this over at Wilders too,
if you haven't already

I'am not a member of Wilderssecurity forum, but I read it every day, and I like it very much.

 

[Av Gurus]

User Space = everything outside 'C:\Windows', 'C:\Program Files', and 'C:\Program Files (x86)' folders.

I installed that but there is no Run Smart Scan in Menu?

 

[Andy Ful]

Did you log out/log on ?

 

[Av Gurus]

Yes

 

[Andy Ful]

Sorry, I have forgotten to write that first run must be with Administrative Rights
Edited. Thanks for pointing it to me.

 

[Av Gurus]

First run of what? - Run by SmartScan or...?

 

[Wave]

...in the User Space...which folders are that (C:\Users)?

I think he was just differentiating between the protected directories (e.g. Windows folder, Program Files) to the default unprotected folders (such as Documents, Desktop, Pictures) which can be accessed from a non-elevated process.

User Space = everything outside 'C:\Windows', 'C:\Program Files', and 'C:\Program Files (x86)' folders.

Sorry, I didn't see this response before I replied to @Av Gurus... Oops!

 

[Andy Ful]

If you have 64Bit Windows, you have to copy RunBySmartscreen(x64).exe to C:\Windows and run this file with 'Run As Administrator'. After that the 'Run By Smartscreen' option should be seen in Explorer context menu.

 

[Andy Ful]

The User Space is adopted from AppGuard:
"User-space refers to the computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block or protect the execution of any programs contained in user-space directories. "

 

[Av Gurus]

Now is working OK.
But, every time i click "Run by SmartScan" I have to choose app to open .exe?

 

[Wave]

The User Space is adopted from AppGuard:
"User-space refers to the computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives. AppGuard will either block or protect the execution of any programs contained in user-space directories. "

That explains why I am not familiar with it then, since I normally just explain that term regarding non-admin users accessing non-protected directories as opposed to using the term "User Space" for folders... Thanks

 

[Andy Ful]

Now is working OK.
But, every time i click "Run by SmartScan" I have to choose app to open .exe?

View attachment 121694 View attachment 121695 View attachment 121696 View attachment 121697

No, it is probably the side effect of running with Administrative Rights. Open Windows Explorer with Medium Rights and try 'Run By Smartscreen' again.
Sorry I misunderstood your post. Please, wait a moment.

 

[Av Gurus]

Some FP on VT...

 

[Andy Ful]

Now is working OK.
But, every time i click "Run by SmartScan" I have to choose app to open .exe?

View attachment 121694 View attachment 121695 View attachment 121696 View attachment 121697

If I understand correctly, You right click HitmanPro_64.exe, choose "Run By SmartScreen", and then the alert is shown: "You need a new app to open this .exe file".
Please check if RunBySmartscreen(x64).exe (or RunBySmartscreen(x86).exe for 32Bit) is copied to C:\Windows ?

 

[Andy Ful]

Some FP on VT...

View attachment 121698

Yes, it is a standard for utilities compiled with AutoIt, especially if they are changing important registry keys.

 

[Av Gurus]

Yes, it's on C:Windows
And HitmanPro is on C:\PortableAPP\HitmanPro