Run KeyView with Reduced Privileges

KeyView, by default, runs as the same user and has the same privileges as the application that calls it. When you run KeyView in-process this cannot be changed. When you run KeyView out-of-process, you can choose to run KVOOP (the out-of-process server) as a different user with reduced privileges. This feature might be useful if your application has to run with elevated privileges, but you want to run KeyView with limited privileges.

To run KVOOP with reduced privileges on Windows

  • Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the username, password, and domain of the user to run KVOOP as. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERWIN.

    This will log on the user and create a window station and desktop for the user. KeyView does not store the credentials passed to fpSetConfig. The KVOOP process will then restart and run as the specified user. Whenever KVOOP is restarted after this, it will start as the specified user, unless the option is disabled or a different user is specified by calling fpSetConfig again.

    NOTE: The main application needs sufficient privileges to start a process as another user. For example, add the user running the main application to the Administrators group, grant the “Replace a process level token” right in addition to the rights that the Administrators group has by default, and run the application with elevated privileges. If your application does not run with these privileges, the call to fpSetConfig will fail.

To run KVOOP with reduced privileges on Linux or macOS

  • Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the user ID and group ID to use for running KVOOP. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERUNIX.

    After the KVOOP process has been created, it changes user and group to those specified by passing uid to setreuid() and gid to setregid(). If the current effective user is root, supplementary group IDs are also removed using setgroups(). Once this completes, the real, effective, and saved user IDs are set to uid, and the real, effective, saved, and supplementary group IDs are all set to gid.

    The KVOOP process then checks that an attacker cannot regain the dropped privileges. KVOOP attempts to change to the root user and group, and then attempts to change back to the original user and group. If either of these attempts succeeds, the KVOOP process terminates immediately.
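The following program is an added example, not KeyView's own code, that carries out the same drop-and-verify sequence the two paragraphs above describe: change group (and, when root, supplementary groups) with setregid() and setgroups(), change user with setreuid(), then confirm that neither root nor the original identity can be regained. The function names drop_privileges, verify_privileges_dropped and demo_drop, and the target uid/gid 65534 used when the program starts as root, are this example's own choices. The group is changed before the user because a process that has already given up root can no longer change its group IDs.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid. Group first (we still have the privilege to
   change it), then supplementary groups if we are root, then the user.
   Returns 0 on success, -1 if any step failed. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Real, effective and saved gid all become gid. */
    if (setregid(gid, gid) != 0) return -1;
    /* Only root may call setgroups(); replace the supplementary list with
       the single target gid so no inherited group membership remains. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    /* Real, effective and saved uid all become uid; when euid leaves 0 the
       kernel also clears the process capabilities. */
    if (setreuid(uid, uid) != 0) return -1;
    return 0;
}

/* Post-drop check in the spirit of KVOOP's: try to become root, then try to
   become the original user and group again. Returns 1 when every attempt
   fails (privileges are confirmed dropped) and 0 when any attempt succeeds,
   in which case the caller should terminate. The "original identity" tests
   are skipped when the original and current ids are the same, because that
   change is trivially allowed and proves nothing. */
int verify_privileges_dropped(uid_t orig_uid, gid_t orig_gid) {
    if (setregid(0, 0) == 0) return 0;
    if (setreuid(0, 0) == 0) return 0;
    if (orig_gid != getgid() && setregid(orig_gid, orig_gid) == 0) return 0;
    if (orig_uid != getuid() && setreuid(orig_uid, orig_uid) == 0) return 0;
    return 1;
}

/* Constructed scenario: when started as root, drop to uid/gid 65534 (the
   conventional "nobody" ids; setreuid does not require the account to
   exist). When started unprivileged there is nothing to drop, so the target
   is our own identity and only the "cannot become root" half is exercised.
   Returns verify_privileges_dropped()'s result, or -1 if the drop failed. */
int demo_drop(void) {
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();
    uid_t target_uid = (orig_uid == 0) ? (uid_t)65534 : orig_uid;
    gid_t target_gid = (orig_uid == 0) ? (gid_t)65534 : orig_gid;

    if (drop_privileges(target_uid, target_gid) != 0) return -1;
    return verify_privileges_dropped(orig_uid, orig_gid);
}

int main(void) {
    int ok = demo_drop();
    printf("now running as uid=%u gid=%u, privileges dropped: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           ok == 1 ? "yes" : "NO");
    /* Mirror KVOOP: if privileges could be regained, stop immediately. */
    if (ok != 1) exit(EXIT_FAILURE);
    return 0;
}
```

Run it once as an ordinary user and once as root to see both paths; in the root case the process ends as uid 65534 and every attempt to return to uid 0 fails with EPERM.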