
What privs does EQ actually require to run?



bonkersbobcat
11-05-2002, 10:33 PM
Under XP I have observed that EQ does not run as a regular user account. It does run as an administrative account.

Does anybody know why this is or exactly what specific privileges EQ needs to run?

I ask this because getting EQ to run as a non or limited privileged account goes a long way to preventing EQ from detecting any key sniffing activities.

MisterSpock
11-06-2002, 08:43 AM
People on chat last night were saying to install it as a non-admin user and it should work, as long as that user has sufficient permissions to do the install.

I did not have time to verify this.

I did some experiments last night with a user account. No matter what I did, it would not get past the password screen unless the account was a member of the local administrators group. I gave my test account full control to the root of the C: drive, AND gave them user rights (rights, not permissions) the same as the administrators group. No good. It is perhaps checking to make sure that the user is a member of the local admins group. I'm going to look into it further, as I dislike the idea of running the thing as admin...

LordCrush
11-06-2002, 09:12 AM
From EQ-Live tech forum ... have not completely read it and not tested ...

Have fun :D



Your problem is your security permissions, and you do not in fact need to give people admin privileges (or access to the admin account) to be able to play EQ, what you DO need to do is fix the permissions from the default way they were assigned to the folder.
Now, your installation folder itself may differ, but what you want to do is browse with explorer to the Everquest folder (the folder with eqgame.exe and all the other files in it). On some systems, this is C:\Program Files\Everquest, on others it is C:\Program Files\Sony\EverQuest Trilogy\ , etc. You get the idea, go find that folder. You don't want to go INTO the folder with the files, you just want to see it listed.

Right click the EQ folder, and select Properties.
Click on the Security tab.
In the top box, you see a listing of current accounts with security settings on the object (in this case, your EQ directory). These can be group OR user names.
Click on the Users group.
In the bottom pane, listed as Permissions for Users, you now see the permissions allowed to people in the "Users" group on your system. By default, as far as I know on any default XP install, the permissions will be set to Read & Execute, List Folder Contents, and Read.

This will NOT allow you to patch EQ, modify ini settings (such as saving settings in game), etc.

Another thing you will notice, is the permission boxes are probably grayed out, with checks in them. This means the properties are "inherited" from the parent.

Now, to fix it so members you put in the Users group (with your user/group manager snapin in control panel and/or administrative tools), you would do this from that Security tab:

Click on Users group in top, now at the bottom, click on Advanced button.
In the window that comes up, you will be on the Permissions tab. You should in the pane see it say like Allow/Users/Read & Execute.

The FIRST thing you should do, is in the bottom part of the window, DESELECT (turn the checkbox off) for Inherit from parent .....
When you click this, a window will pop up asking you to copy parent permissions, remove current permissions to previous default, or cancel. SELECT COPY.
Next! SELECT (turn the checkbox ON) for the option Replace permission entries on all child objects....
Now, with the top box "Users" line still selected, click the Edit... button.
In the window that comes up for your "Permission Entry for xxxx", where xxxx is the name of the folder you are changing permissions for (for example, EverQuest), change the permissions to include at least these (turn the checkbox on):
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Read Permissions

That's all you need. In the bottom of this window, make sure you DO NOT select the option to "Apply these permissions to objects and/or containers within this container only".

Now, click the OK button.

Now back in your "Advanced Security for xxx" window, in the edit box you should see it saying Allow Users Special, <not inherited>, and the "Apply to" column should list it as "This folder, subfolders and files"

Now click on the OK button at the bottom of this window. A warning box will come up telling you that 1) this will remove any defined permissions on child objects (you want this to happen), and 2) enable propagation of inheritable permissions to those child objects (a fancy way of saying, files & subfolders of this folder will have the same permissions as those you just chose for THIS folder). It further informs you that ONLY permissions from the current folder you were modifying security settings for, will be so propagated (again, this is fine).

In other words, where it asks "Do you wish to continue?", click the Yes button.

A little window should pop up showing it changing all the settings of each file in the eq folder, and subfolders, and it'll show each file really fast making it basically a pretty, but useless, information window.

Once done with that, you will be back in the "Properties" window for the EQ folder. When you NOW select Users in the top box, and look at permissions in the bottom box, they should NOT be grayed out, and it SHOULD list the following permissions as turned on (allow, or checked):
Read & Execute
List Folder Contents
Read
Write
Special Permissions (this one is checked, but grayed out)

Now click the OK button at the bottom.

Congratulations, you just gave permission for any user account on your system, who is a member of the "Users" group, to run EQ, modify the EQ files (patch, log, save settings).

You also gave them permission to delete the whole thing, but that's the way it goes, if you want it to work completely for them.

This only allows such permissions on the everquest directory (and its files, and sub-directories) however, so at least you're not giving away admin access (i.e., full system access & control).

This may seem like a lot to do, but it's not really that difficult if you are at all familiar with dialog & edit boxes within windows.

And finally, since we set the main eq folder to make its children inherit its permissions, then any NEW file downloaded by the patcher, or created by the game, or even copied by you into the directory (such as you adding a new UI folder & files), will get these new permissions by default, making it basically maintenance free for you from now on.

Ok, I said finally, but actually one more comment. If you have your OWN group you created, or have put them in some other group (such as Power Users), then just use the above instructions to modify it for that group instead of the "Users" group. You can even set permissions by user name, but IMHO, that's a tad tedious.

Good luck, and any issues post back here and we can help ya out.
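
The Security-tab procedure quoted in the post above, scripted in PowerShell as an added example (not part of the original thread or of the quoted EQ-Live post). `$Folder` defaults to one of the install paths the post names; the `-Identity` parameter and the use of `icacls` for the child reset are assumptions of this example, which targets a current Windows release and must run elevated.

```powershell
# Added example: scripted form of the Security-tab steps quoted above. Run elevated.
param(
    # One of the install paths named in the post; adjust to your system.
    [string]$Folder = 'C:\Program Files\Everquest',
    # Assumption: BUILTIN\Users by well-known SID; a group name such as
    # 'Power Users' or a group of your own also works.
    [string]$Identity = 'S-1-5-32-545'
)
$ErrorActionPreference = 'Stop'

$principal = if ($Identity -match '^S-1-') {
    [System.Security.Principal.SecurityIdentifier]::new($Identity)
} else {
    [System.Security.Principal.NTAccount]::new($Identity)
}

# The ten special permissions listed in the post, as FileSystemRights flags.
$rights = [System.Security.AccessControl.FileSystemRights](
    'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes, ' +
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, ReadPermissions')

# Step 1: uncheck "Inherit from parent" and choose Copy, so the entries that
# were inherited are kept as explicit ones.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Step 2: add the allow entry, scope "This folder, subfolders and files".
$acl  = Get-Acl -LiteralPath $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Step 3: "Replace permission entries on all child objects": reset every child
# to inherited-only ACLs so it picks up the folder's new entries.
& icacls.exe (Join-Path $Folder '*') /reset /T /C /Q | Out-Null

# Show the result; expect an explicit (IsInherited = False) entry for $Identity.
(Get-Acl -LiteralPath $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

Any account covered by this entry can replace `eqgame.exe`, so a later launch by an administrator runs whatever that account put there; a dedicated group, as the post's closing paragraph suggests, keeps that set of accounts small.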

MisterSpock
11-06-2002, 09:30 AM
This doesn't work on xp... It drops back to the desktop just like every other security combo I've tried.

Have not tried on 2k yet, but I expect similar results.

Yueh
11-06-2002, 11:17 AM
If you are running XP Home edition you don't have full access to file permissions unless.... You boot into safe mode. At that point you have full access to the permissions from Windows Explorer.

As always, I could be completely missing the point, if so, be gentle :)

drwoo
11-06-2002, 01:07 PM
i have win xp pro, and i followed the instructions step by step and it didn't let me play eq, i even went as far as giving FULL access and it still won't let me play eq crashed at password screen
if anyone comes up with a way to fix this don't hesitate to let us know

RavenCT
11-06-2002, 02:05 PM
Hmmm... Now I'm going to have to go home and start playing with this...

I don't see any reason why Sony (formerly VI) would NEED to run as a local Admin... The whole point of having the local Administrator and Users is to prevent the "Gumby" end user from completely screwing up a machine... by like, say installing a game? Or having a game or "utility" install some sort of low level app, etc...

Also, I don't remember anything on the box stating that it needed (under Windows 2000) to run as a local Admin.

AND if they recommend that you change your security on your machine, that I don't like either.

"Something's rotten in Denmark"

SEQLurker
11-06-2002, 02:46 PM
I don't know if this means anything to anyone, but there's a debug.txt file in the eq dir, and when run as admin, I get:

SisaOpenComms rdp_create beginSisaOpenComms rdp_create endSisaOpenComms rdp_create success

But when run as a normal user (with full rights to the eq dir), I get:
SisaOpenComms rdp_create beginSisaOpenComms rdp_create endSisaOpenComms rdp_create failed

Makes me think it might be insufficient rights to do some sort of network call or something, but I'm not quite sure where to go from here.

Edit: Oh, and to make absolutely sure it wasn't a file rights issue, I completely uninstalled eq and then reinstalled it as the normal user. Unless I have some really funky rights somewhere, it oughta be able to read anything it wrote.

The Mad Poet
11-06-2002, 05:52 PM
Try giving your user "use this computer from the network" (sic) rights - this is done on the user itself.

a_necro00
11-06-2002, 06:02 PM
Yueh

If EQ runs in XP Home as non-administrator, then how they COULD have access to read other processes memory, and catch our sniffers using that approach?

Correct me if I am wrong, but ReadProcessMemory will fail if you are not allowed, doesn't it?

I am running it at XP Home, and I think that if you are a member of the Power User Group your programs have the rights to do that inherited from the standard Policy.

drwoo
11-07-2002, 01:54 AM
mad are you talking about in the local security settings/local policies/User Rights Assignment/


Policy
Access this computer from the network

Security Setting
Has users, and i added the user i wanted in there to make sure




that didn't work for me, but you could be talking about something completely different, i am pretty ignorant when it comes to nt/2000/xp

LordCrush
11-07-2002, 04:09 AM
Besides any guesses how to accomplish this - *HAS* anybody got this running on XP (preferably Prof) with user rights, not admin?

Gjeret
11-07-2002, 09:42 AM
I have tried for about 2 hours last night...

Using Runas from the dos prompt, creating .bat files to pull up the game, logging into an "everquest" user, right clicking on Everquest.exe to Runas from there

(now that I think about it... my main account is an AD account, and the everquest account is a Local Machine account.... not that it should make a difference but something more for me to try)

Most of the time under the Everquest account I would error out at the Patcher when it was trying to update some .png file (sorry, at work, don't remember the error right now).

Once, from the Right-click/Runas I once got the patcher screen working when I connected, It looked like Explorer crapped out!, Background was fine, but I didn't see anything else (ctl-alt-del, killed explorer, brought it back up, all is good)

The everquest account always stayed in the "users" or "Guest" group although I have given the sony directory Full rights (and less....)


Under my Admin account, runs just fine....

This doesn't bode well......



-Gj-

xsiris
11-07-2002, 02:53 PM
I also tried getting it to work for about 2 hours yesterday.
Tried everything I could think of (RegMon, FileMon, Full file and Registry Auditing, Grant all non-system special rights) without getting it to work.
The only way I got the new user past the logon screen was by making him a member of the Administrators group.
Another interesting note is that removing my 'normal' EQ user from the admin group stopped him from going past the logon screen too.
This is the account used to originally install EQ.

MisterSpock
11-07-2002, 04:27 PM
I'm 100% sure that it is not related to file/directory permissions. I gave my test user (non admin) full control to the root of the drive, and no go. I also ran filemon, and there were no failures related to access.

It is also not related to system rights (covered in the local security policy application). I added my user directly to each user right conveyed to the admins group. No go.

My next theory is to look to see if it makes registry calls to keys that only admins can access. From disassembly, I know that it makes registry calls -- just don't know to where.

Of course, it could simply be doing an "if member of" style lookup for the Administrators group. If so, I doubt that it is to catch keysniffers and the like. More than likely, they didn't want the support headaches of setting up rights and permissions for all the users out there who muck up their settings. "Run it as admin" is a nice easy way to ensure that permissions, etc, don't get in the way.

The Mad Poet
11-07-2002, 04:42 PM
I have a little utility for XP that will monitor what registry keys are changed when a program is run - if you want it let me know and I'll post it (it is a binary however I have no source for it).

I don't have EQ on XP atm - I might have to remedy that soon - you *can* change the permissions on registry keys - we had to do that for 'normal' users for them to run citrix on XP.

:)

Let me know if you want the file...

LordCrush
11-07-2002, 05:15 PM
Monitors

Regmon
Filemon

www.sysinternals.com

Apimon

MS - don't remember the URL ... searching my bookmarks (/em perhaps i should have more order in here :p )

...

Gjeret
11-07-2002, 06:58 PM
Lord Crush... Thanks for the link!

The File Monitor is gonna keep me busy for a LONG time :)

Right now all I want to know is why:

Why is Everquest.exe looking at my Temp Internet files and Cookies!?!?!

Are they snooping what I'm doing on the net?

Ooo... It's also reading my Autoexec.bat.........

..... Don't think I'll be leveling tonight.....

-Gj-

RavenCT
11-07-2002, 08:39 PM
Well, I just did my thing to try and figure out what permissions are needed...

As far as I can tell, EQ needs Admin Privs for whatever reason. Power Users isn't even good enough. I even tried granting the account the permissions to lock pages in memory and that didn't work.

Without admin, each time I ran it, it crashed to the desktop after entering my account info, and I have to actually power off the machine each time.

Anyone else have any better luck than I did?

Oh, I'm running XP Pro, SP1

LordCrush
11-08-2002, 03:01 AM
I think they don't really need it - they just check if the user is in the admin grp.
if not, crash to desktop ... perhaps anyone with disassm skill better than mine (-1 ;) ) can prove this thought ...

RavenCT
11-08-2002, 07:58 AM
/random thoughts on

I'm just thinking, as an MCSE, what right do they have to "scan" the "Administrator" group on a local machine? This is a game after all, and what the hell do they need to do to know what security level the logged in account is at?

What is to stop them from scanning something at the "Domain" level if the machine was attached to (say) a corporate LAN? This to me seems like something they 1) shouldn't do and 2) have absolutely no need to do.

They don't need this kind of permission since they're using DirectX for all the multimedia work. The ONLY reason (and I can't prove this either way at the moment since I'm at work) MIGHT (and I stress the might) be is if they were changing the priority on the eqgame.exe while its running to give it more CPU time (i.e. trying to make the game faster).

/random thoughts off

who_me_use_seq
11-08-2002, 08:32 AM
LOL,

What I see happening here is that Sony has forced a group of relatively contented Linux hacks to start asking questions about the internal operations of Winblows, an operating system that they otherwise would not waste their time on.

I wonder if they will be happy with the results after the crew here gets done picking and prodding at how their product runs on Microsloths virus....er operating system?

The Mad Poet
11-08-2002, 11:18 AM
No the issue here is that the code is not set to run with windows NT security permissions.

Most API's are setup so that you can code for old windows (no security) or pass security info to the API - if you try to use some of these calls without security you will get a program that will not run correctly.

Which is what we are seeing here - this is a bug in the EQ game code and how it calls the API's - that's the underlying problem.

The Mad Poet
11-08-2002, 11:20 AM
Has anyone tried running the program in compatibility mode?

right click the .exe - choose compatibility and then make the game think it's running on a 98/2000 box - see if that helps.

n00b_123
11-08-2002, 11:48 AM
Ok, please don't slam me here, this is my first post.

<ooh and aah>
First off let me say that I think all of you who design and contribute to this project are geniuses. I have been using this tool for a few years now and it blows my mind that you guys have been able to do so much so quickly when new hurdles are thrown at us.
</ooh and ahh>

<disclaimer>
I have no idea what I'm talking about here, so please, be gentle
</disclaimer>

<question1>
Is there some way to design a memory driver that would load eq, or some portion of eq, into the driver's space or a vm inside its own vm, make eq think it had administrator privileges without actually granting it (optional), and have the memory driver itself report the key, without alerting eq that its memory had ever been read?

or is that what's already been going on?
</question1>

<question2>
Same scenario as above, but swap out the necessary memory block of eq to disk, using virtual memory, then have a second driver or app read it from disk, so all EQ sees is that it had a portion of itself swapped to disk?
</question2>

Now understandably, these approaches would most likely have to be modified every time Sony put out a new version of eqgame, the same way seq has needed modification every time the key or key scheme changed.

Once again, please be gentle. I know more about this than I'm capable of fully processing already...

LordCrush
11-08-2002, 01:21 PM
Hmm i cannot oversee the possibilities and/or chances that are in your thoughts ... i am not a programmer, but i think the most important thing here is to know *why* EQ needs the admin-mode

is it only hardcoded in the exe that you need to be member of the admin grp or are there some rights needed and if that is true what rights are needed.

Can we give those rights without granting admin ... ?

mudtoe
11-10-2002, 11:30 AM
I have a bit of windows experience and can give you something to look at. If you are running WinXP Pro or Win2K which don't have the security permissions crippled (like WinXP Home) you can create an Audit group to see what the program is using.

In order to do this you need to create a new group (I call mine Audit). Then you need to add the audit flag to the files and registry settings you want to audit. For the files you do this from explorer in a similar manner to changing permission. Add group "Audit" to the auditing list (via the advanced tab on the securities properties in WinXP Pro). Do this from the root directory and force it to be propagated to all child objects on the drive. Do this on every drive you want to audit. To audit registry accesses you need to set the same audit rules on the root hives (Hkey_local_machine, Hkey_Hardware, etc.). You do this by running regedit, right clicking on the hive and selecting permissions, and then clicking advanced. You will get a dialog that looks just like the one for the files. Again, put the group Audit in and select both successes and failures to audit. Also force this change to be propagated to all child objects and replace all child objects. Make sure not to mess with the actual permissions though, just the auditing.

Once you are done with that go into the user manager and add the group Audit to the userid you are running EQ from. From that point on every file or registry access that EQ makes will be put in the event log under the security tab. Note that you will see a lot of garbage in there, especially when the userid logs on. Someone earlier in the post made reference to seeing accesses to the temp directory, cookies, etc., and this may be a result of the userid logging on as opposed to something EQ did directly. However, if you compare what it looks like when running EQ with an administrator enabled ID versus where it stops when running with a non-administrator ID you may find out why, assuming it's a file or registry access, as opposed to using an API call that's restricted to administrators only.

One last thing you can also try auditing, but note that these are on a global scale, not a per userid or group, are some global objects. Go to control panel, administrative tools, local security policy, audit policy. You will see things like audit logon events, audit object access, etc. Turn on "failure" audit for all of these things. Don't turn on success audit for things like object access, privilege use, as you may flood the event log and bog down the system if you do. It's ok to turn on success audits for low volume things like logon events, account mgt events, or policy changes if you wish. I'm not sure what's generated by the "process tracking" audit. I've got failure audit turned on in my system and never seen an entry. I'm a bit leery of turning on success for it as I'm concerned it may bring the system to its knees. Try that if you are braver than me.

Good luck!

Mudtoe
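
The audit-group procedure from the post above, scoped to one folder and one registry key, as an added PowerShell example (not from the original thread). The test account `eqtest`, the narrower `HKLM:\SOFTWARE` scope, the English `auditpol` subcategory names and event ID 4656 on current Windows releases are assumptions; XP-era systems log different event IDs.

```powershell
# Added example: the audit-group technique described in the post. Run elevated.
param(
    [string]$Folder    = 'C:\Program Files\Everquest',  # install path named earlier in the thread
    [string]$RegKey    = 'HKLM:\SOFTWARE',              # assumption: narrower than a whole hive
    [string]$TestUser  = 'eqtest',                      # hypothetical non-admin local account
    [string]$GroupName = 'Audit',                       # group name used in the post
    [switch]$Report                                     # list failures instead of arming auditing
)
$ErrorActionPreference = 'Stop'

if ($Report) {
    # Denied handle requests by the test account during the last 30 minutes.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = 4503599627370496          # "Audit Failure" keyword
        StartTime = (Get-Date).AddMinutes(-30)
    } | ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = $data['SubjectUserName']
            Process = $data['ProcessName']
            Type    = $data['ObjectType']     # File or Key
            Object  = $data['ObjectName']
        }
    } | Where-Object { $_.User -eq $TestUser } | Sort-Object Time
    return
}

# 1. Create the marker group and put the test account in it. The account must
#    log off and on again before its token carries the new group.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Object access is audited' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $GroupName -Member $TestUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $GroupName -Member $TestUser
}

# 2. Add audit (SACL) entries for the group; no access entry is added or removed.
$fsAcl = Get-Acl -LiteralPath $Folder -Audit
$fsAcl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    $GroupName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'))
Set-Acl -LiteralPath $Folder -AclObject $fsAcl

$regAcl = Get-Acl -Path $RegKey -Audit
$regAcl.AddAuditRule([System.Security.AccessControl.RegistryAuditRule]::new(
    $GroupName, 'FullControl', 'ContainerInherit', 'None', 'Success, Failure'))
Set-Acl -Path $RegKey -AclObject $regAcl

# 3. Failure auditing only, as the post advises, so the Security log is not flooded.
foreach ($sub in 'File System', 'Registry', 'Handle Manipulation') {
    & auditpol.exe "/subcategory:$sub" /set /failure:enable | Out-Null
}
```

Run it once to arm auditing, reproduce the failure as the test account, then run it again with `-Report`; an empty report points away from file and registry access and toward an administrator-only API call, the other possibility the post names.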

LordCrush
11-10-2002, 01:41 PM
Good idea - I'll try :)

Aurelius
11-13-2002, 08:14 AM
Just a polite bump to LordCrush. ))

Just wondering if you had any success or have had the time to play with this anymore?

Keep on keepin on

LordCrush
11-13-2002, 08:51 AM
I am on this topic, but have not much time this week...
I will not be able to do anything till next Tuesday or Wednesday

suseuser7341
11-14-2002, 08:24 AM
I run filemon myself and found that the calls to these directories do not read data, but rather indexing like calls. Since you can not conclude from the seek to the content it is unlikely that they are actually caused by EQ to spy on us.

They are highly correlated with the minipatcher for the real patcher, so my guess is that the small window looking for patcher updates uses some IE API calls, which in turn do regular checks of the IE cache, etc.