Going Deep

Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Description

If you write code on Windows or like to know what goes on under the hood in Windows, then you've no doubt heard of Mark Russinovich. He's an OS kernel expert and a co-founder of Winternals, a company that produced must-have operating system and development utilities for Windows (Winternals is now a Microsoft subsidiary, as we purchased them in July 2006. Yay!).

Mark is now a Technical Fellow in Windows and is a member of the Windows Core Architecture team (you met some of the other big brains on the CoreArch team last year).

Here we talk frankly about Mark's history, his coming to Microsoft, Windows security, what the CoreArch team does, what his role is, etc. Tune in.

    The Discussion

    • jhu
      Great interview! Mark, you're my hero!
    • TimP

      Great interview so far (still watching). Any reason it was cut at around 31:02?

    • Charles
      Yes. I made a few edits in this video. I know it's rare for me to do this, but in this case I had to.

      C

      EDIT: I am a terrible editor. Jeez... I'm not sure why I made the first chop where I did. Oh well. So it goes.
    • danielhyam
      Good interview. Vista internals, system calls and UAC explained well.
      Awesome.
    • TimP

      After watching the whole thing, I have to agree with the other comments that this is a fantastic video. Mark explains everything crystal clear. I really liked the explanation of the different user roles.

    • Charles
      I remember now. At 31-something in the interview I made a rude comment about Apple relating to their ads which target Vista UAC in a Matrix kind of way and felt it appropriate to remove it.

      Mark's lessons on Vista's fundamental security model were much more interesting.

      C
    • Richard1975
      Charles,

      Just my 2 cents worth.

      One of the best interviews you have done.

      Good work.

    • Xaero_Vincent
      Good interview.

      Mark described a lot of complicated stuff in human language.
    • kettch
      Charles wrote:
      Mark's lessons on Vista's fundamental security model were much more interesting.


      Indeed.

      However, you made my head spin trying to think about how a system could be architected that would do away with the admin/standard user concept. It's a very easy thing to say, but practically turns computer science on its head.

      I totally understand why you guys didn't use the name of the idiot company that tried to rootkit everybody, but that was really when I got into reading Mark's blog. He's a good writer, and it was like reading some sort of techno-thriller mystery.
    • tomkirbygreen
      Great interview Mark. Like everyone here I owe you a huge debt of thanks. Sysinternals tools have been invaluable over the years in helping me both with my personal software development and at my work. The Windows world would be much the poorer without you!
    • someone

      Pls pls pls do more interviews with Mark.

    • littleguru
      This was a great interview.
    • AthemeX

      Really great interview, Mark is really great too.

      Thanks for the video.

    • RichardRudek
      Yeah, the first edit-point does break the thought, so here's a filler for you...

      I wrote a short (colourful) article (many years ago) that talked about being aware of unexpected behaviours, which I think is relevant to this topic of UAC spoofing. The article I wrote was specifically about floppy-based virus infections, and how, through the discipline of keeping the write-protect tabs in place at all times (yes, 5.25" floppies), I was able to detect suspicious behaviours, like the floppy being accessed at (repeatedly) inappropriate times.

      By familiarising myself with what were expected behaviours, awareness of any unexpected ones [1] would trigger an investigation, checking for viruses, etc.

      So in the case of UAC spoofing (without the Secure Attention Sequence - Ctrl-Alt-Del), if you see more than one elevation request, be suspicious!

      Do I think that's a sustainable practice, having to train users into what are expected and unexpected behaviours? No, but until UAC is nailed down and "hardened", so that it does become a (first-class) security boundary, then you are stuck with having to re-live (some of) the past...

      [1] Because one of the aims of a virus (at that time) was to spread itself via floppies, a virus would repeatedly attempt to write itself to the floppy until it finally succeeded. In some cases, however, the virus would continue to (regularly) check, even though it had successfully written itself to (infected) a floppy. Given that the floppy drives were quite noisy, it wasn't difficult to notice.

    • unforgiver
      I think this is a good video. But the question is - why is there a cut at minute 31? Did he say too much there? Can we see a "director's cut" version of this video? Second question is: If the debugger knows where the exes and dlls reside, what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?
    • Charles
      unforgiver wrote:
      I think this is a good video. But the question is - why is there a cut at minute 31? Did he say too much there? Can we see a "director's cut" version of this video? Second question is: If the debugger knows where the exes and dlls reside, what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?


      As I said above, I made a stupid comment about Apple and I did not want to release it to the public. It has nothing to do with the interview and its removal does not impact content quality.

      The next time the debugger runs (assuming a reboot happens beforehand), the dlls and exe it was attached to will not be located in the same memory locations. That's the point of the defense mechanism. If a hacker is on your machine running a debugger, then she probably won't be on your machine running a debugger...
    • staceyw

      Thanks Mark and Charles. In the Vista context, are there any changes/improvements/APIs for Services that need to impersonate users (i.e. job scheduler, etc)? Or do you still need to use the LogonUser API with a stored/encrypted password? It would seem, if you're admin, you should be able to impersonate a user without a password (and maybe just an audit entry to show you did). Or maybe even a policy to allow the admin impersonate right only from a service or something. tia

    • Mark Russinovich

      Passwords are still required to log on user accounts. While it's technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.

      Thanks for the nice feedback, everyone. Glad you enjoyed the interview.

    • staceyw
      Mark Russinovich wrote:
      Passwords are still required to log on user accounts. While it's technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.

      Thanks for the nice feedback, everyone. Glad you enjoyed the interview

      Thanks for the info Mark, that helps. Hope to see more and nice work on the 3 TechNet articles! Cheers.

    • karnokd
      The UAC is indeed a big leap forward. But I understand 'her' issues as well. Apart from the user experience of clicking many times on 'Do you accept...' dialog boxes, I would feel much safer when running an installer if there were much finer-grained acceptance rules. For example: an extra warning if the installer wants to add a service or kernel mode component - not just a complete-or-none elevation.

      Anyway, thanks for the SysInternals!
    • AJenbo
      I think Apple forgot that they too prompt for admin access and have all the system settings littered with these little lock icons you have to lock and unlock when they made that ad where they make fun of UAC; at least in Windows you don't have to type in your username and password to change settings.
    • pdhot

      Mark Russinovich might be the best mind at Microsoft. Clear spoken, he makes even the most complicated topics somewhat understandable to the rest of us. I would give up my next child to spend some time with him (that's a figure of speech).

      PsTools, Filemon, and Regmon not only simplified my life, but gave some insight into what my network was really all about.

      We need more of this guy on channel 9, he is the great communicator of the IT world!!!

      Thanks for having him.

    • Lofote
      Quote:
      I totally understand why you guys didn't use the name of the idiot company (sony) that tried to rootkit everybody, but that was really when I got into reading Mark's blog


      Oh my god, there are still people out there, who can't see the difference between "Sony" and "Sony BMG"? I mean, you do realize there are a few more letters behind that first word, even capitalized??
    • mbluett
      With regard to a virus and the ASLR mechanism:  Wouldn't it be possible for a virus to try each of the 256 locations looking for the function address it requires?

      Also, with regard to the UAC, many users of Vista will not understand what the UAC message is actually attempting to convey and in some cases they will just click Continue. Do you have any words of wisdom as to how to instruct these people how to handle the UAC events given this lack of understanding?
    • vedala
      Mark, please, could you give us the list of books sitting behind you?
      I could figure out only a few.

      Cheers.
    • Jim Carr

      Mark is king of the kernel

    • nkav_au
      Can anyone else make out the names of the books on Mark's bookshelf? The one on the far right is the O'Reilly Active Directory book.

      Great interview! More Mark on channel9!
    • SoakinItIn
      Great interview. More of why Mark is a fill-the-room-to-capacity draw at TechEd and other events... Regarding "made a rude comment about Apple relating to their ads which target Vista UAC in a Matrix kind of way and felt it appropriate to remove it" -- bush league. If you can't not do that, bail out. Apple kicks MS (I need to watch my language) in a lot of areas and smarmy doesn't cut it as a "comeback". Quality products DO make a great comeback. Make more of those. Hire more quality people like Mark. That's a key!!! And quit worrying about when MS "loses" to a competitor. Go get better, don't whine about it...
    • jinx4848

      With regard to ~19:00 of the video and the discussion about the *Setup|Install*.exe heuristic:

      Didn't Mark miss an important point about the finding?

      The claim was that any file with setup or install in it would automatically be given admin privileges which is a security risk, and Mark's rebuttal is that it's not a security risk because "99.9%" of those files are indeed installers.

      But the problem isn't with the executables that *are* installers, they never had security issues to worry about in the first place. The problem is with executables that are *not* installers and pose as one to get free admin rights. Is there anything else guarding an application from exploiting that? If not, then how is that a secure heuristic? I'm confused as to how Mark missed that, and I hope it's because it's something that I missed in my understanding of the issue.

    • ahmed_baluch2001

      I want to know how to secure clusters and bad sectors on a hard drive, because bad clusters and bad sectors take up a lot of the hard drive's free space and those sectors and clusters can't be read. :) :O

    • blad3runn69
      This man is a genius, and a very eloquent speaker. I could sit on the porch & drink that shiraz? on the desk (hehe) & listen & learn all night. Thank you for sharing your wisdom. Standing on the shoulders of giants.
    • dandare934
      Excellent video. Now I know where Ross went after Friends!
    • nvictor
      Great talk!

      Man I also like that green shirt, mind if I ask what it is?
    • Griddle

      What an interview it was!

      I second the positive comments here about the great video, and Mark Russinovich is awesome indeed.
