A: You need a flavour of Windows NT for the i386 platform. This could be NT 3.51, NT4, Windows 2000, Windows XP, Windows 2003 Server or one of the betas for Windows Longhorn. However, I never tested it on Windows XP Home Edition, so if you want to volunteer, let me know about your experiences. You cannot run it on Windows 9x/ME because there is no need to have such an application on 9x/ME, where there is no built-in security anyway. It also simply refuses to install on Windows 9x/ME so just don't waste your time with 9x/ME and SUperior SU. I also have no idea yet, how SUperior SU runs on a 64-bit Windows XP platform. Again, I would be grateful for someone volunteering and trying the latest version of SUperior SU on a 64-bit platform.

Q: Does SUperior SU run on Windows Vista?

A: No, there is no specific support for Windows Vista. The latest Version that SUperior SU has been tested for was the Beta 4051 of Longhorn, which was a quire early beta.

Q: Can we expect a Vista-capable version of SUperior SU any time soon?

A: No, I currently do not have any such plans. Besides, I currently do not have the time for that.

Q: I have installed SUPerior SU on Windows Vista and now it refuses to uninstall, what should i do now, is my Vista installation toast?

A: Start an elevated command prompt, next stop the SUPerior SU service by typing net stop superior. Now cd in that command prompt to the SUperior SU installation directory, and type susrvc.exe -remove. Start regedit.exe and delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUperior SU. Kill all running swtchsvc.exe instances using Task Manager. Next delete the SUperior SU installation directory and the file supsu.cpl in the Windows system32 directory.

Q: What is the difference between Windows XP Fast User Switching and SUperior SU's desktop switcher? Do I need the SUperior SU desktop switcher if I have Windows XP Fast User Switching?

A: From a purely technical point of view, Fast User Switching (FUS) is preferrable to SUperior SU's desktop switcher because FUS uses a much stricter division of logon sessions than the SUperior SU Desktop Switcher. However, FUS cannot be used in a domain environment while SUperior SU works very well in a domain environment. Additionally, FUS is not as fast and convenient as the SUperior SU desktop switcher is and it needs much more resources. Actually, FUS is not really "Fast" in comparison to SUperior SU because each time you switch the logon session you have to provide a user name and password pair. In contrast, with the SUperior SU Desktop Switcher you only have to provide username and passwords when switching to desktops you created as "password protected desktops". FUS uses Terminal Services technology and creates a so-called interactive "session" for each user. SUperior SU's desktop switcher uses an existing session and creates desktops for individual users within that session. So it is even perfectly possible to have multiple desktops provided by SUperior SU within one FUS-session.

Q: My favorite application xyz (MS Outlook,..) refuses to start in a secondary desktop if it has already been started on another desktop. What can I do?

A: All you can do currently is to wait. This is a problem that is on the agenda for the next release of SUperior SU. Oh, and please let me know what the name of this application is so I can make tests.

Q: When I start a secondary desktop, all of a sudden my CPU load is 100%. What the hell is SUperior SU doing?

A: Chill. There are, unfortunately, a few programs out there that really behave badly when running on an interactive desktop other than the default desktop. One such example on a machine of mine is an anti-virus tool application that lives in the system tray. Another one is an application on my notebook computer that starts my web browser or my email client when pressing one of the knobs on the notebook's case. Both of them start to run as soon as a user logs in so they are also always started when a new desktop for another user gets started. In order to prevent such an application from running on a secondary desktop you could either kill this application each time you start a new desktop, using the task manager, or you could run the SUperior SU Anti-CPU-Hog from the SUperior SU Administration start menu entry. If you know the name of the application that behaves weird, identify it in the list this wizard provides to you and disable its start for secondary logons. Then the next time you start a new desktop, this ill-behaving application will not be started. Needless to say, that the settings you make via the SUperior SU Anti-CPU-Hog Wizard won't affect the application's start on the default desktop (the primary desktop) which is started when you log in in to your computer initially.

A: The behaviour of task-manager start from Ctrl-Alt-Del is hardwired into windows. A remedy comes with version 2 of SUperior SU: Start the SUperior SU control panel applet and choose the second tab, labeled "Desktop switcher". Tick the check box labeled "Smart Task Manager invocation on secondary desktops". From now on, task manager should be created for you from Ctrl-Alt-Del.
An alternative is: Get used to the standard Ctrl-Shift-Esc hotkey! This also starts the task manager and works on all desktops even without the aforementioned setting for SUperior SU.

Q: Are there plans to enhance SUperior SU with functionality I know from NetExec, such as additional groups for a logon session, or executables that run SUID-like?

A: No. The additional groups feature in NetExec is a feature that doesn't work anymore with Windows 2003 Server anyway. SUID functionality will also definitely never be incorporated in SUperior SU the way it is incorporated in NetExec, because embedding a password in a binary - even if encrypted - is never a good idea - this is something you learn in security 101. What SUperior SU might offer one day is to start a process with an optionally "restricted token", i.e. with less privileges than normally would be granted for a specific user.
As to SUID, I am considering to implement this functionality as a separate product the way I think it should be done, as an additional authentication package.

Q: Why can't I type my username in the usual style domain\user or user@domain in the SUperior SU dialog boxes? Why do I have to choose the domain separately from a combo box?

A: Go ahead and grab SUperior SU version 2. It is not anymore an issue there.

Q: I copied over su.exe, suui.dll and runasusr.dll to another computer. If I now start su.exe I get an error message <fill in your favourite error message here>. What am I doing wrong?

A: You didn't install SUperior SU properly. Please use the setup program in order to do a proper install on a given machine. If you want to install it remotely on one or more machines across the network, use the SUperior SU Remote Console Installer.

Q: I want to deploy SUperior SU on a number of machines in my network. Is there a way to do this remotely?

A: Yes. SUperior SU always supported a silent installation using "-s" as a command line parameter for the self-extracting executable. With version 2 you should give the remote installation facilities of SUperior SU with its SUperior SU Remote Console Installer a try. It is a real cool tool that allows to remotely administer all aspects of SUperior SU installations across the network.

Q: Windows 2000 comes with the runas command. What is the difference between runas and su?

A: Good question! Both actually do the same, runas via its own service[...] and su with susrvc.exe as its service. There are a few things that runas can't: It can't create a process on another desktop, it can't start another process asynchruonosly and it always needs the password typed in. As for the last issue: SUperior SU - much like Microsoft's original SU - allows to pipe in the password via stdin or be set via an environment variable. If you need to know more about this please consult the SUperior SU online help.
Also: In some companies, runas is disabled because of the potential misuse one can do by guessing passwords and throwing out legitimate users by guessing their passwords if the domain policy is that passwords get reset after a number of unsuccessful domain logins. While such a DoS attack is also possible with SUperior SU, it might not yet be on your boss's black list :-)...

Q: I want to have the source code for SUperior SU. How much does it cost?

A: The source code for SUperior SU is not for sale. It will either follow me into my grave or it will be GPL'ed some day. At least, SUperior SU will be kept free as long as I earn enough money elsewhere.

Q: My scripts use the syntax of Microsoft's SU. Are there any differences between SUperior SU and the Microsoft SU in this respect?

A: The 1.x versions of SUperior SU were developed with 100% compatibility in mind. Whilst Microsoft doesn't seem to do any further developments for their SU anymore (it isn't even part of the Resource Kits anymore), SUperior SU has relaxed this strive for compatibility somewhat: In SUperior SU version 2 you can provide the username in the domain\user or user@domain style also on the su command line. Note that this doesn't render old scripts unusable but instead only provides an alternative for supplying credentials.

Q: What additional system DLLs will SUperior SU install on my system?

A: None. At least on all platforms except NT4. SUperior SU links statically against all those libraries that can possibly be linked statically. It won't contribute to DLL hell on your computer. After all, SUperior SU still runs on NT 3.51 SP5, so there are virtually no dependencies on runtime DLLs or whatnot. This may all contribute a bit to the distribution size of SUperior SU, but for the sake of stability, it's worth it. On NT4, SUperior SU checks during setup for the existence of shfolder.dll and if it is missing or if its version is less than version 5.50.4027.300, it will run the official redistributable package of shfolder and will install this version of it.

A: The core of SUperior SU has been designed to run on NT 3.51 and higher, but the fact that it still runs on current Operating System versions flawlessly with only minor modifications since the initial release, can be considered a proof of the correctness of its initial design. Newer functionality is implemented via on-the-fly-discovery of the Operating System's features or via a feature of the newer development systems called "delayloading". Both these features allow for starting processes that self-adapt to the particular Operating System they are running under and allow the process to use only those features that the Operating System is capable of. This way, SUperior SU can leverage the features of the latest and greatest NT-based Operating System while still maintaining backwards compatibility to "Downlevel Operating systems" like NT 3.51 or NT4.

Q: Why isn't the "Smart Task Manager invocation on secondary desktops" setting turned on by default?

A: This setting is something really cool, but it comes at a price. The price is, that an application that comes with SUperior SU, suthmlpr.exe, acts as a system-wide debugger for taskmgr.exe. This is not really terribly worrisome, but if you accidentally delete suthmlpr.exe, you will have some trouble getting task manager to start again on your machine. Therefore, this file is also installed into %systemroot%\system32, because normal users are usually scared to death to delete something there. Needless to say, that the SUperior SU uninstall scheme will remove this debugger of the Task Manager without a glitch from your system. Bottom Line: If it works for you and if you are sure you will uninstall SUperior SU the official way with its uninstaller, then turn on the "Smart Task Manager invocation on secondary desktops" feature permanently . This feature is turned off by default because people tend to remove applications by deleting files from the hard disk instead of invoking the application's uninstall programs. In our case such user behaviour would lead to a system that cannot start task manager anymore. Because this would mean too much of an intrusion into the user's system, this feature is disabled by default.

Q: SUperior SU's Desktop Switcher as of Version 2 seems to be much slower to me than the 1.x versions. What's wrong?

A: SUperior SU version 2 with all possible settings turned on, goes to great lengths in order to apply all of the user's desktop settings when switching to another desktop. Because all applications need to react to these changed settings, this takes a fair amount of time. You can tweak the behaviour if you go to the third tab of SUperior SU's control panel applet, labeled "Desktop Switcher Advanced". On this page, turn off all user settings that SUperior SU should ignore when switching desktops.

Hint: A desktop switch is much faster if you turn off the following settings:
"Load user's window border size and font settings"
"Load user's icon size and font settings"

A: I have no idea yet, why this happens with Mozilla, but it should not happen with default settings after installation turned on. If it happens, most likely one or both of the following settings is turned on on the third tab of SUperior SU's control panel applet (labeled "Desktop Switcher Advanced"):

"Load user's window border size and font settings"
"Load user's icon size and font settings"

If you turn off these two options, the flickering should go away.

A: No. SUperior SU and the Remote Consoles use only standard technologies that are already on the target computers, like remote Registry Access and File Access over SMB. For those computers where the WMI core is installed (all W2K computers and higher), additional information is gathered via WMI.

Q: After switching desktops, my taskbar looks strange with ugly icons, etc.! What's wrong?

A: You might want to change the settings on the third property page (labeled "Desktop Switcher Advanced") of SUperior SU's control panel applet. The weird behaviour might go away if you turn off the following two settings:

"Load user's window border size and font settings"
"Load user's icon size and font settings"

Q: Are there any plans for a native 64-bit Windows version of SUperior SU?

A: Sure. As soon as Windows XP for AMD64 gets released and gains momentum, I will try to get the hardware and a suitable compiler package for AMD64 in order to provide a native version. However, don't expect this to happen before the end of 2004.

Q: I am not so fluent in English, are there localized variants of SUperior SU available in my native language?

A: Not yet. As soon as I know whether or not the Microsoft Resource Localization Toolset also works with Binaries for 64-bit Windows, I will start a localized variant that allows to have an English and a German version of SUperior SU. Volunteers for other languages are welcome and should drop me a note. When starting a translation, I want to have at least two people per language so they can verify each other's work.

A: You most probably started su from a command console that had its current directory on a network drive. This happens if you are logged on in a domain environment and you have a home directory/drive. In that case, the command prompt is started for you in your home directory which is almost always a directory on a network drive. The command line su passes this directory as the new current working directory to the process you create with su. If it is a network drive, it is almost always the case, that this drive/directory doesn't exist or is invalid for the new logon session you create with su, therefore the process creation fails. There are two ways to get around this:

Always start su from a local directory where the user of the newly created logon session has at least read access (c:\ will probably suffice in the majority of all cases).

Create an environment variable named SU_WORKINGDIRECTORY and assign it as its value a directory where all users have read access. You can do this globally for the computer on which you are working, or if you run su from a script or batch file, you can do so by defining this environment variable in your script only.

A: The underlying API that the SUperior SU service calls on behalf of su.exe simply cannot deal with relative paths other than files it can find via the system-wide PATH environment variable. However, starting with SUperior SU patch level 2.0.0.15, there is builtin functionality in SUperior SU that works around the limitation of the CreateProcessAsUser API. The only thing you have to do is create a named DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\SUperior SU\suui\Settings with the name "ConcatenateSUPaths" and give it a non-zero value. This setting will be officially supported in the next version of SUperior SU via the SUperior SU control panel applet so you need not tinker with regedit to get this working. However, this setting will probably turned off by default in order to stay compatible with the behaviour of the SU utility from the NT4 Resource Kit.

Q: The SUperior SU desktop switcher starts new shells for users but it doesn't log in to my NetWare Directory as the normal windows logon does when running in a NetWare environment. What can I do?

A: Wait. And contact me for being a beta tester. Native Novell NetWare NDS support is on the agenda for the next minor version (probably version 2.1) if I can find a number of beta testers. So please drop me a note if you are an NDS user and would like to volunteer in beta testing.

Q: If I run su.exe from within an ASP page or started from a service I get the error "CreateWindowStation error! (rc=5) Access is denied.". What's wrong?

A: Please install patch version 2.0.0.18 or higher, where this bug is fixed. Please notice also the next FAQ entry in this list:

A: You probably have configured SUperior SU the standard way, i.e. with the SUperior SU service doing the authentication of the user whose password you supply to su.exe. In that case, the application that is started via su.exe always runs on the interactive desktop (of the console session, if you happen to run a Terminal Server). If you really want to use SUperior SU in that case with authentication done by the SUperior SU service, make sure you have at least patch level 2.0.0.18 installed and additionally supply the command line parameter -h or /h to su.exe. This will start the application's main window as a hidden window (if the application supports this). An alternative would be to configure SUperior SU in such a way that authentication of the user is done with the user's own access token. In fact this is one of the few legitimate uses of this setting and will lead to much higher performance of su. Additionally, winlogon will not come into your way by changing the window station and desktop ACLs when interactive users log off (you probably want su to be started from your web page or service even when no one is logged on or during someone logs off or on). Please consult the SUperior SU online help for the privileges that you have to enable for the user running your service or web site in that case.

Last Updated on Tuesday, 10 May 2005 20:36

Kopfbereich

Navigation

Inhalt