Closed Bug 1567219 Opened 4 months ago Closed 3 months ago

Add "is Admin with UAC disabled" telemetry scalar

Categories: Toolkit :: Telemetry, task, P1
Platform: Unspecified, Windows

Tracking: RESOLVED FIXED, mozilla70
Tracking Status: firefox70 --- fixed

People: Reporter: aklotz, Assigned: toshi, Mentored

References: Blocks 1 open bug

Attachments: 2 files, 1 obsolete file

It would be useful to know whether Firefox is running as Administrator with UAC disabled.

Because the launcher process affects the state of our own process's privileges, this check would need two steps:

  1. Is our process token a member of the Administrators group? AND
  2. Is UAC disabled in the registry? (NB: Checking our own token for high integrity won't work because the launcher process by default automagically drops our integrity level to medium)

Is this necessary to be included in the Environment? The Environment is submitted in almost every ping and is already quite large.

Well, the question that we would want to ask is, "What percentage of Windows users are running as Administrator with UAC disabled?"

If there is a better location for this that still allows us to answer that question, I'm all ears.

Assuming that "clients" is a useful substitute for "users" in this case, a bool Scalar would do the trick. Since it's a Scalar it'll automatically appear in main_summary so you'll be able to write

```sql
SELECT
  COUNT(DISTINCT client_id) AS client_count
FROM main_summary
WHERE
  scalar_parent_is_admin_with_uac_disabled -- or however it ends up named
  AND os = 'Windows_NT'
  AND os_version >= '10' -- I don't know if the APIs and capabilities are Win10+ or not
  AND app_version >= '70' -- or whenever it lands
  AND submission_date_s3 > DATE_FORMAT(CURRENT_DATE - INTERVAL '28' DAY, '%Y%m%d')
```

There's a bit of an implied time range to things when you do it this way, as a client will only report the Scalar in a single ping per Firefox session (efficient!) so if that single ping lies outside of your sample window (submission_date_s3 > DATE_FORMAT(CURRENT_DATE - INTERVAL '28' DAY, '%Y%m%d')) you'll undercount slightly.

Does that seem like it'd work?

Summary: Add "is Admin with UAC disabled" to telemetry environment → Add "is Admin with UAC disabled" telemetry scalar

SGTM.

Assignee: nobody → tkikuchi
Attached file data-review-request-for-bug1567605.txt (obsolete) —

Attaching a request form according to https://wiki.mozilla.org/Firefox/Data_Collection

Attachment #9084399 - Flags: feedback?(aklotz)
Blocks: 1572788

This patch adds a new Scalar metric sandbox.is_admin_without_uac that
indicates the process is launched with Admin privileges when UAC is turned
off.

We use the elevation type of a process token to determine whether UAC is on
or off instead of reading the registry value EnableLUA. Basically a token is
either full or limited if UAC is on. If the account is the built-in
Administrator, however, the token type is default though UAC is on. Thus
we check the account SID as well as the elevation type.
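
The check described in the patch summary above (Administrators membership, token elevation type, built-in Administrator SID), as an added example that is not the code from the Firefox patch. The names `Elevation`, `IsAdminWithoutUac` and `QueryAdminWithoutUac` are hypothetical; the Win32 part assumes it runs against the current process token and links against advapi32.

```cpp
// Added example; names are hypothetical, not taken from the Firefox patch.
enum class Elevation { Default = 1, Full = 2, Limited = 3 };  // TOKEN_ELEVATION_TYPE values

// With UAC on, an admin's token is Full or Limited. Default plus Administrators
// membership therefore means UAC is off, unless the account is the built-in
// Administrator, whose token is Default even with UAC on.
bool IsAdminWithoutUac(Elevation type, bool inAdminsGroup, bool isBuiltinAdmin) {
  return inAdminsGroup && type == Elevation::Default && !isBuiltinAdmin;
}

#ifdef _WIN32
#include <windows.h>

// Gathers the three inputs from the current process token. Returns false on
// any API failure so a caller can skip recording the metric.
bool QueryAdminWithoutUac(bool* result) {
  HANDLE token = nullptr;
  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) return false;

  TOKEN_ELEVATION_TYPE type;
  alignas(TOKEN_USER) BYTE userBuf[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];
  DWORD len = 0;
  bool ok = GetTokenInformation(token, TokenElevationType, &type, sizeof(type), &len) &&
            GetTokenInformation(token, TokenUser, userBuf, sizeof(userBuf), &len);
  CloseHandle(token);
  if (!ok) return false;

  // Built-in Administrator account: domain-relative RID 500.
  PSID userSid = reinterpret_cast<TOKEN_USER*>(userBuf)->User.Sid;
  bool builtin = IsWellKnownSid(userSid, WinAccountAdministratorSid) != FALSE;

  // BUILTIN\Administrators (S-1-5-32-544). A deny-only group entry, as in a
  // Limited token, does not count as membership here.
  BYTE adminsSid[SECURITY_MAX_SID_SIZE];
  DWORD sidLen = sizeof(adminsSid);
  BOOL member = FALSE;
  if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, nullptr, adminsSid, &sidLen) ||
      !CheckTokenMembership(nullptr, adminsSid, &member)) return false;

  *result = IsAdminWithoutUac(static_cast<Elevation>(type), member != FALSE, builtin);
  return true;
}
#endif
```

A standard user also has a Default token, which is why the elevation type alone is not enough and the Administrators membership check comes first.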

Blocks: 1574631
Comment on attachment 9084399 [details]
data-review-request-for-bug1567605.txt

This looks reasonable to me. Just update it with the revised probe name once you've updated your patch.
Attachment #9084399 - Flags: feedback?(aklotz) → feedback+
Attachment #9085614 - Attachment description: Bug 1567219 - Add a Scalar metric to collect how many users launch a process with Admin but UAC. r=aklotz → Bug 1567219 - Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz
Attachment #9084399 - Attachment is obsolete: true
Attachment #9086560 - Flags: data-review? → data-review?(chutten)
Comment on attachment 9086560 [details]
data-review-request-for-bug1567605-v2.txt

DATA COLLECTION REVIEW RESPONSE:

    Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes. This collection is Telemetry so is documented in its definitions file [Scalars.yaml](https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/Scalars.yaml) and the [Probe Dictionary](https://telemetry.mozilla.org/probe-dictionary/).

    Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.

    If the request is for permanent data collection, is there someone who will monitor the data over time?

Yes, Toshihito Kikuchi is responsible.

    Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 1, Technical.

    Is the data collection request for default-on or default-off?

Default on for all channels.

    Does the instrumentation include the addition of any new identifiers?

No.

    Is the data collection covered by the existing Firefox privacy notice?

Yes.

    Does there need to be a check-in in the future to determine whether to renew the data?

No. This collection is permanent.

---
Result: datareview+
Attachment #9086560 - Flags: data-review?(chutten) → data-review+
Pushed by aklotz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7cb87169e4cf
Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz

That isn't actually caused by this bug. The failures are due to bug 1577061. I'll add it as a dependency.

Mentor: aklotz
Status: NEW → ASSIGNED
Depends on: 1577061
Flags: needinfo?(tkikuchi)
Priority: P3 → P1
Pushed by aklotz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/465c39971338
Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz
Blocks: 1567605
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70