1567219 - Add "is Admin with UAC disabled" telemetry scalar

Status: RESOLVED FIXED

(Toolkit :: Telemetry, task, P1)

Description

[(No longer employed by Mozilla) Aaron Klotz]

It would be useful to know whether Firefox is running as Administrator with UAC disabled.

Because the launcher process affects the state of our own process's privileges, this check would need two steps:

1. Is our process token a member of the Administrators group? AND
2. Is UAC disabled in the registry? (NB: Checking our own token for high integrity won't work because the launcher process by default automagically drops our integrity level to medium)

Comment 1

[Chris H-C :chutten]

Is this necessary to be included in the Environment? The Environment is submitted in almost every ping and is already quite large

Comment 2

[(No longer employed by Mozilla) Aaron Klotz]

Well, the question that we would want to ask is, "What percentage of Windows users are running as Administrator with UAC disabled?"

If there is a better location for this that still allows us to answer that question, I'm all ears.

Comment 3

[Chris H-C :chutten]

Assuming that "clients" is a useful substitute for "users" in this case, a bool Scalar would do the trick. Since it's a Scalar it'll automatically appear in main_summary so you'll be able to write

SELECT
  COUNT(DISTINCT client_id) AS client_count
FROM main_summary
WHERE
  scalar_parent_is_admin_with_uac_disabled -- or however it ends up named
  AND os = 'Windows_NT'
  AND os_version >= '10' -- I don't know if the APIs and capabilities are Win10+ or not
  AND app_version >= '70' -- or whenever it lands
  AND submission_date_s3 > DATE_FORMAT(CURRENT_DATE - INTERVAL '28' DAY, '%Y%m%d')

There's a bit of an implied time range to things when you do it this way, as a client will only report the Scalar in a single ping per Firefox session (efficient!) so if that single ping lies outside of your sample window (submission_date_s3 > DATE_FORMAT(CURRENT_DATE - INTERVAL '28' DAY, '%Y%m%d')) you'll undercount slightly.

Does that seem like it'd work?

Comment 4

[(No longer employed by Mozilla) Aaron Klotz]

SGTM.

Comment 5

[Toshihito Kikuchi [:toshi]]

Attachment: data-review-request-for-bug1567605.txt

Attaching a request form according to https://wiki.mozilla.org/Firefox/Data_Collection

Comment 6

[Toshihito Kikuchi [:toshi]]

Attachment: Bug 1567219 - Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz

This patch adds a new Scalar metric sandbox.is_admin_without_uac that
indicates the process is lauched with Admin privileges when UAC is turned
off.

We use the elevation type of a process token to determine UAC is on or off
instead of reading the registry value EnableLUA. Basically a token is
either full or limited if UAC is on. If the account is built-in
Administrator, however, the token type is default though UAC is on. Thus
we check the account SID as well as the elevation type.

Comment 7

[(No longer employed by Mozilla) Aaron Klotz]

Comment on attachment 9084399 [details]
data-review-request-for-bug1567605.txt

This looks reasonable to me. Just update it with the revised probe name once you've updated your patch.

Comment 8

[Toshihito Kikuchi [:toshi]]

Attachment: data-review-request-for-bug1567605-v2.txt

Comment 9

[Chris H-C :chutten]

Comment on attachment 9086560 [details]
data-review-request-for-bug1567605-v2.txt

DATA COLLECTION REVIEW RESPONSE:

    Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes. This collection is Telemetry so is documented in its definitions file [Scalars.yaml](https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/Scalars.yaml) and the [Probe Dictionary](https://telemetry.mozilla.org/probe-dictionary/).

    Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.

    If the request is for permanent data collection, is there someone who will monitor the data over time?

Yes, Toshihito Kikuchi is responsible.

    Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 1, Technical.

    Is the data collection request for default-on or default-off?

Default on for all channels.

    Does the instrumentation include the addition of any new identifiers?

No.

    Is the data collection covered by the existing Firefox privacy notice?

Yes.

    Does there need to be a check-in in the future to determine whether to renew the data?

No. This collection is permanent.

---
Result: datareview+

Comment 10

[Pulsebot]

Pushed by aklotz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7cb87169e4cf
Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz

Comment 11

[Cristian Brindusan [:cbrindusan]]

Backed out changeset 7cb87169e4cf (bug 1567219) for xpcshell failures in marAppApplyUpdateAppBinInUseStageSuccessSvc_win.js.

Backout: https://hg.mozilla.org/integration/autoland/rev/2354e2d4dcda834a4b6131565f32262f7463a503

Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=7cb87169e4cf83b1485f26e10f1b883fca3460da&selectedJob=263785751

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263785751&repo=autoland&lineNumber=5579

Comment 12

[(No longer employed by Mozilla) Aaron Klotz]

That isn't actually caused by this bug. The failures are due to bug 1577061. I'll add it as a dependency.

Comment 13

[Pulsebot]

Pushed by aklotz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/465c39971338
Add a metric to collect how many users launch a process with Admin but without UAC. r=aklotz

Comment 14

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/465c39971338