Rainmeter and Windows security

jsmorley » January 5th, 2019, 4:54 am

I just wanted to run through how Rainmeter lives and works with the security built into Windows, and why it stores the various files it creates and modifies where it does.

First off, let me get this out of the way...

DO NOT TURN OFF USER ACCOUNT CONTROL (UAC) IN WINDOWS. THIS IS A BAD IDEA. You are welcome to disagree with me on this, and be wrong, that's your karma. UAC is not the annoying and virtually useless mess it was in Windows Vista; it is an important part of safely running your computer in Windows 10. So this entire guide is predicated on having UAC set to the default level. I really don't even want to discuss otherwise.

So kicking this off, here are the high-level folders that have some meaning in the context of Rainmeter in Windows, and what each is intended for by Windows.

1) C:\Program Files and C:\Program Files (x86)
This is the folder where 64bit and 32bit desktop applications are installed and run from for all user accounts. It is a protected folder, in that only an administrator, after answering "yes" to a UAC prompt, can make any changes to this folder. After the initial installation, programs are not allowed to write to this folder.

2) C:\Users\YourName\AppData\Roaming
This folder is used to store "settings" for programs. It is personal to a particular user account, and is only protected in that only that user account can make changes to it or even see it. Programs run by the account can add / delete / edit any files and folders under this, without any administrator privileges or UAC prompts.

Note that by default this folder is "hidden", as the idea is that "programs" should be making changes to their own settings, and in general the user doesn't want to be hacking around in this stuff. Having said that, one of the first things I do in Windows is "show hidden files and folders".

Note that there is a folder C:\ProgramData that is analogous to C:\Users\YourName\AppData, which is where "settings" for programs are stored when the program is installed for "All users", and no distinct settings for each user account are desired. Rainmeter does not support this, as there is just never any good reason to share Rainmeter settings between users. You really want your brother moving all your skins around on the screen for you?

3) C:\Users\YourName\Documents
The intent of this is to be a place to store the "data" that is created by applications. It is personal to a particular user account, and is only protected in that only that user account can make changes to it, or even see it. Programs run by the account can add / delete / edit any files and folders under this, without any administrator privileges or UAC prompts.

So what does Rainmeter put where?

1) C:\Program Files\Rainmeter
After a UAC prompt, the installer for Rainmeter will (on a "normal" installation) extract all the program files and built-in plugins here. It has a folder to temporarily hold the default illustro skins. Once the installation is done, Rainmeter will never write to this folder again.

This is where Rainmeter.exe, all built-in plugin .dll files, and SkinInstaller.exe are kept and are executed from.

2) C:\Users\YourName\AppData\Roaming\Rainmeter
When this account runs Rainmeter the first time after installation, it will create a default Rainmeter.ini (the main "settings" file) in this folder. It is also the place that Rainmeter stores other settings files that it may need to write to later, and where it stores things like 3rd-party plugins and saved Layouts.

3) C:\Users\YourName\Documents\Rainmeter\Skins
This is where the skins are stored. When this account runs Rainmeter the first time after installation, it will copy over the default illustro skins to this folder, and after that, any skins you create or download and install will be in this folder.

Note that while there is no analogous C:\ProgramData "All users" form of "Documents", so by default no way to have two users share a common documents folder, the SkinPath setting in Rainmeter.ini, which specifies where skins are to be stored, can be changed to anything you want. That will allow different accounts on the same machine to share a single "Skins" folder. Make sure this is not a personal or protected folder.


That is how it all works on a "normal" install of Rainmeter. If you want to run it in "portable" mode, that can be done with the installer, and then everything, the program, the settings and the skins, will all be in that single folder structure. Do be SURE that whatever folder you select for a "portable" install is not a folder that is in any way protected by Windows.

Re: Rainmeter and Windows security

jsmorley » January 6th, 2019, 3:08 pm

There is one other Windows security feature to keep in mind, not so much today, but possibly going forward.

In order to react to the recent bout of "ransomware" attacks, where some malware encrypts some of your personal files, and offers to unencrypt them for a payment in bitcoin, Windows has added a new optional feature:

Controlled Folder Access
https://www.howtogeek.com/329532/how-to-protect-your-files-from-ransomware-with-windows-defenders-controlled-folder-access/

What this does is "protect" certain personal folders that have been the target of these "ransomware" attacks. These are:

Documents
Music
Videos
Pictures
Favorites
Desktop

If this feature is turned on, no applications will be allowed to write to these folders, unless they are "whitelisted" in the security settings for the feature. There are some well trusted applications (almost all of them those owned by Microsoft itself) that are automatically whitelisted, but all others will need to be added if you want them to be able to write to these folders.

In order to use Rainmeter with this feature turned on, the following program files will need to be whitelisted:

C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Rainmeter\SkinInstaller.exe

Otherwise, Rainmeter.exe will not be able to write to the ..Documents\Rainmeter\Skins folder, and will be unusable. In addition, you must whitelist SkinInstaller.exe or it will not be able to install .rmskins to your skins folder, and you will not be able to save .rmskin files you create to the default Desktop location.

I have no strong opinion about this new security feature in Windows. It is turned OFF by default as of the latest October 2018 Update of Windows, and given that it can seriously complicate users' ability to do simple things like save an image created in Photoshop to the Documents folder, or save an image to the Pictures folder, a video to the Videos folder, or a .mp3 file to the Music folder, I'm doubtful that this will ever be turned on by default. But you never know with Microsoft. I don't use it, but then I have a good nightly backup of my entire system, so I'm not at huge risk of being affected by ransomware. Your mileage may vary, and I'm not suggesting it isn't a potentially useful feature.

If it DOES become something that is turned ON by default in Windows, it is possible that we would explore moving the locations where skins are stored to an unprotected location. This would likely be C:\Users\YourName\Rainmeter\Skins, so moving it up one level and out of Documents. While this would be easy to do for us (you can easily do it yourself today by changing SkinPath in Rainmeter.ini), the issue is how we safely migrate existing skins when an upgrade of Rainmeter is done. We would also look at moving where new .rmskin files are saved when you create one, so we can avoid the protected Desktop folder.
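
One way to apply the whitelisting described above from PowerShell, as an added example that is not part of the original post or the Rainmeter project. It uses the Windows Defender cmdlets Get-MpPreference and Add-MpPreference, and assumes the default install path and the Rainmeter.ini location given in this thread; it must be run from an elevated prompt.

```powershell
# Added example, not Rainmeter project code. Run elevated: changing Defender
# preferences requires administrator rights. Paths assume the "normal" install.
$rainmeterApps = @(
    'C:\Program Files\Rainmeter\Rainmeter.exe',
    'C:\Program Files\Rainmeter\SkinInstaller.exe'
)

$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 = disabled, 1 = enabled (block), 2 = audit only
"Controlled Folder Access mode: $($pref.EnableControlledFolderAccess)"

# Whitelist each Rainmeter executable that is not already on the allowed list.
$allowed = @($pref.ControlledFolderAccessAllowedApplications)
foreach ($app in $rainmeterApps) {
    if (-not (Test-Path -LiteralPath $app)) {
        Write-Warning "Not found, skipping: $app"
    } elseif ($allowed -contains $app) {
        "Already allowed: $app"
    } else {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
        "Added to allowed applications: $app"
    }
}

# Folders protected by default for this account, plus any added by the user.
$defaults = 'MyDocuments', 'MyMusic', 'MyVideos', 'MyPictures', 'Favorites', 'DesktopDirectory' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
$protected = @($defaults) + @($pref.ControlledFolderAccessProtectedFolders) |
    Where-Object { $_ }

# Read SkinPath from Rainmeter.ini and report whether it sits in a protected folder.
$ini = Join-Path $env:APPDATA 'Rainmeter\Rainmeter.ini'
$skinPath = Get-Content -LiteralPath $ini -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_ -match '^\s*SkinPath\s*=\s*(.+?)\s*$') { $Matches[1] } } |
    Select-Object -First 1

if ($skinPath) {
    $hit = $protected | Where-Object {
        $skinPath.StartsWith($_.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
    }
    if ($hit) { "SkinPath '$skinPath' is inside protected folder: $($hit -join ', ')" }
    else      { "SkinPath '$skinPath' is outside the protected folders." }
} else {
    Write-Warning "No SkinPath found in $ini"
}
```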