Installation ------------ We highly recommended installing the system using the IE11 on Win8.1 (x86) VM image available from http://dev.modern.ie/tools/vms. The installation package has been configured specifically for the corresponding VM. To use the precompiled package on the VM, install Microsoft Visual C++ 2010 Redistributable Package (x86). Otherwise, a full Microsoft Visual Studio (2010 or later) is required to compile the package. Step 0. You may need to disable Windows defender before running the following steps. (You can reenable it after every thing is installed; however, defender may continue to block other software that you may want to download and run with the protection of PIP.) Extract pip-windows to C:\. Step 1. Create a shadow user by running 1_runWithAdmin.bat with administrative privilege. This can be done by right clicking on the script and selecting “Run as administrator”. The script will then output sid of the shadow user, and sid of the current user. These information will be needed for Step 2. Step 2. Only necessary for using machines differ from the VM image specified above. Follow the instruction in 2_edit_file.txt: Edit the common/ppi_config.h to provide system specific information based on the output from Step 1. Step 3. Only necessary for using machines differ from the VM image specified above. Run 3_run_in_MSBUILD_Command_Prompt.bat inside a Visual Studio Command Prompt. This will compile and build the dll and the helper program. The VS project was created on VS 2010, and has been tested on VS 2015. The script will first upgrade the project before building. Step 4. Only necessary for using the IE11 on Win8.1 (x86) VM image Install Microsoft Visual C++ 2010 Redistributable Package (x86). Step 5. Run 4_runWithAdmin_install_service.bat to install the dll and the helper program as system service. You will be prompted to enter credential for shadow user. Enter “untrusted”. Then reboot the system to enjoy the full protection. Step 6. Check to see C:\log to see if new files are created after rebooting. If no file exists, it is likely that something went wrong during the installation process, and the protection has not been enabled. Things to try ------------- 1. Double click on the Desktop icon runAsShadow.bat to obtain a shell for the shadow user. Anything started from the shell would be considered as untrusted. Try running notepad or dragging a word document to run programs as shadow user. Note the user experience: you can save files on the desktop. 2. Use Internet Explorer to download a file (e.g., doc, ppt, or rtf). Since the file comes from the Internet, the system automatically considers it as untrusted. Opening the document using double clicking will automatically start the helper program as untrusted. Known Issues ------------ 1. Occasionally, the system may not boot up properly, i.e., the login screen does not show. Resetting the VM can usually resolve the problem. 2. Microsoft Word running in untrusted mode may prompt for reinstallation for every launch, thought cancelling the reinstallation does not affect normal usage. Troubleshooting --------------- 0. Missing MSVCP100.dll? Make sure Microsoft Visual C++ 2010 Redistributable Package (x86) is installed. (Only applies when using the precompiled package.) 1. Look at C:\log to check if files are created. By default, the system creates logs in C:\log. Make sure at least something is there to make sure that the protection has been enabled. 2. For updating Windows or installing new software, please disable the protection first. To disable the protection, run the disablePIP.bat with administrator privilege. The protection can be reenabled by running the enablePIP.bat. 3. Contact wsze@cs.stonybrook.edu for further support. Visit http://www.seclab.cs.sunysb.edu/seclab/pip/ for more updated information.