SECURITY WHITEPAPER

Security Architecture & Data Handling

Technical documentation for CISOs, Security Operations, and IT Compliance teams.

For: CISO / SecOpsLast Updated: March 5, 2026

Executive Summary

RescuePC Repairs is a Windows system repair toolkit designed with enterprise security requirements in mind. Key security properties include:

  • Privilege Separation: UI runs as standard user; repairs execute in isolated elevated process
  • Signed Policy Execution: Only manifest-defined scripts can execute; arbitrary code rejected
  • No Persistent Agent: No background services, no kernel drivers, no system modifications at rest
  • Data Minimization: Collects only the minimal personal data required for licensing; telemetry is opt-in and contains only technical diagnostics

1. Privilege Separation Architecture

┌─────────────────────────────────────────────────────────────────────────┐
│                         USER SESSION                                     │
│                                                                          │
│  ┌──────────────────────────┐         ┌──────────────────────────────┐  │
│  │   RescuePC Repairs.exe   │         │     RescuePC.Runner.exe      │  │
│  │   ─────────────────────  │         │     ────────────────────     │  │
│  │   Manifest: asInvoker    │  IPC    │   Manifest: requireAdmin     │  │
│  │   Runs as: Standard User │ ──────▶ │   Runs as: Elevated (UAC)    │  │
│  │   Network: Yes (license) │         │   Network: No                │  │
│  │   Disk Write: Logs only  │         │   Disk Write: System files   │  │
│  └──────────────────────────┘         └──────────────────────────────┘  │
│            │                                       │                     │
│            │ User clicks                           │ Validates against   │
│            │ "Run Repair"                          │ repairs.manifest    │
│            │                                       │                     │
│            ▼                                       ▼                     │
│  ┌──────────────────────────┐         ┌──────────────────────────────┐  │
│  │   Passes repair ID       │         │   Executes PowerShell via    │  │
│  │   (e.g., "fix_network")  │         │   RunRepair.ps1 wrapper      │  │
│  │   NOT a file path        │         │   with strict parameters     │  │
│  └──────────────────────────┘         └──────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────┘

Why Two Processes?

The UI process (RescuePC Repairs.exe) runs with standard user privileges. It cannot modify system files, registry, or services. When a repair is requested, it spawns a separate elevated process (RescuePC.Runner.exe) via UAC. This ensures:

  • • The UI cannot be exploited to gain admin rights directly
  • • Each repair requires explicit UAC consent
  • • The elevated process has no network access (air-gapped execution)

Inter-Process Communication

The UI passes only a repair ID string (e.g., fix_network) to the Runner — never a file path. The Runner validates this ID against its embedded manifest before execution. Path traversal attacks (e.g., ../../malicious.ps1) are rejected.

2. Signed Policy Execution

RescuePC uses a manifest-driven execution model. The Runner maintains an allowlist of valid repair operations in repairs.manifest.json.

// repairs.manifest.json (simplified)

{
  "repairs": [
    {
      "id": "fix_network",
      "scriptName": "fix_network.ps1",
      "displayName": "Fix Network Issues",
      "requiresAdmin": true,
      "risk": "medium",
      "safeForFixAll": true
    },
    // ... 108 defined repairs
  ]
}

Security Guarantees

  • Allowlist-only execution: Only scripts defined in the manifest can run
  • Path validation: Scripts must reside in the designated repair scripts directory
  • No dynamic code: PowerShell scripts are static files, not generated at runtime
  • Manifest integrity: Manifest is signed and verified before use

Attack Vectors Mitigated

  • Path Traversal: Only manifest-defined identifiers are accepted; arbitrary paths are rejected
  • Command Injection: Input is validated against a strict allowlist format
  • DLL Hijacking: Self-contained application bundles all dependencies
  • Script Tampering: Cryptographic hash verification detects any modifications

3. Supply Chain Security

Code Signing

All executables are signed with a code signing certificate (Authenticode):

Subject: CN=RescuePC Software, O=RescuePC Software, C=US

Issuer: CN=RescuePC Software (self-signed code signing certificate)

Algorithm: SHA-256 (Authenticode)

Timestamp: RFC 3161 (DigiCert TSA)

Valid Until: 2031

Build Pipeline Security

  • 1.Source Control: GitHub with branch protection and code review
  • 2.Build Environment: Isolated CI/CD pipeline with audited build steps
  • 3.Signing: Code signing certificate with RFC 3161 timestamping
  • 4.Distribution: Cloudflare R2 with integrity checksums, HTTPS-only delivery

Verification Commands

# Verify code signature (PowerShell)

Get-AuthenticodeSignature "RescuePC Repairs.exe" | Format-List

# Expected: Status = Valid, SignerCertificate contains "RescuePC Software"

# Verify file hash against published checksum

Get-FileHash "RescuePC Repairs.exe" -Algorithm SHA256

4. Data Handling & Privacy

GDPR / CCPA: Data MinimizationNo PHI AccessNo Student Data
Data CategoryCollectedTransmittedStoredRetention
User files, documents, photosNoNoNo
Browsing history, passwordsNoNoNo
Email address (licensing)YesYes (HTTPS)Yes (server-side)Until deletion request
License keyYesYes (HTTPS)Hashed onlyLicense duration
Machine fingerprintYesYes (HTTPS)Hashed onlyLicense duration
Error telemetry (opt-in)OptionalIf enabledIf enabled90 days

Machine Fingerprint Details

The machine fingerprint is a one-way hash derived from hardware identifiers (CPU ID, disk serial). It cannot be reversed to identify the machine. It is used solely to prevent license sharing across multiple devices.

5. Network Security

Outbound Connections

EndpointPortPurposeWhen
www.rescuepcrepairs.com443License validationApp launch only
pub-*.r2.dev443Update checkOptional, can disable

Air-Gap Compatible

After initial license activation, the application can operate offline for up to 7 days. Repairs execute entirely locally with no network dependency. For fully air-gapped environments, contact support for offline activation options.