Security Architecture & Data Handling
Technical documentation for CISOs, Security Operations, and IT Compliance teams.
Executive Summary
RescuePC Repairs is a Windows system repair toolkit designed with enterprise security requirements in mind. Key security properties include:
- ✓Privilege Separation: UI runs as standard user; repairs execute in isolated elevated process
- ✓Signed Policy Execution: Only manifest-defined scripts can execute; arbitrary code rejected
- ✓No Persistent Agent: No background services, no kernel drivers, no system modifications at rest
- ✓Data Minimization: Collects only the minimal personal data required for licensing; telemetry is opt-in and contains only technical diagnostics
1. Privilege Separation Architecture
┌─────────────────────────────────────────────────────────────────────────┐ │ USER SESSION │ │ │ │ ┌──────────────────────────┐ ┌──────────────────────────────┐ │ │ │ RescuePC Repairs.exe │ │ RescuePC.Runner.exe │ │ │ │ ───────────────────── │ │ ──────────────────── │ │ │ │ Manifest: asInvoker │ IPC │ Manifest: requireAdmin │ │ │ │ Runs as: Standard User │ ──────▶ │ Runs as: Elevated (UAC) │ │ │ │ Network: Yes (license) │ │ Network: No │ │ │ │ Disk Write: Logs only │ │ Disk Write: System files │ │ │ └──────────────────────────┘ └──────────────────────────────┘ │ │ │ │ │ │ │ User clicks │ Validates against │ │ │ "Run Repair" │ repairs.manifest │ │ │ │ │ │ ▼ ▼ │ │ ┌──────────────────────────┐ ┌──────────────────────────────┐ │ │ │ Passes repair ID │ │ Executes PowerShell via │ │ │ │ (e.g., "fix_network") │ │ RunRepair.ps1 wrapper │ │ │ │ NOT a file path │ │ with strict parameters │ │ │ └──────────────────────────┘ └──────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────┘
Why Two Processes?
The UI process (RescuePC Repairs.exe) runs with standard user privileges. It cannot modify system files, registry, or services. When a repair is requested, it spawns a separate elevated process (RescuePC.Runner.exe) via UAC. This ensures:
- • The UI cannot be exploited to gain admin rights directly
- • Each repair requires explicit UAC consent
- • The elevated process has no network access (air-gapped execution)
Inter-Process Communication
The UI passes only a repair ID string (e.g., fix_network) to the Runner — never a file path. The Runner validates this ID against its embedded manifest before execution. Path traversal attacks (e.g., ../../malicious.ps1) are rejected.
2. Signed Policy Execution
RescuePC uses a manifest-driven execution model. The Runner maintains an allowlist of valid repair operations in repairs.manifest.json.
// repairs.manifest.json (simplified)
{
"repairs": [
{
"id": "fix_network",
"scriptName": "fix_network.ps1",
"displayName": "Fix Network Issues",
"requiresAdmin": true,
"risk": "medium",
"safeForFixAll": true
},
// ... 108 defined repairs
]
}Security Guarantees
- • Allowlist-only execution: Only scripts defined in the manifest can run
- • Path validation: Scripts must reside in the designated repair scripts directory
- • No dynamic code: PowerShell scripts are static files, not generated at runtime
- • Manifest integrity: Manifest is signed and verified before use
Attack Vectors Mitigated
- • Path Traversal: Only manifest-defined identifiers are accepted; arbitrary paths are rejected
- • Command Injection: Input is validated against a strict allowlist format
- • DLL Hijacking: Self-contained application bundles all dependencies
- • Script Tampering: Cryptographic hash verification detects any modifications
3. Supply Chain Security
Code Signing
All executables are signed with a code signing certificate (Authenticode):
Subject: CN=RescuePC Software, O=RescuePC Software, C=US
Issuer: CN=RescuePC Software (self-signed code signing certificate)
Algorithm: SHA-256 (Authenticode)
Timestamp: RFC 3161 (DigiCert TSA)
Valid Until: 2031
Build Pipeline Security
- 1.Source Control: GitHub with branch protection and code review
- 2.Build Environment: Isolated CI/CD pipeline with audited build steps
- 3.Signing: Code signing certificate with RFC 3161 timestamping
- 4.Distribution: Cloudflare R2 with integrity checksums, HTTPS-only delivery
Verification Commands
# Verify code signature (PowerShell)
Get-AuthenticodeSignature "RescuePC Repairs.exe" | Format-List
# Expected: Status = Valid, SignerCertificate contains "RescuePC Software"
# Verify file hash against published checksum
Get-FileHash "RescuePC Repairs.exe" -Algorithm SHA256
4. Data Handling & Privacy
| Data Category | Collected | Transmitted | Stored | Retention |
|---|---|---|---|---|
| User files, documents, photos | No | No | No | — |
| Browsing history, passwords | No | No | No | — |
| Email address (licensing) | Yes | Yes (HTTPS) | Yes (server-side) | Until deletion request |
| License key | Yes | Yes (HTTPS) | Hashed only | License duration |
| Machine fingerprint | Yes | Yes (HTTPS) | Hashed only | License duration |
| Error telemetry (opt-in) | Optional | If enabled | If enabled | 90 days |
Machine Fingerprint Details
The machine fingerprint is a one-way hash derived from hardware identifiers (CPU ID, disk serial). It cannot be reversed to identify the machine. It is used solely to prevent license sharing across multiple devices.
5. Network Security
Outbound Connections
| Endpoint | Port | Purpose | When |
|---|---|---|---|
| www.rescuepcrepairs.com | 443 | License validation | App launch only |
| pub-*.r2.dev | 443 | Update check | Optional, can disable |
Air-Gap Compatible
After initial license activation, the application can operate offline for up to 7 days. Repairs execute entirely locally with no network dependency. For fully air-gapped environments, contact support for offline activation options.
Security questions? Contact [email protected]