Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.
At my previous job we ran 95% users as non-privileged accounts. Because of this we did not see any problems with spyware, it just did not happen because the users did not have rights to install spyware.
The idea was that we front-ended all of the work by finding out what registry keys and file permissions had to be changed in order for certain applications to run correctly. Then we would not have to deal with spyware infections and users destroying their workstations.
I introduced the -l switch to PsExec about a year and a half ago as an easy way to execute processes
Hello everyone. After a few days spent in Seattle learning new things, I am back to point out some
# re: Running as Limited User - the Easy Way
A little utility that allows you to easily configure your apps to run as a limited user might be a useful thing for someone to write based on this code, I feel.
3/2/2006 11:06:00 AM by Stuart Langridge
"many applications fail when run in a limited-user account because they’re poorly written"
Including Firefox apparently.
3/2/2006 11:31:00 AM by Anonymous
How is this better than RunAs?
3/2/2006 12:10:00 PM by G. Eek!
I can run firefox as guest with no problems
3/2/2006 12:21:00 PM by G. Eek!
With a bit of effort you can run most applications as limited user - the effort varies between installing the application into a writable area (I keep one for the purpose) to shouting at the developers.
I have had no problems with Firefox, indeed most extensions even install in Limited User. Thunderbird required Admin to install the spell check dictionary but otherwise is ok.
3/2/2006 12:26:00 PM by Rick
Great article Mark.
I run my Internet facing apps (i.e. IE, Outlook) and those apps that interface with them (i.e. OneNote) under SAFER (local policies that set LUA).
With SAFER, when clicking a link in Outlook to open an IE window, that IE window runs as LUA.
The question I have is whether the method you describe would be as safe as using SAFER policies. I'm not sure if IE exec'ed from a link in Outlook (or perhaps Word, Excel), would run as LUA even if the initiating app, like Outlook, is running as LUA.
3/2/2006 12:49:00 PM by ImSAFER
Good article but I disagree with the assumption that one should limit privileges when running certain apps.
The better approach is to run everything as a limited user and elevate privileges only when necessary (to install an app, change power config, etc).
3/2/2006 1:08:00 PM by sean
It'd be nice to specify that IExplorer always runs as limited user, even if launched by another app since so many apps embed IE.
3/2/2006 1:18:00 PM by Haacked
Mark, I hope one day you do a review of the "Microsoft Shared Computer Toolkit" it has an easy user interface, is basically Bulletproof from Malware and accidental changes or deletions and has many user restrictions that can be implemented if needed.
To date it is the only thing that really offers instant recovery and total windows partition/drive protection and is more of a "Set It And Forget It" concept once installed and setup. Would like to get your thoughts on it?
More Info On This Here:
3/2/2006 1:30:00 PM by ZOverLord
Sean: I totally agree - I was hoping that Mark would go down this line, rather than continue in the microsoftcentric train of thought that you should be able to run your pc as an admin by default.
3/2/2006 2:28:00 PM by Bart
Actually, I provided support for that a while back with PsExec's runas-like functionality. With PsExec you can create shortcuts (with a cached account name and password) that launch a process in a different, elevated account. Process Explorer v10 also introduces a RunAs menu item.
The drawback of that approach is that the launched process runs in a different account altogether and so doesn't have access to the same profile you're running in.
Aaron Margosis' MakeMeAdmin tool temporarily adds your account to the admin group, launches the process, and then removes the account, which grants access to the same profile.
An even more secure approach is to have two different accounts, one admin and one limited, and use Fast User Switching to invoke the admin account only when necessary.
Different users have different preferences.
3/2/2006 2:37:00 PM by Mark Russinovich
This works great when I am launching IE.
What about the situations where IE is launched from clicking a link in an e-mail?
3/2/2006 2:52:00 PM by John Dyer
With Windows XP or later, you can use Software Restriction Policies to force an application to run as a limited user. You simply need to change a registry setting on the machine used to edit the policy, so that the additional levels are visible.
1. Add a new DWORD value called Levels to the following registry key, and give it a value of 0x31000:
2. Open the Group Policy object you want to edit, and navigate to:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules;
NB: If the Software Restriction Policies node has no entries, right-click and choose Create New Policies;
3. Right-click and choose New Path Rule...;
4. Select the path of the executable to restrict, and set the Security Level to Basic User;
You will need to refresh the group policy settings, and restart any affected applications for the changes to take effect.
3/2/2006 3:23:00 PM by Anonymous
You may be interested to note that McAfee's Spyware scanner identifies psexec.exe and pskill.exe as spyware :) It's a vicious cycle, want to use psexec.exe to stop from getting spyware, psexec IS (according to McAfee) Spyware ... argh! :)
3/2/2006 3:32:00 PM by Paul
I get so completely sick of hearing people admonish me to run strictly as a Limited User. I've tried it, at length. I bent more ACLs than I care to remember. I changed permissions in the registry. I set up a slew of shortcuts. I used RunAs. And still, I had to hassle around with applications that didn't behave.
Yell at the developers? Oh, yeah, that'll work. What if I have a problem with several different products? What happens is that I have a new, full-time hobby.
I realize it depends on what software you use, but for some of us, running as a Limited User is like considering walking rather than driving. It's safer, but it's agonizingly inconvenient.
3/2/2006 3:54:00 PM by Anonymous
I agree with the last Anonymous.
What Mark is advocating is an EASY way to get some of the benefits of limited user privileges without all the drawbacks. Running exclusively as a limited user under Windows is excruciating for those of us who could be classified as power users, but don't have time to spend on it. I mean, Mark has to be Windows-centric as long as he's talking about Windows. This ain't Linux.
3/2/2006 5:29:00 PM by Anonymous
I think you can also setup the image file execution options key to automatically launch IE with lowered privileges by specifying the command line Mark gives in the key...
(This may avoid the concern a previous poster had about clicking on links in Outlook launching IE with full privileges.)
3/2/2006 6:13:00 PM by Anonymous
Of course the easier way to do all this is not to use MS web products at all.
Using Opera as a web browser and The Bat! as a mail client results in 0% spyware/malware. Oh, and they're much more versatile programs than Microsoft's
3/3/2006 2:04:00 AM by Anonymous
Not completely related, but a tip would be to use Virtual PC (or VMWare) and put all your internet traffic inside it. This is the closest to a sandbox model of isolating programs I could find. If you enable undo disks, and always "turn off and delete changes" the virtual PC when you stop the sessions, all malware is deleted and your next start is as clean as your previous one. Also great tool for testing shareware.
3/3/2006 2:16:00 AM by Anonymous
I'm running my main account as a limited user for over a year now.
I use the Run As... right-click option each time I want to install or use a software that requires admin rights. But all the internet apps and explorer runs as limited user all the time.
I once met a spyware : it couldn't install and just died without being able to write /Program Files/ directory. I deleted Firefox cache (who runs perfectly as Limited User) and rebooted and all was clear.
I need to use Run As (admin) each time I want to change a setting, install or upgrade software, burn CD or do maintenance tasks. Some time I change session and use a admin session to perform those maintenance tasks.
It's a bit annoying but worth it. I hope MS will do better job on account with Vista.
But this way a malware could still try privilege escalation and I recommend this reading : http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
Thanks Mark for your blog.
3/3/2006 2:18:00 AM by Souplounite
I've written a little "hack" that allows limited users to run a program as themselves - but with the administrator token. I called it "WinSUDO".
Check it out..
3/3/2006 3:48:00 AM by Paul
There is a small program written by Microsoft that accomplishes the same thing. Source code is also available.
Hopefully people won't need to use these methods in the upcoming months as vista is supposed to allow users to run as users :)
3/3/2006 6:29:00 AM by wng_z3r0
Has anyone tried the Application Security package from DesktopStandard?
The download is "free" to run in local group policy, but needs a purchased license to work in AD Group Policies
3/3/2006 6:39:00 AM by Anonymous
Elevating privileges on occasions using Runas is the preferable way to go, but it's still strange to me that the most used program in the OS, explorer.exe, does not function this way...
3/3/2006 6:43:00 AM by Anonymous
It's incomprehensible why Windows doesn't use the Mac/Linux method whereby you have to enter your admin password whenever software wants admin-type access. That way you immediately have a red-flag that some installer process wants critical access.
The benefit of this system is that, say, an email attachment which prompts you for your admin password, wouldn't as easily be executed with total control over your machine, as it would without this system.
There is no excuse for designing an OS which grants its admin users total admin privileges all the time without distinction. It basically means anything you do with your system has the potential to totally wreck everything.
I suspect the reason Windows has this issue is to do with poor separation of privileges within the actual OS itself. In fact Mark says as much, though he blames third party software:
Further, many applications fail when run in a limited-user account because they’re poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.
The last time I looked, Microsoft, along with other OS proprietors, have tons of literature available for developers that offer guidelines on practices for integrating software into their platforms. Unless the software is a system utility, there's absolutely no need for them to have access to anything that would require admin privileges. And why have \Program Files protected? If there is any reason it must be protected, then why have other software install into that directory also? Why call the directory "Program Files" if it's only meant for Protected Program Files?
3/3/2006 7:17:00 AM by ruy_lopez
Actually, Vista is good about helping Administrators run as users. But users actually running as Users will (at least in current builds) find that not much has changed - you still must elevate processes using an alternate set of credentials (same as RunAs has been since Windows 2000).
3/3/2006 7:30:00 AM by Wes
Although this is better than running everything as admin, I generally do not like this approach. It's backwards – it is far better to run everything unprivileged (especially the desktop) and elevate selectively rather than run everything as admin and drop privileges on selected apps. Some specific objections:
* At a minimum, Explorer must run as admin
* Any autorun items ("Start" folder, "Run" key, etc.) – including those added by malware – will run as admin. (Note that a lot of malware writes stuff into HKCU\...\Run.)
* It remains really easy for malware to elevate – running stuff through the shell is just one way
* Apps that communicate across processes will often break (e.g., if Outlook runs as "Basic User" and Windows/MSN Desktop Search runs as admin, the latter doesn’t work.)
I've written extensively on how to do the non-admin thing (including how to get Explorer to cooperate), and am in the middle of a series on how to fix LUA bugs so that bad apps don't need elevated privileges.
I also need to point out that this DropMyRights-like approach is not at all what UAC does, and "low-rights IE" does far more than just run as normal user.
3/3/2006 10:06:00 AM by Aaron Margosis
I could be missing a point here, but the previous blog that Mark wrote about LUA's was "Circumventing Group Policy as a Limited User" and showed us how to do this with GPDisable.
I use SRP/SAFER/Basic User on all internet-facing programs and any of the other "Updaters" and "Quick-Launch" apps usually just get the Disallowed flag.
I now barely use my Admin account and run as LUA because of the possibility of "Nasty's" injecting themselves into Admin dll's but still just have the SRP rules in place anyway.
So like the previous post said about explorer.exe, and Mark mentioned about Whitelisting, what can we lock down and run as Basic User rule, $Program Files$*.* ??, explorer.exe??
If I do this on a process such as.. "C:\WINDOWS\System32\svchost.exe" or *svchost.exe which runs under NT AUTHORITY\SYSTEM and has the Admin priv, I feel it ain't going to work anymore. Are these processes hi-jackable? One confused bunny.
Anyway, I'm gonna make a working backup today, SRP/Basic rule what I can and post back here(after the backup's been restored :-))
3/3/2006 10:33:00 AM by Coopster
posted by sean at 1:08 PM, March 02, 2006: The better approach is to run everything as a limited user and elevate privileges only when necessary (to install an app, change power config, etc).
Technically yes. But sometimes corporate politics doesn't let us do that. When some high-ranking executive wants to be an admin -- and everyone in his group to be an admin -- what do you do?
3/3/2006 12:00:00 PM by Robert Racansky
AV software like KAV and AVG will update/scan properly under a limited account without the need for Run As.... However, everyone better watch out for AVG:
I tried making a fuss yet little seem to care.
3/3/2006 12:15:00 PM by Josh
Josh - re AntiVirus: AV software is a big ugly offender in this space. My personal opinion on the matter is that AS THINGS ARE TODAY, you are better off running as normal User WITHOUT anti-virus software than as Admin with anti-virus. (That's TODAY. The threat landscape will change over time.) My mother-in-law's computer came with an AV product that didn't work well as Limited User, so I uninstalled it. (Yes, she runs as User.)
3/3/2006 1:18:00 PM by Aaron Margosis
Robert Racansky: Good question. Ask your execs if they also want to work on their HVAC and plumbing themselves. "Administrator" should be renamed to "Janitorial Maintenance Account". That might clear things up for them.
3/3/2006 1:20:00 PM by Aaron Margosis
Ann, I just did an audit of my system drive and the registry. I was a *very* privileged limited user.
There was AVG granting Everyone Full Control (the whole shebang) to files that were updated pertaining to AVG. This is purely Grisoft's foul play and easily reproducible (just update it!).
I also had access to all the nVidia drivers (nForce, nForce audio, video) both in WINDOWS\system32 and system32\drivers. My limited account was the owner in fact. I also had ownership to the registry entries, even the ones in HKEY_LOCAL_MACHINE\SYSTEM. I think what may have caused it is because I extracted the files in the nVidia setups as my user, and Run As the actual install file. I do this so *I* can delete the extracted setup files after the installation is done. In the future, I won't do that again.
Thanks to Mark's AccessEnum, I could easily identify all the culprits.
3/3/2006 2:40:00 PM by Josh
It's *my* machine - I want to run with full ability not some limited sandbox set.
3/3/2006 3:58:00 PM by Hello
First, the name is "Aaron", not "Ann"!
Second: if your limited account shows up as owner on these objects, what is usually the cause is that your limited account USED TO BE admin, or you used MakeMeAdmin without heeding the warning here:
It may also be that the installation program moved files owned by you rather than copying them to their destinations. MOVE retains the existing security descriptor; COPY lets the new objects inherit from the parent container.
I've gotten very careful about how I install tools that my admin account uses. For example, when I update any of the many SysInternals tools (that I use all the time and thank you again Mark), I browse to sysinternals.com as admin (don't ever let your web server get pwnt, Mark!:-), download and open the zip file and extract the files straight to %ProgramFiles%\SysInternals, then close the WinZip and IE running as admin.
And "Hello" sounds like someone who likes to play in traffic. :-)
3/3/2006 4:17:00 PM by Aaron Margosis
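The ownership and permission audit discussed in the comments above (done there with AccessEnum) can be reproduced with a short PowerShell function. This is an added example, not part of the original thread; the function name `Get-WeakSystemAcl` and the default directory list are assumptions chosen for illustration.

```powershell
# Added example (hypothetical helper, not from the thread): list files under
# protected locations that a limited user could modify, either because a
# non-administrative account owns them or because a broad group has write access.
function Get-WeakSystemAcl {
    param(
        # Assumed defaults: locations that only administrators should be able to change.
        [string[]]$Path = @($env:ProgramFiles, "$env:SystemRoot\System32\drivers")
    )

    # Well-known SIDs, compared as SIDs so localized group names do not matter.
    $trustedOwners = @(
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        # NT SERVICE\TrustedInstaller (present on Windows Vista and later)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    $broadPrincipals = @(
        'S-1-1-0',        # Everyone
        'S-1-5-11',       # Authenticated Users
        'S-1-5-32-545'    # BUILTIN\Users
    )

    # Rights that let a principal change content, delete, or re-permission an object.
    # Generic access bits on inherit-only ACEs are not decoded by this check.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]`
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($root in $Path) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { return }   # unreadable item: skip it and continue with the next one

            # Finding 1: the owner is not an administrative principal.
            # An owner can always rewrite the DACL, whatever the ACEs say.
            $ownerSid = $acl.GetOwner($sidType).Value
            if ($trustedOwners -notcontains $ownerSid) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Finding   = 'Owner'
                    Principal = $acl.Owner
                    Rights    = ''
                }
            }

            # Finding 2: an Allow ACE gives a broad group write-type access.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                $grantsWrite = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadPrincipals -contains $ace.IdentityReference.Value -and
                    $grantsWrite) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Finding   = 'BroadWrite'
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights.ToString()
                    }
                }
            }
        }
    }
}

# Example run: group the findings so the worst offenders are easy to spot.
Get-WeakSystemAcl | Sort-Object Finding, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so protected subdirectories can be read. An `Owner` finding on a file that was moved into place rather than copied is consistent with the MOVE behaviour described in the comment above.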
To "Hello": I think you missed the point of the article. The reality is that when you run as a local administrator, you AND any applications that run as you (including drive-by's and exploits that love to find their way through IE's layers of - ahem - extensibility) get to have full reign of your system, as well. If you don't mind sharing your system with them, then by all means continue running as an administrator all the time. :-)
3/3/2006 5:57:00 PM by Wes
Oops, sorry, no clue where I got "Ann" from.
3/3/2006 8:27:00 PM by Josh
The problem isn't that Admin has full access to everything. The problem is that when you first install Windows you boot into an admin account. Most people have no idea how or why to change this. It's like running as root in Linux.
Problem is, since everyone is Admin by default, software developers write programs that require admin access, and never test it under a limited account.
3/4/2006 3:57:00 AM by Anonymous
To the previous anonymous: Most developers work as admin due to habit because the tools of the past (Visual Studio 5/6) required such privileges to run (before knowledge of how to deal with LUA bugs became more widespread as in the last couple of years - thanks Aaron).
The releases of VS2002/2003/2005 don't seem to have done much to break the ingrained habits even though they don't require admin privileges.
3/4/2006 11:37:00 AM by sean
"Most people have no idea how or why to change this. It's like running as root in Linux."
Obviously they don't read that booklet that comes with Windows. (Hey, doesn't this sound like "RTFM" in the Linux world?) It tells the user how, and why. Microsoft takes the blame because they are expecting the user to decide what is best.
But it still isn't for the meek, because some legwork is still needed to fix broken applications because of HKEY_LOCAL_MACHINE permissions and write permissions to system folders (more notably Program Files and there may be a few rare that write to \WINDOWS or \WINDOWS\system32 for nVidia users to write to nvapps.xml).
3/4/2006 2:58:00 PM by Josh
I love you Mark
3/5/2006 5:11:00 AM by Anonymous
I tried to launch IE as limited user using both psexec v1.70 and ProcessExplorer v10.05 but without success, IE process closes almost instantly (before showing the UI). I'm running Win2k3 SP1, the computer is member of a domain and the "non-limited" user running psexec, processExplorer is a member of Administrators group. Any ideas?
3/6/2006 6:13:00 AM by Anonymous
I run my computer in user mode now, I got burned too many times in admin mode if I want to install specific software I will execute with runas.
With a minority of programs that need admin privileges I use an app supplied by ROBOTRONIC.DE http://robotronic.de/runasspc/ it is a small app that will elevate an application's privileges automatically and hide the user name and password in 256bit encryption file, so Mark's concept is quite sound if applied correctly ps. It also stops members of your family from destroying your installation ha ha.
3/6/2006 9:13:00 AM by techman
Why is it that I can run my computer running WINXP with full Admin priv's and not ever have any issues with Spyware/Malware/Virus, etc..
Usually I reformat my system every 6 months, however with my home PC, running WINXP SP2 with Full Admin privs, I have NEVER had a problem.
How about people start educating themselves and rely LESS on software to think for them. The problem is not the software or the developers. The problem is ALWAYS the end user. Make informed and intelligent decisions and you won't have problems.
3/6/2006 9:48:00 AM by Anonymous
To the anonymous poster who is having issues running IE in a separate context:
Ensure you have followed the steps Aaron outlines here if you want to use RunAs or Run as Limited User with IE. Specifically checking the Run as a separate process (not enabled in Windows by default).
3/6/2006 9:56:00 AM by Wes
I'm surprised no one has mentioned programs like sandboxie / etc. that basically say "take your best shot" and then allow everything to be rolled back. That might be the best bet for people who don't want to be troubled with separate accounts, etc.
3/6/2006 6:22:00 PM by Anonymous
Vista is a little disconcerting as the latest beta installs the initial user as Administrator.
I still would prefer the base user installed as limited privs, regardless of how safe IE7 has become.
I look forward to your review of Vista, Mark.
3/7/2006 2:09:00 PM by Chris Dickerson
Frankly, Vista is 100% about running as admin and having your rights artificially constrained and elevated only when you make a decision to do so (like the average user can make that call).
Try running as a limited user in Vista for any length of time. It's no different than running as a user today - except the RunAs dialog is more automated, and prettier.
Frankly UAC does little to encourage the movement away from the use of the Administrators group, which should be Microsoft's primary focus. In fact, it does quite the opposite.
3/7/2006 4:18:00 PM by Wes
A dialogue box would do the trick:
This application requires administrative rights to execute. Only software which comes from a reputable source should be allowed to execute under these conditions.
Cancel or Continue
The main problem seems to be more about the way admin accounts work - no way of knowing which processes are going to use the elevated rights until too late - than the fact the boxes run admin by default.
3/8/2006 8:34:00 AM by Anonymous
To the anonymous poster above:
Dialogs conceptually do the trick. But as Microsoft should have learned with their "STOP Installation | Continue" dialog for unsigned drivers in Windows XP, users will innately become conditioned to click what they know will get them less annoyed faster - and can be easily socially engineered into clicking the more dangerous option.
Technical users can make a decision about when an app should or should not be requiring administrative privileges - especially in a day and age where malignant software attempts to present itself as being from Microsoft or another reputable source by misrepresenting the application (textually or visually). The prototypical "Abby" (Microsoft's non-technical consumer persona) cannot make a safe decision in that situation. Simple usability testing of UAC with non-technical consumers would show that.
3/8/2006 10:58:00 AM by Wes
wes: I agree. I remember reading something I think was attributed to Jesper Johansson that applies to this situation. To paraphrase: "When choosing between dancing pigs and a more secure option, expect the user to choose the dancing pigs every time."
3/8/2006 7:01:00 PM by John
I am just learning about security and how to restrict access/privileges for user accts. I have been running default as admin for several years and have not had an issue that I can tell with spyware etc. but how would I know? I don't have any popups that plague me, I run trendmicro every now and then, have a firewall up, run mcafee, ms antispyware, etc. and I don't get any flags. I don't run activeX content unless I allow, same with java apps. How would I know if I have acquired anything on my system if there is no visible means? How does one determine that they are 'infected'? I am pretty much a noob so please go easy on the techy ackronyms (sic?) and such. oh, I use IE and obviously I don't go downloading every this or that or open email crap that is 'questionable'. Although it has occurred to me that opening pics or such from friends is a great way to 'socially engineer' a virus for spreading around. Thanks Group. Also, big thanks to Mark and Aaron for great info, I'm learning quite a bit and to all those who have posted. Your posts are appreciated by noobs like me. --Amy
3/9/2006 11:13:00 AM by Anonymous
I am in no way computer savvy, so I am going to pose this question here.
I currently run my computer with Admin privileges. I have all the programs I need installed, such as trillian, firefox, winamp, photoshop cs2, f-secure, etc. I don't have any "old" program installed
If I change my account type to Limited, would I still be able to run everything normally? I don't think I will be needing to install anything anytime in the near future, so I want to know if I can simply run and use all the programs normally. I would rather not use a guess-and-check approach but wait for someone to answer. Thanks!
3/9/2006 10:45:00 PM by Frank
You've inadvertently touched upon the real issue surrounding computer security: you can never be 100% certain your machine hasn't already been compromised.
Fortunately most real-world security breaches take the form of well documented exploits that capitalise on outmoded OS versions. And to boot, most security incidents leave noticeable footprints: pop-ups, unsolicited downloads, and sluggish performance.
Of course it's not beyond the ken of some malefactors to break through your security measures without leaving any tell-tale signatures. But anyone with the requisite technical expertise to do so is unlikely to be interested in breaking into your machine in the first instance (unless you are harbouring state secrets on your hard drive).
You should take a look at Mark's free downloads (process explorer, rootkitrevealer), and familiarise yourself with the feedback these tools give you of your system in its natural state. Only through doing so will you recognise when something is amiss.
Also keep your eyes peeled on CERT (www.cert.org) for vulnerabilities relevant to your software and operating system, and keep them fully patched.
Where security is at stake you can never be too paranoid. But by the same token, if you aren't seeing any suspicious activity, chances are there is nothing going on you should be overly concerned about.
3/10/2006 2:47:00 AM by ruy_lopez
Amy, one more thing,
a packet sniffer like Ethereal will give you a read-out of network activity.
If you capture packets while you're idle - not browsing or doing anything like that - there should be minimal traffic on your network.
If, on the other hand, you see a lot of traffic - then something fishy is going on that needs investigating.
You can download Ethereal here www.ethereal.com/download.html
3/10/2006 6:25:00 AM by ruy_lopez
After reading your post it took me all of 3 minutes to alter my link in my quicklaunch to "fix" my IE.
I'll be adding this to my security apps folder on my flash drive. Process Explorer has already helped me more than any other tool I use when cleaning people's machines.
3/11/2006 12:47:00 PM by Shaun
I tried using your approach, but I am having problems with some Internet Explorer shortcuts.
IE in restricted mode cannot access several shortcuts and it just pops up the following message:
Problem with shortcut: The target "" of this Internet Shortcut is not valid. Go to the Internet Shortcut property sheet and make sure the target is correct.
If I run Internet Explorer without psexec, all the shortcuts work fine.
Do you think there are problems with file permissions on the shortcuts?
3/14/2006 12:59:00 PM by PaoloM
I was able to run IE via Mark's tool without difficulty. My favorites do show up, which is nice.
However, my home page (about:blank) is not honored - it went to msn.com. And all attempts to change my home page to anything other than msn.com fail - the "Apply" / "OK" buttons give the appearance of working. But clicking the home button still takes me back to msn.com; and going back into Tools->Options shows that the home page has not in fact changed.
Any ideas? Thanks,
3/15/2006 3:16:00 PM by Donnie Hale
Although Mark's way is really easy but we can offer to you an easier way ;) Please check out the tool RunAsAdminExplorer Shim at https://sourceforge.net/projects/runasadmin/
Believe me it is worth of a try, it is completely free and useful. The basics of the program is also the CreateRestrictedToken API, but goes further by a step, you can choose to start your shell (and all of the programs started by the shell) with the restricted token. Also possible to configure the tool to let everything untouched as you did it earlier, but you can start just some programs on the restricted level via a shell extension, a D&D icon on the task bar or a command dialog. The program has a very flexible and strong policy system via you can let users always to start certain programs on a specific restriction level. Also you can restrict to start only specific programs. The policy flexible enough to control the startable programs as your needs go.
3/16/2006 9:43:00 AM by Hofi
Mark said "Simple usability testing of UAC with non-technical consumers would show that." I totally agree BUT good luck getting the actual non-technical customer to practice on.
I teach Computer Basics (this is a mouse, this is how you hold it, this is a menu, this is what "click" means) to displaced workers and seniors --- and NONE of my students would subject themselves to something called Usability Testing. The only ones who will come to Redmond for a free t-shirt are the ones who want to be "first kid on the block" to see/use new software. Try going to a Senior Center or unemployment office instead.
I'm very disappointed to hear that Vista is defaulting to Admin rather than Limited. It ought to be on the heads of the folks who know what they're doing to elevate themselves instead of expecting your mother-in-law to know when to limit privileges.
3/16/2006 2:21:00 PM by Anonymous
My personal pet hates re: permissions:
*** Microsoft Office 2K (I mean duuh, it's YOUR OS, Microsoft, make it work perfectly with Win2K, you know, the corporate OS with different user permissions?)
*** Anything by the *execrable* Ulead systems. Requiring write access to ~4 different directories just to (slowly) re-encode mpeg2 to DVD? Then they use undocumented system drive directories as well, and only give the error that you can't write to them *at the end of the hours-long encoding process*... Madness!
Also, I think not having write access to the %program files% directory is a GOOD thing in principle, how else do you protect your programs from unauthorised interference - this is a good start, no? Applications should know to keep config files and such in the User Profile, it's how Windows is supposed to work, no?
If I ever meet the guys responsible for Ulead's annoyances, I will probably be off to jail very soon afterwards...
3/19/2006 7:21:00 PM by Anonymous
I found this discussion interesting, but I think that focusing so much on "system security" is a little bit beside the point. The real valuable things in your computer are your personal data. OSs and Applications can be reinstalled quite easily. So if you run as a limited user, a virus still has the necessary privileges to erase your data. What's the point then?
In my opinion, the whole admin vs user access is really important on a multi-user desktop computer or a server. (So one user or virus cannot erase everybody else's stuff or take a critical server offline.) Otherwise it makes sense that the owner of a computer has admin access to it, especially if he's constantly tweaking stuff, installing new programs, and the like, as I do.
Windows XP has been installed on this computer for two years, by the way, and being careful, I never had to reinstall, nor did I have any virus, trojan or other malware problems.
3/21/2006 11:13:00 PM by Anonymous
"The real valuable things in your computer are your personal data. [. . .] So if you run as a limited user, a virus still has the necessary privileges to erase your data. What's the point then?"
If you back-up your personal data - which everyone should do, periodically - then the damage is limited. On the other hand, if you are running admin, and your security is compromised, you have no way of relying on the system to do anything reliably - including backing-up your personal data.
Which is worse, losing data that is backed-up, or losing the ability to back-up data that isn't?
3/22/2006 10:01:00 PM by ruy_lopez
Regarding the question on DesktopStandard’s PolicyMaker Application Security, it supports granular permission and privilege escalation and lowering, doesn’t change the user’s identity, and is free in Local GPO.
You can run as LUA and set rules to elevate various applications to run with whatever privileges are required. There is no need to execute with special command lines or shortcuts. The approach of lowering privileges is available, but running as LUA and elevating as required creates a much more secure environment – as several people have pointed out.
The product provides protection of targeted applications against code injection and other techniques that might be otherwise used to gain privilege escalation from a LUA process, and even protects applications against GPDisable type attacks that might allow an end-user to circumvent ADM template (registry) policy.
3/24/2006 12:54:00 PM by Anonymous
Regarding the Anonymous comment above, Winternals Protection Manager can also deliver the same functionality - elevation and reduction of a user's privilege, without running in a separate context.
It does so also while blocking all untrusted applications and any applications specifically denied by the Protection Manager administrator. It also doesn't require the use or manipulation of Group Policy, something which customers told us relatively clearly they wanted us to avoid.
3/24/2006 3:03:00 PM by Wes
Firefox runs, my favorite sites all work.
There's one VERY BIG PROBLEM though.
I cannot copy and paste ANYTHING.
No copying links to email, no copying text to quote it in a message...really kills a lot of the usefulness. I can't even copy a link from the URL bar from limited user firefox to admin user firefox.
3/25/2006 11:54:00 PM by Anonymous
Thanks for bringing this subject to the forefront.
No doubt many would have got the same message from all those reputable anti-spyware researchers' blogs that LUA is a very effective technique to minimise the attack surface.
It is very sad to see many applications are still being rolled out developed by developers who are ignorant of the Windows File System security model published prior to the release of Windows 2000 and that they are developing in admin account.
I am a developer and have been using LUA for more than a year now and loving it. I learned this technique, which is different from Mark's, from Keith Brown on
Nothing personal Mark, I respect your great work, I love to use tools that are already part and parcel of the OS so that as I move around, I can still work. Consequently I have found Keith's technique is more suited to developers.
As a side note: one also has to redesign the development projects or solution slightly to run in LUA without having to run your dev tools in admin account, which defeats the purpose of LUA.
To get developers to run in LUA mode is like getting drivers to wear seat belts when it was first introduced.
Many drivers initially viewed wearing a seat belt as a sign of being a sissy. Many developers feel running in non-admin is restrictive and an insult to their technical prowess. Actually, running in an admin account is a sign of a lack of technical prowess.
Whenever I can, I try to get my developers to run in LUA. The clever and smart ones know how to navigate the minefields caused by badly written applications. But many lazy ones use them as an excuse not to run in LUA.
Keith Brown also maintains a Hall of Shame of misbehaving programs, and they should be more prominent, including Visual Basic 6.
Good work Mark. I am very happy with the way Vista deals with this. No more free elevated privilege in Vista. Running Admin account only saves authentication and nothing more. Your consent is still sought.
Even RegEdit requires consent from Admin.
Get used to running in LUA now.
3/27/2006 8:35:00 AM by Anonymous
I'm confirming the Firefox Copy & Paste problem as described above
3/29/2006 3:30:00 AM by Anonymous
Unfortunately, there's a big gaping hole in this technique. If the "limited" IE instance connects to \\127.0.0.1\c$ (doesn't matter if you prefix with file:), it can access the file system with the user's original rights. This is described at http://blogs.securiteam.com/index.php/archives/188 and I have tested with ProcessExplorer 10.06 to confirm that PE is just as vulnerable as the various other utilities which use the same basic technique to "reduce" rights.
4/8/2006 5:34:00 AM by Ronny Ong
4/10/2006 2:06:00 AM by Patrick Ogenstad
Why not just get a Mac?!?! By default, you don't run as Root. You can still be Admin of the box and have all rights over it. But when a virus or malware hits, you don't have to worry about it corrupting your OS. Oh wait, there are no viruses that affect the Mac, EVEN BETTER! Outlook, IE, Windows.. why not convert to an OS and applications that actually WORK!
Windows Vista... HAH! Bill's just copying stuff that is already running on other Operating Systems. Stress on the ALREADY RUNNING... so will we ever actually see VISTA be released to the general public? Just go get OS X.. it's already out and works beautifully!
4/12/2006 2:32:00 PM by Anonymous
There are a lot of apps that do not run properly (if at all) under a limited account. However, I commonly use these applications as a limited user:
* Firefox (even updates will install as limited user)
* AVG Anti-Virus (even updates will install as a limited user)
* Spybot Search & Destroy (will not update, so I do a weekly "runas")
* Ad-Aware (even updates will install as a limited user)
* changing network settings, running a VPN, or setting up a printer
4/22/2006 7:14:00 PM by Anonymous
Tip: I use this method now to load "Firefox Preloader" at startup.
Very little work and Firefox always runs as limited user, also from links in emails.
4/26/2006 6:20:00 AM by Anonymous
OK, I've got the opposite problem. I set up my five year old a LUA but she wants to run a Disney game "Monsters Inc Scream Team Training" which requires her to Run As administrator and me to punch in that pw every single time. We have other games like that as well.
Can I tweak registry entries to change these programs' shortcuts so that they automatically run as Admin the way IE does?
5/4/2006 3:42:00 PM by Andrew
On my wife's computer I have her running as a limited user on WinXP Home. I've just installed McAfee A/V and it will not install the updates for a limited user. She is not patient enough to use Run As. Any way around this?
5/24/2006 10:51:00 AM by Anonymous
My Etrust EZ antivirus would not update as limited user even though tech support said it would. I solved the problem by giving write permission to the EZ antivirus folder in Program Files.
Log in as administrator, right click and select properties>sharing and check the boxes "share this folder on the network" and "allow network users to change my files"
Not sure it would work with McAfee but worth a try.
6/1/2006 10:00:00 AM by Anonymous
As discussed above, if you are logged in with a limited user account, and wish to make an administrative change without logging out or switching users, the free "MakeMeAdmin" tool is excellent. It can be downloaded from
Users may also be interested in a free tool written by me to be used in conjunction with MakeMeAdmin. It is called "Launch Admin" and it can be downloaded from
6/24/2006 9:34:00 PM by Patrick Rynhart
Running a secure system is very possible. ALL users of our systems are "normal" user accounts. No one is an admin. We apply security to the file system so that users have read/exec access for the ENTIRE disk and then we open up access to the appropriate folders and files. The same goes for the registry. Once the OS was properly secured so that a normal user can run successfully, we moved on to applications; you have to install as an admin and run as a user and learn what the programs are doing and what access they want. Now, before you open access, you need to see what the programs are doing and see why they want access. You may not have to give the user access to the locations the programs want to write to. You may be able to configure the program to write to another open location such as a temp directory or the user's data locations. There are tools available to help diagnose and resolve security issues such as these.
6/30/2006 3:25:00 PM by Mark J Hogan
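Several comments above describe opening up folder permissions so that an application runs or updates under a limited account. The following audit is an added example, not part of any commenter's post: it lists directories under Program Files that well-known non-admin principals can write to, so each opened-up location can be reviewed. The function name, the SID list and the default depth are choices made for this example, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: report directories that limited (non-admin) principals can write to.
# Principals are matched by well-known SID so the check also works on localized systems.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Specific rights that let a principal add, change or replace content.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights can be stored unmapped in an ACE: GENERIC_WRITE | GENERIC_ALL.
$GenericBits = 0x40000000 -bor 0x10000000

function Get-LimitedUserWritableDirectory {
    param(
        [string]$Root = $env:ProgramFiles,   # tree to audit
        [int]$Depth = 1                      # 0 = immediate children only
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            # Skip directories whose ACL cannot be read with the current rights.
            try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }
            # Explicit and inherited ACEs, with identities returned as SIDs.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -ne 'Allow' -or -not $LowPrivSids.ContainsKey($sid)) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $WriteBits) -or ($rights -band $GenericBits)) {
                    [pscustomobject]@{
                        Path      = $path
                        Principal = $LowPrivSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Get-LimitedUserWritableDirectory | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Any row for a directory that holds executables means a limited process can replace code that an administrator may later run, which is the exposure the read/exec-only baseline is meant to prevent.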
Michael Howard of ms wrote a similar app named DropMyRights which does the same thing as the app noted here.
My contribution to the whole process is I wrote a vbs script that automatically creates the shortcuts prefixed with “Safe”, assigns a default icon, & gets the safe version to start in MyDocuments. If you have a lot of apps you want to run with the reduced token, this script saves a lot of time. The script should be modified to suit your needs. For instance, I renamed the main DropMyRights.exe to c:\dmr\d.exe. This enables easier ad hoc typing @ command prompt. Also, the aryApps=Array line should be modified to suit the apps installed. Basically, any ms or inet facing app on my box gets run with the limited token. After the script runs, simply copy all of the shortcuts from c:\dmr\CreatedShortcuts\ to a favorite launch location. The only 2 apps that cause problems on my box are WinMP11Beta & winamp. If anyone knows how to halt ms apps from accessing the inet (word, excel, etc…) I would appreciate that code indeed!
Items you should change:
1. FROM: Set oFileCopy=oFso.GetFile("Q:\common\DropMyRights\d.exe")
and: dropMyRightsExePath=rootPath & "d.exe"
1. TO: Your local path to DropMyRights.exe
2. FROM: All path vars (note, myDocumentsPath is a great place: “safe “ allows saves to myDocuments but not c:\ etc…)
2. TO: Your local paths
3. FROM: aryApps=Array(officeDir & "OUTLOOK.EXE", et al…
3. TO: Your apps (although this is a good start [ps. I still run vs6/vs2005 as admin ?])
'Create Safe Shortcuts.vbs
'written by Steve Smith - ICR Media Pa 7/25/06
'Download DropMyRights @ http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
Dim aryApps, officeDir, i
Dim oShell, oFso, oFolder, oFileCopy, oShellLink, lnkName
Dim rootPath, shortcutsPath, dropMyRightsExePath, myDocumentsPath
Set oShell=CreateObject("WScript.Shell")
Set oFso=CreateObject("Scripting.FileSystemObject")
'c:\dmr\ holds the renamed DropMyRights.exe (d.exe) and the generated shortcuts
rootPath="c:\dmr\"
shortcutsPath=rootPath & "CreatedShortcuts\"
dropMyRightsExePath=rootPath & "d.exe"
'the "safe" shortcuts start in My Documents
myDocumentsPath=oShell.SpecialFolders("MyDocuments")
officeDir="C:\Program Files\Microsoft Office\OFFICE11\"
'create the folders and copy d.exe into place before any shortcut is saved;
'errors (folder already exists, source file not found) are ignored for this step only
On Error Resume Next
Set oFolder = oFso.CreateFolder(rootPath)
Set oFolder = oFso.CreateFolder(shortcutsPath)
Set oFileCopy=oFso.GetFile("Q:\common\DropMyRights\d.exe")
oFileCopy.Copy dropMyRightsExePath
On Error GoTo 0
'you can add more apps in here, follow the
' "C:\Program Files\Mozilla Firefox\firefox.exe", _
'line as a prototype of what it should look like... Just change the full path & exe.
'Then insert into the middle of the lines below
'editable region begins:
aryApps=Array(officeDir & "OUTLOOK.EXE", _
    officeDir & "WINWORD.EXE", _
    officeDir & "MSACCESS.EXE", _
    officeDir & "EXCEL.EXE", _
    officeDir & "INFOPATH.EXE", _
    officeDir & "MSPUB.EXE", _
    officeDir & "POWERPNT.EXE", _
    officeDir & "MSE7.EXE", _
    officeDir & "WINPROJ.EXE", _
    "C:\Program Files\Microsoft Office\Visio11\VISIO.EXE", _
    "C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe", _
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe", _
    "C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe", _
    "C:\Program Files\TextPad 4\TextPad.exe", _
    "C:\Program Files\Windows Media Player\wmplayer.exe", _
    "C:\Program Files\Winamp\winamp.exe", _
    "c:\Program Files\Mozilla Firefox\firefox.exe", _
    "c:\program files\internet explorer\iexplore.exe" )
'editable region ends:
For i=0 To UBound(aryApps)
    'file name only, e.g. OUTLOOK.EXE
    lnkName=Right(aryApps(i), Len(aryApps(i)) - InStrRev(aryApps(i), "\"))
    'text compare so an upper-case ".EXE" is replaced too; CreateShortcut needs a .lnk name
    lnkName=Replace(lnkName, ".exe", ".lnk", 1, -1, vbTextCompare)
    CreateShortcuts lnkName, CStr(aryApps(i))
Next
msgbox "explorer will now appear, simply copy & paste the shortcuts to the place you would normally launch the apps"
oShell.Run "explorer.exe /e," & shortcutsPath

Sub CreateShortcuts(lnkName, appImage)
    Set oShellLink=oShell.CreateShortcut(shortcutsPath & "safe " & lnkName)
    With oShellLink
        'the shortcut launches DropMyRights, which starts the app with the reduced token
        .TargetPath=dropMyRightsExePath
        .Arguments=Chr(34) & appImage & Chr(34)
        .IconLocation=appImage & ", 0"
        .WindowStyle=7 '(1=normal, 3=maximized, 7=minimized)
        .WorkingDirectory=myDocumentsPath
        '.Hotkey "sequence" =Hot key sequence. Must start with CTRL+ALT. Ex. CTRL+ALT+SHIFT+X
        .Save
    End With
End Sub
8/23/2006 8:49:00 AM by Anonymous
Re "It'd be nice to specify that IExplorer always runs as limited user, even if launched by another app since so many apps embedd IE."
Another way to do that, more flexible than using the policy tool, is to use the debug exe hook like Proc Explorer uses to replace the task manager.
9/12/2006 2:59:00 PM by John Dlugosz
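The "debug exe hook" mentioned above is the Debugger value under the Image File Execution Options registry key, the mechanism Process Explorer's "Replace Task Manager" option uses. Whatever that value names is started in place of the image, so the entries are worth reviewing on any machine; the listing below is an added example, not code from the thread, and the function name is chosen for this example.

```powershell
# Added example: list every image that has a Debugger redirect configured.
# Both registry views are checked; the WOW6432Node key exists only on 64-bit Windows.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-ImageDebuggerHook {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $view = if ($root -like '*WOW6432Node*') { '32-bit view' } else { 'native view' }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # GetValue returns $null when the subkey has no Debugger value.
            $debugger = $key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }
            [pscustomobject]@{
                Image    = $key.PSChildName   # executable name the hook applies to
                Debugger = $debugger          # command line started instead of the image
                View     = $view
            }
        }
    }
}

Get-ImageDebuggerHook | Sort-Object Image | Format-Table -AutoSize -Wrap
```

An entry for taskmgr.exe pointing at Process Explorer is the expected result of its replace option; any entry that cannot be traced to a deliberate configuration change deserves a closer look.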
I finally am logging in as a "limited" user. I wrote my own version of runas called wrunas that is a windows application and not a console application (because I dislike the console windows popping up). I then added a shortcut to exe files that is a JScript that uses wrunas to elevate my limited user account to administrator, launches the program under those new credentials, then immediately removes the account as an administrator. In this way, I can decide which program I want to run as me but with elevated permissions. I only need another admin account to elevate the permissions... Fun
9/12/2006 9:14:00 PM by Anonymous
"With a bit of effort you can run most applications as limited user - the effort varies between installing the application into a writable area (I keep one for the purpose) to shouting at the developers."
Just wanted to write a quick note and thank these two posters. I manage the computers for my local volunteer fire dept. I have my signon as Computer Admin and the members signon as a Limited account. I had the same problem as post # one where a program would not run on the Members signon because it was set to Limited. I did not want to set up the members account as a Computer Admin, no telling what might happen. The 2nd post gave me just the piece of info I needed to get it working. So this might be a little off from the original topic, but I just wanted to say thanks.
10/22/2006 2:08:00 PM by Anonymous