Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Running as Limited User - the Easy Way

Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.

As this eWeek study shows, one of the most effective ways to keep a system free from malware and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone require administrator rights. Further, many applications fail when run in a limited-user account because they’re poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

An alternative to running everything as a limited user is to run as a limited user only the Internet-facing applications that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Process Explorer’s Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges:



PsExec with the -l switch accomplishes the same thing from the command line:



An advantage to using PsExec to launch limited-user processes is that you can create PsExec desktop shortcuts for ones you commonly launch. To make a shortcut for Outlook, for example, right-click on the desktop, choose New->Shortcut, enter the path to PsExec in the location field and click Next. Enter Outlook as the name of the shortcut and press Finish. Then right-click on the shortcut to open its properties and add "-l -d" and the path to Outlook (e.g. C:\Program Files\Microsoft Office\Office11\Outlook.exe, in quotes because the path contains spaces) to the text in the Target field; -l launches the target with limited rights and -d tells PsExec to return without waiting for the target to exit. Finally, select Change Icon, navigate to the Outlook executable and choose the first icon. Activating the shortcut will result in a Command Prompt window briefly appearing as PsExec launches the target with limited rights.
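The same shortcut can be created from PowerShell instead of the New Shortcut wizard. This is an added example, not part of the original post or of PsTools; the PsExec and Outlook paths are assumptions to adjust for your system.

```powershell
# Added example: a desktop shortcut that launches Outlook through "psexec -l -d".
# Both paths below are assumptions; change them to match your installation.
$psexec  = 'C:\Tools\PsTools\psexec.exe'
$outlook = 'C:\Program Files\Microsoft Office\Office11\Outlook.exe'

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("$env:USERPROFILE\Desktop\Outlook (limited).lnk")
$lnk.TargetPath       = $psexec
# Quote the target path: it contains spaces, and PsExec would otherwise
# treat "C:\Program" as the program and the rest as its arguments.
$lnk.Arguments        = "-l -d `"$outlook`""
$lnk.WorkingDirectory = Split-Path $outlook
$lnk.IconLocation     = "$outlook,0"      # first icon of the Outlook executable
$lnk.Save()
```

Double-clicking the resulting shortcut behaves exactly like the hand-made one: a console window flashes while PsExec builds the restricted token and starts Outlook with it.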

Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that's a stripped-down version of their own, with administrative privileges removed and administrative group membership disabled. After generating a token that looks like one that Windows assigns to standard users, they call CreateProcessAsUser to launch the target process with the new token. Because the new token is a restricted version of the caller's own primary token, no special privilege such as SeAssignPrimaryTokenPrivilege is required, and the launched process still runs in the same account and profile as its parent.
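The following is an added example, written for this page and not taken from Process Explorer or PsExec, that performs the same two API calls from PowerShell: it opens the current process token, asks CreateRestrictedToken to disable the Builtin\Administrators SID and drop privileges, and starts a process with CreateProcessAsUser. The command line launched at the end is an assumption chosen so the new process prints its own token.

```powershell
# Added example (not Sysinternals code): launch a process with a restricted version of the
# caller's own token, the way Process Explorer's Run as Limited User and "psexec -l" do.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Restricted
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    public const uint DISABLE_MAX_PRIVILEGE = 0x1;   // keep only SeChangeNotifyPrivilege
    // TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID
    public const uint TOKEN_ACCESS = 0x0001 | 0x0002 | 0x0008 | 0x0080 | 0x0100;

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CreateRestrictedToken(IntPtr existing, uint flags,
        uint disableSidCount, SID_AND_ATTRIBUTES[] sidsToDisable,
        uint deletePrivCount, IntPtr privsToDelete,
        uint restrictedSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine,
        IntPtr procAttr, IntPtr threadAttr, bool inherit, uint flags, IntPtr env, string cwd,
        ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@

function Start-RestrictedProcess {
    param([Parameter(Mandatory)][string]$CommandLine)
    $M = [Runtime.InteropServices.Marshal]

    $hTok = [IntPtr]::Zero
    if (-not [Restricted]::OpenProcessToken([Restricted]::GetCurrentProcess(), [Restricted]::TOKEN_ACCESS, [ref]$hTok)) {
        throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
    }

    # Builtin\Administrators (S-1-5-32-544) in binary form, copied to unmanaged memory for the
    # SID_AND_ATTRIBUTES entry. CreateRestrictedToken ignores the Attributes member here.
    $admin = New-Object Security.Principal.SecurityIdentifier([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $bytes = New-Object byte[] $admin.BinaryLength
    $admin.GetBinaryForm($bytes, 0)
    $pSid = $M::AllocHGlobal($bytes.Length)
    $M::Copy($bytes, 0, $pSid, $bytes.Length)
    $entry = New-Object 'Restricted+SID_AND_ATTRIBUTES'
    $entry.Sid = $pSid
    $disable = [Restricted+SID_AND_ATTRIBUTES[]]@($entry)

    # Disabled SIDs are not removed: they stay in the token with SE_GROUP_USE_FOR_DENY_ONLY set.
    $hNew = [IntPtr]::Zero
    $ok = [Restricted]::CreateRestrictedToken($hTok, [Restricted]::DISABLE_MAX_PRIVILEGE, 1, $disable,
                                              0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$hNew)
    if (-not $ok) { throw "CreateRestrictedToken failed: $($M::GetLastWin32Error())" }

    $si = New-Object 'Restricted+STARTUPINFO'
    $si.cb = $M::SizeOf($si)
    $pi = New-Object 'Restricted+PROCESS_INFORMATION'
    $cmd = New-Object Text.StringBuilder $CommandLine   # CreateProcessW may write into the buffer
    $ok = [Restricted]::CreateProcessAsUser($hNew, $null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0,
                                            [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    if (-not $ok) { throw "CreateProcessAsUser failed: $($M::GetLastWin32Error())" }

    foreach ($h in $pi.hThread, $pi.hProcess, $hNew, $hTok) { [void][Restricted]::CloseHandle($h) }
    $M::FreeHGlobal($pSid)
    return $pi.dwProcessId
}

# Assumed demonstration command: the child prints its own groups and privileges, so the
# "Group used for deny only" attribute on Administrators and the short privilege list are visible.
Start-RestrictedProcess "$env:ComSpec /k whoami /groups /priv"
```

Run it from an account that is a member of Administrators (on Vista and later, from an elevated PowerShell; a non-elevated one already holds a UAC-filtered token in which Administrators is deny-only, so there is little left to strip). One deliberate difference from Process Explorer: DISABLE_MAX_PRIVILEGE deletes every privilege except SeChangeNotifyPrivilege, whereas Process Explorer keeps the privileges assigned to the Users group. The SIDs-to-restrict parameter is left empty, so this is a "normal" restricted token, not one with restricting SIDs, which would change the access check in ways this post does not cover.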

You can use Process Explorer itself to compare the token of a process running with full administrative rights and one that’s limited by viewing the Security tab in the Process Properties dialog. The properties on the left are for an instance of IE running in an account with administrative group membership and the one on the right for IE launched using Run as Limited User:



The privilege lists immediately stand out as different because the limited-user token has so few privileges. Process Explorer queries the privileges assigned to the Users group and strips out all other privileges, including powerful ones like SeDebugPrivilege, SeLoadDriverPrivilege and SeRestorePrivilege.

The difference between the group lists is more subtle: both tokens contain the Builtin\Administrators group, but in the limited-user version the group carries the deny-only attribute (SE_GROUP_USE_FOR_DENY_ONLY, which Process Explorer shows as a Deny flag and whoami /groups reports as "Group used for deny only"). Fully understanding the effect of that flag requires a quick background on the Windows security model.

Windows stores an object's permissions in a Discretionary Access Control List (DACL) that consists of zero or more Access Control Entries (ACEs). Each ACE specifies the user or group to which it applies, a type of Allow or Deny, and the accesses (e.g. read, delete) it allows or denies. When a process tries to open an object, Windows walks the DACL in order and considers each ACE that matches the user or any of the groups in the process' token: a matching Deny ACE that covers any requested access not yet granted fails the open immediately, matching Allow ACEs accumulate granted accesses until every requested access has been granted, and reaching the end of the DACL with accesses still outstanding means access is denied. However, when the Deny flag is present on a group, that group is consulted only for Deny ACEs during the access check, never to grant access.

CreateRestrictedToken marks groups you don't want present in the resulting token with the Deny flag rather than removing them altogether, to prevent the security hole that removal would create: a process using the new token could potentially access objects for which the removed groups have been explicitly denied access. Users would therefore be able to essentially bypass permissions by using the API. Consider a directory that has permissions denying the Builtin\Administrators group access, but allowing Mark access. That directory isn't accessible by the original instance of IE above, and it would become accessible to a limited-user IE whose token had simply dropped the Administrators group. With the group kept as deny-only, the Deny ACE still matches, so the limited-user IE is refused exactly as the original is.
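To make the three cases concrete, here is an added model of the access check described above (example code for this page, not part of Windows or Process Explorer). The SIDs, the directory DACL and the access masks are constructed for the example; the model implements the general Allow/Deny walk of which the directory scenario is one instance.

```powershell
# Added model of the Windows DACL walk (not Sysinternals or Windows code); inputs are constructed.
function Test-ModelAccess {
    param(
        [string[]]$Sids,          # user and group SIDs in the token that may match Allow or Deny ACEs
        [string[]]$DenyOnlySids,  # groups carrying SE_GROUP_USE_FOR_DENY_ONLY: they match Deny ACEs only
        [hashtable[]]$Dacl,       # ordered ACEs: @{ Type = 'Allow'|'Deny'; Sid = '...'; Mask = <int> }
        [int]$Desired             # access mask being requested
    )
    $granted = 0
    foreach ($ace in $Dacl) {
        $inToken  = $Sids -contains $ace.Sid
        $denyOnly = $DenyOnlySids -contains $ace.Sid
        if (-not ($inToken -or $denyOnly)) { continue }
        if ($ace.Type -eq 'Deny') {
            # a Deny ACE covering any requested right not yet granted ends the check
            if ((($ace.Mask -band $Desired) -band (-bnot $granted)) -ne 0) { return $false }
        } elseif ($inToken) {
            # Allow ACEs accumulate rights; deny-only groups never reach this branch
            $granted = $granted -bor ($ace.Mask -band $Desired)
            if ($granted -eq $Desired) { return $true }
        }
    }
    return $false   # end of DACL with rights still outstanding
}

$Admins = 'S-1-5-32-544'                     # Builtin\Administrators
$Users  = 'S-1-5-32-545'                     # Builtin\Users
$Mark   = 'S-1-5-21-1000-2000-3000-1001'     # constructed user SID standing in for "Mark"
$FullControl = 0x1F01FF
$ReadData    = 0x1

# The directory from the post: an explicit Deny for Administrators followed by an Allow for Mark.
$dacl = @(
    @{ Type = 'Deny';  Sid = $Admins; Mask = $FullControl },
    @{ Type = 'Allow'; Sid = $Mark;   Mask = $FullControl }
)

$cases = [ordered]@{
    'full admin token'                  = @{ Sids = @($Mark, $Users, $Admins); DenyOnly = @() }
    'CreateRestrictedToken (deny-only)' = @{ Sids = @($Mark, $Users);          DenyOnly = @($Admins) }
    'naive: Administrators removed'     = @{ Sids = @($Mark, $Users);          DenyOnly = @() }
}
foreach ($name in $cases.Keys) {
    $c = $cases[$name]
    $r = Test-ModelAccess -Sids $c.Sids -DenyOnlySids $c.DenyOnly -Dacl $dacl -Desired $ReadData
    '{0,-36} read access: {1}' -f $name, $(if ($r) { 'granted' } else { 'DENIED' })
}
```

The first two cases come out DENIED and only the third, the token with the group silently removed, comes out granted: that third row is the hole the deny-only attribute closes. The model omits owner rights, the NULL-DACL case (no DACL at all grants everyone access, whereas an empty DACL grants no one) and restricting SIDs, none of which change the point being made here.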

The result of running applications as limited user is that malware invoked by those applications won’t be able to modify system settings, disable antivirus or antispyware, install device drivers, or configure themselves in system-wide autostart locations.

There are some limitations, however: because the limited-user processes are running in the same account and on the same desktop as other processes running with administrative privileges, sophisticated malware could potentially inject itself into more privileged processes or remotely control them using Windows messages. When it comes to security, there's no single cure-all, and every layer of protection you add could be the one that eventually saves you or your computer.

Next post I’ll take a look inside Vista’s UAC to see how it uses the same approach as Process Explorer and PsExec, but leverages changes to the Windowing system and process object security model to better isolate limited-user processes from those running with higher privilege.

posted by Mark Russinovich @ 10:29 AM

Comments:
A little utility that allows you to easily configure your apps to run as a limited user might be a useful thing for someone to write based on this code, I feel.
 
"many applications fail when run in a limited-user account because they’re poorly written"

Including Firefox apparently.
 
How is this better than RunAs?
 
I can run firefox as guest with no problems
 
With a bit of effort you can run most applications as limited user - the effort varies between installing the application into a writable area (I keep one for the purpose) to shouting at the developers.

I have had no problems with Firefox, indeed most extensions even install in Limited User. Thunderbird required Admin to install the spell check dictionary but otherwise is ok.
 
Great article Mark.

I run my Internet facing apps (i.e. IE, Outlook) and those apps that interface with them (i.e. OneNote) under SAFER (local policies that set LUA).

With SAFER, when clicking a link in Outlook to open an IE window, that IE window runs as LUA.

The question I have is whether the method you describe would be as safe as using SAFER policies. I'm not sure if IE exec'ed from a link in Outlook (or perhaps Word, Excel), would run as LUA even if the initiating app, like Outlook, is running as LUA.
 
Good article but I disagree with the assumption that one should limit privileges when running certain apps.

The better approach is to run everything as a limited user and elevate privileges only when necessary (to install an app, change power config, etc).
 
It'd be nice to specify that IExplorer always runs as limited user, even if launched by another app since so many apps embed IE.
 
Mark, I hope one day you do a review of the "Microsoft Shared Computer Toolkit". It has an easy user interface, is basically bulletproof from malware and accidental changes or deletions, and has many user restrictions that can be implemented if needed.

To date it is the only thing that really offers instant recovery and total windows partition/drive protection and is more of a "Set It And Forget It" concept once installed and setup. Would like to get your thoughts on it?

 
Sean: I totally agree - I was hoping that Mark would go down this line, rather than continue in the Microsoft-centric train of thought that you should be able to run your pc as an admin by default.
 
Actually, I provided support for that a while back with PsExec's runas-like functionality. With PsExec you can create shortcuts (with a cached account name and password) that launch a process in a different, elevated account. Process Explorer v10 also introduces a RunAs menu item.

The drawback of that approach is that the launched process runs in a different account altogether and so doesn't have access to the same profile you're running in.

Aaron Margosis' MakeMeAdmin tool temporarily adds your account to the admin group, launches the process, and then removes the account, which grants access to the same profile.

An even more secure approach is to have two different accounts, one admin and one limited, and use Fast User Switching to invoke the admin account only when necessary.

Different users have different preferences.
 
This works great when I am launching IE.
What about the situations where IE is launched from clicking a link in an e-mail?
 
With Windows XP or later, you can use Software Restriction Policies to force an application to run as a limited user. You simply need to change a registry setting on the machine used to edit the policy, so that the additional levels are visible.

1. Add a new DWORD value called Levels to the following registry key, and give it a value of 0x31000:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

2. Open the Group Policy object you want to edit, and navigate to:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules;

NB: If the Software Restriction Policies node has no entries, right-click and choose Create New Policies;

3. Right-click and choose New Path Rule...;

4. Select the path of the executable to restrict, and set the Security Level to Basic User;

You will need to refresh the group policy settings, and restart any affected applications for the changes to take effect.


http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp

http://www.trinet.co.uk/support/kb/Q000039
 
Hi Mark,

You may be interested to note that McAfee's Spyware scanner identifies psexec.exe and pskill.exe as spyware :) It's a vicious cycle, want to use psexec.exe to stop from getting spyware, psexec IS (according to McAfee) Spyware ... argh! :)
 
I get so completely sick of hearing people admonish me to run strictly as a Limited User. I've tried it, at length. I bent more ACLs than I care to remember. I changed permissions in the registry. I set up a slew of shortcuts. I used RunAs. And still, I had to hassle around with applications that didn't behave.

Yell at the developers? Oh, yeah, that'll work. What if I have a problem with several different products? What happens is that I have a new, full-time hobby.

I realize it depends on what software you use, but for some of us, running as a Limited User is like considering walking rather than driving. It's safer, but it's agonizingly inconvenient.
 
I agree with the last Anonymous.

What Mark is advocating is an EASY way to get some of the benefits of limited user privileges without all the drawbacks. Running exclusively as a limited user under Windows is excruciating for those of us who could be classified as power users, but don't have time to spend on it. I mean, Mark has to be Windows-centric as long as he's talking about Windows. This ain't Linux.
 
I think you can also set up the image file execution options key to automatically launch IE with lowered privileges by specifying the command line Mark gives in the key...

[http://blogs.msdn.com/oldnewthing/archive/2005/12/19/505449.aspx]

(This may avoid the concern a previous poster had about clicking on links in Outlook launching IE with full privileges.)
 
Of course the easier way to do all this is not to use MS web products at all.

Using Opera as a web browser and The Bat! as a mail client results in 0% spyware/malware. Oh, and they're much more versatile programs than Microsoft's
 
Not completely related, but a tip would be to use Virtual PC (or VMWare) and put all your internet traffic inside it. This is as closest to a sandbox model of isolating programs I could find. If you enable undo disks, and always "turn off and delete changes" the virtual PC when you stop the sessions, all malware is deleted and your next start is as clean as your previous one. Also great tool for testing shareware.
 
Hi.

I'm running my main account as a limited user for over a year now.

I use the Run As... right-click option each time i want to install or use a software that requires admin rights. But all the internet apps and explorer runs as limited user all the time.

I once met a spyware: it couldn't install and just died without being able to write the /Program Files/ directory. I deleted the Firefox cache (which runs perfectly as Limited User) and rebooted and all was clear.

I need to use Run As (admin) each time I want to change a setting, install or upgrade software, burn CDs or do maintenance tasks. Sometimes I change session and use an admin session to perform those maintenance tasks.

It's a bit annoying but worth it. I hope MS will do a better job on accounts with Vista.

But this way a malware could still try privilege escalation and I recommend this reading : http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

Thanks Mark for your blog.
 
I've written a little "hack" that allows limited users to run a program as themselves - but with the administrator token. I called it "WinSUDO".

Check it out..

http://home.toadlife.net
 
There is a small program written by Microsoft that accomplishes the same thing. Source code is also available.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

Hopefully people won't need to use these methods in the upcoming months as vista is supposed to allow users to run as users :)

wng (http://spyware-free.us)
 
Has anyone tried the Application Security package from DesktopStandard?

http://desktopstandard.com/PolicyMakerApplicationSecurityFAQ.aspx

The download is "free" to run in local group policy, but needs a purchased license to work in AD Group Policies
 
Elevating privileges on occasion using Runas is the preferable way to go, but it's still strange to me that the most used program in the OS, explorer.exe, does not function this way...
 
It's incomprehensible why Windows doesn't use the Mac/Linux method whereby you have to enter your admin password whenever software wants admin-type access. That way you immediately have a red flag that some installer process wants critical access.

The benefit of this system is that, say, an email attachment which prompts you for your admin password wouldn't as easily be executed with total control over your machine, as it would without this system.

There is no excuse for designing an OS which grants its admin users total admin privileges all the time without distinction. It basically means anything you do with your system has the potential to totally wreck everything.

I suspect the reason Windows has this issue is to do with poor separation of privileges within the actual OS itself. In fact Mark says as much, though he blames third party software:

Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

The last time I looked, Microsoft, along with other OS proprietors, have tons of literature available for developers that offer guidelines on practices for integrating software into their platforms. Unless the software is a system utility, there's absolutely no need for them to have access to anything that would require admin privileges. And why have \Program Files protected? If there is any reason it must be protected, then why have other software install into that directory also? Why call the directory "Program Files" if it's only meant for Protected Program Files?
 
wng_z3r0:

Actually, Vista is good about helping Administrators run as users. But users actually running as Users will (at least in current builds) find that not much has changed - you still must elevate processes using an alternate set of credentials (same as RunAs has been since Windows 2000).
 
Although this is better than running everything as admin, I generally do not like this approach. It's backwards – it is far better to run everything unprivileged (especially the desktop) and elevate selectively rather than run everything as admin and drop privileges on selected apps. Some specific objections:

* At a minimum, Explorer must run as admin

* Any autorun items ("Start" folder, "Run" key, etc.) – including those added by malware – will run as admin. (Note that a lot of malware writes stuff into HKCU\...\Run.)

* It remains really easy for malware to elevate – running stuff through the shell is just one way

* Apps that communicate across processes will often break (e.g., if Outlook runs as "Basic User" and Windows/MSN Desktop Search runs as admin, the latter doesn’t work.)

I've written extensively on how to do the non-admin thing (including how to get Explorer to cooperate), and am in the middle of a series on how to fix LUA bugs so that bad apps don't need elevated privileges.

http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

I also need to point out that this DropMyRights-like approach is not at all what UAC does, and "low-rights IE" does far more than just run as normal user.
 
I could be missing a point here, but the previous blog that Mark wrote about LUA's was "Circumventing Group Policy as a Limited User" and showed us how to do this with GPDisable.
I use SRP/SAFER/Basic User on all internet-facing programs and any of the other "Updaters" and "Quick-Launch" apps usually just get the Disallowed flag.
I now barely use my Admin account and run as LUA because of the possibility of "Nasties" injecting themselves into Admin dll's but still just have the SRP rules in place anyway.
So like the previous post said about explorer.exe, and Mark mentioned about Whitelisting, what can we lock down and run as Basic User rule, $Program Files$*.* ??, explorer.exe??
If I do this on a process such as.. "C:\WINDOWS\System32\svchost.exe" or *svchost.exe which runs under NT AUTHORITY\SYSTEM and has the Admin priv, I feel it ain't going to work anymore. Are these processes hi-jackable? One confused bunny.

Anyway, I'm gonna make a working backup today, SRP/Basic rule what I can and post back here(after the backup's been restored :-))
 
posted by sean at 1:08 PM, March 02, 2006: The better approach is to run everything as a limited user and elevate privileges only when necessary (to install an app, change power config, etc).

Technically yes. But sometimes corporate politics doesn't let us do that. When some high-ranking executive wants to be an admin -- and everyone in his group to be an admin -- what do you do?
 
AV software like KAV and AVG will update/scan properly under a limited account without the need for Run As.... However, everyone better watch out for AVG:

http://www.dslreports.com/forum/remark,15601404

I tried making a fuss yet little seem to care.
 
Josh - re AntiVirus: AV software is a big ugly offender in this space. My personal opinion on the matter is that AS THINGS ARE TODAY, you are better off running as normal User WITHOUT anti-virus software than as Admin with anti-virus. (That's TODAY. The threat landscape will change over time.) My mother-in-law's computer came with an AV product that didn't work well as Limited User, so I uninstalled it. (Yes, she runs as User.)
 
Robert Racansky: Good question. Ask your execs if they also want to work on their HVAC and plumbing themselves. "Administrator" should be renamed to "Janitorial Maintenance Account". That might clear things up for them.
 
Ann, I just did an audit of my system drive and the registry. I was a *very* privileged limited user.

There was AVG granting Everyone Full Control (the whole shebang) to files that were updated pertaining to AVG. This is purely Grisoft's foul play and easily reproducible (just update it!).

I also had access to all the nVidia drivers (nForce, nForce audio, video) both in WINDOWS\system32 and system32\drivers. My limited account was the owner in fact. I also had ownership to the registry entries, even the ones in HKEY_LOCAL_MACHINE\SYSTEM. I think what may have caused it is because I extracted the files in the nVidia setups as my user, and Run As the actual install file. I do this so *I* can delete the extracted setup files after the installation is done. In the future, I won't do that again.

Thanks to Mark's AccessEnum, I could easily identify all the culprits.
 
It's *my* machine - I want to run with full ability, not some limited sandbox set.
 
Josh -
First, the name is "Aaron", not "Ann"!
Second: if your limited account shows up as owner on these objects, what is usually the cause is that your limited account USED TO BE admin, or you used MakeMeAdmin without heeding the warning here:

http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx

It may also be that the installation program moved files owned by you rather than copying them to their destinations. MOVE retains the existing security descriptor; COPY lets the new objects inherit from the parent container.

I've gotten very careful about how I install tools that my admin account uses. For example, when I update any of the many SysInternals tools (that I use all the time and thank you again Mark), I browse to sysinternals.com as admin (don't ever let your web server get pwnt, Mark!:-), download and open the zip file and extract the files straight to %ProgramFiles%\SysInternals, then close the WinZip and IE running as admin.

And "Hello" sounds like someone who likes to play in traffic. :-)
 
To "Hello": I think you missed the point of the article. The reality is that when you run as a local administrator, you AND any applications that run as you (including drive-by's and exploits that love to find their way through IE's layers of - ahem - extensibility) get to have full reign of your system, as well. If you don't mind sharing your system with them, then by all means continue running as an administrator all the time. :-)
 
Oops, sorry, no clue where I got "Ann" from.
 
The problem isn't that Admin has full access to everything. The problem is that when you first install Windows you boot into an admin account. Most people have no idea how or why to change this. It's like running as root in Linux.
Problem is, since everyone is Admin by default, software developers write programs that require admin access, and never test it under a limited account.
 
To the previous anonymous: Most developers work as admin due to habit because the tools of the past (Visual Studio 5/6) required such privileges to run (before knowledge of how to deal with LUA bugs became more widespread as in the last couple of years - thanks Aaron).

The releases of VS2002/2003/2005 don't seem to have done much to break the ingrained habits even though they don't require admin privileges.
 
"Most people have no idea how or why to change this. It's like running as root in Linux."

Obviously they don't read that booklet that comes with Windows. (Hey, doesn't this sound like "RTFM" in the Linux world?) It tells the user how, and why. Microsoft takes the blame because they are expecting the user to decide what is best.

But it still isn't for the meek, because some legwork is still needed to fix broken applications because of HKEY_LOCAL_MACHINE permissions and write permissions to system folders (more notably Program Files, and there may be a few rare ones that write to \WINDOWS or \WINDOWS\system32, for nVidia users to write to nvapps.xml).
 
I love you Mark
 
I tried to launch IE as limited user using both psexec v1.70 and ProcessExplorer v10.05 but without success, the IE process closes almost instantly (before showing the UI). I'm running Win2k3 SP1, the computer is a member of a domain and the "non-limited" user running psexec, processExplorer is a member of the Administrators group. Any ideas?
 
I run my computer in user mode now, I got burned too many times in admin mode; if I want to install specific software I will execute with runas.
With a minority of programs that need admin privileges I use an app supplied by ROBOTRONIC.DE http://robotronic.de/runasspc/ it is a small app that will elevate an application's privileges automatically and hide the user name and password in a 256bit encrypted file, so Mark's concept is quite sound if applied correctly ps. It also stops members of your family from destroying your installation ha ha.
 
Why is it that I can run my computer running WINXP with full Admin priv's and not ever have any issues with Spyware/Malware/Virus, etc..

Usually I reformat my system every 6 months, however with my home PC, running WINXP SP2 with Full Admin privs, I have NEVER had a problem.

How about people start educating themselves and rely LESS on software to think for them. The problem is not the software or the developers. The problem is ALWAYS the end user. Make informed and intelligent decisions and you wont have problems.
 
To the anonymous poster who is having issues running IE in a separate context:

Ensure you have followed the steps Aaron outlines here if you want to use RunAs or Run as Limited User with IE. Specifically checking the Run as a separate process (not enabled in Windows by default).
 
I'm surprised no one has mentioned programs like sandboxie / etc. that basically say "take your best shot" and then allow everything to be rolled back. That might be the best bet for people who don't want to be troubled with separate accounts, etc.
 
Vista is a little disconcerting as the latest beta installs the initial user as Administrator.

I still would prefer the base user installed as limited privs, regardless of how safe IE7 has become.

I look forward to your review of Vista, Mark.
 
To Chris:

Frankly, Vista is 100% about running as admin and having your rights artificially constrained and elevated only when you make a decision to do so (like the average user can make that call).

Try running as a limited user in Vista for any length of time. It's no different than running as a user today - except the RunAs dialog is more automated, and prettier.

Frankly UAC does little to encourage the movement away from the use of the Administrators group, which should be Microsoft's primary focus. In fact, it does quite the opposite.
 
A dialogue box would do the trick:

This application requires administrative rights to execute. Only software which comes from a reputable source should be allowed to execute under these conditions.

Cancel or Continue


The main problem seems to be more about the way admin accounts work - no way of knowing which processes are going to use the elevated rights until too late - than the fact the boxes run admin by default.
 
To the anonymous poster above:

Dialogs conceptually do the trick. But as Microsoft should have learned with their " STOP Installation | Continue" dialog for unsigned drivers in Windows XP, users will innately become conditioned to click what they know will get them less annoyed faster - and can be easily socially engineered into clicking the more dangerous option.

Technical users can make a decision about when an app should or should not be requiring administrative privileges - especially in a day and age where malignant software attempts to present itself as being from Microsoft or another reputable source by misrepresenting the application (textually or visually). The prototypical "Abby" (Microsoft's non-technical consumer persona) cannot make a safe decision in that situation. Simple usability testing of UAC with non-technical consumers would show that.
 
wes: I agree. I remember reading something I think was attributed to Jesper Johansson that applies to this situation. To paraphrase: "When choosing between dancing pigs and a more secure option, expect the user to choose the dancing pigs every time."
 
I am just learning about security and how to restrict access/privileges for user accts. I have been running default as admin for several years and have not had an issue that I can tell with spyware etc. but how would I know? I don't have any popups that plague me, I run trendmicro every now and then, have a firewall up, run mcafee, ms antispyware, etc. and I don't get any flags. I don't run activeX content unless I allow, same with java apps. How would I know if I have acquired anything on my system if there is no visible means? How does one determine that they are 'infected'? I am pretty much a noob so please go easy on the techy acronyms (sic?) and such. oh, I use IE and obviously I don't go downloading every this or that or open email crap that is 'questionable'. Although it has occurred to me that opening pics or such from friends is a great way to 'socially engineer' a virus for spreading around. Thanks Group. Also, big thanks to Mark and Aaron for great info, I'm learning quite a bit, and to all those who have posted. Your posts are appreciated by noobs like me. --Amy
 
I am in no way computer savvy, so I am going to pose this question here.

I currently run my computer with Admin privileges. I have all the programs I need installed, such as trillian, firefox, winamp, photoshop cs2, f-secure, etc. I don't have any "old" program installed

If I change my account type to Limited, would I still be able to run everything normally? I don't think I will be needing to install anything anytime in the near future, so I want to know if I can simply run and use all the programs normally. I would rather not use a guess-and-check approach but wait for someone to answer. Thanks!
 
Amy

You've inadvertently touched upon the real issue surrounding computer security: you can never be 100% certain your machine hasn't already been compromised.

Fortunately most real-world security breaches take the form of well documented exploits that capitalise on outmoded OS versions. And to boot, most security incidents leave noticeable footprints: pop-ups, unsolicited downloads, and sluggish performance.

Of course it's not beyond the ken of some malefactors to break through your security measures without leaving any tell-tale signatures. But anyone with the requisite technical expertise to do so is unlikely to be interested in breaking into your machine in the first instance (unless you are harbouring state secrets on your hard drive).

You should take a look at Mark's free downloads (process explorer, rootkitrevealer), and familiarise yourself with the feedback these tools give you of your system in its natural state. Only through doing so will you recognise when something is amiss.

Also keep your eyes peeled on CERT (www.cert.org) for vulnerabilities relevant to your software and operating system, and keep them fully patched.

Where security is at stake you can never be too paranoid. But by the same token, if you aren't seeing any suspicious activity, chances are there is nothing going on you should be overly concerned about.
 
Amy, one more thing,

a packet sniffer like Ethereal will give you a read-out of network activity.

If you capture packets while you're idle - not browsing or doing anything like that - there should be minimal traffic on your network.

If, on the other hand, you see a lot of traffic - then something fishy is going on that needs investigating.

You can download Ethereal here www.ethereal.com/download.html
 
After reading your post it took me all of 3 minutes to alter my link in my quicklaunch to "fix" my IE.

I'll be adding this to my security apps folder on my flash drive. Process Explorer has already helped me more than any other tool I use when cleaning people's machines.
 
Hi Mark,
I tried using your approach, but I am having problems with some Internet Explorer shortcuts.

IE in restricted mode cannot access several shortcuts and it just pops up the following message:

Problem with shortcut: The target "" of this Internet Shortcut is not valid. Go to the Internet Shortcut property sheet and make sure the target is correct.

If I run Internet Explorer without psexec, all the shortcuts work fine.
Do you think there are problems with file permissions on the shortcuts?

Thanks,
PaoloM
 
I was able to run IE via Mark's tool without difficulty. My favorites do show up, which is nice.

However, my home page (about:blank) is not honored - it went to msn.com. And all attempts to change my home page to anything other than msn.com fail - the "Apply" / "OK" buttons give the appearance of working. But clicking the home button still takes me back to msn.com; and going back into Tools->Options shows that the home page has not in fact changed.

Any ideas? Thanks,

Donnie
 
Although Mark's way is really easy, we can offer you an easier way ;) Please check out the tool RunAsAdminExplorer Shim at https://sourceforge.net/projects/runasadmin/
Believe me, it is worth a try; it is completely free and useful. The basis of the program is also the CreateRestrictedToken API, but it goes a step further: you can choose to start your shell (and all of the programs started by the shell) with the restricted token. It is also possible to configure the tool to leave everything untouched as you did it earlier, but to start just some programs at the restricted level via a shell extension, a D&D icon on the task bar or a command dialog. The program has a very flexible and strong policy system via which you can always let users start certain programs at a specific restriction level. You can also restrict it to start only specific programs. The policy is flexible enough to control the startable programs as your needs go.
Enjoy.
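As an added example (not code from Sysinternals or from the RunAsAdminExplorer tool above), a PowerShell script that inspects the access token of the process it runs in and reports whether it looks like the restricted token that psexec -l, Process Explorer's Run as Limited User, or a CreateRestrictedToken-based launcher should have produced. It assumes whoami.exe is available (Vista and later; XP needs the Support Tools) and that the script file name Test-LimitedToken.ps1 is yours to choose.

```powershell
# Added example, not code from Sysinternals or RunAsAdminExplorer.
# Reports whether the current process holds a restricted token: IsTokenRestricted()
# true, BUILTIN\Administrators present only as a deny-only SID, most privileges gone.
# Assumes whoami.exe exists. Example launch (script name is an assumption):
#   psexec -l -d powershell.exe -NoExit -File Test-LimitedToken.ps1

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr TokenHandle);
'@

function Test-LimitedToken {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Tokens built by CreateRestrictedToken answer true here.
    $restricted = [Win32.Token]::IsTokenRestricted($id.Token)

    # whoami /groups lists each group with its attributes;
    # S-1-5-32-544 is BUILTIN\Administrators.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminDenyOnly = [bool]$admins -and ($admins.Attributes -like '*deny only*')
    $adminEnabled  = [bool]$admins -and ($admins.Attributes -like '*Enabled group*')

    # Privileges left in the token; a limited launch keeps only a handful.
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    [pscustomobject]@{
        User               = $id.Name
        IsRestrictedToken  = $restricted
        AdminGroupEnabled  = $adminEnabled
        AdminGroupDenyOnly = $adminDenyOnly
        PrivilegeCount     = $privs.Count
        Privileges         = ($privs | ForEach-Object { $_.'Privilege Name' }) -join ', '
        LooksLimited       = $restricted -and -not $adminEnabled
    }
}

$result = Test-LimitedToken
$result | Format-List

if (-not $result.LooksLimited) {
    Write-Warning 'This process is NOT running with a restricted token.'
}
```

The script reports on its own process, so it has to be started through the limited-launch path you want to verify; started from an ordinary admin shell it simply reports LooksLimited = False.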
 
Mark said "Simple usability testing of UAC with non-technical consumers would show that." I totally agree BUT good luck getting the actual non-technical customer to practice on.

I teach Computer Basics (this is a mouse, this is how you hold it, this is a menu, this is what "click" means) to displaced workers and seniors --- and NONE of my students would subject themselves to something called Usability Testing. The only ones who will come to Redmond for a free t-shirt are the ones who want to be "first kid on the block" to see/use new software. Try going to a Senior Center or unemployment office instead.

I'm very disappointed to hear that Vista is defaulting to Admin rather than Limited. It ought to be on the heads of the folks who know what they're doing to elevate themselves instead of expecting your mother-in-law to know when to limit privileges.
 
My personal pet hates re: permissions:

*** Microsoft Office 2K (I mean duuh, it's YOUR OS, Microsoft, make it work perfectly with Win2K, you know, the corporate OS with different user permissions?)

*** Anything by the *execrable* Ulead systems. Requiring write access to ~4 different directories just to (slowly) re-encode mpeg2 to DVD? Then they use undocumented system drive directories as well, and only give the error that you can't write to them *at the end of the hours-long encoding process*... Madness!

Also, I think not having write access to the %program files% directory is a GOOD thing in principle; how else do you protect your programs from unauthorised interference? This is a good start, no? Applications should know to keep config files and such in the User Profile, it's how Windows is supposed to work, no?

DEVELOPERS: please!

If I ever meet the guys responsible for Ulead's annoyances, I will probably be off to jail very soon afterwards...
 
I found this discussion interesting, but I think that focusing so much on "system security" is a little bit beside the point. The real valuable things in your computer are your personal data. OSs and Applications can be reinstalled quite easily. So if you run as a limited user, a virus still has the necessary privileges to erase your data. What's the point then?

In my opinion, the whole admin vs user access is really important on a multi-user desktop computer or a server. (So one user or virus cannot erase everybody else's stuff or take a critical server offline.) Otherwise it makes sense that the owner of a computer has admin access to it, especially if he's constantly tweaking stuff, installing new programs, and the like, as I do.

Windows XP has been installed on this computer for two years, by the way, and being careful, I never had to reinstall, nor did I have any virus, trojan or other malware problems.
 
The real valuable things in your computer are your personal data. [. . .] So if you run as a limited user, a virus still has the necessary privileges to erase your data. What's the point then?

If you back up your personal data - which everyone should do, periodically - then the damage is limited. On the other hand, if you are running as admin, and your security is compromised, you have no way of relying on the system to do anything reliably - including backing up your personal data.

Which is worse, losing data that is backed-up, or losing the ability to back-up data that isn't?
 
Regarding the question on DesktopStandard’s PolicyMaker Application Security, it supports granular permission and privilege escalation and lowering, doesn’t change the user’s identity, and is free in Local GPO.

You can run as LUA and set rules to elevate various applications to run with whatever privileges are required. There is no need to execute with special command lines or shortcuts. The approach of lowering privileges is available, but running as LUA and elevating as required creates a much more secure environment – as several people have pointed out.

The product provides protection of targeted applications against code injection and other techniques that might be otherwise used to gain privilege escalation from a LUA process, and even protects applications against GPDisable type attacks that might allow an end-user to circumvent ADM template (registry) policy.
 
Regarding the Anonymous comment above, Winternals Protection Manager can also deliver the same functionality - elevation and reduction of a user's privilege, without running in a separate context.

It does so also while blocking all untrusted applications and any applications specifically denied by the Protection Manager administrator. It also doesn't require the use or manipulation of Group Policy, something which customers told us relatively clearly they wanted us to avoid.
 
Firefox runs, my favorite sites all work.

There's one VERY BIG PROBLEM though.

I cannot copy and paste ANYTHING.

No copying links to email, no copying text to quote it in a message...really kills a lot of the usefulness. I can't even copy a link from the URL bar from limited user firefox to admin user firefox.

UGH
 
Hi Mark,

Thanks for bringing this subject to the forefront.

No doubt many would have got the same message from all those reputable anti-spyware researchers' blogs that LUA is a very effective technique to minimise the attack surface.

It is very sad to see many applications are still being rolled out developed by developers who are ignorant of the Windows File System security model published prior to the release of Windows 2000 and that they are developing in admin account.

I am a developer and have been using LUA for more than a year now and loving it. I learned this technique, which is different from Mark's, from Keith Brown on
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToDevelopCodeAsANonAdmin.html

Nothing personal Mark, I respect your great work, I love to use tools that are already part and parcel of the OS so that as I move around, I can still work. Consequently I have found Keith's technique is more suited to developers.

As a side note: one also has to redesign the development projects or solution slightly to run in LUA without having to run your dev tools in admin account, which defeats the purpose of LUA.

To get developers to run in LUA mode is like getting drivers to wear seat belts when it was first introduced.

Many drivers initially viewed wearing a seat belt as a sign of being a sissy. Many developers feel running in non-admin is restrictive and an insult to their technical prowess. Actually, running in an admin account is a sign of a lack of technical prowess.

Whenever I can, I try to get my developers to run in LUA. The clever and smart ones know how to navigate the minefields caused by badly written applications. But many lazy ones use them as an excuse not to run in LUA.

Keith Brown also maintains a Hall of Shame of misbehaving programs, and they should be more prominent, including Visual Basic 6.

Good work Mark. I am very happy with the way Vista deals with this. No more free elevated privilege in Vista. Running an Admin account only saves authentication and nothing more. Your consent is still sought.

Even RegEdit requires consent from Admin.

Get used to running in LUA now.
 
I'm confirming the Firefox Copy & Paste problem as described above
 
Unfortunately, there's a big gaping hole in this technique. If the "limited" IE instance connects to \\127.0.0.1\c$ (doesn't matter if you prefix with file:), it can access the file system with the user's original rights. This is described at http://blogs.securiteam.com/index.php/archives/188 and I have tested with ProcessExplorer 10.06 to confirm that PE is just as vulnerable as the various other utilities which use the same basic technique to "reduce" rights.
 
Great stuff!
 
Why not just get a Mac?!?! By default, you don't run as Root. You can still be Admin of the box and have all rights over it. But when a virus or malware hits, you don't have to worry about it corrupting your OS. Oh wait, there are no viruses that affect the Mac, EVEN BETTER! Outlook, IE, Windows.. why not convert to an OS and applications that actually WORK!

Windows Vista... HAH! Bill's just copying stuff that is already running on other Operating Systems. Stress on the ALREADY RUNNING... so will we ever actually see VISTA be released to the general public? Just go get OS X.. it's already out and works beautifully!
 
There are a lot of apps that do not run properly (if at all) under a limited account. However, I commonly use these applications as a limited user:
* OpenOffice.org
* Mozilla
* Firefox (even updates will install as limited user)
* SeaMonkey
* K-Meleon
* Opera
* AVG Anti-Virus (even updates will install as a limited user)
* Spybot Search & Destroy (will not update, so I do a weekly "runas")
* Ad-Aware (even updates will install as a limited user)
* Thunderbird
* AbiWord

Won't work:
* Dev-C++
* Dev-Pascal
* changing network settings, running a VPN, or setting up a printer
 
Tip: I use this method now to load "Firefox Preloader" at startup.
Very little work and Firefox always runs as limited user, also from links in emails.
 
OK, I've got the opposite problem. I set up an LUA for my five-year-old, but she wants to run a Disney game "Monsters Inc Scream Team Training" which requires her to Run As administrator and me to punch in that pw every single time. We have other games like that as well.

Can I tweak registry entries to change these programs' shortcuts so that they automatically run as Admin the way IE does?
 
On my wife's computer I have her running as a limited user on WinXP Home. I've just installed McAfee A/V and it will not install the updates for a limited user. She is not patient enough to use Run As. Any way around this?

Thanks
 
My Etrust EZ antivirus would not update as limited user even though tech support said it would. I solved the problem by giving write permission to the EZ antivirus folder in Program Files.

Log in as administrator, right click and select properties>sharing and check the boxes "share this folder on the network" and "allow network users to change my files"

Not sure it would work with McAfee but worth a try.
 
As discussed above, if you are logged in with a limited user account, and wish to make an administrative change without logging out or switching users, the free "MakeMeAdmin" tool is excellent. It can be downloaded from

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

Users may also be interested in a free tool written by me to be used in conjunction with MakeMeAdmin. It is called "Launch Admin" and it can be downloaded from

http://launch-admin.sourceforge.net
 
Running a secure system is very possible. ALL Users of our systems are "normal" user accounts. No one is an admin. We apply security to the file system so that users have read/exec access for the ENTIRE disk and then we open up access to the appropriate folders and files. The same goes for the registry. Once the OS was properly secured so that a normal user can run successfully, then we moved on to applications: you have to install as an admin and run as a user, and learn what the programs are doing and what access they want. Now, before you open access, you need to see what the programs are doing and see why they want access. You may not have to give the user access to the locations the programs want to write to. You may be able to configure the program to write to another open location such as a temp directory or the user's data locations. There are tools available to help diagnose and resolve security issues such as these.
 