Tutorial Thursday
Many of us are aware that Windows Vista has a feature called User Account Control (UAC). This prevents programs from making changes to the registry or doing anything malicious to your computer without you granting the software administrative rights. Windows XP has a similar feature but it kinda works backwards. Most people who are using XP are an administrator and full access to the PC is granted to nearly all programs that you run, but you can always force certain programs to run underprivileged.
What effects does so have on the program that you are running as “underprivileged?” Here is what a MSDN blog says:
- Group membership: If you were logged in as a member of Administrators, Power Users, or certain powerful domain groups, the app runs without the benefit of those group memberships.
- Registry: The app has read-only access to the registry, including HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The app has no access to HKCU\Software\Policies.
- File system (assuming NTFS): The app cannot access the user’s profile directory at all. That includes “My Documentsâ€, “Temporary Internet Filesâ€, “Cookiesâ€, etc.
- Privileges: The app has no system-wide privileges other than “Bypass traverse checkingâ€.
So for most programs this could cause some issues because they will need access to the profile in order to retrieve things, but this might be particularly useful when you are browsing the Internet on some sites that you might be suspicious about. That way there will be no way for the browser to write to the hard drive.
So how do you run a program with such constraints? It is actually quite simple:
- First off, you need to right-click on the shortcut for the desired program and select the ”Run as…” option.
- In the window that pops up make sure the “Protect my computer and data from unauthorized program activity” option is checked and hit the OK button to continue launching the program.
In the future if you want to always have the “Run as…” window displayed when click the shortcut you should do the following:
- Right-click on the shortcut and select “Properties”.
- Click on the Shortcut tab and then Advanced. Check the box that reads “Run with different credentials” and then click OK twice.
That’s all there is to it. Whether a program will work or not while using this is dependent on whether it requires access to your profile, and most applications store settings there so it could be quite a problem. However, I use it while running some Web browsers anytime that there is a site that I don’t trust. To make doing that easy I create one shortcut for the browser that just starts normal and another shortcut that runs in the “lock down” mode…that way I don’t always have to receive the pop-up box. I’m sure most of you will shrug it off and say “it’s not worth the hassle” but sometimes I like to have the peace of mind.
Good article.
There is also an alternative method to doing this. If you want your browser to ALWAYS run with the lowered privileges, you can use Local Security Settings in XP Pro. With this method, the process will run with lowered privileges even if it was launched by another process whereas the above method won’t do.
This is really helpful with family or friends who are prone to spyware and are dead set against switching browsers.