The easiest way to run as non-admin


Upcoming posts in my LUA/non-admin track:



  • Using secondary logon (RunAs)
  • Running control panel applets as admin
  • Using RunAs with Explorer
  • Temporarily elevating your current account to admin without logging out
  • Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
  • “etc.”


But first, the low-hanging fruit:  how to help your non-techie friends and relatives run with least privilege.  Interestingly, the problem of running as admin only when needed is best solved today in Windows XP Home Edition (and XP Pro, when not joined to a domain).  From KB article 279765, HOW TO: Use the Fast User Switching Feature in Windows XP:


 “In Microsoft Windows XP, if you enable the Fast User Switching feature, multiple user accounts can log on to a computer simultaneously….  [U]sers can switch sessions without closing Windows, programs, and so forth. For example, User A is logged on and is browsing the Internet, User B wants to log on to their user account and check their e-mail account. User A can leave their programs running while User B logs on and checks their e-mail account. User A can then return to their session where their programs would still be running.”


 


With FUS, you can be logged on as a Limited User, switch to a Computer Administrator session without having to close your apps, do your admin stuff, and switch back to your LUA session.  FUS is easier to use than RunAs, and lets you run any app (unlike RunAs).  It’s also more secure, since logon sessions are isolated from each other and do not share a common desktop.  To switch from one session to another, click the Start button, Log Off, Switch User.  Or more quickly, just press Win+L (Windows key + L).


 


Here’s how I set up home computers for friends and relatives:



  • Create a Computer Administrator account called “Admin”.  No password.  (Read on before you flame.)
  • Create a Limited User account for each person who will be using the computer.  No passwords.
  • Enable the Guest account if it is anticipated that visitors may need to go online.

I instruct all concerned that the Admin account is to be used only for installing software, and to use their individual accounts for all day-to-day use, including web, email, IM, etc.  This has worked quite well for everyone I’ve done this for, and don’t get calls anymore about home pages being hijacked, etc.  Users generally don’t even have to log out.  My 7-year old walks away, the screen saver kicks in, my 3-year old moves the mouse and clicks on his picture (or the frog or whatever it is now) and has his own settings.


 


[added 2004.06.22]:  I also like to make the admin desktop noticeably different from normal user desktops, to help prevent accidental use.  For example, use the Windows Classic theme instead of the XP default, set a red background, or a wallpaper that says “For admin use only.  Are you sure you need to be here?” 


 


OK, I know you’re bursting already:  “No password?!?!  Are you insane?!?!”  Cool down, now.  Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password.  By default, an account with a blank password can be used only for logging on at the console.  It cannot be used for network access, and it cannot be used with RunAs.  The user experience of just clicking on your name to log on can’t be beat for simplicity.  If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go.  If not, you can always enable passwords.


 


What about applications – perhaps games originally designed for Win9x (“Wintendo”, as David Solomon calls it) – that unnecessarily require admin privileges?  To be honest, I haven’t had to support gamers, so hopefully someone with more direct experience can chime in here.  I’d start with KB 285909, How to Troubleshoot Program Compatibility Issues in Windows XP.  I do admit to punting on TurboTax and just running it as admin.  I weigh the risk of running TurboTax as admin vs. screwing up my taxes, and I’m just more afraid of the IRS.  (I saw a discussion somewhere on the Internet about TurboTax requiring admin – I’m not the only one who was forced to punt.)


 


A valid question that often comes up (and came up in a reply to one of my earlier posts) is, “why isn’t LUA part of the out-of-the-box-experience for Home Edition?”  I’m not on the Windows team and wasn’t party to those decisions.  But as I understand it, there simply wasn’t time in the XP timeframe to address all the issues to make Limited-User-by-default satisfy user expectations and provide a good user experience out of the box.  There is always a balance between security and usability, and at that time, usability would have suffered too much for too many people.  Remember that the vast majority of home users were using Windows 98 and Windows ME (“the last version of MS-DOS,” I call it), and apps designed for that platform.  I think we can expect that it will be a lot better in Longhorn.


 


One last caveat:  Fast User Switching and RunAs do not play well together.  Use one or the other, but not both at the same time.  You could end up having to hit the reset button.  [Added 20 June 2005:]  This caveat applies only to XP RTM and XP SP1.  The underlying bug was fixed in SP2, so now you can use FUS and RunAs together with no problem.

Comments (61)

  1. This is going to be GREAT! As a developer I run as Admin all the time. And I don’t like it. I’ve been looking around for best practises on running LUA without going nuts after 30 minutes. I will follow your post with the utmost interest!

    /Lars.

  2. Eric Newton says:

    intuit’s software products are becoming infamous for requiring admin priviledges for normal use… imagine MY dilemma setting up a terminal server where everybody who needs Quickbooks has to have local admin priviledges!

  3. Eric Newton says:

    btw: how do we get intuit to change their act? casual users who want Quicken and Quickbooks dont understand "least priviledge" and their support guys [in India] have a blanket answer for all unknown questions: Administrator priviledges…

    I’m not sure it’ll get fixed in Longhorn either, they’ll just say "run as Longhorn Admin" or whatever its called

  4. Stephane Rodriguez says:

    RunAs doesn’t work well in all scenarios. The ability to install MSI packages using a RunAs command typically fails. There is a bug in the windows installer run-time, it keeps thinking the original profile is logged in when querying some special shell folders.

  5. Stephane – do you find this is true for *all* MSIs, or just certain ones? If so, which ones?

    Eric – how do we get Intuit to change their act? I don’t think anything short of economic persuasion is likely to work. Until the cost of keeping it as it is exceeds the cost of fixing it, they don’t have a lot of incentive to fix it, do they? I don’t imagine they’re getting much pressure along these lines – yet. A new Windows logo requirement might help. (What *are* the logo requirements for Limited User compatibility, anyway? Are there any?)

  6. Aaron — Yes, there are requirements within the Windows Logo program that applications support Limited User compatability.

    http://www.microsoft.com/winlogo/software/swoverview.mspx

    Notice:

    3.4 Support running as a Limited User

    I have pointed to this product from Intuit specifically with Microsoft Research regarding these issues: "Principle of Least Privilege" (http://weblogs.asp.net/rhurlbut/archive/2004/05/27/142875.aspx)

  7. Peter Torr says:

    Great to see this info getting out to the public! 🙂

    Using RegMon and FileMon from sysinternals.com can help you figure out what ACLs you need to tweak to get a particular piece of software to run. (Or you could just temporarily turn on object auditing).

  8. Stephane Rodriguez says:

    It’s true of all MSI packages downloaded from MSDN. I haven’t tested MSI packages from anywhere else but unless all MSDN MSI packages are all created with a bugged tool, it might well apply to any MSI package. Try runas xxx, then msiexec -i yyy, and see for yourself how it fails (both when showing a default profile-based installation path by showing a wrong path, and also in the actual installation phase where a blocking error ends it abruptedly).

  9. Stephane, I failed to repro. I installed WMI Tools, as listed here:

    http://msdn.microsoft.com/library/default.asp?url=/downloads/list/wmi.asp

    I chose install for all users. Installed fine. Can you point me to a specific MSI that fails?

    The way I installed it was to get a local admin cmd.exe shell, cd to the folder containing the msi, and just ran the msi directly on the command line:

    WMITools.msi

  10. Stephane, thanks. Yes, I see what you’re talking about. I’ll report it. But based on my own testing, I don’t think it’s as serious as you think.

    1) you don’t need runas to install this for a single user – it doesn’t require admin privs to install, if you’re installing it in your own profile (i.e., for "just me"). The default folder is correct for the default "just me" setting, regardless of whether you’re using runas or not. However, you do have to pick another folder for "everyone" if you really want other users of the computer to access it.

    2) I don’t think the error message you saw is a "blocking" error. The content did get installed to the specified folder. The only problem was that at the end of the install, the install program tells the shell to open an Explorer window in that folder. The shell, running as a normal user, doesn’t have access to the specified folder and displays the error message.

  11. Unix users have always understood the Least-Privilege principal, which basically states that programs should be given under the least possible security permissions required for them to run. By doing so, the chances of a buggy or malicious program being able…

  12. mike lorengo says:

    I’m Not Running As Administrator

  13. Microsoft gets blamed for a lot of security problems, and for the most part, they deserve it. There’s no excuse for the irresponsible "on by default" policy that resulted in so many vulnerable Windows 2000 IIS installations. That’s why…

  14. En Windows tenemos el síndrome de ejecutar las aplicaciones como Administrator. ¿Podremos quitarnos ese vicio?

  15. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  16. James Hebben says:

    I tried RunAsAdmin for a while but I found that the setup of machines at my current client mean that many operations fail when using this tool. Can’t remember exectly – I gave up quite a while ago.

    Instead, I have been running RunAsAdmin (http://www.harper.no/valery/PermaLink,guid,99b85fa3-104f-4a41-a28f-4786c68e77e4.aspx). This downgrades an admin user to a standard user and adds a task-tray icon to allow selective programs to be run as admin using the same standard user account.

    Rudimentary interface. Opensource. I generally run cmd.exe as admin and launch the actual exe/msi/mmc from the command shell.

    Works like a dream for me.

  17. James Hebben — Thanks for posting that. I don’t recall seeing RunAsAdmin before. It looks very interesting – certainly an interesting way to use the SAFER APIs. That said, though, there are some pretty serious risks with that approach:

    1) I don’t know how supportable it is to replace the Winlogon Shell value. There could be some interesting/subtle things going on in there…

    2) But more importantly: although exploitation of the shell, browser, etc. is mitigated, you have one or more programs running that are subject to luring and/or shatter-style attacks. If an attacker knows to look for more privileged apps on the desktop, particularly GUI apps that have a window message pump, they could be used by the attack to (re)gain admin privileges. It’s the same essential issue as having LocalSystem services displaying UI on the desktop. If the app is running all the time, it is always targetable.

    Nonetheless, certainly an interesting program, and thanks again for posting.

  18. Hofi says:

    1) I think there is no problem with substituting the shell itself (the first step in RunAsAdmin is starting the original explorer.exe) The main problem could be that some auto starting program require more privileg to run than the newly (on a reduced run level) started explorer has. But see point 2.

    2) Valery already planing to add a policy system to RunAsAdmin which will reduce the risk of attacks you’we mentioned and will add a well configurable rights management for the program. (But you are right, there is now easy way to protect an already running GUI program from that tricks).

  19. Scott says:

    If an MSI fails to install using msiexec /i file.msi and RunAs but will run normally with just msiexec, you can try using a command more like:

    runas /profile /env /user:administrator "msiexec /i file.msi"

    The /profile and /env switches will setup the necessary environment for the Windows Installer.

  20. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  21. Alex Mondale says:

    "FUS and RunAs don’t play well together": Could this be why I get "access denied (5)" every time I try to run e.g. IE as an admin from a restricted account?

  22. Alex Mondale —

    No. See the comment just added (FUS/RunAs work fine together on XPSP2). The problem you were running into is that you can’t use RunAs with a local account with a blank password.

  23. Karnov says:

    <i>"Microsoft gets blamed for a lot of security problems, and for the most part, they deserve it. There’s no excuse for the irresponsible "on by default" policy that resulted in so many vulnerable Windows 2000 IIS installations. That’s why…"</i>

    Ah… the old philosophy of "blame everyone but themselves". Hey, if the user is too stupid to take precautions to safeguard their own system then they deserve it.

  24. Windows Backup is very poorly designed and implemented for automated use. I had to jump through hoops backwards to accomplish automated backups. In the interest of preserving your sanity,…

  25. white_H_A_T says:

    The easiest way to install a .msi (that I’ve figured out anyway), is a two step process. First I runas /user:domainuser "cmd /k", then I run the .msi from the command prompt. Yes I am part of a domain, and yes I think it will work the same way remotely (I just never needed to try it yet). If you can’t connect to / launch a remote command prompt google for PSTools and use psexec.exe

  26. Mister-T says:

    I have try to make my computer runing with LUA, but but most of my software (nero, and games) are whimsical.

    With BF2 when runing as LUA and launched with run as, the game launch then crash to desktop.

    If I run the game without admin right, it work but i’m unable to play on punkbuster servers (99 % of servers are runing with it).

    If a play with administrator account, it work, after playing few minutes. I can logoff from administrator then run game in LUA+ run-as and this time the game may launch.

    That’s BS, but it’s my fault that was written on the box "Win xp + administrator"

  27. Rizwan says:

    Hi Aaron,

    I have uploaded XP Pro yesterday and up until this morning everything worked okay. This afternoon, I lost my profile and together with it I lost files and contacts relating to my Outlook, MS Word, Excel, Access & Powerpoint. I have been informed that my profile is somewhere in my desktop but I am not sure where.

    Can you guide please? I have important information in the other profile. Currently, I have created another profile as well to get me going.

    Thanking you.

  28. Jeremy says:

    I am able to run Battlefield 2, Halo, Half Life 2, World of Warcraft easily in a limited user account on XP Pro. Make sure you give the limited user full control of the folders that contain the games.

  29. Steve F says:

    Hi, Aaron et al.

    In setting up a LUA, how does one import things like access to your main email account, favorites, access to data folders if you’ve built them all as an admin?

    Thanks for your help.

  30. Steve F — That should generally not be a problem on Windows XP because of the default setting of the "Default Owner" security option, which I discussed here:  http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx .  If you’ve run as admin with the default setting, then switch the account to Limited User, everything you’ve created should still be owned by your account and grant your account Full Control.

  31. dhakna says:

    I have windows XP home with 3 users( guest permissions) and an admin user. If I am running IE in a user session and FUS to another user, I get an iexplorer.exe error everytime I want to bring up IE or just windows explorer.

    I have uninstall all tool bars (goggle, yahoo) from my machine, but the result is same.

    Any help is appreciated.

  32. vegemiteMan says:

    I don’t get it at all.

    When I created a Limited User in WindowsXP Professional, that user couldn’t even access the internet. Is this due to some other configuration? The whole idea of less-than-admin seems pointless if users can’t even access the internet on current privileges. I might as well tie them up, put them in a straight jacket and chain their chair to the wall.

  33. vegemiteMan – there must be something else going on there.  Is this a domain or a workgroup?  Are there any internet-related GPOs applying to this system?  What kind of proxy and anti-virus software do you have?  (LOTS of AV stuff doesn’t work correctly as non-admin.)

  34. dhakna – (sorry for the delay in replying) – that really sounds like a 3rd party tool/product that doesn’t handle FUS/disconnection correctly, or perhaps believes that there will only be one instance of itself running on a computer at a time.

  35. << Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password.  By default, an account with a blank password can be used only for logging on at the console.  It cannot be used for network access, and it cannot be used with RunAs. >>

    It’s good to warn XP Home users (and XP Prof workgroup users with Simple File Sharing enabled) that the only way to secure their shares is to give the guest account a password. With SFS anybody can have network access – with or without valid password.

    But when I log on as Administrator without password I only can access the SFS (Anybody permitted) shares.

  36. Tim Sneath says:

    If you’re a reader of this blog, I’m going to take a low-risk gamble and assert that you probably consider…

  37. Tim Sneath says:

    If you’re a reader of this blog, I’m going to take a low-risk gamble and assert that you probably consider

  38. Raymond Brunet (P.C. Fix) Tech. says:

    Since 2001 i’m not running system as Administrator, never forget when u RunAS Administrator Setup File, WinXP put all security for Administrator only. ( making tons of probleme doing that )

    if you wan install something, go to Computer Management and put back Administrator groups on your account name, and then logout/login to make change take effect, and then install the Software you wan on your account.

    on that way Windows put your Account as Program Owner ( Special Access ).

    many time i did RunAS Administrator to install software, not fun find all REGKEY program ADD and set manualy your account to get access.

    Raymond, these sound like problems specific to particular programs with bad installers, not all programs.  That said, see the following posts for ways to mitigate this pain:

    MakeMeAdmin — temporary admin for your Limited User account

    How to quickly and temporarily give your non-admin account administrator privileges, without having to log out.
    http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

    MakeMeAdmin follow-up

    MakeMeAdmin script updates, and a security setting you should change
    http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx

    Hope this helps.

    — Aaron

  39. Alex says:

    I have fast user switching on, but it does not work. I can’t login with another user unless I log out before. The same for admin and for user accounts.

    When I click on a user’s icon, Windows makes a sound and returns to the login screen with account icons. The only account I can get into is the one which I already signed into before. So, I cannot run more than one account at the same time.

    Any suggestions?

    Alex:

    Does this happen regardless of which account is logged in?

    Do you have Offline Files enabled?  (see this KB article)

    It may be that something that is auto-starting when you log on is doing something bad.  The best tool to view auto-start stuff is AutoRuns.  If you run it as admin, you can inspect the auto-start entries of other accounts.

    HTH

     — Aaron

  40. joan says:

    Have you used “Microsoft_Shared_Computer” it’s free. Create a limited account, lock it, use runas, and shared documents open to save files and info. IF a nasty loads in, reboot and nasty is gone. I use program without creating 1024 MB partition.

    Joan, yes, that’s the Microsoft Shared Computer Toolkit for Windows XP, and it is really cool.  Thanks for pointing it out!

    — Aaron

  41. Alex says:

    Aaron:

    Yes, it happens regardless of what account I use initially.

    I checked offline files tab and it is disabled. In fact, it says because fast user switching is on, offline file access is disabled or something like that.

    Anyway, I do not get any error message when I try to switch user – I just return back to logon screen.

    AutoRuns is a bit above my technical expertise, but I will try to play with it.

    Thank you for your suggestions.

    [Jan. 24 2007] Alex, a colleague just informed me that he triggered the same scenario you described when he disabled the “Shell Hardware Detection” service.  Apparently Fast User Switching has some kind of dependency on this service running.  Is that service enabled and running on your system?

    Hope this helps!

    — Aaron

  42. Ok, I’ll admit it. I’ve been living dangerously for the last several years.

    Simply put, I refuse to install any kind of antivirus or personal firewall software on any of my systems. This includes a Windows XP Home system that was used by my children as

  43. John says:

    I want to change to using Limited, but when I do the ability to connect/disconnect to my dsl is lost (in Network Connections > LAN, the Disable/Enable option is grayed out). This effectively means I have to leave the connection enabled all the time, and I feel it should be disabled when I am away from the desk for a long time, for security. Is there any way around this with XP Home (sp2)?   Thanks, John

    John:  On XP Pro I would suggest adding your non-admin account to the “Network Configuration Operators” group, but I do not know whether that group is functional in XP Home.  From an admin cmd prompt, do this:

    NET LOCALGROUP “Network Configuration Operators” nonadmin /ADD

    … replacing nonadmin with the non-admin account name you’re using.

    HTH

    — Aaron

  44. Nate says:

    Ok, this kinda helped me. I am a limited accont on my computer(my mom wont change me to admin) and i like to play games. but everytime i load the game in her world or accont, i cant get it to run in mine. plz help me in this ive been looking for months. no matter what we do we cant find a game that will ether work period, or will work on a limited user accont.

  45. Zeyn says:

    Thanks to the information on this blog, I’ve now been happily running as a limited user for a few weeks. However, I have some concerns about the way automatic updates work with LUAs. It seems an unnecessary hassle to have to log on as admin and run updates manually, and more importantly I’d forget to do it often enough. It’s an especially bad option when setting up a PC for non-IT-literate friends and relations.

    I know the automatic updates service runs with enough privileges to install updates even when  logged on as an LUA, as it did on my XP Home machine last week. However, I had automatic updates set to install at 03:00, and this was the first time my PC had been switched on at 03:00 since I’ve been logging on as LUA. So, if your machine is off at the scheduled time, does automatic updates just install the updates next time you log on? Or does it wait until the PC is next on at the scheduled time before doing the install? If the latter, it’s a bit inconvenient, as I don’t use my home PC at the same times every day, and even if I did, I wouldn’t really want it rebooting on me while I was using it.

    Ideally, what I’d like is: automatic updates downloads the updates, and notifies me (even though I’m logged in as an LUA) that they are ready. Then when I next shutdown the computer, it installs the updates. All the technical components for this are there, but I have a feeling it isn’t actually possible – does anyone know any way of setting this up?

  46. Nate says:

    Im sorry I do not belive this is possible. You are right about the next time you logg on, it doesnt matter about the time. If there’s new software it needs to download, the next time you logg on it will alert you and ask if you want to start downloading <b>IF</b> you are on a admin acount, or non-LUA. This is how it had been for my computers atleast, Ive also been trying to figure out a way it will let you do these things as a LUA account, but it just doesnt seem possilble for the mounths ive been looking.

  47. qquake says:

    make batch file

    put this command your batch file

    cd

    runas /user:computernameadministrator “explorer.exe /separate”

    save it your desktop

    click batch file. It will ask your administrators password. type it.

    This start explorer.exe with administrator priviliges and you can access also control panel

    Voila!!!

    [Aaron Margosis] Or see this post and this post.  Oh, and note that any use of RunAs requires that the account have a non-blank password.

  48. I did it… I took the plunge…,&#160; installed Vista on my development laptop… (I feel almost like

  49. Koca Kelle says:

    I will assume what seems to be evident : there is yet to be an integral and relatively well defined computer language. So what is an administrator? How many are there?

    As a user in the most simple sense, that is home user with no interest in anything but minimising the risks of navigating Internet, I was interested to know how to setup "The easiest way to run as non-admin", only to find out, once again, it creates as many problems as viruses, trojans, keyloggers, malwares, spywares, maliciouswares, ad infinatum.

    Example: in this page somebody had the problem of not being able to navigate after setting up   "The easiest way to run as non-admin" The response was a string of acronyms, that is "keep navigating"

    I am sorry to be harsh.

    Cordially

  50. Singh says:

    i dont know the password of administrator. so in the runas wat should i do?log in my user id and password ?or admin and no password..sorry i dont get you…

  51. hoortbri says:

    Quickbooks runs as non-admin if you change permissions on the HKLM:…softwareintuit registry key so the user (or Users group) has read/write permission.  Then it works fine, and is much safer than logging in as admin.  It is unacceptable that Intuit doesn’t fix their software…

  52. betty cadotte says:

    how can anyone learn how to get an email address if you don’t know how to do it.you need an email address to answer but they refuse you when you don’t have an email address. how how how can i get one. what is a url