Why you shouldn’t run as admin…


First, let’s define terms.  This may be oversimplifying, but for the purpose of this discussion there are only two types of users:  Administrators, and Users.  They are essentially distinguished by membership in the “Administrators” and “Users” local groups.  “Administrators” have complete and unrestricted access to the computer/domain.  “Users” are prevented from making accidental or intentional system-wide changes.


 


Narrowing down to two user types is not entirely arbitrary.  In fact, this is exactly how Windows XP Home Edition distinguishes users.  Under the hood, its Computer Administrators and Limited Users are members of Administrators and Users, respectively.  And besides, membership in groups such as “Power Users” or “Backup Operators” is tantamount to being an Administrator.  When I talk about running as non-admin, I am not suggesting running as Power User instead.


 


OK, so if you are one of those people who is allowed (or required) to administer your own computer, why wouldn’t you just want to log on as an admin all the time?  Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand?  Or would you prefer to keep it in a safe place until you actually need it?  Does that metaphor work?  How about “running with sharp scissors”?  Well, let’s skip the metaphors, then.


 


The #1 reason for running as non-admin is to limit your exposure.  When you are an admin, every program you run has unlimited access to your computer.  If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.  A corporate firewall is only partial protection against the hostility of the Internet:  you still browse web sites, receive email, or run one or more instant messaging clients [added 2004.06.25] or internet-connected games.  Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen.  Let’s say you’re using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code.  When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privs.  If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead.  But if you’re running as admin, an exploit can:



  • install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
  • install and start services
  • install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
  • access data belonging to other users
  • cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
  • replace OS and other program files with trojan horses
  • access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
  • disable/uninstall anti-virus
  • cover its tracks in the event log
  • render your machine unbootable
  • if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
  • and lots more
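To see how exposed a given machine is to the list above, the following added example (written for this page, not code from the original post) reports whether the current session holds Administrators rights and who belongs to the admin-equivalent groups named earlier. It assumes Windows PowerShell 5.1 or later for `Get-LocalGroup` and `Get-LocalGroupMember`; the function names are illustrative.

```powershell
# Added example (not from the original post): who holds admin-equivalent rights here?
# Assumes Windows PowerShell 5.1+ for Get-LocalGroup / Get-LocalGroupMember.

# Well-known SIDs of the built-in groups the post treats as admin-equivalent.
# SIDs are used instead of names so the check also works on localized Windows.
$PrivilegedGroupSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-32-547',   # BUILTIN\Power Users
    'S-1-5-32-551'    # BUILTIN\Backup Operators
)

function Test-SessionIsAdmin {
    # True when the Administrators group is enabled in this process's token,
    # i.e. every program started from this session inherits admin rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PrivilegedGroupMember {
    param([string[]]$GroupSid = $PrivilegedGroupSids)

    $currentSid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($sid in $GroupSid) {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }            # group does not exist on this edition
        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
        } catch {
            Write-Warning "Cannot enumerate '$($group.Name)': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group         = $group.Name
                Member        = $m.Name
                Type          = $m.ObjectClass        # User or Group
                Source        = $m.PrincipalSource    # Local, ActiveDirectory, ...
                IsCurrentUser = ($m.SID.Value -eq $currentSid)
                BuiltInAdmin  = ($m.SID.Value -match '^S-1-5-21-.+-500$')  # RID 500 account
            }
        }
    }
}

$report = @(Get-PrivilegedGroupMember)
$report | Sort-Object Group, Member | Format-Table -AutoSize

if (Test-SessionIsAdmin) {
    Write-Warning 'This session holds Administrators rights: anything it launches runs as admin.'
}
if ($report | Where-Object { $_.IsCurrentUser -and -not $_.BuiltInAdmin }) {
    Write-Warning 'Your everyday account is a direct member of an admin-equivalent group.'
}
```

Membership granted through a nested domain group appears as a `Group` row rather than as the individual user, so those rows need to be expanded separately.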


My #2 reason for running as non-admin applies to developers.  Developing software as User instead of Admin helps ensure that your software will run correctly on end-users’ systems.  Please, never again give me anything like Windows Messenger 4.x!  An admin had to install it, of course, but no user could use it until that user ran it at least one time with admin privileges.  That’s not even “an admin has to run it once before anyone else can”.  That would have been bad enough, but Messenger actually required that each user run it with admin privileges.  Completely inexcusable, and certainly attributable, at least in part, to devs running as admin.  Keith Brown’s upcoming book also drives this point home really well.  Some will argue that you should develop as admin and test as User.  I don’t believe this works as well.  Maybe I’ll drill down into that point in a future post.


 


My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles.  Hey, y’all!  We need to lead by example.  People look to us for best practices, for the right way to do things.  We are trying to convince the world that we are thought leaders in software and in software security.  In the Unix world, they never run as root except when necessary.  They “su”, do what they need to do, and revert back.  We are not leaders when we run as root all the time.  Comrades:  you need to run as “User”, and your customers need to see you doing it.  If you run into issues, don’t add yourself back to the admins group – file a bug against the offending product.  Customers:  if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, “You’re not setting a very good example.  I am disappointed.”


 


Next post we’ll start talking about how to run as non-admin without driving yourself crazy.


 

Comments (69)

  1. blog coward says:

    Let me see if I got this straight, there’s an account that can destroy everything by outsiders. Instead of a multi billion dollar a year company making their OS secure and not like Swiss cheese, the average Joe has to jump through hoops to pretend to be safe. Not running as Admin will not make you safe, not running low security software does. So what if Unix users don’t run as root, two wrongs don’t make a right. Spend a couple bucks of that $50billion cash reserve building Windows that can’t be hijacked by outsiders simply because you run as the boss on your server.

  2. Uh, blog coward… what do you think root is? It’s an account that can "destroy everything by outsiders."

    The problem isn’t Microsoft making their OS secure. The problem is Microsoft reconciling the operating system’s ease of use with the ease of destruction. Linux has the same problem; Lindows is fairly infamous for initially running everything as root. (Linspire, Lindows, whatever they call it.)

    As for low security software most Linux distributions didn’t come with ipchains/iptables installed by default until a few years ago. (Well, circa 2000.) Prior to that they left their hosts wide open to the Internet, much like Windows 98 and 2000 does. The built in firewall in Windows XP gets deactivated due to "consumer suggestion sites" that insinuate it "won’t help you protect yourself and will only aggravate you." Similar advice comes from every direction.

    Why am I prompted to give the root password any time I do something even remotely related to the system on Red Hat? How is my giving the root password eight hundred times in one session to get one application working more secure than Windows asking for the administrator account? (And yes, you can Run As… rather than logging out. Thank God.)

    The final straw is the fact that many of the operating system deficiencies people like to pounce on are expounded on by the millions of developers who throw together a program that "just works" and don’t consider the security implications. Linux independent developers cause these same issues.

    Now add in the fact that Windows is, ultimately, based on code from … what, 1980? Windows NT was supposed to be a clean rewrite but with the Win16 and Win32 API compatibility requirements I’m not sure how clean that rewrite truly was. Linux was started in 1991. You have this oldtimer operating system carrying around eleven more years of compatibility baggage through an evolving definition. Linux has the advantage that it is POSIX based and that definition hasn’t changed significantly for years. 16 bit, 32 bit, 64 bit — no biggie. (Yes, that’s a definite and huge advantage that Linux and Mac OS X have. The significance of being able to run POSIX compliant software, or at least easily porting it, means that an operating system can share applications with others — OS X, SysV, OS/2, AT&T UNIX, *BSD.)

    I am no blind Windows fan, but neither am I a blind Linux fan. Posts like yours do nothing to encourage Microsoft to fix the bugs they have, nor do they anything to advance the cause of OSS software or Linux in general. Instead they show the contempt that individuals like you feel you can have because of a perceived advantage on your part in the operating system you run or develop. They’re pointless and inflammatory, not to mention based on biased and incomplete information.

    Ah, to hell with it. Why am I feeding you?

  3. Pat Rice says:

    From NT 3.5 (the first usable version – 3.1 was SLOW SLOW SLOW) through Windows 2000, I was very careful to limit Administrator privileges. Safety! Security! were my mantras.

    I suffered for it.

    Too many applications – including several from Microsoft – just plain wouldn’t work unless installed & run by an administrator.

    Now, with Windows XP, my account is an Administrator, and everything (more or less) works as it should. There is no Safety! Security! any more, but at least I can get my work done.

  4. blog coward says:

    For the record, I only use Windows for both work and home. I have only tinkered with unix/linux.

  5. josh says:

    There are very few applications that just don’t work without full admin access, but it takes forever to find the problems and poke holes through. (auditing is a big help, but still)

  6. old thoughts, old arbument says:

    How about Microsoft changing the XP OOBE such that a user logging into the system for the first time gets to set up non-Admin accounts and log in, from the first moment, as a user.

    Home users especially won’t recognize the value of the User account until they can get their system set up the first time while they are in a User-level account and it is much easier to get the whole family set up as Users.

    All testing should be done by default with the tester in "Limited User" account and then issues regressed against accts with admin privileges. Always.

  7. Peter Torr says:

    Hey, not sure this makes sense:

    "…its ability to attack others on your network is greater than it would be with only User"

    Just because you’re local admin on your machine doesn’t mean you’re admin on any other machines (unless they all share the same password). In fact, running as YOUR_BOX\Administrator is "better" than running as DOMAIN\User in this specific instance because the local account can’t write to network shares, whereas the domain account probably can (and therefore infect other people who open infected files). Also, in some cases other people will add your domain account as Administrators to their boxes (eg, a shared Terminal Server) which means even if the malware can’t infect your box (you’re a normal user) they can infect the server.

    Obviously running as user is goodness… I just don’t think you can make an argument based on the damage to other machines on the network 😉

  8. Peter, you’re correct. The scenario I was thinking of was of other domain passwords stored in LSA secrets; e.g., to start services, COM+ components, etc. Probably a reach on my part, as that’s probably not very common on workstations.

  9. Dana Epp's ramblings at the Sanctuary says:

    I know I am going to get myself in trouble for this… and will probably be banned from the Microsoft campus, but I saw a post by a Microsoft employee and felt compelled to respond. I am taking Aaron Margosis to task and following his suggestion. In his post he says: "Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, 'You’re not setting a very good example. I am disappointed.'" How about PowerPoint? How about Word? How about demos of stuff not needing to be run as admin? How about running a remote desktop? I saw all of these when I was at Microsoft. When I was walking through the trustworthy computer fest last week at Microsoft I stopped at NINE machines that Microsoft employees were using, and all nine were logged on as administrator. 9 for 9 were NOT running with least privilege. But that’s not the frustrating part. This was a SECURITY RELATED computer fest. You would think that this crowd would be much more aware and focused on such things. Combine that and the recent fact I found out that in the latest RC of XP SP2 you no longer can use "runas" on your Windows Update right out of the box… and I see serious problems on the Microsoft campus. It seems many don’t wish to eat their own dog food. Microsoft, you’re not setting a very good example. And I am disappointed….

  10. keith says:

    I wonder why everyone points their fingers at Microsoft saying "Your OS is like Swiss cheese". I think to myself…"and when was Microsoft ever a Security company?" They write software. It is what it is…and typically it’s all about functionality and is generally pretty robust, fairly user friendly and a hell of a lot more plug and play friendly than any *NIX I’ve ever seen (although opinions may vary).

    Unix admins have had to jump thru lots of hoops for years to secure a *NIX distro out of the box. Thinning services, disabling things, patching vulnerable services (minimizing your attack surface) and more, have all been a part of a *NIX admin’s job for quite some time……it’s sorta just what ya do when you’re a *NIX admin. Windows admins have been oblivious to those simple concepts since the beginning of time. Turn stuff off if ya don’t need it. Set ACLs on stuff, apply group policies and secure templates….almost like…..applying wrappers, applying IPchains or tables and disabling unnecessary unix services….simple concept.

  11. ch. says:

    well that’s a nice theory but in practice xp requires admin privileges to run many applications. I either run them as admin or not run them at all.

  12. ch – It is true that some apps don’t work without admin privileges. In some cases it’s valid (e.g., secpol.msc), and in some cases it’s because of faulty design and/or implementation. Complain to the vendor in the latter case. BTW, in that case it’s not XP requiring admin privileges, it’s the faulty app! In any case, needing to run as admin sometimes is not an excuse to run as admin all the time, particularly with anything with internet exposure (email, IM, internet-connected games, media players, web browsers, etc.)

  13. ch. says:

    ok, i blame age of empires made by microsoft 🙂

    ok i know it’s too old to work the easy way, i wrote to techsupport and they provided a very complicated solution which works (after i tweaked it a little bit)

  14. Expect more attacks before patches become available – and how you can protect yourself.

  15. Niclas Lindgren says:

    Well,

    This is an old blog, but I will add one note. If you are knowledgeable enough to know that you shouldn’t run as Admin, then you are probably also knowledgeable enough to avoid "damaging" your computer due to various reasons. So the theory is good, but to be able to actually benefit the common user it somehow has to be enforced to use a normal account for most things.

    I have run as an admin for as long as I know, I have never ever been troubled by viruses or worms. Maybe I have been lucky, but I doubt it. So the key audience for this kind of advice has to be those that are unlikely to ever read about it. My question is, how do you reach those people and change the normal pattern for windows usage (that is everyone is always admin)?

    Cheers

  16. Niclas, thanks for posting.

    I must disagree with your basic premise that simply being "knowledgeable" offers the same security as running with limited privilege. See my posting about zero day attacks for more about this (http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx). With download.ject, organized criminals exploited vulnerabilities in the web servers of well-known and generally "trusted" sites, in order to insert code that would run on the machines of those who browsed the site. That code exploited a previously unknown and (of course) unpatched vulnerability. If you were running as admin and happened to go to one of those sites, your machine was owned. I’m sure you generally visit only sites you "trust" to some degree. But have you ever clicked on something returned from Google, only to find that the site you connected to looks nothing like what Google said it would be? That’s happened to me, and I think I’m fairly knowledgeable.

    I also ran as administrator for years and to my knowledge never had malicious code execute on my computer. Maybe there wasn’t any – or maybe I just never knew. In any case, I’m older and wiser now 🙂 and the threats are much greater now than they were even five years ago.

    Regarding the vast, non-technical majority – getting them secure will depend on us and application vendors. We (Microsoft) need to make running with least privilege the default, without sacrificing user experience. (That’s not easy.) We also need application vendors to make sure their products work well without requiring admin privileges, as many of them now do. (Check this out – it makes me absolutely ill: http://support.microsoft.com/default.aspx?scid=kb;en-us;307091 )

    In the meantime, you can help those whom you come into contact with. Least privilege is actually easier for the home user than it is for the corporate user – for more info see http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

  17. Bit Fuzzy says:

    There’s no reason *nix or Windows users need to run as admin.

    There are ways to allow "limited" users to use software without admin/root access

    Security depends on and perhaps starts with the Administration of the system/network.

    Would you take your front door off its hinges and sleep well?

  18. mike lorengo says:

    I’m Not Running As Administrator

  19. Pick A Bar says:

    I think most everyone would agree that doing day to day activity on your PC as an administrative user is a bad idea. At the same time, knowing why you shouldn’t run as admin hasn’t been enough to motivate me…

  20. Anonymous says:

    SpywareBlog – Why you shouldn’t run as admin…

  21. In Windows we have the syndrome of running applications as Administrator. Can we kick that habit?

  22. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  23. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  24. Glenn Charles says:

    My problem is to do with games. Admittedly, I’ve enough experience to easily change back and forth from admin to non-admin; I’m also both lazy and forgetful at least at times. I also share the network with someone who has no idea of vulnerabilities at all, and is now debating whether or not virus protection is really necessary. The point of this is; the importance varies somewhat because of the usage of the computer. …Particularly since IE can demand use of admin privileges, according to one of the lists I just visited.

    Glenn

  25. NobodyXYZ says:

    It is good to see MS users doing things that Linux/BSD has done for years. MSWindows has the wrong approach to security: NONE. Making user accounts with fewer privileges is a good step forward, BUT the lack of good security politics from MS is always here. If MS wants to be more secure then THEY NEED TO REEVALUATE their goals and default politics. I use windows at work, and use linux or BSD at home; with some experience in both worlds, I can say that MS is hard to maintain without viruses or crashes, AND THIS IS NOT A MATTER OF MY ACCOUNT PRIVILEGES, no, IT IS a matter of the Windows OS. In other OSes I can be secure without viruses or crashes ever. But at work, with MSWindows, I need to run antiviruses, antispywares, anti-etcetera, to feel secure.

    As a user of MSWindows I am disappointed with their criteria for security; my Co. pays a lot for the OS but it does not bring us any advantage. MS needs to be careful about security from now on, because it is a core problem and not an extravaganza.

  26. NobadyXYZ says:

    You cowards, post my comment, don’t be sissy. Or is the truth so hard for you?!

  27. Vermont reader says:

    Not sure what all these comments are going on about. The simple truth is stated quite nicely in the original blog. No matter how well or how poorly your OS is conceived and written, it is just plain safer to NOT run as the account that can do absolutely anything it thinks it wants to. The post was not about the quality of Windows XP. It just states the obvious. Consumer software should not have to run as a local Admin (or root on Unix systems). So why make it do so. If you can get away without running as a local admin, you should probably do so.

  28. richjj says:

    Speaking as a home user: If you run a lock-down program such as Deep Freeze or ShadowUser, and reboot after each surfing session, then none of these exploits in your #1 paragraph – should they happen – will hang around to do any damage.

  29. Robb says:

    My family survived from DOS 3.3 to Windows Me without so much as a single virus. So naturally, when XP came out, it never even entered my mind to make anyone a "Limited User."

    The kids had moved away and it was just us adults now. One day, one of the computers had a very minor highjack — the default search engine was changed. I tracked it down to a ‘free’ screensaver that was installed.

    We’ve been user-accounts ever since. I’ve had to learn a lot more than I should have to learn about permissions — but most of that is the culture I described above. Software publishers are still not used to their users actually being in the Users group!

    Microsoft needs to change the term "Limited Users" — it sounds negative and restrictive. Perhaps call them "Protected User" and "Unprotected Admin" in XP Home. 🙂

    Great Blog, Aaron, it’s helping me.

  30. Aceryt says:

    Ping Back from: blog.csdn.net

  31. Richard says:

    Attacking another computer on the network is easier as an admin, Aaron was right and Peter Torr is missing something.

    Under an LUA, you can only open normal socketed connections and datagram listeners, but as an admin you can send christmas tree packets, half-open sockets and leave them (ie the famous SYN flood), etc.

    Basically, the difference is that the LUA can only go through WinSock, the admin can build his own IP packet.

  32. There’s another way in which it’s easier to attack other computers as an admin than as a regular user — and that’s quite simply that admin accounts have the ability to make persistent changes to the system. If you normally run as a regular user but pick up a trojan or rootkit that one time you’re browsing as an admin, you’ve just compromised that box regardless of who is using it.

    Having a reduced attack surface doesn’t matter nearly as much as an admin, because the admin account has the power to change the attack surface. It may not be a direct attack on other machines, but that doesn’t change the fact it still puts them at greater risk.

  33. John Best says:

    An issue that I consider a poor practice is companies that require a home user to go to Administrator for their software updates. I have a habit of getting in and out as fast as possible. I think my wireless router, anti virus, anti spyware and firewall software offer me a good measure of protection, but keep critical information on a PC that doesn’t require constant calls for updates. Are there any comments on hardware and software protection levels of security?

  34. R Cozakos says:

    2006-01-09_02:17

    I stumbled into this blog via an article at the PC Magazine website about four hours ago and haven’t even been able to stop to fix my dinner (that’s my tummy growling you hear) — great stuff! I knew I couldn’t be the only one frustrated by this stuff.

    The XP help has a very pointed message about not running as admin, which I took seriously. Then I can’t check the calendar, set power options, do MS updates … I’ll have to come back another time or two to really absorb it, but at least I know it’s here.

    BTW, some posts refer to "stupid" users being to blame for their problems for not following good practices. Just because a user is ignorant of all the arcane practices required to do it right does not mean they are stupid. Not everyone wants to be a computer/IT geek just to use the web. (someone stop me here…) Aaron has it right: the products have to be designed to require as little jumping through hoops of the users as possible.

  35. It is ironic that everyone blames MS, but if 100% of my software was MS I could easily run as LUA with little or no problem because at least most modern MS apps obey the rules.

    It is all the non-MS software on my system that requires me to go through hoops and spend days figuring out how to trick them into running as non-admin.

    Some are simple – such as letting them have write access to their installation folder (because the idiot who wrote them still uses INI files). Others are more complex – requiring RunAs, etc.

    It is obvious why MS has the default setup account as admin – if they didn’t most non-MS applications would not work and MS would be blamed for breaking them. Caught between a rock and a hard place, they are.

    Interesting we don’t see many complaints about say (to quote one random example recently on my list of annoying programs to install), Adobe Photoshop CS2 breaking the security rules and getting around them by sneakily and dangerously setting its installation folders to Everyone: Full Control?

    I’m amazed at how many programmers out there, especially in the graphics and music sector, have no idea about the basics of where to store configuration information or where to save data, let alone security.

    And don’t get me started on all those antivirus and antispyware solutions out there that require the user to be an admin – sort of like having a burglar alarm that only works when your house is unlocked and the doors are open.
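The install-folder permissions described in the comment above (write access for ordinary users, or Everyone: Full Control) can be found with an ACL audit. This is an added example, not part of the comment or the original post; it assumes PowerShell 3.0 or later, checks only the top-level folders under Program Files, and its function name is illustrative.

```powershell
# Added example: list install folders that ordinary (non-admin) users can modify.
# A writable install folder lets any user-level process replace the program's files.

# Well-known SIDs of principals that every interactive user's token carries.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Specific rights that allow planting, replacing or re-permissioning files.
$WriteMask = [int][Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Inherit-only ACEs are often stored with generic bits that do not map to the
# FileSystemRights enum: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericWriteOrAll = 0x50000000

function Get-UserWritableInstallFolder {
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))

    foreach ($r in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        foreach ($dir in (Get-ChildItem -LiteralPath $r -Directory -ErrorAction SilentlyContinue)) {
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL of '$($dir.FullName)': $($_.Exception.Message)"
                continue
            }
            # Ask for SIDs rather than names so the match is locale-independent.
            $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                $sid = $rule.IdentityReference.Value
                if (-not $LowPrivSids.ContainsKey($sid)) { continue }

                $bits = [int]$rule.FileSystemRights
                if (($bits -band $WriteMask) -or ($bits -band $GenericWriteOrAll)) {
                    [pscustomobject]@{
                        Folder    = $dir.FullName
                        Principal = $LowPrivSids[$sid]
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                        AppliesTo = $rule.PropagationFlags   # InheritOnly = children only
                    }
                }
            }
        }
    }
}

Get-UserWritableInstallFolder | Sort-Object Folder, Principal | Format-Table -AutoSize -Wrap
```

An empty result means no top-level install folder grants these principals write-type rights; subfolders with their own explicit ACEs are not covered by this check.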

  36. JSE says:

    contrary to Paul C.. I find it is MOSTLY MS applications – in particular, their games – that cause me administrator grief.  I worked around it by creating an account for the kids to run games in – an admin account, but took away all the internet access, and left their regular accounts as LUA.  Other game companies have been better…

  37. Status says:

    I guess I should have already known this, but it honestly hadn’t crossed my mind that a major corporation with an intimate knowledge of the risks involved hadn’t actually yet weaned users off local admin rights yet.

    My first clue should have been that

  38. Anonymous says:

    Well, if you have common sense, run a decent antivirus, and a firewall such as ZoneAlarm that prevents apps that do not have net access from tapping into the ones that do.  Also, run ProcessGuard from DiamondCS for heaven’s sake!  Then processes cannot install drivers or services without your permission or use global hooks to steal information you are entering into other programs… etc.  Besides, then any processes that you have not authorised to run, cannot!  I should also hope that the ONLY time you use IE as a web browser is to do windows updates!  Seriously, get Opera or Firefox or any of the other non-IE based browsers out there and enjoy instant protection from overActiveX.

  39. Anon says:

    We have login scripts that we use to install software that must install as admin.  How do we elevate the privileges of the script during login?

    Use a computer startup script instead of a login script.  Startup scripts run as LocalSystem.  If you also need to perform per-user actions, factor those out into the login script and leave the machine-wide stuff in the startup script.

    — Aaron

  40. Tim Sneath says:

    If you’re a reader of this blog, I’m going to take a low-risk gamble and assert that you probably consider…

  42. Marco says:

    For company networks theoretically it’s bad to give users admin rights on the local machines. However you don’t want to limit any user from doing their normal work since most people get paid per hour and would cause unproductive hours if they can’t due to insufficient rights on the machines.

    In general there are 2 ways of securing a computer: 1. Lock-down everything and grant only the rights a user needs. 2. Allow everything and only take away the rights for things that are unwanted.

    Approach 1 sounds theoretically better, however it often causes problems like (some) programs not running correctly. Besides that, such a user doesn’t even have the rights to limit some more of their own rights. (Users cannot write a new limitation to their own Policies hive in the registry or devote write-access on folders to read-only for themselves)

    Approach 2 sounds scary to most people, however gives more flexibility. Users can limit their own rights themselves (or the login script does). If there would be some security flaw that would be overlooked by the administrators at worst the local machine is compromised and can be reinstalled automatically at next boot (with image or pre-install)

    Group policies with their GUI to configure look nice but don’t give a good overlook what they are actually doing in the registry. A rough estimate is that 8 out of 10 admins messed-up at least once with them. By creating the registry keys yourself you have way more flexibility and overlook what you’re doing. Beside that it’s narrowing down the chance to mess-up policies for a whole network.

    The use of approach 2 together with registry imported limitations gave me the possibility to administrate close to 2000 workstations alone together with the helpdesk for application support, and still having time for the nice things in life 😉

    Anyone some remarks?

  43. Ragu says:

    hi,,

    i am a user in the network, i want local admin rights.. without tech support.

  44. Programming says:

    In How to Clean Up a Windows Spyware Infestation , I documented how spyware can do a drive-by infection

  45. Table of Contents – blog posts on Aaron Margosis’ Non-Admin WebLog

  46. I did it… I took the plunge…,  installed Vista on my development laptop… (I feel almost like

  47. The-Gizmo says:

    You can also just run-as a program like notepad with an admin account and use the open dialog prompt to get an explorer like window without having to log off and back on as an admin. You can then do just about everything a normal explorer window can do, and save time.

  48. techweb says:

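    Why you shouldn’t run programs as administrator. Original English version: http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx First, let’s define some terms. For simplicity, we describe only two types of users: Administrator (system administrator) and User (ordinary user). They are essentially distinguished by belonging respectively to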

  49. csdnexpert says:

    Why you shouldn’t run programs as administrator. Original English version: http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx First, let’s define some terms…

  50. BV says:

    In Unix world, you could do what you needed as a su, meaning you could open a xterm session or do a script etc. When you elevated, everything worked correctly.

    In MS, this does not work. Runas is not 100% functional. It has to do with hives, redirectors for mydocuments, stored credentials, etc.  I have learned, it is best to run as local admin on MS.  There are too many problems that you encounter with it otherwise.

  51. FOR SOME REASON IE 7 WILL NOT RUN ON MY COMPUTER UNLESS IT IS RUN AS AN ADMINISTRATOR

  52. xdmv says:

    What do you (readers are welcome too…) think about "SuRun" application?

    Thanks in advance!

  53. doglover98 says:

    i like the info on this page a lot.