Table of Contents (Aaron Margosis’ Non-Admin WebLog)

The “why” posts:

Not running as admin…
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157866.aspx

Why you shouldn’t run as admin…
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx

“Zero-day” attacks and using limited privilege: Expect to see more malware predating the patches – and how you can protect yourself. (Or, “Why you shouldn’t run as admin, Part 2”)
http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx

Anti-virus vs. Non-Admin: Should you run as admin only because…

How to cleanly stop Explorer.exe on Windows Vista

This is the first time I have blogged here about something other than running with least privilege. It’s about a neat trick, though, that can be useful for some people. If you need to shut down the main Explorer process, you could just kill it from Task Manager or Process Explorer. But undesirable and unpredictable…

Scripting Elevation on Vista

[Added 2007-07-02, 16:41 Eastern Time:  I was thoroughly and inexcusably remiss in failing to include a reference to Michael Murgolo’s excellent TechNet Magazine article, Script Elevation PowerToys for Windows Vista.  I’m rectifying that now.] As I mentioned recently, although the RunAs.exe console utility still exists on Windows Vista and will let you run a program…

FAQ: Why can’t I bypass the UAC prompt?

The frequently asked question, “Why can’t I bypass the UAC prompt?” is often accompanied by statements like one or more of the following: “We want our application to run elevated automatically without prompting the user.” “I don’t get why I can’t authorize an application ONCE and be done with it.” “Unix has setuid root which…

And so this is Vista…

What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least privilege. Windows Vista makes running as a standard user (non-admin) much more pleasant, feasible and secure than…

Follow-up on "Setting color for *all* CMD shells based on admin/elevation status"

[Updated, 2007-06-27]  This is the (overdue) follow-up to my earlier blog post about setting the color and title of all CMD windows based on the admin/elevation status of that window. First of all, as some commenters noted — and as I had discovered as well — having the COLOR command run in the CMD autorun…

LUA Buglight and drive mappings: Action Required

LUA Buglight creates an alternate security context representing the current non-admin user but with admin/elevated privileges.  Because that context is created in a separate logon session, none of the network connections, drive mappings or SUBST assignments of the original context are present.  LUA Buglight tries to copy as many of those to the alternate context as possible. …

Setting color for *all* CMD shells based on admin/elevation status

In my RunAs… and MakeMeAdmin posts, I recommend making your admin command shells visually different to set them apart from non-admin ones.  You can change the default console window color on a per-account basis, but that doesn’t help when the same account may be used in both admin and non-admin contexts (such as with Vista’s UAC…

LUA Buglight updated information

I’ve meant to provide more info and follow-up regarding LUA Buglight, the tool I wrote to help identify “LUA bugs”. “LUA bugs” are the issues that cause a program to work only when run as admin (elevated). Here are some quick notes…

1. Internationalization: there is an issue when LUA Buglight is used on…
