geek microsoft security windows

running windows as a non-admin

a green door with a bigass lock on itWhen you read that even Macs can now expect to get infected with virii, and that 10 to 20 minutes of unprotected hexing on the internet is all it takes to get infected with all sorts of digital nasties, you know that you should take your personal computing security seriously.

So I came across an article in a dutch/german IT magazine C’T about how you shouldn’t run your Windows box with an administrator account for daily use. The reason is quite simple. Even when you’re a geek and protect your box with a decent firewall, anti-virus software and keep your OS software up to date, you can still get infected by something that uses an exploit that has not yet been discovered or patched.
Or maybe you’re simply having an off day and you realise that the Kellie that sent you that email with an attachment isn’t the Kellie you know after you double clicked it, and your harddrive going on like a rattlesnake now while absolutely nothing seems to be happening on screen…

So it’s a good idea in case shit does hit your fan, and the virus can’t properly infect your system as you’re not running as an administator, but a simple mere user, who does not have sufficient rights to alter certain parts of the registry and those so very precious system files. Naahnaah, eat that mister virus!

The idea has been living for a while, but Aaron Margosis from Microsoft has fleshed things out in his blog posts, and has some very usefull and interesting information posted about it if you’d feel like giving it a spin.

big sign with the text 'do not be alarmed - all is secure' Problem is it ain’t that easy. After creating a brand new admin account and stripping your daily user account from it’s admin super powers you might run into a few kinks here and there. You probaly realise that you’ll have to use the fresh admin account to install new software etc. and XP’s fast user switching makes that pretty easy, but that’s not all. Now and then you’ll have some software that requires more system privileges, or sometimes software is simply badly written, and requires more privileges than it should.

The RunAs command could be used in that case, but something more flexible and interesting is the MakeMeAdmin scripts (3 scripts) which found it’s entry on Margosis’ blog, and in this follow up post. The C’T mag also offered a version, which combines all scripts into a single one, which is nice. The latest version available online contains German comments unfortunately, but it’s not really necessary to understand what the comments are about to get it to work.
You can downloaded the zipfile on this page, using the link at the bottom.

To explain what it does in short, it adds your current user account to the administrator group, launches an application and de-admins your account again. You’re only a member of the admin group for a split second, but the application does have admin rights for as long as it runs, and uses your current users settings etc.

To have it run no your setup, there’s 2 lines of code you need change. First you need to change the _Admin_ variable value to the name of a useraccount with admnistrator access. That newly created admin account is what you put here.

set _Admin_="%COMPUTERNAME%\root"

Second you need to change the German name of the admin group to the ones that’s used on your system, since this is language dependant on Windows XP & 2000.

set _Group_=Administrators

Then just put a shortcut to it somewhere in your quicklaunch bar, your desktop, your Send To items, or all of the above, so you’re ready to flings stuff at it that doesn’t work under your limited user account.

Sweet as pie, and actually necessary if you want to run something that does low level OS operations like CD ripping or CD burning as I found out.

I’m planning to keep this up for a while until I either hit a brick wall, euhm… or not, and post about some of the software issues I might encounter.
We’ll see!

2 replies on “running windows as a non-admin”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.