Michael Horowitz

Three workarounds for running Windows XP as a limited user

July 11, 2010 12:24 AM EDT

 
The other day I spent time removing a virus from a Windows XP computer. I hate doing this, it's such a huge waste of time, both mine and the clients. Computer users have better things to do. Not to mention the fact that no one can ever be sure that a malware infection is completely removed.
 
To increase the odds that I would never have to re-visit the same computer, I created a new administrator level userid, logged on to it and converted the existing userid from an administrator to a limited (restricted) user. Then, for two minutes, I explained about administrative and limited accounts to the computer owner who seemed more than willing to trade some minor inconvenience for the safety of running as a limited user.

On my way home, I was bugged about one of the biggest obstacles to running as a limited user, poorly written software. Some applications just don't work when installed by an administrative user and then run by a limited user. Dropbox, the widely acclaimed backup software, is one such program.

But, then I had an idea, which I share here in the hope of encouraging more Windows XP users to give up their administrator addiction.

When an application won't run from a userid other than the one that installed it, uninstall it, change the limited user to an administrator, install the application and then change the userid back to being restricted. It's a hassle, but seeing as how this is a Defensive Computing blog, recommended nonetheless.

Another problem has to do with software that has to be run as administrator. While this should not be the case for normal applications, it's certainly true for a program I run daily, TrueCrypt. This problem has good news, bad news and good news.

The initial good news is that there is no need to logoff the limited user, you can simply right click on the EXE in question (or its shortcut) and opt to run it as an administrator.

The bad news is that the clickstream here is way too long (Windows 7 improved it).  Specifically:

1. Right click on EXE or shortcut
2. Click on "Run as..."
3. Click the radio button for "the following user"
4. Enter an administrator userid
5. Click into the box for the password
6. Enter the password and, finally,
7. Click the OK button

The final good news, is that this clickstream can be greatly reduced, thanks to the runas command.

To illustrate, let's assume a shortcut such as the following

c:\somefolder\something.exe

This can be changed, as shown below, to always run as another user (an administrator user in this case).

runas  /user:adminuser c:\somefolder\something.exe

In my experience, this gets changed by Windows XP to

c:\windows\system32\runas.exe /user:adminuser c:\somefolder\something.exe

Clicking this new shortcut takes you immediately to a password prompt for the administrator user. 

Because the shortcut now runs "runas.exe" instead of "something.exe", the desktop icon will change, and you'll probably want to reset it back to that for the original program.
 
Finally, another problem I've run across when logged on as an XP limited user is not being able to delete some icons on the desktop.  

In my case, this was because the icons were not part of the desktop for the limited user but instead resided in the "All Users" desktop. To remove them, logon as an administrator and find the shortcuts in

C:\Documents and Settings\All Users\Desktop

Simply move them from there to the desktop of another user or delete them altogether.

Yes, being a limited user can be a hassle. But the Defensive Computing choice is to volunteer for the hassle, because a malware infection is a huge sinkhole of time, effort and money. Hopefully these suggestions will help you reduce the hassle.