Windows XP, limited account, program wants administrative access. How can I set this up?

I’ve just bought a couple of netbooks for my kids and I have set them up with limited accounts (because I know they will end up inadvertently installing badware from somewhere or other).

Some legitimate programs that they do want to run, require administrative access - Microsoft’s suggested solution is to set them up as ‘run with different credentials’ and provide admin credentials when running the program, or ask the vendor for a new version that will run in a limited account, but:
- The former option would mean divulging admin credentials to the kids, defeating the purpose of giving them limited accounts.
- The application is published by Microsoft.

So… is there a generic workaround that will enable me to set up these programs to run with admin access, from a limited account, without the user intervening each time the program is run, or knowing the admin credentials?

It seems strange that you have a program that won’t even run in a non-admin account.

Normally a program requires an admin account to install, but not to just run. And in that situation you either install from the admin account and say yes to those programs that say ‘is this program available to all users of this computer?’

Or, there is a feature I’ve found useful on limited account work PCs - On the installation file (setup.exe or a self extractor or whatever) right click and click ‘run as administrator’ and then you type your admin credentials in to that, and the program installs.

What are the programs in question that require an admin account to just run? (Or are you actually referring to the installation? In which case I have attempted to answer that)

As a Windows developer for the last 20 years, I refuse to run software that requires Administrative privs.

At best it is the sign of a lazy programmer, at worst - it is malware or potential malware. My advice is to find another program.

In almost all cases the programs don’t really want true administrative access; what they want is write access to some particular disk folders or registry keys which are normally read-only to all except admins.

So the trick becomes finding out which disk folder(s) and/or registry key(s) it needs to write to and then altering the access settings on those places, and only those places, so that your kids’ limited user accounts have write access there too. Once you do that, the app will run happily as a non-admin.

Yes, you are opening up the security door, but just a crack.

As to how you locate those places …

The typical technique is to log in as admin and temporarily change the kid’s user to also be an admin. Then log out & log in as the kid-admin. Then you install the app as the kid-admin.

Installing this way is more likely to succeed in the end than trying to use the “install for all users” option, which may or may not exist. A program that needs to run as admin already doesn’t play by the rules, so best to assume it’s totally clue-free on multi-user and user-not-an-admin operations. So install it as the user who’s going to run it.
Then you can make the kid a non-admin, log out, log in as the kid-non-admin & try running. In some cases that’ll work & you’ll be done. In other cases you’ll find the app still won’t run, or run right, as a non-admin. If so, we’ve got to do the long process. Which is …

Run the app as the kid-admin while also running Procmon. Procmon is a tool from MSFT (formerly from SysInternals) which can detect and log all file & registry writes (in addition to a thousand other things going on under the hood).

Within the subject app, you do things like change configuration settings and save them, stop & start the program, and do whatever other UI operations the program has which probably involve it saving state for next time. Then you analyse the procmon log to see where the program read from &, more importantly, wrote to.

Then you adjust the ACLs on those folders or registry keys to grant the kid’s account (by name) to have modify access (or full control). Then make the kid’s account a non-admin, log out, log in as the kid-non-admin, and try the program again.

If it all works normally, you’re done. If not, log in as the real admin, make the kid an admin again, log in as the kid-admin and try the failed actions while using procmon to log what’s going on inside. Use the log to see which settings need to be loosened, loosen them, un-admin the kid, log out, log in …

Lather, rinse, repeat. Per app the kids want to use.

I run as a low-priv user all the time myself and have done this for umpteen apps I use. In most cases it’s a simple matter of locating where the app stores its config info & opening up the access rights to that one folder or registry key.
Sadly, there is not a dirt simple tool (AFAIK) to automate this process of discovery & tweak. If you locate one, please post about it here.
ETA: or, as **jasg** said while I was typing, find another app which does play by the rules.
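The log-analysis step of the procedure described above, as an added example that is not part of the original post or of any tool named in this thread. It assumes the Procmon capture was saved as CSV with the default columns; the process name `game.exe`, the paths and the sample rows are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter
from ntpath import dirname  # Windows path rules on any OS; also splits registry paths

# Procmon operations that always modify file or registry state.
WRITE_OPS = {"WriteFile", "SetEndOfFileInformationFile",
             "RegSetValue", "RegCreateKey", "RegDeleteValue"}

# Constructed sample in Procmon's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","game.exe","1234","CreateFile","C:\Program Files\Example Game\settings.cfg","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf, ShareMode: Read"
"10:01:02.2","game.exe","1234","CreateFile","C:\Program Files\Example Game\game.dat","SUCCESS","Desired Access: Generic Read, Disposition: Open, ShareMode: Read, Write"
"10:01:02.3","game.exe","1234","RegSetValue","HKLM\SOFTWARE\Example\Game\Volume","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 7"
"10:01:02.4","game.exe","1234","WriteFile","C:\Program Files\Example Game\save\slot1.sav","SUCCESS","Offset: 0, Length: 512"
"10:01:02.5","explorer.exe","900","WriteFile","C:\Documents and Settings\kid\ntuser.dat.LOG","SUCCESS","Offset: 0, Length: 64"
'''

def wants_write(operation, detail):
    """True if the event modifies data or opens a file for writing."""
    if operation in WRITE_OPS:
        return True
    if operation == "CreateFile":
        # Only the Desired Access field counts; ShareMode also contains "Write".
        m = re.search(r"Desired Access: (.*?), Disposition", detail)
        return bool(m and "Write" in m.group(1))
    return False

def write_locations(csv_text, process_name):
    """Return (succeeded, denied) Counters of folders/keys the process wrote to."""
    succeeded, denied = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if not wants_write(row["Operation"], row["Detail"]):
            continue
        # Files map to their folder, registry values to their key.
        path = row["Path"]
        location = path if row["Operation"] == "RegCreateKey" else dirname(path)
        (denied if row["Result"] == "ACCESS DENIED" else succeeded)[location] += 1
    return succeeded, denied

if __name__ == "__main__":
    ok, blocked = write_locations(SAMPLE_CSV, "game.exe")
    for label, counts in (("wrote to", ok), ("denied at", blocked)):
        for location, n in sorted(counts.items()):
            print(f"{label}: {location} ({n} events)")
```

A capture taken as the kid-admin fills the first counter with every location the app writes; a capture taken as the limited user fills the second with the locations whose ACLs still block it.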

LSLGuy I haven’t read your whole post but I think I get the gist of it. So I am posting to agree with jasg with respect to your post. Namely that a program that requires that much farting about to get working in a non-admin environment probably isn’t that well written a program and probably best avoided. Most well written programs can be installed by the admin (either logged in as admin, or by being run as admin) and then work perfectly within limited user accounts.

Edit: A program that uses folders on your PC to run will/should create those folders in areas that allow read/write access to limited accounts by default. Namely the user account folder of the user(s) in question.

Which application is it? Have you set up the kids as Guests, Users, or Power Users?

With regard to file and registry permissions, set up a local group - App_Whatever - and add the kids’ accounts to that group, then give that group appropriate permissions, rather than assigning permissions to the Users group or the kids’ accounts directly.

If it is a MS app, name it, there is almost guaranteed to be a workaround unless we are talking SQL Server apps or something crazy like that.

Determining the “appropriate permissions” can be difficult, though, as LSLGuy describes. The issue is that Windows does not have a simple “elevate privileges” mechanism like Unix’s setuid, as used by the sudo utility. In part because Windows’ ACL model of permissions is more complex than Unix’s rather basic user/group/everyone model. There is, however, a sudo for Windows, called not too surprisingly Sudowin.

It’s a game - Midtown Madness 2.

I found a solution - a program called runasSpc (http://robotronic.de/runasspc/) - it allows the administrator to create an encrypted command file that a different Executable, accessible to the user, can open to launch the specific application with admin privileges. It works fine for this application - although as a home user, I get a nag screen, but it’s free to use.

They are ‘Limited’ (that and ‘Administrator’ are the only options I can see in the user configuration applet (this is XP home, in a home-use environment).

PM me an email address - after looking at runasspc to solve a similar problem for a sitewide rollout, I wrote my own version which I still have floating around. And no nag screen.

And XP Home restricts your ability to change security permissions on folders - there is a hack to give that access back, but it is a real pain.

Si

A RunAs-style solution might be all you need, but it doesn’t completely address the issue of needing to perform a privileged operation under a non-privileged profile. For example, if you install an app using RunAs or runasspc or whatever, all the user-specific settings, menus etc. will apply to the privileged account, not the user’s.

One way round this would be to use something like runasspc to launch a second Explorer session, from where you could perform the privileged operation. However, by default new Explorer sessions will run under your pre-existing explorer.exe process, so you won’t get raised privileges. There is a setting somewhere to allow multiple Explorer processes, or you can use an alternative Explorer-like shell rather than Explorer itself.

More at http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx

I want to correct that second paragraph, because it does not address the problem:

One solution is to temporarily raise the privileges of the user, launch the app that needs privileges, then revert the account back to normal while the privileged app is still running. You would use something like runasspc to perform this step, so the user doesn’t see the admin password that is necessary to do it.

It’s the same mechanism that Aaron Margosis (above) uses in his makemeadmin utility, although that launches a privileged command prompt, not an Explorer shell.

(sorry to keep wittering on about this)

Just looking at that runasSpc page, though, it looks like maybe it does have some mechanism for using different profiles. I had thought from reading the blog I linked to above, and the notes for Sudowin, that it was not possible in Windows to use a different profile with RunAs, but maybe I’m wrong.

I’ll shut up now.

I’m not sure whether it does or does not, to be honest. I know that one of the other solutions I tried (runas.exe) had switches to bind things to the currently logged in user and his/her desktop, but that app kept triggering my antivirus to report a trojan (which I guess is pretty much what it is).

The free version of runasSpc doesn’t have a lot of configuration options, and I’m not sure what it’s doing, other than acting as an equivalent of RunAs - fortunately, in this specific case I’m trying to deal with, it doesn’t really matter, because it’s a game and runs pretty much standalone from the user’s desktop and documents etc.

RunAs is designed to let you run a program as another user. It is not designed to elevate your privileges so you can run a program that requires administrator access on a limited account. That’s why Sudowin and Vista’s User Account Control (UAC) exist.

(Technically you can pull it off with RunAs, but it requires having an admin account you know the password to, temporarily changing the original user to an Administrator, using RunAs again to start that program with the new credentials (as credentials only update when you log in), and then making the user back into a Limited account.)

I think Mangetout has found the best solution, anyways. Still, he might want to make sure that you can’t use the Open or SaveAs dialog box in the game to run another program as administrator.

That’s good advice, thanks BigT - I will check the program for possible backdoors, however, most of what I’m trying to circumvent here is the inadvertent, fairly innocent installation of fake anti-malware or other such trash they might encounter on the web - both of my kids have fallen foul of this in the past, as have my nieces - the thing said ‘you must click here’, so they did.