Run Applications With limited User Rights - gHacks Tech News

Run Applications With limited User Rights

Many users do still use user accounts with administrative privileges in Windows XP and newer versions of Windows instead of limited accounts.

It is comfortable to work as an administrator all the time as you can perform operations that limited users cannot (easily). The downside is however that a successful attack gives the attacker the same rights that you have which can be devastating.

Instead of working with a limited account most of the time and an administrator account only when needed, users can also increase system security by starting select applications as a lesser privileged user.

The runas command can be used to run any program with lower privileges but it has the disadvantage that there is no password switch meaning the user has to enter the password of the "other" account whenever the program needs to be started. It does not work with blank passwords and requires the Secondary Logon service to be running as well.

A better alternative is the PsExec tool by Sysinternals. That little tool can be used to start any application as another user. Unlike runas, it does come with a password switch for ease of use.

PsExec is part of the PsTools suite of Sysinternals. You only need psexec.exe which you can move to a system folder for ease of access.

new user account

The next step is to create a new Windows user account if you have not already. To do that go to Control Panel > User Accounts and click on the Create A New Account link in there. Now type a name for the new account and set it to be limited in the next window.limited account

Specify a password for the account by clicking on the Create Password link in the user account control. Once the limited account has been created it is time to test if psexec is working properly.

Start the Windows command line by pressing [windows R], typing cmd and hitting enter. Now type the following command to test the functionality of psexec:

psexec -d -u "low privileges" -p test notepad

This will start notepad using the user account low privileges with the password test. If everything worked out well notepad should appear. It is now time to check if notepad has been executed with lower privileges.

lower privileges

The Task Manager can be started with Ctrl-Shift-Esc. Click on View > Select Columns in the top menu and check the User Name box so that the username that started an application is shown in the Task Manager.

You should now be able to locate the username with the lower privileges and see that notepad was started from that account.

It would be time consuming to run the processes from the command line all the time. You can create a simple batch file with the command to start the applications that you want to run with lower privileges. To do that for Firefox you would add the line

<codepsexec -d -u "low privileges" -p test "D:\Program Files\Mozilla Firefox\firefox.exe"

in the bat file. The file could then be moved into the start menu.

Please note that you may not be able to run all programs with limited privileges as they may stop working altogether when you try to do that. There is no definitive list of when this works and when it does which means that you are left with trial and error on this one.

Summary
Run Applications With Lower User Rights
Article Name
Run Applications With Lower User Rights
Description
The guide walks you through the steps of running programs on Windows with lower rights by running them as a limited user.
Author




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Rarst said on October 3, 2008 at 9:59 pm
      Reply

      Could probably also replace app executable with %1 in script and it would accept any as command line parameter. Place it on desktop and drag n drop on it. Or create SendTo destination. Interesting trick with psexec, I use util but mostly for remote stuff.

      PS Martin, had you enabled css compress plugin lately? I get totally broken sidebar, had that issue at my blog from css compress – it’s bugged somewhere. And issue is hard to reproduce.

    2. Martin said on October 4, 2008 at 12:10 am
      Reply

      Rarst I’m running that extension for more than a year and did not run into troubles yet. The broken sidebar is caused by default ads that are not showing. I’m trying to change that.

    3. xdmv said on October 4, 2008 at 3:36 pm
      Reply

      You can save time just using the “-l” option.
      Example:

      psexec -l -d “c:\program files\internet explorer\iexplore.exe”

      (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)

    Leave a Reply