More on being a limited user

published: Sat, 11-Jun-2005   |   updated: Sat, 11-Jun-2005

Paul Grade responded with some extra information to my recent posting about being a limited privilege user. One of the items was something I'd missed the first time round and I have to admit it's a biggie.

When you installed a program using your main user account in the bad old days (that is, when the account had administrator privileges), the installer would have created a bunch of files and folders, probably in Program Files. By default, those files and folders would have been created with two specific permission entries (amongst a couple of others): one for CREATOR OWNER (a kind of quasi-account) and one for the user account that created the files/folders, both with full permissions.

When you then reduce the privileges of your main user account, those permissions remain. So, for example, I looked at my Program Files folder (using DIR /Q to show the owning accounts) and, wow, I own a whole bunch of folders. And furthermore I have full permissions in these folders. My main user account can do anything to these folders with complete impunity. If malware managed to get on my machine using my account, it too would have pretty much free rein in my Program Files folder (it couldn't create any folders under Program Files, but it could "modify" any file it wanted to in any of the subfolders I owned, for example any EXE or any DLL). Urk.
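
One way to check a machine for the situation described above, as an added example that is not from the original post: a PowerShell script that lists folders under Program Files owned by, or writable by, an account outside a trusted set. It assumes Windows PowerShell 3.0 or later (not part of a stock Windows XP install), English account names, and the $Trusted list shown; the parameter and variable names are illustrative.

```powershell
# Added example: report folders under Program Files that an account outside
# $Trusted owns or holds write-capable rights on.
param(
    [string]$Root = $env:ProgramFiles,   # assumption: audit starts here
    [switch]$Recurse                     # also walk nested subfolders
)

# Assumption: English account names; localized Windows uses different ones.
$Trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow changing or replacing an EXE/DLL, or re-granting access.
$rights = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($rights::WriteData -bor $rights::AppendData -bor
    $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
    $rights::ChangePermissions -bor $rights::TakeOwnership)
# Generic rights show up as raw values on inherit-only ACEs:
# 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE.
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

Get-ChildItem -LiteralPath $Root -Directory -Recurse:$Recurse -Force `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $path"; return }

        # Finding 1: the folder is owned by a non-trusted account.
        if ($Trusted -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $path; Finding = 'Owner'
                               Account = $acl.Owner; Rights = '' }
        }
        # Finding 2: an Allow ACE gives a non-trusted account write access.
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
            if (($ace.AccessControlType -eq 'Allow') -and $canWrite -and
                ($Trusted -notcontains $who)) {
                [pscustomobject]@{ Path = $path; Finding = 'WriteACE'
                                   Account = $who
                                   Rights = $ace.FileSystemRights }
            }
        }
    } | Format-Table Path, Finding, Account, Rights -AutoSize
```

Run it from the limited account or an elevated prompt; rows naming your everyday account are the folders where malware running as you could alter binaries.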

A couple of things to change. First we must change the default owner to the Administrators group instead of a specific user account. This will avoid the problem for future installs, so that even if I elevate myself to admin temporarily (there are scripts that enable you to do this) the new folders would not belong to me but to the Administrators group. To do this, start up your trusty admin command prompt, type "start secpol.msc", navigate to Security Settings | Local Policies | Security Options, then change the option "System objects: Default owner for objects created by members of the Administrators group" to Administrators group. Ideally this step should be done the first time you log in to your new install of Windows XP.

Now you can change the owner of the Program Files folder (and all subfolders and files) to the Administrators group. However, that doesn't totally help with what you now seem to have to do: drop the special permissions for your own user account. And that, I'm afraid, is pretty nigh on impossible at this stage of the game. Or rather I just don't want to do it since it seems to require me breaking inherited permissions for the Program Files folder (at least that's what I think the dialog is saying). That's too scary to contemplate.

The alternative is to repave the operating system, another fairly big task (it'll take me a day essentially to repave and then reinstall everything). Phew. So, I'm going to bear this in mind the next time I have to reinstall WinXP, and leave it alone for now.

In doing all of this I suddenly discovered that the text editor I prefer to use (NoteTab Pro) assumes that you are administrator when you run it. It seems that it does something somewhere in the registry to which I no longer have access and so it doesn't bother to save my configuration on exit (the configuration INI file is stored in Program Files, which is a no-no as well). Bleugh. For now, I've changed the icon on the desktop to call

C:\WINDOWS\system32\runas.exe /U:administrator "C:\Program files\NoteTab Pro\NotePro.exe"

instead of the bare call to the executable, and I'm writing to Eric at Fookes Software to see whether there's anything else I can do. Although the program is still popular, there haven't been many updates in the past few years. Maybe it's time to switch to another app: Scott Hanselman recommends Notepad2.

Actually, reading other people's experiences with using LUA, I think I've been lucky so far with my roadblocks. I'll certainly be commenting more on this subject as I wander through my LUA playing cards.