View Full Version : Limited vs Administrative
WilliamP
July 30th, 2007, 08:47 AM
I know that it is safer to use a Limited account, but how much of a hassle is it to do that? I checked in Polls and 83% of people that voted use an Administrative account. And that was here at Wilders with all us Security nuts. I have also noted in some posts people having problems with some of their security programs in limited user account. I would like the extra security but that would depend on the extra hassle.
Mrkvonic
July 30th, 2007, 10:39 AM
Hello,
Depends what you do. Are you a gamer? Do you use P2P software? Then, most likely, limited account is not for you. Then, if you know what you're doing, you can fare quite well with admin account.
Finally, what is the threshold of hassle that you're willing to suffer?
Mrk
WilliamP
July 30th, 2007, 10:45 AM
I'm not a gamer and don't use P2P. I have what I feel like is great security software. But from time to time I read of someone bringing up, but if you were in a Limited account. Just recently in the SSM forum dealing with the last update to prevent malware.
WSFuser
July 30th, 2007, 11:26 AM
If you're considering a limited account I would check how all your software works with it. Some software may need admin privileges to update etc.
tlu
July 30th, 2007, 02:11 PM
{QUOTE-> I'm not a gamer and don't use P2P. I have what I feel like is great security software. But from time to time I read of someone bringing up, but if you were in a Limited account. Just recently in the SSM forum dealing with the last update to prevent malware. <-QUOTE}
See http://www.wilderssecurity.com/showpost.php?p=1048212&postcount=37 and http://www.wilderssecurity.com/showpost.php?p=1049138&postcount=54
innerpeace
July 30th, 2007, 09:31 PM
http://cybercoyote.org/security/drop.shtml and http://msdn2.microsoft.com/en-us/library/ms972827.aspx give information and instructions on using DropMyRights. I have my browsers and Winamp set up with icons so that when I click them, they run with reduced privileges. The first link was easier for me to understand. I hope this helps.
Dogbiscuit
July 31st, 2007, 04:02 AM
tlu's posts are right on.
It's interesting that so many people on Wilders refuse to use limited accounts in XP. Yet many of those very same people swear that Linux is more secure than XP, in part, because Linux by default uses limited accounts. I'm sure they have their reasons, but it still seems ironic, especially on a forum dedicated to computer security.
attila4000
July 31st, 2007, 01:35 PM
I set up two limited accounts. I don't use P2P programs and I don't play games online. All the software that I use works fine with WinXP Pro limited accounts.
tlu
July 31st, 2007, 01:56 PM
{QUOTE-> tlu's posts are right on.
It's interesting that so many people on Wilders refuse to use limited accounts in XP. Yet many of those very same people swear that Linux is more secure than XP, in part, because Linux by default uses limited accounts. I'm sure they have their reasons, but it still seems ironic, especially on a forum dedicated to computer security. <-QUOTE}
Thanks for your support. Please note that you can tighten your security even more by following the steps I outlined in this (http://www.wilderssecurity.com/showpost.php?p=698115&postcount=14) post. I described them for MakeMeAdmin but you can also use suDown, of course.
Note: If you use Windows XP Home I strongly recommend using FajoXP (http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=0) in order to add the security tab available in XP Professional.
tlu
July 31st, 2007, 02:19 PM
{QUOTE-> http://cybercoyote.org/security/drop.shtml and http://msdn2.microsoft.com/en-us/library/ms972827.aspx give information and instructions on using DropMyRights. I have my browsers and Winamp set up with icons so that when I click them, they run with reduced privileges. The first link was easier for me to understand. I hope this helps. <-QUOTE}
As for DropMyRights, I still think it's the wrong way. There is at least one other process (namely explorer.exe) permanently running with admin rights which is an easy target for malware using Windows messaging (although I have to admit that this problem seems to be solved in Vista). The danger is that under DropMyRights, applications which were started with lower rights can break out from this security context and gain admin rights. An interesting read is also http://blogs.securiteam.com/index.php/archives/188 .
Another important drawback of the DropMyRights approach is this one: Even if you started, say, IE with limited rights there is always the danger that another instance of the browser is started indirectly by a casual click e.g. through local URL- and HTML-files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). These instances run with admin rights ! - and you probably wouldn't notice.
Conclusion: A limited account with suDown is the much better way.
Blue Ring
July 31st, 2007, 02:49 PM
Tlu,
Thanks anyway but I think I would rather run in a limited account than install .Net framework in order to then use sudown. If I could I would be removing more of Windows not adding more that could lead to more flaws and possible compromise. Anything that requires me to install additional Windows components is usually a no go for me. Just my opinion of course.
lodore
July 31st, 2007, 06:03 PM
Hello,
Some apps I use daily need admin rights so it would be so annoying to use a limited account.
lodore
TOMxEU
August 1st, 2007, 03:50 AM
It is quite simple, if you admin your PC often, you will choose an admin account, if you use your PC, you will use a limited user account, because it will suffice.
It is always the same, it depends on the user, and also a skilled user does not need a limited account or does not want it, and a common user does not know how to use it.
But fortunately Vista allows common users to use the limited account, which makes it quite comfortable even for admins, who do not admin their PCs so often.
tlu
August 1st, 2007, 05:44 AM
{QUOTE-> Hello,
Some apps I use daily need admin rights so it would be so annoying to use a limited account.
lodore <-QUOTE}
You can easily start them with suDown - where's the problem?
tlu
August 1st, 2007, 05:55 AM
{QUOTE-> It is quite simple, if you admin your PC often, you will choose an admin account, if you use your PC, you will use a limited user account, because it will suffice. <-QUOTE}
Wrong. You can administrate your PC with suDown without any problems.
{QUOTE-> It is always the same, it depends on the user, and also a skilled user does not need a limited account or does not want it, and a common user does not know how to use it. <-QUOTE}
Wrong again. A skilled user does use a limited account because he/she knows that permanently being logged in as admin is careless and unnecessary (see remark above). Have a look at Linux: Any user permanently working as root is considered a fool by the Linux community. Why should it be any different in the Windows world now that suDown is available?
{QUOTE-> But fortunately Vista allows common users to use the limited account, which makes it quite comfortable even for admins, who do not admin their PCs so often. <-QUOTE}
Agreed. But it can also be done in XP.
lodore
August 1st, 2007, 02:22 PM
Hello thomas,
where do I download sudown?
and how does it work?
lodore
Texcritter
August 1st, 2007, 02:53 PM
{QUOTE-> Hello thomas,
where do I download sudown?
and how does it work?
lodore <-QUOTE}
Don't know if Thomas is still on line but check out here
http://sudown.sourceforge.net/
Rasheed187
August 1st, 2007, 03:06 PM
I have checked out suDown and it seems like it will log you in as a non-admin user, and every time you need admin access you will have to run the app via suDown. But I'm not sure if it's the right choice for someone who doesn't want to be bothered by this stuff. I like to have complete control, and besides, right now my account is not protected by a password, it slows things up!
Of course if your HIPS is not able to stop malicious behavior, a limited user account might save your ass, but still, what if such an app asks for admin access, and you decided to trust it? Then you're still out of luck, so I don't think I will be running as a non-admin anytime soon. Common sense, some knowledge and high quality anti-malware tools is good/secure enough for me.
tlu
August 1st, 2007, 05:59 PM
{QUOTE-> Hello thomas,
where do I download sudown?
and how does it work?
lodore <-QUOTE}
Hi lodore - please read this (http://www.wilderssecurity.com/showpost.php?p=1049138&postcount=54) post of mine.
tlu
August 1st, 2007, 06:06 PM
{QUOTE->
Of course if your HIPS is not able to stop malicious behavior, a limited user account might save your ass, but still, what if such an app asks for admin access, and you decided to trust it? <-QUOTE}
An interesting question;) If I assume that you install only applications you trust (why should you do otherwise?), your logic leads to the question: What's the use of a HIPS anyhow? Don't you allow them in your HIPS if you trust them?
LUSHER
August 2nd, 2007, 09:24 AM
{QUOTE-> An interesting question;) If I assume that you install only applications you trust (why should you do otherwise?), your logic leads to the question: What's the use of a HIPS anyhow? Don't you allow them in your HIPS if you trust them? <-QUOTE}
To be honest using HIPS is roughly the same as running as limited user but with more popups and a bit more flexibility. But using just a limited account is easier on the computer and more stable than relying on HIPS which use undocumented APIs.
I suppose you could do both but I think what Rasheed is getting at is that it probably gains you little to do both.
Rasheed187
August 2nd, 2007, 09:24 AM
@ tlu, ok you got me there, I guess I'm just trying to talk myself out of running as non-admin, but I agree it's the right thing to do for more security, that's why they have introduced this in Vista.
I will experiment a bit more with this tool to see how things go, but I already don't like a couple of things. I already mentioned that I don't use a password to protect my account, the reason is perhaps a bit silly, but when I boot up my system (usually once a day) it takes about 2 minutes to boot, and I'm not going to sit behind my computer waiting for my system to bootup. Plus having to enter a password for all apps you need to run in admin mode, gets annoying after a while.
I have also noticed that some apps give annoying messages before startup, telling you that you're not admin. Also, I had a bit of a problem with the prueba trojan, normally it shows up in "Program Files" but now I had to search for the little bugger, because even in non admin mode it still worked, a bit strange that SSM didn't alert me about it, but this may be related to some conflict on my virtual machine. On the plus side, my security tools still seem to be working correctly.
Rasheed187
August 2nd, 2007, 09:37 AM
@ LUSHER
Yes, nowadays running a HIPS which is able to protect the registry, file system (and offers protection against process tampering) will in fact do the same job as when running as non-admin. But I guess the main selling point of a tool like "suDown" is: what if your HIPS fails?
You know what would be cool, what if you could just switch between non-admin/admin mode with only one or two clicks, without the nags about passwords, at least if you don't want to? Sort of like how you would connect/disconnect SSM's interface. I think I might use a tool like this.
WilliamP
August 2nd, 2007, 10:06 AM
Tlu, I am confused as to the gain with suDown. I have SSM and I will have to ok something to load. If it is bad, I foo fooed. With suDown, won't I have to ok it also. If I'm to download something I'm going to have to be in administrator mode. It is hard getting my head around it.
LUSHER
August 2nd, 2007, 10:48 AM
{QUOTE-> @ LUSHER
Yes, nowadays running a HIPS which is able to protect the registry, file system (and offers protection against process tampering) will in fact do the same job as when running as non-admin.
<-QUOTE}
If you go study a bit on what limited accounts do, you can pretty much spot which areas are directly equal to which HIPS functions, and which are extra ones added by HIPS (which usually are less important).
{QUOTE->
But I guess the main selling point of a tool like "suDown" is: what if your HIPS fails? <-QUOTE}
LOL. I know we are in paranoid central here, but I think anything that gets past all your paranoia, plus AV, hardware firewall, software firewall, 2 HIPS and more besides, probably deserves to own you for all that hard work don't you think? Don't be a spoilsport and deny him with sudown.. :)
Honestly, I didn't know you could run mostly as limited user while running HIPS. I remember reading some HIPS having problems with that in the past. Personally I would either use a limited account, or run HIPS (I actually do both as the mood strikes me), but both I haven't tried.
{QUOTE->
You know what would be cool, what if you could just switch between non-admin/admin mode with only one or two clicks, without the nags about passwords, at least if you don't want to?
<-QUOTE}
The point of the password would be so malware (or rather another less privileged user) wouldn't do exactly the same thing and switch modes right?
{QUOTE->
Sort of like how you would connect/disconnect SSM's interface. I think I might use a tool like this. <-QUOTE}
I'm not quite sure if connect/disconnect SSM interface is that similar to admin/non-admin.
tlu
August 2nd, 2007, 11:52 AM
{QUOTE-> @ tlu, ok you got me there, I guess I'm just trying to talk myself out of running as non-admin, but I agree it's the right thing to do for more security, that's why they have introduced this in Vista. <-QUOTE}
I'm glad that you agree with me. :) By the way: Here's (http://technet.microsoft.com/en-us/library/bb456992.aspx) what Microsoft is saying about the "LUA approach" - interesting reading.
{QUOTE-> I already mentioned that I don't use a password to protect my account, the reason is perhaps a bit silly, but when I boot up my system (usually once a day) it takes about 2 minutes to boot, and I'm not going to sit behind my computer waiting for my system to bootup. Plus having to enter a password for all apps you need to run in admin mode, gets annoying after a while. <-QUOTE}
Well, a password is absolutely necessary. But what are "all the apps you need to run in admin mode"? In my experience most applications work flawlessly in a limited account. All modern applications aware of user accounts should save their data in "c:\Documents and Settings\<user>\..." where you have full write access. There are still some applications that want to save data or individual configuration settings in the Programs folder (where you don't have write permission as user). In this case you should try to change the path for data etc. in the configuration of that application. If this is not possible you can grant full access to your user just for the configuration file or the data subfolder. Sometimes this is also necessary for some registry entries which you can find out with Regmon. But again - these are really rare exceptions in my experience. I haven't had any problems with newer applications.
{QUOTE-> I have also noticed that some apps give annoying messages before startup, telling you that you're not admin. <-QUOTE}
Which ones? Those problems could possibly be solved by applying what I described above.
{QUOTE-> On the plus side, my security tools still seem to be working correctly. <-QUOTE}
Yes, KAV 7.0 and SSM work without any problems.
tlu
August 2nd, 2007, 12:07 PM
{QUOTE-> Tlu, I am confused as to the gain with suDown. I have SSM and I will have to ok something to load. If it is bad, I foo fooed. With suDown, won't I have to ok it also. If I'm to download something I'm going to have to be in administrator mode. It is hard getting my head around it. <-QUOTE}
WilliamP, I'm not really sure what's happening on your system. If you can really only download as admin, then perhaps you input a download folder in your browser where you have no write permission. Change that to a folder in c:\Documents and Settings\<user>\... . Or if you use a folder like c:\Downloads change its permissions. Start the Explorer as admin, go to the Security Tab and grant full permission to your user account for c:\Downloads. Important note: The Security Tab is only available in Windows XP Professional and must be displayed by following the steps outlined here (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_sec_tab.mspx?mfr=true). There is no Security Tab in the Home edition (only Bill Gates knows why :thumbd: ). In this case I strongly recommend installing Fajo XP (http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=0) in order to add this tab (on this website you'll also find some useful links regarding this topic). This way also in the Home edition managing file/folder permissions is very comfortable.
WilliamP
August 2nd, 2007, 12:16 PM
tlu, please forgive my ignorance. I have never used a limited user account and assumed that it had to be in administrator to load anything. So if a program can be loaded in either account, how does a limited account protect you?
tlu
August 2nd, 2007, 12:29 PM
{QUOTE->
I suppose you could do both but i think what Rasheed is getting at is that it probably gains you little to do both. <-QUOTE}
From a security standpoint this is probably true. With a HIPS you have more control over what an application is doing, e.g. accessing the Registry. On the other hand, as I wrote in another post, for trusted applications you tend to click the "Allow" button over and over again anyhow. So for me the most important aspect is if I doubleclick, say, a "good-looking" mail attachment received by a friend and this attachment is probably not able (because you are in a limited account), but trying to do something it shouldn't, and the HIPS issues a warning. This is a strong hint that something is wrong and this file might be some kind of malware.
So there is no reason to not use both since all HIPS I know work also in a limited account while protection against new techniques or zero-day attacks is definitely better than using a HIPS in an admin account.
tlu
August 2nd, 2007, 12:42 PM
{QUOTE-> tlu, please forgive my ignorance. I have never used a limited user account and assumed that it had to be in administrator to load anything. So if a program can be loaded in either account, how does a limited account protect you? <-QUOTE}
You don't have to be an admin in order to start an application. The benefit of a limited user account is that the user has no write permission for the critical parts of Windows, especially the Windows folder, the Programs folder, most parts of the Registry and most of the approx. 50 autostart locations. That means that it is extremely difficult for any malware to seriously compromise your system - even without any HIPS.
A more comprehensive explanation can be found here (http://technet.microsoft.com/en-us/library/bb456992.aspx), here (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157866.aspx), here (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx) and here (http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx)
I recommend reading these articles.
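Added example, not part of tlu's post or of any tool named in this thread: a PowerShell check of the write permissions described above, run as whichever account you want to test. The probe file name and the choice of locations are assumptions made for the illustration.

```powershell
# Added example (constructed). Changes nothing except a probe file that is
# created and deleted immediately in each directory it is allowed to write to.

function Test-DirWritable([string]$Path) {
    # Try to create a uniquely named file; success means the account can write here.
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegKeyWritable([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    # OpenSubKey(..., $true) requests write access and throws if it is denied.
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

# Is the token this shell runs under a member of the Administrators group?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$runKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # one autostart location
$results = @(
    [pscustomobject]@{ Location = $env:SystemRoot
                       Writable = Test-DirWritable $env:SystemRoot }
    [pscustomobject]@{ Location = $env:ProgramFiles
                       Writable = Test-DirWritable $env:ProgramFiles }
    [pscustomobject]@{ Location = "HKLM\$runKey"
                       Writable = Test-RegKeyWritable ([Microsoft.Win32.Registry]::LocalMachine) $runKey }
    # The per-user profile and per-user Run key stay writable in a limited account.
    [pscustomobject]@{ Location = $env:USERPROFILE
                       Writable = Test-DirWritable $env:USERPROFILE }
    [pscustomobject]@{ Location = "HKCU\$runKey"
                       Writable = Test-RegKeyWritable ([Microsoft.Win32.Registry]::CurrentUser) $runKey }
)

"Account: $($identity.Name)   Administrator token: $isAdmin"
$results | Format-Table -AutoSize
```

In a limited account the first three rows should read False and the last two True; the per-user Run key is one of the autostart locations a limited account can still write to.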
WilliamP
August 2nd, 2007, 01:28 PM
Well Thomas, I gave it a try. I downloaded suDown to my test snapshot. When I right-clicked it told me to put in a password. When I put in a password it told me that it was the wrong password. So I got out of my test snapshot.
Kerodo
August 2nd, 2007, 01:40 PM
I am actually trying the Limited User Account approach here for the 1st time in XP Pro. So far it seems to be great. I have no AV and no other HIPS or security software installed, just the router. Everything is super light, fast and responsive now, it's pretty amazing. And as a backup in case anything does ever happen, I have an image of my setup, so if necessary I can restore in 10 minutes. Seems like the ideal setup for me...
Long View
August 2nd, 2007, 02:17 PM
Kerodo did you do a new install ? I have tried several times to simply add a limited account to an existing installation and it has always been a real pain.
Kerodo
August 2nd, 2007, 03:54 PM
Yes, I recently (2 days ago) did a fresh reformat and install of both Windows XP Pro and MS Office, fully updated both, then did an image for safekeeping. During XP install, all I created at that time was my main user with Admin privileges.. That was it.
Later, in order to change my default main user account to Limited, I first had to create another Admin account. So I did that, then simply changed my main user account to Limited, and that was it. Everything went fine, and it was relatively painless..
Also, before I changed my main account to Limited, I installed whatever software I thought I'd need or use first. Seemed easier than trying to install with a Limited account.
At any rate, everything seems to be working fine, and I feel extra safe knowing that I have an image to fall back on should something somehow happen here..
sukarof
August 2nd, 2007, 03:57 PM
I am trying this sudown. Installed it, and rebooted. Changed my account to limited but I can't see any sudown account type. My account is simply limited.
I see in my right click that I can choose sudown to install a software but sudown just crashes all the time.
What am I doing wrong?
I have no hips running (only boclean and panda antivirus and looknstop) and do have NET 2.0.
When I look in control panel/ accounts it is limited but I still can install any software without using sudown ???
Kerodo
August 2nd, 2007, 04:02 PM
I couldn't quite figure out Sudown either, so I decided to just go with converting my account to a Limited account. Seems easy enough anyway. If you want to install software or run something that needs admin privileges as a Limited account user, just right click on the program icon and select Run As. It will ask you which account you want to use to run this program. Select the check box below that says use the following user, and use the Administrator user, enter the password, and it will run and install fine. You may run into problems with some software that can't run properly in a limited account, but you'll have to wait and see if and when that happens.. So far here everything I use runs fine in Limited account.
sukarof
August 2nd, 2007, 04:22 PM
I did another reboot and now it seems I am truly limited, but that's not thanks to sudown. It is just a basic limited account created the normal way in windows, I think. I can not install applications when I try to install them the normal way.
If I do it through the sudown link in the right click menu it still crashes. Obviously sudown doesn't like my machine :(
But FDISR (which I thought needed a admin account) seems to work fine.
Kerodo
August 2nd, 2007, 04:31 PM
{QUOTE-> I can not install applications when I try to install them the normal way.
<-QUOTE}
Yes, that's part of what it means to run as a Limited User.
Can you not right click on the application file icon and select Run As, then run the install program as Administrator? That should solve that problem...
eniqmah
August 2nd, 2007, 09:24 PM
After trying SuDown, I decided that it is a waste of my time. Running as admin poses risks, that's why I have bought a crap load of software to protect me. The way I see it, to use sudown is to ditch my already secure setup in order to gain annoying extra steps that I have to complete in order to accomplish my tasks.
Kerodo
August 2nd, 2007, 10:14 PM
I ditched SuDown also, mostly because it was too much hassle setting things up with the user groups or whatever you're supposed to do. I am now just running a Limited User Account and it's not much hassle at all. I could go either way though, back to Admin account with a few necessary security apps is ok too. Main benefit I see now is XP seems to run super light and fast without any AV or other apps slowing things down. Just light and simple now, so I will stick with the LUA for a while unless it turns out to be a problem. For me, most of the HIPS programs are a lot more annoying than an occasional right click Run As needed in a LUA. But to each his own... :)
tlu
August 3rd, 2007, 10:56 AM
Okay, since there seem to be some problems with limited accounts and/or suDown, I'm going to give you some hints:
The easiest way to create a new user account is to change the existing one from an administrator type one to a normal user type one. Go to Control Panel, create a new account - let's call it Admin -, define it as administrator account (define also a password), log off, log on into the new Admin account, go to Control Panel and change your old account to a user account (and don't forget to define a password also for this one if none exists!).
While you're still in your new Admin account install suDown (remember: .Net 2.0 must be previously installed - you can get it via Windows updates!), reboot and log on into the new Admin account. Go to Control Panel, where you'll find that a new user group called SUDOERS was created. Add your old (and now limited user) account to this group.
Log off and log on into your limited user account. suDown is now available by right-clicking any application and selecting sudo ... . A window will pop up and you'll have to enter the password of your user account (not the one of your Admin account!!!). By right-clicking the Desktop and selecting sudo Control Panel you have access to Control Panel with admin rights - this way you can change all settings as you were used to do before. I hope this clarifies some things.
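Added example, not part of tlu's post and not suDown's own code: the account changes from the steps above expressed as `net.exe` commands in PowerShell, run from an elevated prompt in the existing administrator account. It assumes English group names, uses `Admin` as the new account name as in the post, and only adds the account to `SUDOERS` if suDown has already created that group.

```powershell
# Added example (constructed). Without -Apply it only lists what it would run.
function Convert-ToLimitedAccount {
    param(
        [string]$DailyUser = $env:USERNAME,  # account that becomes the limited one
        [string]$NewAdmin  = 'Admin',        # name used in the post above
        [switch]$Apply
    )

    function Test-Member([string]$Group, [string]$User) {
        # net.exe prints one member per line; -contains compares case-insensitively.
        $lines = & net.exe localgroup $Group 2>$null | ForEach-Object { $_.Trim() }
        return ($lines -contains $User)
    }

    function Invoke-Net([string[]]$NetArgs) {
        if (-not $Apply) { Write-Host "would run: net $($NetArgs -join ' ')"; return }
        & net.exe $NetArgs
        if ($LASTEXITCODE -ne 0) { throw "net $($NetArgs -join ' ') failed ($LASTEXITCODE)" }
    }

    # 1. Create the new administrator account; '*' makes net.exe prompt for a password.
    $null = & net.exe user $NewAdmin 2>&1
    if ($LASTEXITCODE -ne 0) { Invoke-Net @('user', $NewAdmin, '*', '/add') }
    if (-not (Test-Member 'Administrators' $NewAdmin)) {
        Invoke-Net @('localgroup', 'Administrators', $NewAdmin, '/add')
    }

    # Guard: never demote the daily account unless the replacement admin is in place.
    if ($Apply -and -not (Test-Member 'Administrators' $NewAdmin)) {
        throw "$NewAdmin is not an administrator; refusing to demote $DailyUser"
    }

    # 2. Turn the old account into a normal user and set (or reset) its password.
    if (-not (Test-Member 'Users' $DailyUser)) {
        Invoke-Net @('localgroup', 'Users', $DailyUser, '/add')
    }
    if (Test-Member 'Administrators' $DailyUser) {
        Invoke-Net @('localgroup', 'Administrators', $DailyUser, '/delete')
    }
    Invoke-Net @('user', $DailyUser, '*')

    # 3. suDown creates the SUDOERS group on install; add the limited account to it.
    $null = & net.exe localgroup SUDOERS 2>&1
    if ($LASTEXITCODE -eq 0) {
        if (-not (Test-Member 'SUDOERS' $DailyUser)) {
            Invoke-Net @('localgroup', 'SUDOERS', $DailyUser, '/add')
        }
    } else {
        Write-Host 'SUDOERS group not found: install suDown as admin, reboot, then rerun.'
    }
}

Convert-ToLimitedAccount   # dry run; add -Apply to make the changes
```

Group membership is read at logon, so the demoted account has to log off and on again before the change takes effect.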
gkatwork
August 3rd, 2007, 10:59 AM
Hello,
For years, although I was promoting the fact of running under a restricted user account, I was using an admin account and never hid this fact. I was explaining that the Windows built-in "Run as" was flawed and sometimes programs and setup you launch with "Run As Administrator" fail to work or to install. Also, there are dumb programs requiring you to be part of the Administrator group to work. I still stand on that.
However, I managed to switch to a restricted user account without any hassle by creating different accounts. One admin account obviously to defrag, make backups/image, install or uninstall security programs. Another restricted account, my day to day one I use for everything else. We could imagine to create another admin one if you have video games not working on a restricted account.
About the security programs not working on a restricted account, I would uninstall them, simply. Restricted rights + restricted account compatible security programs offer better security than admin rights + restricted account incompatible security programs. KAV6 & 7 work fine, SSM also, Jetico/Outpost/Comodo also, etc... no problem on my side (Win XP SP2 by the way). If you read Nic's tests about HIPS, you will learn that some are vulnerable if you are on an admin account (due to flaws or bugs in these HIPS) and can be disabled, whereas they are not if you are under a restricted account.
If you go the restricted way, don't have false hopes, some of your programs will refuse to work (defrag, backups, games, etc...). Then if you cannot afford having to switch to a secondary administrator account for these rare tasks, you can try the right click "Run As" way, although it is not always working fine.
Regards,
gkweb (secondary account).
EDIT : @tlu
{QUOTE->
The easiest way to create a new user account is to change the existing one from an administrator type one to a normal user type one. Go to Control Panel, create a new account - let's call it Admin -, define it as administrator account (define also a password), log off, log on into the new Admin account, go to Control Panel and change your old account to a user account (and don't forget to define a password also for this one if none exists!).
<-QUOTE}
Absolutely, the best way IMO :)
Long View
August 3rd, 2007, 01:24 PM
I would guess the answer will probably be yes but here goes anyway.
If running with something like Returnil or deepfreeze 6 would people still advise running as limited ? On most machines I am behind a Netgear DG834 and have no online security.
gkweb
August 3rd, 2007, 02:01 PM
Hello,
{QUOTE-> I would guess the answer will probably be yes but here goes anyway.
If running with something like Returnil or deepfreeze 6 would people still advise running as limited ? <-QUOTE}
Absolutely. This kind of software is really helpful to bring your system back to a known good state, at every boot. However, it does nothing to protect you while your computer is running, and although malware cannot install permanently, it can still do harm while it is active.
For instance a kernel keylogger could install, record your keystrokes, and send them away. Granted, the keylogger will be gone at your next reboot, but the harm is already done... I consider software such as Returnil or Deepfreeze as a secondary security/backup layer, not as a primary line defense. Running under a restricted account adds a valuable security margin.
Regards,
gkweb.
iceni60
August 3rd, 2007, 02:24 PM
With Vista it's supposed to be really easy running with a limited account. For some reason I never got around to finishing off my Vista setup so I haven't tried it yet, if I do I'll post back.
sukarof
August 3rd, 2007, 05:34 PM
Ok, I'm slowly getting the idea. I have been an admin all my computing life so I don't know anything else :) but now I am using a limited account. I can see the benefit not having to use any security software (well at least HIPS or CIPS) I can turn off noscript in Firefox without have to worry? If so there is a whole new world opening up here :D
I uninstalled my HIPS and only use AV and firewall, but are they really needed in a limited account? I mean I always read that the admin account is the root of all evil.
Sorry for the silly questions but I'm a bit thick headed. If nothing can install without using "runas" I shouldn't have to worry about anything, right? If I understand it right malware can't do anything really, or is this my ignorance speaking? Can it really be that simple?
I understand that image software like Shadowprotect won't work in a limited account but I can live with that.
I notice that FDISR works as it should and that fact is the thing that makes me wanna try limited user account.
I have not yet found anything annoying with limited user. It's only when I try to install anything (and when starting software like process monitor) I feel the difference...
Maybe it is only psychological but system feels faster too.
When I do run something with "runas" does that mean that all the child processes of that software have admin privileges too? Like the opposite of sandboxie for example?
Long View
August 3rd, 2007, 06:48 PM
Have followed instructions and made a new admin and then reset my normal admin as limited user. Seems ok so far.
Perfect disk works as limited - is that normal ? correct ?
Crap cleaner also works. I wouldn't have been surprised if they had refused.
Acronis - said no way but that's ok I can just go to admin and make an image or use the CD.
Returnil - worked quite happily from limited.
Although I have never seen a virus nor found any malware it seems like I can not really object to limited.
Dogbiscuit
August 3rd, 2007, 07:57 PM
{QUOTE-> If running with something like Returnil or deepfreeze 6 would people still advise running as limited ? On most machines I am behind a Netgear DG834 and have no online security. <-QUOTE}
I've been running as a limited user and temporarily using Returnil, except when I need to do administrative chores like a backup in the admin account. Assuming all your software is always fully patched, adding a router and using any browser other than IE6 would negate the need for just about any real-time security software IMO, unless you have some specific requirements (which some of us do). In my case, Returnil is basically keeping me from having to delete and recreate the limited user account, should it become infected. If that wasn't an issue for me, then I probably wouldn't use Returnil, as I don't execute anything but well-known software from its original site in my admin account on my system from home.
Concerning what gkweb rightly pointed out about malware infections like password stealing programs in the current Returnil session before a reboot: you could have 2 LUAs. A main LUA for browsing/email, and another LUA for online banking, etc. Even without Returnil running, this ensures security as well as privacy for any sensitive financial information stored on your computer (another concern with Returnil in addition to what gkweb pointed out).
Kerodo
August 3rd, 2007, 07:57 PM
{QUOTE->
While you're still in your new Admin account install suDown (remember: .Net 2.0 must be previously installed - you can get it via Windows updates!), reboot and log on into the new Admin account. Go to Control Panel, where you'll find that a new user group called SUDOERS was created. Add your old (and now limited user) account to this group.
<-QUOTE}
Tlu, I didn't see any mention of .NET 2.0 being required on the SuDown web site, nor did I see SuDown complain about it not being installed when I installed SuDown, are you sure about this? There is indeed another program called SudoWn, which does much the same thing as SuDown, and which DOES need .NET installed. Perhaps there is some confusion here? Not sure...
At this point though, I have returned to a normal Admin setup and added back my trusty security apps, just feels easier and more comfortable. However, this has been an interesting discussion.. thanks for all the info also..
grnxnm
August 3rd, 2007, 08:47 PM
{QUOTE-> I understand that image software like Shadowprotect won't work in a limited account but I can live with that. <-QUOTE}
Sure, ShadowProtect works just fine under a limited account. You have to be an admin to install it, but a limited user can control it, create new backup jobs, mount backup images, etc. To do this click on "Network View" and then add a new network node in ShadowProtect (in addition to the default) which is for your computer and specify admin credentials to be used to connect to the service, then select that new node and click on Connect. You'll then be able to backup/restore/mount/etc.
sukarof
August 4th, 2007, 02:02 AM
{QUOTE-> Sure, ShadowProtect works just fine under a limited account. <-QUOTE}
Well I am not really surprised :thumb:
I haven't actually tried it yet (as you can figure out from my post :) ) I thought I read that SP wouldn't work under a limited account somewhere here. My bad.
Thanks for the info.
Long View
August 4th, 2007, 04:45 AM
Acronis 10 works under limited. I had to remove and then reinstall but now it works using run as.
BUT in admin when I try to read a word doc it starts to install office but never finishes.
I started with admin and made a new admin and then changed the original admin to limited. Office was originally installed on the new Admin so why do I have to reinstall ?
gkweb
August 4th, 2007, 05:06 AM
Hello,
While running as limited is far better than admin, I do not think that removing any security software is such a good idea. I would keep at least an Antivirus and a Firewall. For instance, not all kinds of keyloggers need admin rights to work, some methods work under a restricted account, like shown by AKLT:
http://www.firewallleaktester.com/aklt.htm
A restricted account stops dead in their tracks most exploits and attacks, without any security software. It is therefore a powerful, simple, and automatic security layer. However it does not prevent 100% of the possible attacks, and for the remaining ones, antivirus and firewall are not overkill, IMO.
@LongView
I'm not sure but when you install for instance Microsoft Office Outlook (not Outlook Express) on one account, if you run Outlook afterwards on another account where it was never previously run, then Microsoft Office starts something looking like a setup start. In fact it is initializing the application account settings, and just does it once. Maybe that is what you are witnessing?
EDIT : just an idea, as a "dumb" workaround, you could install OpenOffice (open source and free) instead of MS Office ;) (I call that a dumb workaround, because switching to another program is not a real "solution" per se).
Regards,
gkweb.
Long View
August 4th, 2007, 05:23 AM
@gkweb
can't argue with you re the possibility BUT I can't or rather will not give up the speed that running no online antivirus or anti spyware gives me. Before I removed all my security programs it was taking one of my programs over 30 seconds to load. Now it takes 6 seconds the first time and 3 thereafter. Other programs "feel" much faster as well.
Since 96 I have not seen a virus nor malware. Lots of false positives.
I would appeal to the law of diminishing marginal returns. My Netgear covers X%,
Firefox increases my protection a little bit more. My e-mail provider checks and removes spam and other bad things. Returnil or deepfreeze would kill off anything that got (no speed loss) - in fact to me the main benefit of Returnil is I can set up a machine the way I want it and it stays that way.
Finally if I run under limited the percentage increases yet again.
So given that no anti-virus, hips or malware program that I have seen is anywhere near perfect and given that they all seem to slow me down and given that my other protections get my percentage fairly high I can not see the trade off as being worthwhile to a safe surfer
gkweb
August 4th, 2007, 06:04 AM
Hello,
If speed is your top one priority, with the maximum security possible without decreasing your performances, maybe a single AV with automatic protection disabled would do the trick? Only do an on-demand scan once in a while?
Just an idea. I perfectly understand your concerns :)
Regards,
gkweb.
EDIT : as lightweight AV, NOD32 comes to mind.
tlu
August 4th, 2007, 06:42 AM
{QUOTE->
Acronis - said no way but that's ok I can just go to admin and make an image or use the CD.
<-QUOTE}
I start it with suDown and it works perfectly.
Long View
August 4th, 2007, 06:47 AM
{QUOTE-> Hello,
If speed is your top one priority, with the maximum security possible without decreasing your performances, maybe a single AV with automatic protection disabled would do the trick? Only do an on-demand scan once in a while?
Just an idea. I perfectly understand your concerns :)
Regards,
gkweb.
EDIT : as lightweight AV, NOD32 comes to mind. <-QUOTE}
with returnil in protected mode ( previously deepfreeze) every few weeks I run an antispyware and antivirus check. the last one I tried was Nod32 and like all the others it showed nothing.
Long View
August 4th, 2007, 06:51 AM
{QUOTE-> I start it with suDown and it works perfectly. <-QUOTE}
Haven't tried sudown yet. Found I can run Acronis by run as.
still trying to get my head around what is happening. Perfect disk works as limited and admin. Strange the way that crap cleaner shows errors in admin but not in limited - suggests not looking at the same registry ?
No real problems - but I am testing on a very old machine which has really been abused over the last 5 years or so. will no doubt be better with a fresh install.
tlu
August 4th, 2007, 06:51 AM
{QUOTE-> Tlu, I didn't see any mention of .NET 2.0 being required on the SuDown web site, nor did I see SuDown complain about it not being installed when I installed SuDown, are you sure about this? There is indeed another program called SudoWn, which does much the same thing as SuDown, and which DOES need .NET installed. Perhaps there is some confusion here? Not sure... <-QUOTE}
Well, I tried it once on a PC without .NET 2.0 installed and it didn't work properly. And I remember that I read a review of suDown in a magazine where this was confirmed. But you're right that it is not mentioned on its homepage.
{QUOTE-> At this point though, I have returned to a normal Admin setup and added back my trusty security apps, just feels easier and more comfortable. <-QUOTE}
Could you elaborate why? Where did you have problems?
tlu
August 4th, 2007, 07:01 AM
{QUOTE-> Hello,
While running as limited is far better than admin, I do not think that removing any security software is such a good idea. I would keep at least an Antivirus and a Firewall. For instance, not all kinds of keyloggers need admin rights to work, some methods work under a restricted account, like shown by AKLT:
http://www.firewallleaktester.com/aklt.htm
A restricted account stops dead in their tracks most exploits and attacks, without any security software. It is therefore a powerful, simple, and automatic security layer. However it does not prevent 100% of the possible attacks, and for the remaining ones, antivirus and firewall are not overkill, IMO.
<-QUOTE}
Guillaume, I absolutely agree with you. On the other hand, protection against user-mode malware can be further improved by some steps I outlined in this (http://www.wilderssecurity.com/showpost.php?p=698115&postcount=14) posting. This works also with suDown, of course, not only with MakeMeAdmin.
tlu
August 4th, 2007, 07:34 AM
{QUOTE-> I can see the benefit not having to use any security software (well at least HIPS or CIPS) I can turn of noscript in Firefox without have to worry? <-QUOTE}
sukarof, I wouldn't do this. Noscript is an excellent protection against Javascript exploits and the more and more popular cross-site scripting (XSS) which has nothing to do with admin or limited user account.
{QUOTE-> If so there is a whole new world opening up here :D
I uninstalled my HIPS and only use AV and firewall, but are they really needed in a limited account? <-QUOTE}
Regarding HIPS, please read my opinion about them in post #29.
Regarding firewall: A firewall is necessary since some services in Windows open ports, and these services are running with system privileges. Thus, if there is a security hole in one of these services there is a high risk that your system might become infected. That's why it's important to close open ports. Now, that's the inbound protection part - and here the built-in Windows firewall is absolutely good enough. If you also want outbound protection (keywords: applications phoning home, leaktests) you'll need another firewall. A limited account cannot protect against these risks.
Regarding AV: If you catch a virus, e.g. by a mail attachment, and execute it carelessly it's possible that it deletes your data (like DOCs, XLSs, whatever) which you saved in a folder where you have write permission. So while malware will most probably not be able to seriously compromise your system (like installing a trojan or rootkit or making your PC a part of a botnet), data loss is nevertheless possible.
{QUOTE-> I have not yet found anything annoying with limited user. It's only when I try to install anything (and when starting software like process monitor) I feel the difference... <-QUOTE}
Yes, and here comes suDown into play which makes that part very comfortable.
{QUOTE-> When I do run something with "runas" does that mean that all the child processes of that software have admin privileges too? Like the opposite of sandboxie for example? <-QUOTE}
Yes. Regarding sandboxie, I haven't tried it.
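Added example, not part of tlu's post or of the thread: one way to check the firewall point made in the post above, by joining `netstat -ano` with `tasklist /v /fo csv` to see which network-reachable listening ports belong to processes running as SYSTEM. The sample outputs, host name, account names and function names are constructed for illustration, and English-language command output is assumed.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1532
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:1050      203.0.113.5:80         ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       948
  UDP    0.0.0.0:500            *:*                                    700
  UDP    127.0.0.1:1900         *:*                                    1200
"""

# Constructed sample of `tasklist /v /fo csv` output (hypothetical machine HOMEPC).
TASKLIST_SAMPLE = '''\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:12","N/A"
"lsass.exe","700","Console","0","1,340 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","948","Console","0","4,120 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1200","Console","0","3,560 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"alg.exe","1532","Console","0","3,300 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"firefox.exe","2204","Console","0","48,004 K","Running","HOMEPC\\limited","0:01:30","N/A"
'''

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def parse_listeners(netstat_text):
    """Yield (proto, address, port, pid) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows have a State column; keep only sockets waiting for connections.
        if proto == "TCP" and (len(fields) != 5 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            yield proto, ipaddress.ip_address(host), int(port), int(pid)
        except ValueError:
            continue  # not a numeric address/port/PID; ignore the row


def process_owners(tasklist_csv):
    """Map PID -> (image name, account) from `tasklist /v /fo csv` text."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(row["PID"]): (row["Image Name"], row["User Name"]) for row in reader}


def exposed_listeners(netstat_text, tasklist_csv):
    """Return listeners that are not bound to loopback, with their owning account."""
    owners = process_owners(tasklist_csv)
    findings = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if addr.is_loopback:
            continue  # only reachable from the machine itself
        image, user = owners.get(pid, ("unknown", "unknown"))
        findings.append({
            "proto": proto,
            "address": str(addr),
            "port": port,
            "pid": pid,
            "image": image,
            "user": user,
            "as_system": user.upper() == SYSTEM_ACCOUNT,
        })
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "SYSTEM" if f["as_system"] else "      "
        print(f'{flag} {f["proto"]} {f["address"]}:{f["port"]} '
              f'pid={f["pid"]} {f["image"]} ({f["user"]})')
```

None of the listed processes belongs to the logged-on user, so the result is the same whether that user is an admin or a limited account; these are the ports an inbound firewall rule set has to cover.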
sukarof
August 4th, 2007, 07:56 AM
Thanks for your replies tlu and gkweb, much appreciated.
I am still exploring this limited user accounts and have much to learn.
{QUOTE-> Yes, and here comes suDown into play which makes that part very comfortable.
<-QUOTE}
Unfortunately sudown didn't work on my machine (kept crashing on me) I might have done something wrong when I installed it. But for now I am playing with the regular LUA and will try it again later because I understand there is less hassle with sudown than windows LUA...
{QUOTE-> ***When I do run something with "runas" does that mean that all the child processes of that software have admin privileges too? Like the opposite of sandboxie for example?***
Yes. Regarding sandboxie, I haven't tried it. <-QUOTE}
Maybe sandboxie was a bit strange comparison but I get it now. :)
{QUOTE-> Regarding HIPS, please read my opinion about them in post #29.
<-QUOTE}
My goal with this exploring of LUA is to see if I can get that fuzzy feeling of secureness without all the hassle that regular HIPS give (the confirming of all sort of activities) Prevx1 is on the right track but it is still a band aid on windows. It would be great if one can achieve real security directly from windows itself. Maybe it is not possible but it's nice to learn new stuff :)
Kerodo
August 4th, 2007, 12:17 PM
{QUOTE-> Well, I tried it once on a PC without .NET 2.0 installed and it didn't work properly. And I remember that I read a review of suDown in a magazine where this was confirmed. But you're right that it is not mentioned on its homepage.
Could you elaborate why? Where did you have problems? <-QUOTE}
Hi tlu, well, no specific problems, I just decided that I should probably run an AV and HIPS after all, so I figured if I'm doing that, then I might as well run Admin again and avoid any future hassles or extra work. I may return to LUA later, I am changing things all the time..
Kerodo
August 4th, 2007, 12:22 PM
{QUOTE->
My goal with this exploring of LUA is to see if I can get that fuzzy feeling of secureness without all the hassle that regular HIPS give (the confirming of all sort of activities) Prevx1 is on the right track but it is still a band aid on windows. It would be great if one can achieve real security directly from windows itself. Maybe it is not possible but it's nice to learn new stuff :) <-QUOTE}
Sukarof, I did get that fuzzy feeling of secureness when I ran Linux, that's one great selling point for Linux in my mind. However, after distro hopping for 9 or 10 months, I returned to Xp simply because overall it's easier, everything works better right out of the box, and it's just better IMO. But you can get that secure feeling running Linux, pretty much nothing can touch you.
For now I'm using Nod32 with Firefox, and I added CyberHawk, which doesn't seem to bother me at all. I realize others may be superior, but I am looking for a HIPS that asks me no questions if possible, and I'm willing to sacrifice a little protection for one that is basically quiet and not a bother..
Rasheed187
August 4th, 2007, 02:14 PM
I have been thinking about this subject a bit more, and have decided that for now I will continue to work in admin mode. A couple of reasons why:
{QUOTE-> 1 I like to have a non password protected account, not possible with suDown or a Limited account.
2 Having to type a password when I need to run apps in admin mode, gets annoying.
3 I believe that HIPS will protect me against "drive by" (zero day) attacks.
4 I believe that the chance of ever executing an app that's able to bypass my HIPS is very small. <-QUOTE}
About 3, I've never tested this, so I can't know for sure, but I assume that simply by blocking process execution you will stop most, if not all drive by attacks. In addition, I'm running certain vulnerable apps (browser, email, Office/PDF, media players) in "non admin" mode via the "software restriction policy" tool in XP Pro, plus IE is configured in the safest way possible. Also, I mostly visit my favorite ("trusted") sites, most of them with javascript disabled, and I almost never download any Office files.
About 4, I'm aware of the fact that there are indeed some flaws in HIPS, I've tested a couple of tools this week, and they didn't always work correctly. However, nowadays I hardly install any new tools, at least not on my real machine.
Rasheed187
August 4th, 2007, 02:25 PM
{QUOTE-> Of course if your HIPS is not able to stop malicious behavior, a limited user account might save your ass, but still, what if such an app asks for admin access, and you decided to trust it? <-QUOTE}
Btw, what if you download a malicious app (a text editor for example), it comes up clean on VirusTotal and you don't get any alerts from your HIPS. It does however ask for admin access. If you're really paranoid (or smart), you will probably stay away from this app. But since you didn't get any alert from your HIPS (and it was clean) you might decide to install it anyway, and bamn! It manages to bypass your HIPS, and you're owned. So the non-admin approach didn't really help, but it did give a clue. So I guess you shouldn't run apps that require admin access for no good reason?
{QUOTE->
The point of the password would be so malware (or rather another less privileged user) wouldn't do exactly the same thing and switch modes right? <-QUOTE}
{QUOTE-> I'm not quite sure if connect/disconnect SSM interface is that similar to admin/non-admin. <-QUOTE}
Yes correct, but I was mainly talking about the ease of switching between modes, would be cool if you could globally switch between admin/nonadmin with one or two clicks. And of course a password is required, unless it's somehow possible to make it so that only the Windows OS is able to switch between modes. Or what if you could choose to only run certain apps as admin, in a non-admin account? But perhaps this simply isn't possible, or perhaps it would be easy to bypass. I really wonder how this stuff works in Vista, a lot of people complain about LUA, but perhaps it's not that bad.
Long View
August 4th, 2007, 04:10 PM
{QUOTE->
a lot of people complain about LUA, but perhaps it's not that bad. <-QUOTE}
several times in the past I tried to set up a limited account but made a mess of it.
Having followed this thread I made a new admin and changed my existing admin to limited. Having tweaked for a few hours I now have it pretty much the way I want it. The programs I currently run work with limited. everything is "protected" by Returnil. what am I missing? what is there to complain about?
Thanks everyone for your thoughts and encouraging me to try limited again but to get it right this time.
gkweb
August 4th, 2007, 04:33 PM
Hello,
{QUOTE-> The programs I currently run work with limited. everything is "protected" by Returnil. what am I missing? what is there to complain about? <-QUOTE}
The remaining complaint is that for some tasks, you need either to rely on "Run As" which does not always work fine, or to play with tools like SuDoW or other, or to switch to a different admin account to accomplish admin tasks (I prefer the latter). While in the end everything works one way or another, the fact is that some people find it too much of a hassle of having to do extra steps to get things to work (I was).
But once you accept few more steps for particular apps (either "Run As" or switching account), everything is fine :)
Congratulations for going to the safer side.
Regards,
gkweb.
tepe2
August 4th, 2007, 09:58 PM
This is a very interesting thread. Good reading :thumb:
It makes me think of making use of a LUA for safety reasons. But I have not decided yet. Will follow this thread and see if more users post their experience. SuDown sounds interesting.
{QUOTE-> Concerning what gkweb rightly pointed out about malware infections like password stealing programs in the current Returnil session before a reboot: you could have 2 LUAs. A main LUA for browsing/email, and another LUA for online banking, etc. <-QUOTE}
I think this is good advice. No matter what I decide I will create a limited account for on-line banking. Thanks Dogbiscuit :)
Kerodo
August 5th, 2007, 01:09 AM
{QUOTE->
Having followed this thread I made a new admin and changed my existing admin to limited. Having tweaked for a few hours I now have it pretty much the way I want it. The programs I currently run work with limited. everything is "protected" by Returnil. what am I missing? what is there to complain about?
<-QUOTE}
Nothing much to complain about except the need to right click and Run As at times, and perhaps some apps not wanting to run or work properly in a LUA. For some people that's too annoying, for others it's not. Just depends on personal preferences I guess....
sukarof
August 5th, 2007, 03:56 AM
Here are a couple more questions about limited user.
1. Problem: I installed Norman Antivirus through "run as" but I have to "switch user" to admin if I want to update the signatures. Why is that? Is it because of Norman or is it some limitation (feature?) in the LUA idea? I mean, I can understand that I can not make changes in Norman, but surely it should be able to update?!
But now it strikes me: Does this depend on where I install Norman? Should I install Norman, and other software that requires writing into their folder, on another drive or partition?
2. Does it matter if I install something through "run as" or switching user to an admin account? Is there a difference?
3. Does everything I install in an admin account automatically install in my limited account too? I notice that not everything I have installed in a LUA (before I changed the account to limited) does show up in the admin account.
If not, is it better to make my limited user account admin temporarily and install all applications that I want and then change back to limited?
Long View
August 5th, 2007, 04:56 AM
Thanks sukarof - I'm trying to figure these questions out as well.
Dogbiscuit
August 5th, 2007, 05:09 AM
{QUOTE-> No matter what I decide I will create a limited account for on-line banking. <-QUOTE}
Just remember that you need at least 3 accounts total in order for this strategy to work.
Your admin account (for installations, etc.) should never be used for browsing, since anything in the admin account can always access your online banking account (or any other account).
If you browse/email in a second main account (LUA), then no infection here could access your online banking account, since no access from this account is permitted outside this account.
Your third (online banking) account (LUA) is protected from the second browsing account because they are separated and denied access to any account outside themselves.
gkweb
August 5th, 2007, 06:19 AM
Hello Sukarof,
I advise to do installations of security software under your admin account and not the restricted one, even with "Run As". The reason for this is that I've witnessed "Run As" failing to install properly some applications. I think it will install fine let's say your FTP application, but not your antivirus.
I don't know if the reason for this is that the setup is given admin privileges but not sub-executables it may spawn or call. I think that the Microsoft implementation of "Run As" is flawed somewhere. Just don't know where, how, and why.
If installed with your admin account, the security app will be installed for every account. As an example if I take Kaspersky, it updates fine under a restricted account because the update runs as "System" I reckon. If your antivirus runs with your account privileges instead, usually there is in the options the possibility to force the update using a particular account (you have to enter your admin account credentials in the antivirus options).
Do not change back your LUA into admin, simply switch to your admin account to install your security software. Usually, you have only to do it once.
About the destination folder, you can install them where you want, it works either in C: or any other partition.
Regards,
gkweb.
sukarof
August 5th, 2007, 06:28 AM
Thanks for the explanation gkweb :thumb: I will do as you suggest.
Cheers
tepe2
August 5th, 2007, 08:12 AM
Thanks Dogbiscuit, gkweb and the rest of you. I get more and more tempted to try this. I've known for a long time that LUA increases security, but I did not know how important it is. It's a strong HIPS;D
If more and more people try suDown I hope they post their experience with it. Or other similar tools.
Long View
August 5th, 2007, 08:28 AM
Haven't tried sudown yet. so far I have been able to do all I want with limited.
Using Returnil with Limited seems to help. Certainly the hassle factor does not seem to increase. using returnil I would have to leave protected mode anyway to update a program. now I'm simply going to admin at the same time.
If limited works what is the benefit of sudown ?
Mrkvonic
August 5th, 2007, 08:33 AM
Hello,
If you want to try real limited user with 100% modularity, with no glitches and bugs, then you should try Linux. Windows can work with LUA, but it was not designed that way.
Mrk
Long View
August 5th, 2007, 10:24 AM
I will be trying Linux soon - have read a couple of your guides BUT
can I run Paperport, Omniform etc under Linux ? As far as I am aware a number of programs that I rely on only work under windows ?
Mrkvonic
August 5th, 2007, 10:45 AM
Hello,
You can run them using:
1. WINE (only for 32-bit apps under 32-bit kernel)
2. Virtual Machine of a sort (VMware, VirtualBox)
3. Use a similar, alternative program
Mrk
Kerodo
August 5th, 2007, 04:25 PM
Well, I have re-evaluated things and gone back to a LUA here. Main reason is, with Nod32 and CyberHawk I was getting some substantial slowdowns in both browsing and also general system functions. Not sure which apps caused what, but it was no good for me. I value good performance above extra security. So I removed both Nod and CH, put on a basic AV which isn't as good but still offers some basic file protection, then set up my account as a LUA again. For me, this is the best way to have decent protection as well as good performance.. Now I will try to see if I can live with the LUA.. :)
Kerodo
August 5th, 2007, 05:03 PM
{QUOTE->
If limited works what is the benefit of sudown ? <-QUOTE}
Good question, maybe somebody can answer, but I passed on sudown too as I can do everything as needed with LUA already.. Don't need sudown as far as I can tell..
tlu
August 6th, 2007, 07:30 AM
{QUOTE-> Hello Sukarof,
I advise to do installations of security softwares under your admin account and not the restricted one, even with "Run As". The reason for this is that I've witnessed "Run As" failing to install properly some applications. I think it will install fine let's say your FTP application, but not your antivirus. <-QUOTE}
Yes, Runas doesn't work properly in all cases. However, I can't remember a case where installation with MakeMeAdmin or suDown didn't work. For example, I installed KAV 6.0 with MakeMeAdmin and recently KAV 7.0 with suDown without any problems. But it's true that there are some rare applications that are better installed in an admin account: As far as I remember, after installing Outpost (which I had used earlier) and reboot a configuration window automatically pops up for which admin rights are necessary. This wouldn't probably work in a limited account. This might also apply to other security applications.
tlu
August 6th, 2007, 07:43 AM
{QUOTE-> Good question, maybe somebody can answer, but I passed on sudown too as I can do everything as needed with LUA already.. Don't need sudown as far as I can tell.. <-QUOTE}
The point is that for the installation of most (or at least many) applications admin rights are necessary. So if you are logged on as limited user you could switch to your admin account (which is cumbersome), try it with Runas (which works mostly but not always) or you do it with suDown which is definitely the most convenient way for me. Moreover, by right-clicking your desktop and selecting "sudo Control Panel" you can access all Windows settings for which admin rights are necessary. It couldn't be easier.
tlu
August 6th, 2007, 07:55 AM
{QUOTE-> Hello,
If you want to try real limited user with 100% modularity, with no glitches and bugs, then you should try Linux. Windows can work with LUA, but it was not designed that way.
Mrk <-QUOTE}
Mrk, everybody knows that you don't like Microsoft. ;) To be sure, I, too, prefer my Kubuntu machine over Windows. Nevertheless, I state explicitly that working in a limited account in Windows can be comfortable and rather unproblematic when following the hints given in this thread.
Yes, Linux is the superior OS but even Windows can be improved, i.e. more secure than it is out-of-the-box.
Mrkvonic
August 6th, 2007, 09:35 AM
Hi,
It's not that I don't like MS, don't get me wrong. It's MS that doesn't like me. When they started their guilty until proven innocent policy with WGA, it was the last straw.
Regarding LUA, I did try it quite extensively in Windows - and found it lacking severely. You know that I have zero tolerance for software and that I only go for the simplest and most convenient solutions. Unfortunately, Windows was never built to support modularity and LUA as intended.
I'm talking trying everything - gaming, sharing, P2P, security software, tweaks, etc.
Mrk
Rasheed187
August 6th, 2007, 12:48 PM
That's funny, it looks like Vista has already implemented it in a way that I like, you can run as "protected admin" (with autologin hopefully) and this basically means that you run in "non admin" mode but as soon as you need admin rights you will get to see a prompt, with the ability to allow or deny, no password required. So it seems like a nice and hassle free extra protection method.
But just for the record, even in non-admin mode I would still use my HIPS, because LUA won't save you from everything and besides I like to have full control over my machine. Perhaps I will make the switch to Vista faster than I expected, I just saw that PCs have become less expensive and more powerful. And Vista SP1 is also coming up. ;D
http://en.wikipedia.org/wiki/User_Account_Control
http://www.edbott.com/weblog/?p=1602
{QUOTE-> I've been using the final release of Windows Vista every day for nearly three months. I rarely see a UAC prompt, and when I do, it takes one click to deal with it. On at least two occasions, I have decided against installing something as a direct result of seeing a UAC prompt. It made me stop and think about whether I really trusted the program I was installing. In both cases I went and did more research, found some bad reviews, and decided against installing the program in question. That's worth the price of admission for UAC, in my book. <-QUOTE}
Rasheed187
August 6th, 2007, 12:57 PM
But then again, all of my favorite tools will have to work on Vista, including my security tools, and I'm not sure if HIPS will work on Vista because of certain changes in the OS.
Also, I don't want to be bothered by annoying messages telling me that "I'm not admin" (some apps give this on startup) but this shouldn't be a problem since even though you're protected you're still admin ("protected admin"). And from what I've read, the new "file/registry virtualization" feature in Vista, will make most apps run problem free in non-admin mode. :)
PoetWarrior
August 6th, 2007, 02:44 PM
I've tested my comfort level on Vista Home Premium from both admin and standard (limited) user accounts. Since I've found Returnil coupled with UAC enabled in admin account, I've decided to run entirely from the protected administration account.
I'm not running antivirus until I need to scan a file for installation. Not even using Windows Defender either. I always do my "sensitive information" events after rebooting to get a fresh virtualized C partition.
I do appreciate that the standard account is better in Vista than XP's limited account for ease of use.
:thumb:
sukarof
August 6th, 2007, 02:56 PM
{QUOTE-> That's funny, it looks like Vista has already implemented it in a way that I like, you can run as "protected admin" (with autologin hopefully) and this basically means that you run in "non admin" mode but as soon as you need admin rights you will get to see a prompt, with the ability to allow or deny, no password required. So it seems like a nice and hassle free extra protection method.
<-QUOTE}
I am testing the limited account in Vista right now and it is a bit easier than LUA in XP since you never have to tell Vista to "run as". Vista senses when a task is not permitted for the limited account and pops up a small window with the admin account name and one only types the password. Little more user friendly imo.
It's a bit like UAC in an admin account, I wonder what the difference is (other than you don't have to enter a password with UAC). Are UAC and LUA in Vista equally safe? If so there seems no point in running LUA in Vista...or? (well password is always a bit safer, but other than that..)
cheber
August 7th, 2007, 07:38 AM
I've been using LUA for a few months. I just installed this suDown and it seems nice. Too bad it lacks any documentation at all or settings possibility. It doesn't even install in the Program folder but in some mysterious place.
It's also strange that my account is LUA but when I login with suDown installed it becomes an admin account with LUA restriction. It's a bit strange.
I don't get this demo, http://sudown.sourceforge.net/index.php?page=demo
If I'd want to install a program wouldn't I use sudo which temporarily gives you admin rights? Wouldn't that mean that I'd get infected and the DNS servers would've changed anyway?
mikew3456
August 7th, 2007, 03:29 PM
I've been running as limited for a while now. I don't even use realtime AV anymore.
suDown looks like a good product, I'll give it a try. Will prob save me all the hassle below.
But for those who have been switching to administrator to install programs, you'll notice that many won't work when you try to run them in your limited account. Almost always, the problem is a file/registry permissions problem. Using the Sysinternals tools you can find what you are denied access to. Usually it's the Program Files directory of the app as well as some reg keys. Give your acct full permission to those and voila, the app works.
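After the permission changes described in the post above, it helps to see exactly which non-administrative accounts can now write to an application's directory. This added example is not part of the original post; the function name `Get-NonAdminWriteAce`, the trusted-SID list and the scratch folder are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example: function name and trusted-SID list are assumptions, not from the thread.
function Get-NonAdminWriteAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Principals expected to hold write access: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller
        [string[]]$TrustedSid = @(
            'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
    )
    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    # Rights that allow changing content, deleting, or rewriting the ACL itself
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
        $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Inherit-only ACEs may carry raw GENERIC_WRITE / GENERIC_ALL bits instead
    $mask = $writeMask -bor 0x40000000 -bor 0x10000000

    $root  = (Get-Item -LiteralPath $Path).FullName
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    foreach ($item in $items) {
        $rules = (Get-Acl -LiteralPath $item).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            # Below the root, report explicit ACEs only; inherited ones repeat the parent
            if ($item -ne $root -and $rule.IsInherited) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSid -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
            try { $name = $rule.IdentityReference.Translate($ntType).Value }
            catch { $name = $rule.IdentityReference.Value }  # SID that no longer resolves
            [pscustomobject]@{
                Path = $item; Principal = $name
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder standing in for an application's directory,
# with Modify granted to BUILTIN\Users (S-1-5-32-545) as the loosened permission.
$demo = Join-Path $env:TEMP 'lua-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$ace = New-Object $ruleType -ArgumentList $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -LiteralPath $demo
$acl.AddAccessRule($ace)
Set-Acl -LiteralPath $demo -AclObject $acl
Get-NonAdminWriteAce -Path $demo | Format-Table -AutoSize
```

Any row for an application folder under Program Files means code running as that principal can replace the program's files, so such grants are best kept to the narrowest subfolder the application actually writes to.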
Long View
August 8th, 2007, 09:06 AM
Have pretty much got admin and limited set up the way I want ( protected with Returnil) and ultimately Acronis.
post #9 explains about Make me admin. I have been able to get to the point where I am supposed to stop the last few autostarts. I can get to the registry - but then what ?
I will try Sudown next but before I do will this program make it possible to stop all autostarts i.e to stop any malware from being able to run ?
any help here would be appreciated
tlu
August 8th, 2007, 10:32 AM
{QUOTE->
It's also strange that my account is LUA but when I login with suDown installed it becomes an admin account with LUA restriction. It's a bit strange. <-QUOTE}
I'm not sure that I understand. What exactly have you done?
{QUOTE-> I don't get this demo, http://sudown.sourceforge.net/index.php?page=demo
<-QUOTE}
You need Macromedia Flash installed. It's also possible that you blocked this site with Noscript.
{QUOTE-> If I'd want to install a program wouldn't I use sudo which temporarily gives you admin rights? Wouldn't that mean that I'd get infected and the DNS servers would've changed anyway? <-QUOTE}
Short answer: See posting #20.
tlu
August 8th, 2007, 10:47 AM
{QUOTE-> Hi,
It's not that I don't like MS, don't get me wrong. It's MS that doesn't like me. <-QUOTE}
LOL. Well, perhaps MS are listing posters here on Wilders that always argue with them ...;D
{QUOTE-> Regarding LUA, I did try it quite extensively in Windows - and found it lacking severely. You know that I have zero tolerance for software and that I only go for the simplest and most convenient solutions. Unfortunately, Windows was never built to support modularity and LUA as intended. <-QUOTE}
I don't know what you tried exactly. Read through this thread and it should become clear that LUA is possible and it can be very comfortable using the right tools (suDown).
{QUOTE-> I'm talking trying everything - gaming, sharing, P2P, security software, tweaks, etc.
<-QUOTE}
See my post #26 to solve possible problems. In general, Regmon and Filemon are your friends.
cheber
August 9th, 2007, 07:43 AM
{QUOTE-> I'm not sure that I understand. What exactly have you done?
<-QUOTE}
"cheber" is added to "sudoers".
When I check on my administrator account ("Users and settings") called "admin" it says "cheber" is a LUA.
When I check the account on "cheber" it says the account is an administrator account.
{QUOTE->
You need Macromedia Flash installed. It's also possible that you blocked this site with Noscript. <-QUOTE}
Heh, well I just meant I didn't understand the reasoning or how it functioned. My Flash works fine. But I guess your post #20 explains it. I also read more on the site and the Flash just wanna compare LUA and admin, not <sudo installing with LUA> and admin (which I thought) as that'd practically be the same thing.
Mrkvonic
August 9th, 2007, 07:55 AM
Hello,
tlu, that's exactly the reason why not to use LUA. I don't want to play with file permissions to get things to work. That's exactly the problem. Of course you can eventually get it to work. But when I want to play a game online, I don't want to have to try 7-8 times before everything fits.
Using the given tools / options provided by LUA, I found quite a few bugs with lots of programs. Therefore, I've decided to drop the issue. I can achieve the same productivity without losing anything with admin account - or as an alternative, use Linux, which offers 100% modular limited user.
Mrk
Long View
August 9th, 2007, 10:37 AM
{QUOTE-> Hello,
tlu, that's exactly the reason why not to use LUA. I don't want to play with file permissions to get things to work. That's exactly the problem. Of course you can eventually get it to work. But when I want to play a game online, I don't want to have to try 7-8 times before everything fits.
Using the given tools / options provided by LUA, I found quite a few bugs with lots of programs. Therefore, I've decided to drop the issue. I can achieve the same productivity without losing anything with admin account - or as an alternative, use Linux, which offers 100% modular limited user.
Mrk <-QUOTE}
Hi Mrk
I'm using LUA now and apart from occasionally booting to admin to load or update I haven't had any real problems.
I'm still trying to get make me admin to work and at some point I will probably try SuDown but I am trying to remove complications rather than add them.
So how would I go about achieving the same productivity without losing anything with the admin account?
cheber
August 9th, 2007, 12:29 PM
Only problem I've had with LUA is with Nero BackItUp. It won't save backup jobs created with a LUA. But that doesn't matter as I don't create new jobs often.
Doc Serenity
August 10th, 2007, 03:55 PM
I have to ask this.
Using Roboform's Customize Toolbar as an example, is there no software that is easy to use that would list all the programs that would be affected by changing user accounts and enable the user to just Add or Remove them into the limited accounts?
If there is something that simple, and stable, more people would jump into this safer way of computing.
Regards.
Doc
Long View
August 10th, 2007, 05:25 PM
well if anyone knows how to write scripts or batch files they could use
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx
I have not found any programs yet that I can not run under LUA. I do have a number where I have to "run as" but as these programs are only run infrequently I don't find that much of a problem.
Long View
August 10th, 2007, 06:15 PM
I apologise to those who know a better way to do this but
wanting to run Acronis True Image 10 under LUA I opened the Acronis folder in Program Files and made a shortcut. Dragged the shortcut to the quick launch bar. Under properties/advanced I checked "run with different credentials".
So now if I want to run Acronis I click on the icon and am prompted to enter the admin user name and password.
No need to remember which programs run under limited and which "run as" - just make shortcuts to quick launch or the start menu.
Kerodo
August 10th, 2007, 10:07 PM
Sorry, posted in error, ignore please....
cheber
August 11th, 2007, 04:36 AM
{QUOTE-> I have to ask this.
Using Roboform's Customize Toolbar as an example, is there no software that is easy to use that would list all the programs that would be affected by changing user accounts and enable the user to just Add or Remove them into the limited accounts?
If there is something that simple, and stable, more people would jump into this safer way of computing.
Regards.
Doc <-QUOTE}
Not sure what you mean.
Most programs are installed so the program will be usable for all accounts. Some installers have the option "All users" and "Only current user".
sukarof
August 11th, 2007, 04:45 AM
{QUOTE-> I have to ask this.
Using Roboform's Customize Toolbar as an example,
Doc <-QUOTE}
I am not sure either what you mean, do you mean you have a problem with Roboform and LUA?
If so, I can report that my roboform works just fine in limited account, both in XP and Vista, firefox and IE.
In XP it worked after I changed the account to limited, and in Vista I installed it through "run as"
What sort of problem do you have?
sukarof
August 12th, 2007, 06:39 AM
I have now been logged in as a limited user for 10 days. I have done all the stuff I usually do (when I was admin) except imaging with shadowprotect in vista (but V3 will arrive shortly). I have done the imaging in my XP snapshot.
I really don't understand my previous hesitations using LUA ??? Everything works just fine, even though I find Vista LUA more reliable and user friendly than XP LUA. My system is even faster, but that might be because I don't use any sort of HIPS any more, just FW and AV. I see no reason using admin anymore. I am now officially a convert, hallelujah! ;)
Now to the next problem: What will I do with all my spare time now that I don't need to explore new security apps ;)
looks out and see that sun is shining outside..
tlu
August 12th, 2007, 10:05 AM
{QUOTE->
Now to the next problem: What will I do with all my spare time now that I don't need to explore new security apps ;)
looks out and see that sun is shining outside.. <-QUOTE}
One suggestion: Try Linux - I recommend Kubuntu :)
sukarof
August 12th, 2007, 11:03 AM
Wow! hold your horses... baby steps, baby steps ;)
I still like to play the latest games. And for now I can't imagine a computing life without FDISR.
Now and then I install some distro but it always gets boring when trying to install something new. Why can't I just have one .exe file to download and click on when I want to install something? I don't mind the sudo prompt but many times linux requires me to install something else, other than the software I want to install. But I just read about some site that offered just that: a one click install (I can't find the article right now though)
And the file system is so confusing compared to Windows. I know, everything is a matter of getting used to, but for now Windows works exactly as I want it to so I don't feel the need to change.
I just don't understand the concept of linux. But I will keep on trying occasionally and when the privacy intrusions get too many in the windows world (or if windows gets one more cent more expensive!) I will migrate and use Windows as a gaming setup only. My dream is that FDISR would find a way to make linux snapshots, now that would be something.
lucas1985
August 12th, 2007, 01:35 PM
{QUOTE-> But I just read about some site that offered just that: a one click install <-QUOTE}
PC-BSD (http://www.pcbsd.org/index.php?p=learnhome) (?)
Long View
August 12th, 2007, 01:56 PM
Just took a very brief look at PC-BSD ( Blue Screen of death ?) and think I will stick with windows LUA. I'm sure that one day soon there will be a breakthrough but for now I'm not going back to Office 97 or run an emulator just to be able to run windows software.
Kerodo
August 12th, 2007, 02:20 PM
You're probably wise to stick with Win. I spent the last 10 months more or less, trying out literally dozens of Linux distros, the BSD variants as well, and although they are great fun to play with and tweak, there is just nothing like Windows for ease of use out of the box and polish. Linux IS great in that you'll never need any AV or other "security" apps again, for me that's a good selling point. But after spending much time with it, I just decided to stick with Win..
Long View
August 16th, 2007, 09:02 AM
Although I liked Limited I have gone back to Admin. I have been unable to find a Reg Cleaner or cleaners that seemed able to handle Limited. Running under Admin or run as or limited seem to be 3 different things. The purpose of limited is to limit what the user can do so it seems to me that over time a limited user account will build up a load of junk which can not be removed from within limited and yet is not fully dealt with via admin ?
If anyone knows of a cleaner which is designed to run under limited I would be interested - otherwise I will probably just wait until Vista is finished.
tlu
August 16th, 2007, 09:54 AM
{QUOTE-> Although I liked Limited I have gone back to Admin. I have been unable to find a Reg Cleaner or cleaners that seemed able to handle Limited. Running under Admin or run as or limited seem to be 3 different things. The purpose of limited is to limit what the user can do so it seems to me that over time a limited user account will build up a load of junk which can not be removed from within limited and yet is not fully dealt with via admin ?
If anyone knows of a cleaner which is designed to run under limited I would be interested - otherwise I will probably just wait until Vista is finished. <-QUOTE}
CCleaner works in a limited account. But, of course, it can't clean/delete anything in folders or parts of the registry where you don't have write access. But why, for heaven's sake, is it a problem to start it with, e.g., suDown once in a while ???
Long View
August 16th, 2007, 10:03 AM
I had completely forgotten about Sudown -- thanks.
In fact Crap cleaner was the one giving me a problem - showing references under limited that I could not delete whereas "run as" or admin did not pick up the references. Have just tried Crap Cleaner 3 beta and it does not pick up these references under limited.
Part of the problem is the machine I'm using is badly in need of a re-install.
thanks again - when I go back to limited I will give Sudown a go.
cheber
August 18th, 2007, 11:54 AM
Hmm, I'm getting tired of suDown. 3 times during a few weeks the "sudo" has vanished from the context menu for installation files, I could still start Control Panel as admin. I had to reinstall suDown to get it back for exe-files.
tlu
August 19th, 2007, 02:48 PM
{QUOTE-> Hmm, I'm getting tired of suDown. 3 times during a few weeks the "sudo" has vanished from the context menu for installation files, I could still start Control Panel as admin. I had to reinstall suDown to get it back for exe-files. <-QUOTE}
Hm, strange. This never happened to me, and I've been using it for quite some time. Don't know what's happening here- sorry.
cheber
August 29th, 2007, 05:31 AM
After some tests I found out it's TuneUp 2007 Regcleaner that removes suDown from the context menu.
tlu
August 29th, 2007, 12:39 PM
{QUOTE-> After some tests I found out it's TuneUp 2007 Regcleaner that removes suDown from the context menu. <-QUOTE}
Thanks, cheber, for letting us know. That's really interesting and an example that regcleaners in general are not always reliable.
Ocky
September 2nd, 2007, 07:50 AM
Anyone tried to run as limited with Process Explorer ? Eg. selecting browser
r/click run as limited user ? Does it obviate the need for a logon password ?
I run admin and have not yet tried this option in Process Explorer.
Edit: From the PE help file:
{QUOTE-> Run as Limited User
This variant on the Run command runs the application you specify in the same account as that of Process Explorer, but without administrative privileges or membership in the local administrators group. This option restricts the exposure of your system from applications, such as Internet Explorer, that might be compromised through access of untrusted data.
<-QUOTE}
tlu
September 2nd, 2007, 12:11 PM
{QUOTE-> Anyone tried to run as limited with Process Explorer ? Eg. selecting browser
r/click run as limited user ? Does it obviate the need for a logon password ?
I run admin and have not yet tried this option in Process Explorer.
Edit: From the PE help file: <-QUOTE}
I've never tried that (why should I in a limited account? ;)). But it seems that Process Explorer applies the DropMyRights approach. In XP this is an insecure approach as, e.g., an infected IE running with lower privileges would still be able to communicate with processes running with higher privileges (note: this is no longer possible in Vista). Another drawback is that by clicking a link, e.g., in an email or in a DOC or PDF document you would start another instance of IE with admin privileges, and most probably you wouldn't notice. A limited account is clearly the better alternative.