SuRun: Easily running Windows XP as a limited user

Let's enlarge the limited understanding.

Yes, there are programs, which can be installed without elevated rights. At first, there seems to be the only "problem", that you cannot install inside the program files branch, but the real problem is the following:

If you successfully install a program without limited rights, than you are the owner of this program. Every limited user, who creates a file (installing is a way to create them), can do with them, what he wants. That means, also any malware can do all, what it wants. So in the end, the whole principle of dividing between right access and read / execute access is lost.

The LUA way does only work, if you in general install programs with admin rights. The additional benefit is, that installing without elevated rights may seem to work at the first glance, but later (when you have forgotten about the way of installing) there arise strange errors because of the wrong way of installing. Installing with admin rights guards you against that problem.

Coming back to the quote:
It does not make sense to install without admin rights.

As rule of thumb: admin rights are nothing bad; but using an admin account for daily work - without administrating anything at all - opens the double door for all enemies.

 

Thanks I appreciate it

Ok, this is now very clear.
Just to make sure then, as long as I install a program with admin rights it doesn't make a difference which account (limited vs, admin) I do it from, correct?

 

newbino, this post might answer your question.

 

tlu thanks, I had read the post you refer to at least thrice before installing, but now after install and thanks to Cosmo's explanations and you kind redirection, it's clear.

 

SuRun 1.2.0.2 is out. Here's the changelog for versions 1.2.0.0 - 1.2.0.2:

 

SuRun 1.2.0.3 is out. Changelog:

 

WOW! series of updates.

 

I have problems with last 2 verions now. These versions put a little green icon in tray. SuRun installs fine, and upon first use my admin account gets added to SuRunners group fine. For some reason the context menu settings are missing other than 'Start as admin'. If I use the tray icon and go to SuRun settings, it asks for credentials. Putting in either of my two admin accounts there gives this error

And a hex error which means nothing to us.

Anyone else see this or know what it is? I did not see a forum at kay's site to post on.

Sul.

 

I've never had this problem - sorry.

The forum's URL is http://forum.kay-bruns.de/forum - there is also an English sub-forum.

 

@sully:

Following your description your account is not a member of the SuRunners - although you think so.

Beside the advice of tlu to ask about this in Surun's forum you can do the following:

Leave your account. This should bring you to the Welcome screen and you will find the actual admin account. Go there and open the Surun-settings dialog from the admin account. Check the 2nd page (SuRunners) and try to add the account you want to be a Surunner. Probably you have to repeat this. In case the error dialog should appear here also try this with another account (you can create one for testing or activate the guest account for testing purposes) and see, if you get the same error message here.

 

SuRun 1.2.0.4 is out. Changelog (particularly interesting for you, Arup ):

 

I'm seeing some different behaviour between two different computers that I've set to run on limited accounts and both using the latest version of SuRun and XP Pro SP3.

The biggest difference being that on System A, the limited account was previously an administrator account that was converted into a limited account.

On System B, it was a clean install with a limited account having been created as a limited account from the start.



Now the problem is, is that on System B, programs don't seem to be saving their settings unless they had their privileges escalated with SuRun first. For example, I would run uTorrent and it acted as if it were being run for the first time and it asked whether it should be the default client for torrents or not. Closing it and running it a second time had uTorrent force the question again. After running it with administrative privileges, it worked fine.


I don't get this behaviour on System A. Which system is working properly?

 

uTorrent may need to write to an area of the system which is restricted to limited users for saving settings. That's just a guess, though.

 

Your assumption is correct.

System B is working properly as designed, but system A is worrying though, unless it has imported the configuration settings.

SuRun is a great tool for solving problematic third-part applications containing LUA bugs, but it´s better to be really safe (than sorry) and create a new restricted account using Windows own tools. Thereby avoiding potential security problems.

/C.

 

Thanks, it seems to be working now but the open control panel as admin still fails.

 

Maybe this is what I am doing wrong then. I generally do System A (in Reimers' example). I start with an Administrators account and get all my programs installed and all my settings done. Then I create another Administrator account and sign into that and change the first account to limited. RE: "Thereby avoiding potential security problems" - Is System B the more secure method?

 

I immediately create an admin account as well as user account after fresh install. Then I log in to the admin account and do all my installations.

 

uTorrent saves it's settings in %appdata%/uTorrent.

I don't recall if it's a restricted folder or not. However, now it looks like after the initial run that saving settings, even when without escalating via SuRun, works now. So maybe it just needed to create the %appdata%/uTorrent folder first.

It might make sense since with System A, I already had most of my programs and settings setup when I converted to a limited account.

System B is actually a sibling's system so I don't see any of the "problems" first hand.

 

I´m just referring that you should use Windows own tool for creating/changing accounts rather than third-part tools for avoiding problems.

Regarding your example I honestly don´t know which way around is the most preferable from a security view, but personally I do as Arup does.

/C.

 

Dunno if it's of benefit or not but i always add KAFU even om my XP Pro. Is this neccessary?

It does tighten down those areas and makes then Off-Limits even in XP Pro.

EASTER

 

If you do nothing else than described above, your system has more security holes than a swiss cheese. This is because your account is still the owner of all files (inclusive the system and all programs). Your safe state is near to a complete usage in an admin account.

The way of Arup is the correct one.

 

Or as tlu fixed the problem, described in this thread (somewhere).

 

Mitch, right-click your program files- and windows folder, as well as the document settings\"admin name" folder, and then go to security\advanced tab to check the owner. If one of your user accounts is the owner, then change this to your "admin name" from your admin account (don´t forget to inherit the ownership to subfolders and files). But the best would be to reformat and do a new fresh install where you create new user accounts the other way around (the "Arup way"), because you maybe already got something in your critical folders without your knowledge.

/C.

 

OK, thanx Cerxes - I'll format and start again. The only thing is that in this very thread, the opening post referances this post https://www.wilderssecurity.com/showpost.php?p=1051357&postcount=41 as the method to use, but I can see what you are saying and will go the other route.

 

You should also read post #146 - that's the one Pedro was referring to.