Security → FAQ: Enabling S/W Use From Regular User Accounts

I think this is a possible FAQ. Opinions? Additional suggestions?
-----------
A tip on enabling software to run on regular (aka "limited" or "non-admin" user accounts) on Windows XP, 2000, and NT, from LangaList:
»langa.com/newsletters/20 ··· 9-02.htm

quote:

---

4) Free Tools Solve Access Problem

This specific problem was with Quicken, but the solution has much wider
application:

---

Fred, I was installing Quicken 2004 on my PC and had to run the
installer from my Administrator account (WinXP Pro SP1). After
installing it, I could run it from the Administrator account,
but not from other users' accounts.

Intuit's site didn't provide pertinent help, nor did a
newsgroups search. I figured the problem had to be that Quicken
was trying to access a registry key or a file in such a way
that access was being denied, and that was causing the failure
in non-Administrator accounts. So I downloaded NTRegMon and
NTFileMon from »www.sysinternals.com and ran them while I
attempted to open Quicken from a normal user's account. I found
that Quicken was getting an ACCESS DENIED error on two files
(qw.cfg and qw.rmd) when opening them for write access. I gave
the Users group Modify and Write privileges on those two files,
and Quicken works fine now.

While this post may have some value for a few Quicken users,
the more important principle is this means of troubleshooting
an application which works under an Administrator account but
not under other accounts--a possible reason is file or registry
key permissions, and these tools make it a cinch to sniff those
out. (Be sure to take advantage of their filtering
capabilities, or the output will be overwhelming and tedious to
examine.)

Changing file permissions is as easy as opening up the file's
properties in explorer (logged in as Administrator). Changing
registry key permissions requires running regedt32 (not
regedit), right-clicking on a key, and selecting
"Permissions..." from the context menu. Regards, Lance

---

Nice troubleshooting, Lance! Lots of other good tools available at
Sysinternals, too--- well worth a look!

---

SUBSCRIBE to LangaList (it's free!): Click here.

The possible FAQ starts here:

Security on all full featured operating systems depends on restricting what work is done and what programs are run using privileged user accounts. Only that work that requires installing new programs, or updating system files and settings, should be done on administrator accounts.

In Windows terminology, with Windows XP and 2K, this means using regular ("limited") accounts for web surfing, emailing, games, file-sharing, and ordinary office tasks.

Sometimes there is a defect in a product setup that prevents the product being run from a regular user account. Often the defect is a failure to grant the regular user account group (the User group) adequate access to the product's registry entries and files.

These defects should be reported to the product's manufacturer for a permanent correction. However, while waiting for the manufacturer to correct the problem permanently, the steps that follow may enable you to correct the problem until the next release of the product comes out.

1. Backup your entire registry (in XP create a System Restore Point):

- How to back up a registry:
»service1.symantec.com/SU ··· _doc_nam (XP, 2000, NT, Me, 98, 95)

- To create a System Restore point in Windows XP, go to Start / All Programs / Accessories / System Tools / System Restore. Select “Create a restore point” and click Next. Type in ‘Removing AV registry entries” as the name of your restore point, and click “Create”. Wait a minute while the restore point is taken, and click Close.

2. Install NTRegMon and NTFileMon from »www.sysinternals.com/ . Look for "Windows NT/2K/XP/2K3 Utilities".

3. Start NTRegMon and NTFileMon running.

4. Using a regular user account, try to run the application you concerned with.

5. Check in NTRegMon and NTFileMon to see what violations are flagged

6. Using an administrator user account grant permission for the "Users" group to "read", "read and execute" and "modify" the files flagged.

With Windows XP Pro and NTFS files the details are to:
- Locate the file or folder concerned using Windows Explorer,
- Right-click on the file, and select Properties / Security / Add
- Add Users, click OK.
- With Users hi-lighted, select Modify and Read&Execute, click OK.

7. Using an administrator ID grant permission for the "Users" group to "read", "read and execute" and "modify" the registry entries flagged.

With Windows XP the details are to:
- Locate the registry folder concerned by Start / Run / Reg32edt.exe
- Right-click on the registry folder, and select Permissions / Add
- Add Users, click OK.
- With Users hi-lighted, select Read and, if necessary, Full Control. Click OK.

8. Repeat steps 4 thru 7 to see if any further permissions are required.

9. Terminate NTRegMon and NTFileMon before their logs fill your hard drive.

Caution: Many administration and security tools are better left set so that they can only be run by administrator user accounts.

These include programs like Ad-aware SE that require access to so much of the registry that so many permissions would need to be granted to regular user accounts that the protective benefits of doing normal work with a regular user account would be lost.

The protective benefits of running on a regular user account (limited account) derive from regular accounts and programs run on them not being able to change crucial security settings and system files.

* An alternative fuller featured and more user friendly registry editing tool is here: Resplendence.com's Registrar Lite

* How to restore a registry:
»support.microsoft.com/de ··· duct=w98
»support.microsoft.com/de ··· ct=winxp
»service1.symantec.com/SU ··· _doc_nam

System Restore in Windows XP:
»support.microsoft.com/de ··· ct=winxp
»support.microsoft.com/de ··· ct=winxp

said by keith2468:

---

3. Start NTRegMon and NTFileMon running.

4. Using a regular user account, try to run the application you concerned with.

5. Check in NTRegMon and NTFileMon to see what violations are flagged

---

It might be good to be explicit about using the RunAs command in single desktop use cases (non-WTS Windows 2000 and XP where fast-user switching is disabled) versus doing this with fast-user switching (open admin desktop, start Regmon/Filemon, switch-user to non-admin destkop, start program, expose program's design and/or implementation defects, switch-user to admin desktop, save Regmon/FileMon logs, etc.), which is quite handy when using this technique.

Philip Sloss

Good catch, Keith, and very topical.

Ive had to go through the same steps. My FIRST approach is to enable full access to the user on the program folder, as it is more or so files on the disk rather than registry keys.

Reg keys only happened with adobe in my expereince, everything else is file permissions.

all good stuff with the "run as" and what some developers fail to code when you install their programs hoping it will be the same for all users on a system or PC..just do not forget this..

User Accounts That You Create During Setup Are Administrator Account Types

SUMMARY
After you install Windows XP, you have the option to create user accounts. If you create user accounts, by default, they will have an account type of Administrator with no password.
MORE INFORMATION
To change the security levels and assign passwords to these accounts:
Log on as a user that will continue to have administrative privileges.
In Control Panel, double-click Users.
Click Change an account.
Click the user account that you want to modify.
Click Change Account Type.
Click the type of account that you want to have for this user account.
Click the Change Account Type button.
To assign a password to this account, click Create a password.

»support.microsoft.com/de ··· ontent=1

Good points Philip, Joesph, Vic and NameGame.

More suggestions welcome.

I'll check back later this evening with a new draft of it.

Three questions I need answered:

1. Would the file permission instructions apply to Windows XP Home? Or does Windows XP Home, with the FAT32 file structure, not provide that sort of security?

2. Are there any differences in the detailed steps for Windows XP Home or Windows 2K? (For brevity, I'm going to assume that anyone with NT knows enough about it that they can figure out the NT details from the 2K details.)

3. Has anyone had the experience where disabling Fast User Switching is required as part of the solution? I ask because I have a *feeling* that it might perhaps be with some products.

You probably already know this, but XP/home uses NTFS or FAT32, depending on what the installer specifies. I can make folders "private" cuz I use NTFS, but the tutorial says FAT32 does NOT permit this. When you rightclick the file (to be modified), under Sharing and Security, one gets a "properties box" with a checkbox to make the file "private" and change network sharing options (if one is on a network) Same as choosing properties. HomeXp only allows this in some folders. In My Documents I can make folders private or share them. In C: drive I don't have this option. File permissions as such I can't find- at least not for files and drives. XPpro is the way to go for setting up user accounts that have adjustable permissions(in Windows anyway), it appears. When I run regedt32, I get what looks like the registry editor(regedit) and I can set permissions with a rightclick, like in your FAQ. So 1. is a a "sortof"( if the file or folder are in My Documents) 2. is a yes, and 3. I'm not sure about fast user switching- I have it disabled and I haven't seen a difference in file permissions as far as I can tell. HomeXP isn't very good for securing individual drives, folders, and files(from what I can see) compared to, say, my RedHat6.2 system. Hope this helps.

What is the result if the program is installed in the limited account using the "run as" command?

I did this on my dad's pc, installed a program from his limited account using the "run as" option.

It seemed to work, I am only asking because I hope I have not reduced the security benefits of the limited account.

Ok.

I am trying to set permissions to allow a limited user to use a Microsoft access mde database, which is in a folder in the root of C drive.

I am running XP home.

I tried as per the faq entry proposed by Keith2468, but I don't have a "security" option when I right click the folder I wasnt to grant permissions to.
This assumes that I navigated to the appropriate folder, in the administrator account.

Don of the Dead alludes to this above, but the instructions provided are insufficient to assist me.

Any suggestions?

Edit:
I am going to try and find out more about the program. It is a window pricing program that my dad uses.

Thanks, you just saved me a lot of time and research.

I'm running XPPro and did not have any Security tabs at first either. Turns out that I had "Simple File Sharing" enabled; disabling brought the Security tabs out from hiding. Not sure if it can be disabled under XPHome?

Over the last couple of days, I've been setting up a new PC on XP Home, and ran into a similar problem ... thus far, my solution has been to set up my 'limited account' with admin rights, install the programs, then set it back as a 'limited' user. So far, this has solved the problem for any software I couldn't access with the limited user after installing it as an administrator.

Can't guarantee that this will work in all cases, but I'll try it tonight with Quicken to see.

... Really wish I'd researched the differences between XP Home and XP Pro ... Home is 'stripped down' just a little too far for my liking when it comes to user permissions.

Edit: No such luck ... found a driver app with a .sys file c:\windows. Have found no way of enabling the program for a 'limited account' using XP Home.