Windows XP automatically gives user accounts administrator privileges. This is REALLY bad because any program you run, trusted or untrusted, has complete access to your system. Even if you run programs you trust, such as your favorite web browser, someone could hijack it and take over your system using your admin privileges. Once Windows has been compromised, you can no longer completely trust it with your private information.
Other operating systems like Linux have long avoided this problem by having a root (admin in Linux speak) account that can make system changes, and a limited user account for everything else. That way, attacks against the user account have a tougher time taking control of the system. In the latest versions of Windows (Vista, 7), Microsoft employs this method with UAC. Most people seem to think UAC is annoying and useless (see Apple’s “Cancel or Allow” smear ad), but it is actually an attempt to accomplish this type of privilege separation.
I was so impressed by the way Linux protects system files that I decided to take a similar approach in Windows. I no longer use Windows under an administrator account. Sounds impossible, right? Well, it’s not. Windows 7 makes this incredibly easy, but XP is a bit trickier. I’ll give you a quick step-by-step to get you started. The following steps are for XP only.
1. First, you’ll want to make an administrator account. You will perform system changes using only this account later on. (Do this using User Accounts in the Control Panel). MAKE SURE YOU GIVE THIS ACCOUNT A PASSWORD!
2. Log out of your current account and log into the admin account you’ve just created.
3. Go to the Control Panel, choose Tools from the menu bar and click Folder Options. Go to the View tab and check “Launch folder windows in a separate process.” Click OK. This will allow Control Panel and Windows Explorer windows to open with another account’s privileges.
4. Go to User Accounts and change your original account to a “Limited account.”
5. Log out of the admin account and back into your original account. You are done.
I suggest the following tweak so you can easily access your Control Panel and make system changes:
Make a shortcut called “Control Panel as Admin” and give it this path/target: %windir%\system32\runas.exe /user:youradminaccount control
When you click this shortcut, a command prompt will ask for you admin password. When you get it right, it launches the Control Panel as if you were an admin. The drawback is, if you mistype your password, it will close and do nothing.
IMPORTANT: If you need to install something, or if some lame application needs admin privileges to run, right click your victim and choose “Run As…”, pick “The following user:” and type your admin account info. This will launch the application using the admin account.
Tips, Tricks, and Notes:
- As a limited user, you CAN NOT access files and folders outside of your profile within “Documents and Settings”. Neither can your applications. You also cannot kill nor change the priority of processes that your account did not start, run Task Manager as admin to do that.
- If you run Windows Explorer or the Control Panel as admin, you can enable the Address Bar using “View > Toolbars” and go to other locations with admin privileges.
- When you run poorly-made installers as your admin account, sometimes they will place shortcuts in the admin account’s start menu where you can’t use them. You must manually copy these over using Windows Explorer in order to use them.
- I suggest you have shortcuts to the following handy so you can easily get to them as admin: Control Panel, Windows Explorer, Command Prompt, and Task Manager.
Running XP as a limited user increases the safety of your PC by restricting access to crucial system files and settings. Most newer applications should work fine with this, but if they don’t, you now how have the tools to work around it. I hope this helps you keep your computer that much safer!