Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

DropMyRights – Login as Administrator, but run select applications with limitations

I am using windows XP. I want to use my computer with administrator
privileges. For browsing or using reading e-mails, I’d like to act
temporarily as a guest with limited privileges. My aim is to increase
safety. Is there a way to do it easily?

Running as a “Limited User” in Windows XP is the ideal scenario,
where everything you do is subject to administrative
restrictions. Unfortunately, for many people it’s simply not practical
to do so. Many applications require administrative access either to
install, or occasionally even to run. It doesn’t always make sense, but
it’s also something we seem to have little control over.

The result is that we regularly login to our Windows XP machine as
Administrator, or as another account that has Administrator privileges.
We can do anything.

The problem is simple: if we can do anything, so can any malware we
might accidentally execute.

]]>

One solution is the approach that UAC in Windows Vista took: you might login as Administrator, but you’re not really administrator. When something happens that requires administrative access, you’re requested to confirm it.

Windows XP doesn’t have this option. When you’re Administrator, you’re administrator.

One approach is to login as administrator, but run programs though which exploits are common – say your web browser or email program – with more restrictive rights.

That’s exactly what DropMyRights does.

After downloading and installing DropMyRights, you then only need to modify the shortcut that starts your browser. For example, here’s a default shortcut for starting Internet Explorer:

A Common Shortcut to start Internet Explorer

Here’s a shortcut, modified to use DropMyRights:

Shortcut to start Internet Explorer using DropMyRights

The only difference is that “DropMyRights ” has been inserted before the name of the executable (“C:\Program Files\Internet Explorer\iexplore.exe”). Now instead of IE running with administrative privileges, it runs as a normal, or limited user.

Why is this valuable? Because limited users don’t have the permissions required to install things where malware likes to install things. If you happen to mistakenly venture to a site that attempts to install malware .. it can’t.

You might consider running any program that could be a vector for accidentally installing malware through DropMyRights; your browser and your email program are two obvious choices.

Caveats:

  • If you actually do want to install something, say an update to Flash Player or some other activex control or program, you won’t be able to. You’ll need to save that original shortcut that started the program with administrative rights, and run that just long enough to take the update you need.

  • The shortcut icon might change. Just click the Change Icon… button, locate the original executable (iexplore.exe in our example above), and select an icon from there.

  • This may not work for all programs. As I said at the beginning of this article, some programs, for reasons that don’t always make sense, simply require administrative privileges.

DropMyRights is actually an old program, dating back to 2004, written by a Microsoft engineer, and free on Microsoft’s MSDN site. It’s a very simple program, and its source code is even displayed there for those so inclined.

It’s not a utility that can fix everything, by any means, but DropMyRights is a useful tool to have in your arsenal against malware.

I recommend it.

Subscribe to Confident Computing! Tech problem solving & safety tips & a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

NOW: name your own price! You decide how much to pay -- and yes, that means you can get this report completely free if you so choose. Get your copy now!

4 comments on “DropMyRights – Login as Administrator, but run select applications with limitations”

  1. The opposite approach is to log-in as a restricted user and run “those” special programs by using right-click and “Run As” command where you can choose to be administrator for that application. It requires admin password to be keyed in. That improves overall security of the PC.

    The advantage is that you raise the privileges only when required and that too making a conscious effort.

    This has been my approach for overall safety for all my Windows installations. I also recommend this to my clients.

    Reply
  2. This problem has been resolved in Windows Vista.

    When a limited user wants to install a program or perform an operation that requires administrator access in Vista, a dialog box pops up allowing you to enter an administrator user name and password.

    If the user knows (or has a parent come in and enter the password) the application will be allowed to run.

    This is better than the old days when I would have to log into my administrator account, make the child’s account an administrator, log back into the childs account and install the program, then log back into the administrator account again to make the child a limited user. (phew, I’m out of breath just typing that)

    Thanks Elizabeth. Vista gets a bad rap on various issues, but this is one that they appear to have done well with.

    For those reading, Elizabeth is The Computer Lady and also does Q&A and has her own newsletter too.

    – Leo
    19-Mar-2009
    Reply
  3. Using DropMyRights with satisfaction.
    But, there is a problem with security.
    Some programs open a web page automatically using default browser. In such a case, it seems that dropmyrights is not functional.
    Could you clarify this point? thanks

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.