Two Ways to Run Windows Programs with Restricted Rights

In these days of drive-by downloads, poisoned websites and various other malware traps, it pays to have multi-layer defenses.

One general technique involves running an entire account with limited system privileges. This can have a substantial effect on usability, however, and just restricting the privileges of particular programs may be preferable for many users. At a minimum, restricting user’s rights will help quite a bit and should be implemented when possible.

Since it is on the front line, the Internet browser is frequently run with limited rights. To do this, strengthen your security in this way with the programs “Sandboxie” and “Drop My Rights” (to be covered in an updated review out shortly).

Sometimes it is convenient to have a choice of running a program with either limited or more elevated rights. This is a freeware utility from Microsoft. (The first time you use one of these programs you will have to agree to a Microsoft EULA.) This method is especially applicable to Windows XP, which has fewer security defenses than Windows Vista/7. Note that it is supplementary to more general methods and do not replace them.

Using PsExec to run a program as a limited user the easy way

PsExec.exe is part of a kit of utilities called PsTools that can be downloaded from Microsoft at this link. Unzip the containing folder called PsTools to a convenient location. There will be a number of different tools in the folder but this tip uses only PsExec.exe.

Its basic function is to launch programs remotely but with certain switches it can also be used to create a shortcut to run a program with reduced privileges. It uses the same method as “Drop My Rights”. In this way, there can be two shortcuts to a program—one with reduced rights and one with normal or elevated rights—giving you an easy option. Here is how to create a shortcut that will run with restrictions:
1.Right-click a blank place on the desktop
2.From the context menu, select “New”
3.Click “Shortcut”
4.In the box labeled “Type the location of the item”, enter:
“{path1}\PsTools\psexec.exe” -l -d “{path2}\your-program.exe”
Fill in the actual paths on your computer for {path1} and {path2} and use the quotes if any names have spaces.
5.Click “Next”
6.Enter a name for the shortcut and click “Finish”

PsExec  uses the command line so a command window will briefly flash when you click a shortcut.

The most common use of this method is to run Internet Explorer with reduced rights in Windows XP. IE8 has a protected mode in Vista/7 but does not in Windows XP. Assuming you put the PsTools folder in the Programs folder, a shortcut for IE would use the following in step 4 above:

“c:\program files\PsTools\psexec.exe” -l -d “c:\program files\internet explorer\iexplore.exe”

This shortcut could be used to browse with IE using restricted rights while reserving the usual IE shortcut for safe sites where you might want to download and install something.  I also have used this method in Windows XP for Windows Media Player and Outlook Express.

If you do not want to use the entire PsTools collection, you can just copy the file psexec.exe to the Windows folder. Then you won’t have to write out the entire path when constructing a shortcut.

PsExec will also run in Windows Vista/7 but only as an administrator, which is confusing since you are actually running a program with reduced rights. It is psexec.exe that is running as an administrator. Because of User Account Control and other security, this tip is less useful in these newer systems.



About SCB Enterprises
System Solutions and Integration

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: