Not running as Admin....

by Michael S. Kaplan, published on 2005/03/02 11:05 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/03/02/383595.aspx


Each day, for security reasons, more and more people are making sure that we are not running as an administrator on their computers. And even though for most purposes this process has little pain, it is those small pain points that make people hesitant to make the jump. Luckily, there are places like Aaron Margosis' WebLog (The Non-Admin blog - running with least privilege on the desktop). There are a lot of interesting posts about how to work in the world where one voluntarily chooses to not be all-powerful....

Aaron has two specific posts that caught my eye:

Remembering Calculator and Character Map Settings

Here’s an odd little one you might not have noticed.  The Windows Calculator applet remembers whether it was last displayed in “Standard” or “Scientific” view, and whether digit grouping was selected, and restores those settings the next time you use it.  Because this applet dates back to the very early days of Windows, it saves these settings in the win.ini file in the Windows folder.  There are two problems with this:  1) the settings apply to all users of the computer, and 2) you need to be an administrator to write your settings into this file.  Likewise, the Character Map applet remembers the last font and codepage selected, and whether “Advanced view” was checked – but only if the user is an admin.

Changing the system date, time and/or time zone

By default, only Administrators and Power Users can use the “Date and Time” applet to change the computer’s date, time, or time zone.  A regular User double-clicking on the clock in the notification area of the taskbar gets only an error message that says, “You do not have the proper privilege level to change the System Time.”  This is probably the #1 annoyance for people who have tried running as non-admin.

These articles both deal with particular pain points that have hurt me in the past, so seeing the ways to work around the issues is great.

Rock on, Aaron! You are definitely on the list of the blogs I read....


# Serge Wautier on 2 Mar 2005 8:25 AM:

Calc:

Amazing this wasn't fixed since Calc was improved in the recent versions, as explained by Raymond Chen:

http://weblogs.asp.net/oldnewthing/archive/2004/05/25/141253.aspx

System Time:

Larry Osterman explained that this applet was intended to MODIFY time SETTINGS but experience shows that people want to open it simply because it contains a calendar !

http://weblogs.asp.net/larryosterman/archive/2004/09/22/232938.aspx

# Michael Kaplan on 2 Mar 2005 8:30 AM:

Well, they did have other fish to fry with Calc.EXE, but it I admit it might have been nice to fix up the admin stuff while they were in there. :-)

That thing with the datetime usage is totally true. Given how the calendar works in there it is actually a little embarrassing, all things being equal....

# Brian on 2 Mar 2005 8:39 AM:

The only thing I ever use the time applet for is looking at the calendar. Is there another place to find a calendar in Win XP?

# Michael Kaplan on 2 Mar 2005 8:41 AM:

Not built in, no. Which is kind of the problem....

But this works around the non-admin blocker for that usage nicely. :-)

# Peter Ibbotson on 2 Mar 2005 9:35 AM:

More irritating still there was a nice calendar application in Win3.11 which got dropped and subsumed into the clock applet.
Like most folks I just use it as a calendar nothing else.
Does anyone do a good replacement that isn't full of adware?

# Michael Kaplan on 2 Mar 2005 10:05 AM:

Probably easier to write one than to find one, in the end. :-)

# J. Daniel Smith on 2 Mar 2005 10:16 AM:

I think running w/o Administrator rights would instantly solve a significant percentage of the various "security" problems.

It bothers me that such an option is hardly mentioned in all the talk about spyware, malware, virus detection, firewalls, etc.

Of course, Microsoft itself isn't helping any here; rather than investing in new spyware detection software, they should be working hard to ensure that using Administrator rights is rather infrequent: http://spaces.msn.com/members/jdanielsmith/Blog/cns!1pRjebUoVh0bNLSJvrecmAEg!164.entry


# Robert on 2 Mar 2005 10:57 AM:

Calendar? Do you not have outlook?

# Mike Dimmick on 2 Mar 2005 11:07 AM:

Daniel: there will apparently be a lot of changes in this area for Longhorn, but it's the kind of thing way too risky to backport to XP.

See Keith Brown's article "Security in Longhorn: Focus on Least Privilege" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp

# John Mo on 3 Mar 2005 5:33 AM:

I have Outlook and I know there's a great calendar in it, but I still go to the clock applet when I just want a quick glimpse of the present, previous or next month. It just seems quicker than ALT-Tabbing over to Outlook, grabbing the mouse, and hunting down the calendar in Outlook.

# Anon on 3 Mar 2005 9:00 AM:

"Does anyone do a good replacement that isn't full of adware?"

http://www.ipi.fi/~rainy/index.php?pn=projects&project=rainlendar

# J. Daniel Smith on 3 Mar 2005 12:51 PM:

Mike Dimmick: yea, I know...

This "Wait for Longhorn/Whidbey" dance is getting tiring through :-(; the article you reference is already almost a year old.

# Michael Kaplan on 3 Mar 2005 1:38 PM:

I agree it gets old -- but that is a lot of why people like Aaron post info on the workarounds until we get fixes here....

# J. Daniel Smith on 4 Mar 2005 7:05 AM:

Michael: your blog has lots of interesting information and doesn't mention Whidbey/Longhorn every other sentence.

Sure, I'm excited to see all this stuff coming, and I can't wait to use it. But after months and months of talk, "show me the money!"

I hope that back-porting of Avalon & Indigo to XP is the new way of doing things at Microsoft: delivering new stuff in smaller chunks as it is ready rather than a single large release as is being done for Whidbey. You can still have a periodic Visual Studio 2005 release that puts everything together.

# Jonathan Hardwick [MSFT] on 6 Mar 2005 9:49 PM:

In the meantime I've set up http://nonadmin.editme.com as a community site for information about running as a non-administrator. Full-on wiki-editing or drive-by comments are equally welcome :)

referenced by

2006/12/20 The message queue runneth over, and may not be in sync

go to newer or older post, or back to index or month or day