Windows

Implementing User Account Control-type protection in Windows XP

If you like the idea of the User Account Control (UAC) system but you're not ready to upgrade to Windows Vista, you can use UAC's predecessor in Windows XP: the RunAs command. Here's how to use Windows XP's version of UAC.

In order to protect Windows Vista from malware and inadvertent disastrous mistakes, Microsoft endowed the operating system with the User Account Control (UAC) system. This system requires all users to use the standard user mode, and then prompts for administrative credentials before performing an operation.

If you like the idea of the UAC system, but you're not ready to upgrade to Windows Vista, you can use UAC's predecessor in Windows XP: the RunAs command. Here's how to use Windows XP's version of UAC:

1. Log in as the Administrator.

2. Launch User Accounts, locate your user account, and change your account type from Computer Administrator to a Limited account.

3. Log out of the Administrator account and log back in with your new Limited account.

4. Whenever you encounter a situation in which you need administrative credentials, press [Shift] as you right-click the application's executable file or its icon and select the RunAs command.

5. When you see the RunAs dialog box, choose The Following User option button to select the Administrator account, and then type in the password.

6. Click OK.

Now you can perform any operation that requires administrative credentials.

Note: This tip is for both Windows XP Home and Professional.

Miss a tip?

Check out the Windows XP archive, and get more hands-on Windows XP tips.

Stay on top of the latest XP tips and tricks with our free Windows XP newsletter, delivered each Thursday. Automatically sign up today!

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

18 comments
cokesrini
cokesrini

hi grey useful shortcut for desktop - can us explain little more.

snideley59
snideley59

Geeze kind of like the Unix/Linux su command (switch user) What a novel concept

WoW > Work
WoW > Work

I've run into problems using RunAs > Admin with things that are user specific, like Outlook setup, or Active Sync. Outlook becomes setup under Admin, not the current logged in account. Other than that, I'm always using this...especially running IE with Admin Privileges, then going to My Computer, using IE like Windows Explorer. EDIT: Spelling correctly rocks.

gerald.sharp
gerald.sharp

Once I have modified the account to use Admin for a specific operation that needs it, how can I set my permissions back to limited without having to reboot my computer?

Salvatus
Salvatus

To access the control panel with admin rights (assuming a GPO hasn't stripped away everything already), you can also from the start menu (This does not work from the Pinned Items in XP, only the actual program shortcut under "Programs") right click on the Internet Explorer Icon and "Run As". This will then launch the browser with elevated rights. Simply browse to Control Panel. When you close the window, all the rights are gone. It's great for Add/Remove Program Changes and such.

richard.n.carpenter
richard.n.carpenter

I've used this technique successfully since learning about it a few years ago. Now, I browse the Internet knowing I'm just a bit safer logged in with limited privileges. But, when privileges are required by an autoinstaller running under a restricted user account, I get blown-off with the usual note:your account lacks sufficent...blah, blah, Question: is it too late to override with a jump to the UAC to promote the process privilege??

dougby86
dougby86

how to make win xp boot faster

okn916
okn916

I've always used the 'Run As' option but was just wandering how similar this makes the account to an administrative a/c. What I mean is, would you recommend installing programs like this - can you really do everything that you would normaly need an administrative account for? And I think this is a common problem with XP, many programs won't function if you are not logged in as an admin> and so just in order to launch the program you have to use the run as option. What seems a better way of installing programs (purely from the point of view of their running reliability) is to switch to your admin a/c change your user a/c to an admin, log out, log in as user xxx install your program, switch to your admin a/c and change the a/c back to a limited user, log out, and finally log back in as your user xxx. A bit long winded (to say the least) but programs do seem to function more reliably. So back to my original question do you think its ok to install programs with the run as saving all this too ing and frow ing? And not (yet) being familiar with Vista does the UAC solve all these issues? Do you have to enter your admin password every time or just once per log in session (cos thats a drag to).

GreyTech
GreyTech

The problem with the "Shift-right click" on an application is does not work on some commands. The shortcut just does the same as using the "Run" "Runas /user:administrator "application name" It will ask you for your administrator password then leave you a cmd window open as an administrator. Anything you run from this window will be as an administrator.

GreyTech
GreyTech

I have a shortcut on the desktop with the "Target" set to: %windir%\system32\runas.exe /user:administrator "cmd.exe /k " and "Start in" set to %windir% set this up while logged in as an administrator and put in the "Documents and Settings\All Users\Desktop" folder. This is useful for running commands like services.msc or lusrmgr.msc you can also run diskmgmt.msc and dfrg.msc from the window. I used to run explorer.exe and control.exe which gave me admin rights in that instance of the apps but it doesn't seem to work now and I haven't found out why. Anyone got any ideas?

nacht
nacht

This very-useful workaround no longer works with IE7, sadly.

bswift77
bswift77

I also log in as administrator as opposed to using the run as option. I also find it that applications run better when your logged in as an admin. To answer the question of does Vista require a password everytime you do an "administrative action" the answer is YES and it is very annoying. I think there's a post about how to disable that feature in Vista. I'llread it and post my findings.

gtech.innovator
gtech.innovator

Well whenever u log in ur computer ...u session always active until when u logged off.....well u can create an user account and add in administrator group..and give the full right permission.........

Bomber1JZ
Bomber1JZ

Whenevr we re-image a machine, we create an local admin account on it. Then whenever a user needs an app installed, we can just right click, run as and then enter the password for the local admin account as this one is the default. The user doesn't have to be logged out / back in and the application installs fine...

cokesrini
cokesrini

Thanks GreyTech its working.

Chemical X
Chemical X

TechNet Magazine September 2007, Johansson: The most secure configuration is to log-out as standard user, log-in as administrator and install or execute the desired program, and log-in again as the standard user. Fast-user switching helps here. The use of an over-the-shoulder elevation by a standard user carries some risk in Vista and more in XP, but is much more secure than constantly running as administrator in either OS.

okn916
okn916

Is there any difference between the local (machine) admin a/c and user with admin a/c? Done a whole lot of unnecessary Logging then!

3xp3rt
3xp3rt

Is no difference between the local admin and user who belong to local administrators group. We can say it?s the same. But it may be a different: the Administrator is a built in account, and the user with administrator rights, is a defined account.

Editor's Picks