You may have thought or heard about certain limitations of working as a limited user, such as being unable to use certain programs that require administrative privileges or even to change the system time. Maybe you're just not sure that you want to be limited in what you can do on your computer.

These are valid concerns: some programs do require administrative privileges (although I believe this is becoming less common of an issue), and you may want to change the system time without having to switch to your administrative account to do so.

Thankfully there is a way to work within a Limited User Account without losing administrative privileges when you need them the most. It's called SuRun, an open-source project from a German developer named Kay Bruns.

To explain what SuRun is and what it does, I will quote from the English ReadMe.txt that is included in the surun.zip file.

 

SuRun eases working with Windows 2000 or Windows XP with limited user rights.

The idea is simple and was taken from SuDown (http://SuDown.sourceforge.net). The user usually works with the PC as standard user. If a program needs administrative rights, the user starts "SuRun ". SuRun then asks the user in a secure desktop if should really be run with administrative rights. If the user acknowledges, SuRun will start AS THE CURRENT USER but WITH ADMINISTRATIVE RIGHTS. SuRun uses the trick from SuDown:

  • Put the user in the local Administrators user group
  • Start
  • Remove the user from the local Administrators user group

SuRun also installs a hook that appends "Run as admin..." and "Restart as admin..." to the system menu of every application that does not run as administrator. That makes it possible to accomplish tasks that you otherwise could not, e.g. setting the Windows clock by double-clicking it in the task bar notification area would normally display an "Access denied" message and exit. With SuRun you are able to click "Restart as admin..." and to set the clock.

SuRun integrates with the Windows shell and adds "Start as admin..." to the Shell context menu of bat, cmd, cpl, exe, lnk and msi files.

   ------------------------------------------------------------------------------

Why not use the built in "Run As..." Windows command?

   ------------------------------------------------------------------------------

*Windows loads the registry and environment for the user that you run as. If software is about to be installed, the installation program will see the admin's HKEY_CURRENT_USER and may create registry entries there. Also the software sees "C:\Documents and Settings\Administrator" as the user's profile path.

SuRun uses the current user account, so all registry entries and file system paths are the same as the user would expect.

*Windows asks for the user name and password directly on the user's desktop. Any spy (or even the friendly AutoHotkey) could get an administrator password.

   ------------------------------------------------------------------------------

Why not use SuDown?

   ------------------------------------------------------------------------------

*SuDown can very easily be used to spy your account password. SuDown's password dialog runs in the user's desktop and the password can be caught by any application that uses Windows hooks, even by AutoHotkey.

*SuDown puts every SuDoer, after he logged on, into the Administrators group. Spying the password and using it in a call to CreateProcessWithLogonW would make the spy run as administrator.

*SuDown starts any process as administrator without asking for permission for a couple of minutes after the user entered the correct password.

*SuDown does not work in a plain Windows 2000 because the Windows function "LogonUser" in Windows 2000 requires a privilege that only system processes have.

   ------------------------------------------------------------------------------

Why use SuRun?

   ------------------------------------------------------------------------------

*SuRun uses a secure desktop for sensitive user interaction: SuRun uses a service to create a secure desktop in the window station of the user's logon session. On that desktop it will ask the user for permission or the password. The desktop is not accessible by user applications. Keyboard and mouse hooks will also not work on that desktop.

*SuRun does not leave the user in the administrators group. After creating the administrative process, SuRun removes the user from the administrators group immediately. So even spying out the password would not increase the chance that the system could be infected by malware.
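
A defender-side check on the add/start/remove sequence described in the ReadMe above, as an added example that is not part of the ReadMe or of SuRun: it scans account-management audit records for Administrators memberships that outlast a short window or are never revoked. The pipe-separated record format, the sample records and the 5-second threshold are constructed assumptions; the event IDs are the ones Windows logs for "local group member added/removed" (636/637 on Windows 2000/XP, 4732/4733 on later versions), assuming account-management auditing is enabled.

```python
from datetime import datetime, timedelta

# Member added to / removed from a security-enabled local group:
# 636/637 on Windows 2000/XP, 4732/4733 on Vista and later.
ADDED, REMOVED = {636, 4732}, {637, 4733}

# Constructed sample records (assumed export format):
# "timestamp|event id|group|member"
SAMPLE_LOG = """\
2008-03-01T10:00:00|636|Administrators|PC1\\alice
2008-03-01T10:00:01|637|Administrators|PC1\\alice
2008-03-01T10:05:00|636|Users|PC1\\carol
2008-03-01T11:30:00|636|Administrators|PC1\\bob
2008-03-01T11:42:10|637|Administrators|PC1\\bob
2008-03-01T12:15:00|636|Administrators|PC1\\dave
"""

def audit_admin_windows(log_text, max_window=timedelta(seconds=5)):
    """Return (member, added_at, held_for) for every Administrators
    membership that lasted longer than max_window; held_for is None
    when no removal was logged at all."""
    open_adds, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, group, member = line.split("|", 3)
        if group.lower() != "administrators":
            continue
        when, event_id = datetime.fromisoformat(stamp), int(event_id)
        key = member.lower()  # Windows account names are case-insensitive
        if event_id in ADDED:
            open_adds.setdefault(key, (member, when))  # keep the earliest add
        elif event_id in REMOVED and key in open_adds:
            name, added_at = open_adds.pop(key)
            if when - added_at > max_window:
                findings.append((name, added_at, when - added_at))
    # Adds with no matching removal: the account is still an administrator.
    findings += [(name, at, None) for name, at in open_adds.values()]
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for member, added_at, held_for in audit_admin_windows(SAMPLE_LOG):
        state = f"held for {held_for}" if held_for is not None else "never removed"
        print(f"{added_at.isoformat()} {member}: {state}")
```

A one-second add/remove pair like the first two sample records matches the immediate removal the ReadMe describes and is not reported; a membership held for minutes or never revoked is.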

 

Installation is straightforward, as are the configuration options. You can also define applications which you always want to start with admin rights so SuRun won't ask you in the future.

After configuring SuRun, log off of your Administrator Account (a reboot should not be necessary) and log onto your limited account. Right-click any application you want to run with admin rights and choose "Run as admin" in the context menu. A window will open that asks you to enter the password of your admin account in order to become a member of the user group SuRunners. Another window will then open where you have to enter the password of your limited user account.

Both inputs have to be done just once as the passwords are stored in an encrypted form in the Registry. From now on, whenever you want to start an application with admin rights, just right-click it and choose "Run as admin". A window (the secure desktop) will open where you have to confirm your decision with just one mouse click.

You can also right-click anywhere on your desktop and choose "Control panel as administrator" for making system-wide changes.

 

You can download SuRun from the author's website at http://kay-bruns.de/wp/software/surun/. The site is in German but offers translation. Or here is the page translated by Google.

 

Thank you to tlu, a frequent poster at the Wilders Security Forums, for bringing this software to the attention of persons running as a limited user.