Surviving a Windows XP Limited User account

As I mentioned in my last post, it's a good idea to use a "Limited User" account under Windows XP (I haven't experienced Windows Wished'a -- erm, Vista -- so I can't speak for that OS, but chances are it's the same).

But it's so limiting!

You have to login as admin to install software, to install new hardware devices, to setup new internet connections (mostly referring to VPNs, here) -- even to install those bulky Windows Updates!

How do I deal with it?

With much exasperation, to be assured, but windows comes with tools to "make it easier". The main tool I use is "runas". This is a command line tool that takes a variety of options, and lets you run a program as a different user (including admin users). The catches: 1) you almost exclusively have to use it on executable files, and 2) you have to know the other user's password. Which isn't a problem if both user and admin accounts are yours. Also useful, right-clicking an executable file (and a few other file types) offers a "Run as..." option, which is similar but a bit more limited than the runas command line tool.

I use the runas command combined with shortcuts in my quicklaunch menus to launch Windows Explorer, Regedit, and Control Panel under my admin account. This allows me fairly convenient access to these things, though I still have to type my password, which delays access. But it's better than nothing.

To set these shortcuts up, you will need the "Secondary Logon" service to be running (the runas commands rely on this service). The Quicklaunch directory can usually be found at C:\Documents and Settings\{user}\Application Data\Microsoft\Internet Explorer\Quick Launch , where {user} is the name of whichever account you will be using. Alternatively, you can right-click on an empty spot on your quicklaunch toolbar (best is between the last icon and the drop-down arrow that shows the rest of the shortcuts) and click the "Open Folder" option, upon which Explorer will present you with the mentioned directory.

Now, on to exactly which shortcuts I use. In all of the following, {admin} will refer to the name of the admin account you will be logging in under (not your normal user account). When you see (or don't see) the "/env" and "/noprofile" switches for the runas program, they are optional for the most part:

Windows Explorer: Create a new shortcut in your quicklaunch folder and point it to C:\WINDOWS\system32\runas.exe /env /user:{admin} "explorer.exe /e,\"%USERPROFILE%\Desktop\"" This will open a new Explorer window open to the current user's Desktop folder. You can also replace %USERPROFILE%\Desktop with another folder, or, to have My Computer selected, with ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}. The escaped quotes (\") are necessary. For your reference, I've listed some other system folders that you may find convenient to have shortcuts (runas-admin or otherwise) to.

Control Panel: Create a shortcut to C:\WINDOWS\system32\runas.exe /env /user:Root "explorer.exe /e,\"::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\"" Again, you have to omit the /noprofile switch for it to work.

Registry Editor: Create a shortcut to C:\WINDOWS\system32\runas.exe /env /noprofile /user:Root regedit (If you don't understand the following paragraph, you may not even need this shortcut) The problem with using regedit through this method is that HKEY_CURRENT_USER is the admin user. You can still edit other users' accounts by finding their tree under the HKEY_USERS key. If I'm not mistaken (and on this point I very well could be), the trees (under HKEY_USERS) referring to actual users have long strings of numbers separated by dashes, the last number group being 100x (where x is a decimal [possibly hex] number).

Services, Device Manager, Event Viewer, and the like This part gets a little trickier. To pull up the system services, for example, under an admin account, I would normally use Start > Run..., then type "services.msc" and click OK. This works under limited accounts, but you can't start/stop/edit services. And, for some reason, you can't use runas with services.msc; it just won't work. There are two workarounds: 1) find the .msc or whatever file that refers to the administrative tool you want to use under the C:\Windows or C:\Windows\System32 folders, right-click, choose "Run as...", and enter your credentials, or 2) Use the Start > Run... option to run

runas /user:{admin} mmc

then, in the resulting window, File > Add/Remove Snap-in... > Add... and select/add whichever tools you want to work with. Not pretty, not easy, but it's there if you need it.

So, there you go. A few tools (derived from one tool) that I use to tweak my system as a Limited User. Hope you found it helpful, and feel free to ask questions or make suggestions (or boast of whatever tools you use) in the comments!

Also, as promised, some additional system folders:

• My Computer: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
• Recycle Bin: ::{645FF040-5081-101B-9F08-00AA002F954E}
• Desktop: ::{00021400-0000-0000-C000-000000000046}
• Printers: ::{2227A280-3AEA-1069-A2DE-08002B30309D}
• Dial-up networking: ::{A4D92740-67CD-11CF-96F2-00AA00A11DD9}
• Fonts: ::{BD84B380-8CA2-1069-AB1D-08000948F534}
• Internet Explorer: ::{871C5380-42A0-1069-A2EA-08002B30309D}
• Microsoft Outlook: ::{00020D75-0000-0000-C000-000000000046}
• Network Neighborhood: ::{208D2C60-3AEA-1069-A2D7-08002B30309D}
• Inbox: ::{00020D76-0000-0000-C000-000000000046}
• Subscriptions: ::{F5175861-2688-11d0-9C5E-00AA00A45957}
• URL History Folder: ::{FF393560-C2A7-11CF-BFF4-444553540000}
• Briefcase: ::{85BBD920-42A0-1069-A2E4-08002B30309D}
• Internet Cache Folder: ::{7BD29E00-76C1-11CF-9DD0-00A0C9034933}
• ActiveX Cache Folder: ::{88C6C381-2E85-11D0-94DE-444553540000}
• Control Panel: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

These were taken from the documentation file for KKMenu 2.8, whose author says:
"Please note, that I have taken the list above from the Aqua-Soft discussions (thanks to hydrostereo and fireball) and I have never tested if all of the items do really work. Please e-mail me in case of any inconveniences to: <email removed>."