Helping people with computers... one answer at a time.

DropMyRights is a small program that lets you securely run programs with more restrictions than they might get based on your login account.

I am using windows XP. I want to use my computer with administrator privileges. For browsing or using reading e-mails, I'd like to act temporarily as a guest with limited privileges. My aim is to increase safety. Is there a way to do it easily?

Running as a "Limited User" in Windows XP is the ideal scenario, where everything you do is subject to administrative restrictions. Unfortunately, for many people it's simply not practical to do so. Many applications require administrative access either to install, or occasionally even to run. It doesn't always make sense, but it's also something we seem to have little control over.

The result is that we regularly login to our Windows XP machine as Administrator, or as another account that has Administrator privileges. We can do anything.

The problem is simple: if we can do anything, so can any malware we might accidentally execute.

One solution is the approach that UAC in Windows Vista took: you might login as Administrator, but you're not really administrator. When something happens that requires administrative access, you're requested to confirm it.

Windows XP doesn't have this option. When you're Administrator, you're administrator.

One approach is to login as administrator, but run programs though which exploits are common - say your web browser or email program - with more restrictive rights.

That's exactly what DropMyRights does.

After downloading and installing DropMyRights, you then only need to modify the shortcut that starts your browser. For example, here's a default shortcut for starting Internet Explorer:

A Common Shortcut to start Internet Explorer

Here's a shortcut, modified to use DropMyRights:

Shortcut to start Internet Explorer using DropMyRights

The only difference is that "DropMyRights " has been inserted before the name of the executable ("C:\Program Files\Internet Explorer\iexplore.exe"). Now instead of IE running with administrative privileges, it runs as a normal, or limited user.

Why is this valuable? Because limited users don't have the permissions required to install things where malware likes to install things. If you happen to mistakenly venture to a site that attempts to install malware .. it can't.

You might consider running any program that could be a vector for accidentally installing malware through DropMyRights; your browser and your email program are two obvious choices.

Caveats:

  • If you actually do want to install something, say an update to Flash Player or some other activex control or program, you won't be able to. You'll need to save that original shortcut that started the program with administrative rights, and run that just long enough to take the update you need.

  • The shortcut icon might change. Just click the Change Icon... button, locate the original executable (iexplore.exe in our example above), and select an icon from there.

  • This may not work for all programs. As I said at the beginning of this article, some programs, for reasons that don't always make sense, simply require administrative privileges.

DropMyRights is actually an old program, dating back to 2004, written by a Microsoft engineer, and free on Microsoft's MSDN site. It's a very simple program, and its source code is even displayed there for those so inclined.

It's not a utility that can fix everything, by any means, but DropMyRights is a useful tool to have in your arsenal against malware.

I recommend it.

Article C3673 - March 12, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

4 Comments
Rahul Mehta
March 13, 2009 6:56 AM

The opposite approach is to log-in as a restricted user and run "those" special programs by using right-click and "Run As" command where you can choose to be administrator for that application. It requires admin password to be keyed in. That improves overall security of the PC.

The advantage is that you raise the privileges only when required and that too making a conscious effort.

This has been my approach for overall safety for all my Windows installations. I also recommend this to my clients.

Elizabeth Boston
March 18, 2009 6:34 AM

This problem has been resolved in Windows Vista.

When a limited user wants to install a program or perform an operation that requires administrator access in Vista, a dialog box pops up allowing you to enter an administrator user name and password.

If the user knows (or has a parent come in and enter the password) the application will be allowed to run.


This is better than the old days when I would have to log into my administrator account, make the child's account an administrator, log back into the childs account and install the program, then log back into the administrator account again to make the child a limited user. (phew, I'm out of breath just typing that)


Thanks Elizabeth. Vista gets a bad rap on various issues, but this is one that they appear to have done well with.

For those reading, Elizabeth is The Computer Lady and also does Q&A and has her own newsletter too.
- Leo
19-Mar-2009

Dr. Faruk Ergul
March 31, 2009 1:25 AM

Using DropMyRights with satisfaction.
But, there is a problem with security.
Some programs open a web page automatically using default browser. In such a case, it seems that dropmyrights is not functional.
Could you clarify this point? thanks

Rony
March 13, 2011 5:30 PM

Hi! you can also use runasspc:
http://runakay.blogspot.com/2011/03/running-applications-as-administrator.html

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.