Restrict application privileges for greater security

By Scott Dunn

In recent columns, including in the Aug. 9 issue, I’ve told you how to limit user and application permissions in XP for greater security.

Our readers have responded with their own questions and suggestions on running programs with greater or fewer privileges.

Use PsExec with nonstandard Office shortcuts

In my Aug. 9 article, I explained how to use the free PsExec utility to run applications in a low-privilege state even when you’re logged in as an administrator. But reader Tim McGowan ran into a problem when he tried to customize his shortcuts to Microsoft Office:
  • “In Windows XP Home SP2, I was trying to modify the shortcuts for Word 2000 and Excel Viewer 2003. These two shortcuts don’t have a path that can be copied. It’s grayed out, and it lists only the application name: Microsoft Word 2000 SR-1 and Microsoft Office Excel Viewer 2003, respectively.”

    “I tried using PsExec to launch the *.lnk file that starts these programs, but the utility is designed to run executables, not shortcuts. Can you write a follow-up piece, showing us how to obtain paths for these shortcuts?”
No problem, Tim. Although Microsoft Office uses nonstandard shortcuts to launch programs from the Start menu, you can create the more conventional kind if you know the right .exe file.

First, find the folder where you installed Office. A common place to look is:

C:\Programs\Microsoft Office\Office

If necessary, you can search for winword.exe, the executable for pretty much any version of Word for Windows.

Once you’ve found the right .exe file, use the right-mouse button to drag it to your desktop or your desired Start Menu location. When you release the mouse button, choose Create Shortcuts Here. You can right-click this new shortcut and choose Properties to edit its command line (for use with PsExec), modify the icon, and so on.
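
The same steps can be scripted. The PowerShell below is an added example, not part of the original column: it finds winword.exe, builds a conventional desktop shortcut that starts it through PsExec, and reads the shortcut back. The PsExec location, the shortcut name, and the use of PsExec's -l (limited user) and -d (don't wait) switches are assumptions made for the example.

```powershell
# Added example: build a conventional shortcut that starts Word through PsExec
# with limited rights. Paths below are assumptions; adjust them for your system.
$officeRoot = 'C:\Programs\Microsoft Office'   # install folder named in the article
$psexec     = 'C:\Tools\PsExec.exe'            # assumed location of PsExec
$exeName    = 'winword.exe'

if (-not (Test-Path -LiteralPath $psexec)) {
    throw "PsExec not found at $psexec"
}

# Step 1: locate the real executable instead of relying on the Office shortcut.
$exe = Get-ChildItem -Path $officeRoot -Filter $exeName -Recurse -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $exe) {
    throw "$exeName not found under $officeRoot"
}

# Step 2: create a normal .lnk on the desktop whose target is PsExec.
$desktop  = [Environment]::GetFolderPath('Desktop')
$lnkPath  = Join-Path $desktop 'Word (limited).lnk'   # hypothetical shortcut name
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)

$shortcut.TargetPath       = $psexec
# -l runs the process as a limited user; -d returns without waiting for Word to exit.
$shortcut.Arguments        = '-l -d "{0}"' -f $exe.FullName
$shortcut.WorkingDirectory = $exe.DirectoryName
$shortcut.IconLocation     = '{0},0' -f $exe.FullName  # keep Word's own icon
$shortcut.WindowStyle      = 7                          # start PsExec's console minimized
$shortcut.Save()

# Step 3: read the shortcut back to confirm the command line that will run.
$check = $shell.CreateShortcut($lnkPath)
'{0} {1}' -f $check.TargetPath, $check.Arguments
```

The last line prints the full command the shortcut will run, so you can confirm that the quoted path points at the executable you expect before using it.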

Advanced tools solve permissions issues

The Aug. 2 issue explained how to run XP as a standard user as a security precaution to limit the access that most programs have to your system. If you encounter problems running applications in such an account, you may find reader Alan Kobb’s advice useful:
  • “Since most of the users in my company run as non-admin, occasionally you come across a mission-critical legacy program that only works as an administrator. I have two tools that I use to fix that.

    “First is a program from Aaron Margosis called LUA BugLight. Aaron works with Microsoft Consulting Services and wrote this program to help you determine why a program won’t run as a non-administrator. Most of the time, a simple tweak of file or registry key permissions is all that it takes to run a program as a non-administrator. This program, along with hints on his blog, tells you how.

    “Another useful program is called CPAU from a Web site called Joeware.net. The developer, Joe, is a Microsoft MVP who has written a ton of useful utilities (Joeware) such as this one.

    “On the surface, CPAU is simply a clone of the Run As command. But behind that is a lot of functionality. For example, for the occasional program that cannot run under a non-administrator account, you can use CPAU to embed an encrypted user ID and password in a file along with a command to start up the program. Running CPAU and specifying that file will start the program as an administrator, without the user having to know an administrative password.”
Thanks, Alan! Both of these programs are for the serious system administrator. As such, neither is particularly user friendly, especially CPAU, which is entirely command-line based (i.e., no graphical user interface). But if you’re having problems running a program in your low-privileged account, these tools may prove useful.

More information on CPAU is found in today’s column by Mark Edwards in the paid section of the newsletter.

Details on encrypting files on flash drives

In the Aug. 2 issue, I told readers they could use the freeware tool TrueCrypt to encrypt data on a flash drive. However, reader John Aspinall points out some important details:
  • “The recommended TrueCrypt used in ‘traveler mode’ still requires administrator privileges, unless TrueCrypt is installed on the PC on which the flash drive is being used.

    “However, a utility by Yap Chun Wei named TCExplorer overcomes this issue. TCExplorer is portable software to import, export, delete, and rename files in TrueCrypt containers and works very well if used in conjunction with a shredder such as Cybershredder or UltraShredder (I prefer the former).

    “The process is very simple; you explore the TrueCrypt volume on the flash drive and drag the required file to free space on the flash drive, where it can be worked on as required. On completion, you drag the file back to the TCExplorer window, encrypting it when the volume is closed. Then shred the copy of the file on the unencrypted portion of the flash drive using your preferred shredder utility. All the software is free.”
Thanks for the information! As John implies, removing encryption from a sensitive file and working on it using a public or other non-secure computer involves risks. John’s solution is to use freeware to “shred” (delete in an unrecoverable way) the work copy after it has been saved and copied back to the encrypted container.

Both Cybershredder and UltraShredder can be run from a flash drive. You can find TCExplorer at the CodeProject site.

Readers McGowan, Kobb, and Aspinall will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

All Windows Secrets articles posted on 2007-08-16: