How to simulate User Account Control in XP

Scott dunn By Scott Dunn

Vista users love to complain about the intrusiveness of User Account Control, but it does provide a degree of security.

If you’re using Windows XP, I’ll show you what steps you can take to give yourself a similar level of safety.

Protect your system from attacks

One of the most common complaints about Windows Vista is its frequent requests for confirmation. Vista User Account Control (UAC) feature pops up when you launch certain kinds of programs, attempt to customize the Start menu, configure parental controls, install applications or drivers, and so on.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

But annoying or not, this feature provides important safeguards against intrusions by viruses and malicious users. UAC is also an important component of Internet Explorer 7 in Vista. It allows IE 7 to run in “protected mode,” in which the browser lacks the rights to install start-up programs or directly reconfigure Windows.

If you use Windows XP, you can’t add all the protections afforded by UAC, but you can take steps to limit the damage malware can do.

Don’t run as administrator all the time

Most people using Windows XP routinely log in administrator privileges. At first glance, this makes sense — why wouldn’t you want to have all the rights necessary to control your own system?

The answer is that doing so also gives unlimited access to every program you run. The single best way to simulate user account control in Windows XP is to run as an ordinary user. Don’t worry; I’ll show you how to get around the limitations when you really need to.

Step 1. Start anew. Since your existing administrator account might come in handy, don’t demote it. Instead, create a new, restricted account: In XP, click Start, Run. Type lusrmgr.msc and press Enter. With Users selected in the left pane, choose Action, New User. Fill out the dialog box with the new user name and other desired options. Click Create.

To make sure your new profile is a restricted account, double-click its name in the list of users. Click the Member Of tab. If “Administrators” or “Power Users” appears in the Member Of list, select them and click Remove. To keep the new profile as safe as possible, you want it to be a member of Users only. Click OK. Close Local Users and Groups by choosing File, Exit.

To test your new profile, click Start, Log Off {Your Name} or (if you don’t see that command) click Start, Shut Down, and choose Log Off {Your Name} from the drop-down list and click OK. Now log in using the new account name and password.

Step 2. Transfer your settings. At this point, you may be thinking of all the custom settings you’ll need to re-create in this new account. Fortunately, Windows gives you a quick way to transfer these to your new profile.

First, make sure you’ve logged into the new profile at least once (as explained in the previous paragraph). You’ll also need to reboot the computer at least once before proceeding. Also, be aware that any changes you made or files you added to the new profile will be obliterated in this process, so it’s best to do this to a brand new profile that has no vital information.

At this point, log into a profile that is neither the one you are copying from or copying to (preferably, another administrator account you’ve created). In Explorer, right-click on My Computer and choose Properties. Click the Advanced tab and, under User Profiles, click Settings. Select the profile whose settings you want to copy to the new, restricted profile and click Copy To. In the Copy To dialog box, click Browse and navigate to the folder corresponding to the new profile you created (it should be in the Documents and Settings folder). Select it and click OK. Now click OK and wait while the transfer takes place. Then close the remaining dialogs.

Step 3. Get around limitations. As you use your new profile, you’ll discover some of its restrictions. For example, you won’t be able to install applications and drivers; create or change users and groups; stop or start services (for example, using services.msc) that are not started by default; and more. For some such tasks, you’ll simply have to log out and log back into your administrator profile.

But, in some cases, you can simply make an application itself run as an administrator for the current session. For example, to run an application with your old privileges without logging out, simply right-click its shortcut or its .exe file and choose Run As. Select the option The following user and, if necessary, edit the user name to the profile you want (using the form computeruser). Type the password and click OK.

Some programs (such as Microsoft Installer files with an .msi extension) don’t display the Run As command on their context menus. In that case, you can use Run As on the command prompt (Start, All Programs, Accessories, Command Prompt) to launch the installer with administrator privileges. Any application you launch from that command prompt will have administrator privileges as well.

If you find that you frequently need a command prompt with administrative rights, you can create a batch file that launches one. Open Notepad and type:

runas /user:computeruser cmd.exe

Press Enter to end the line. Replace computeruser with the name of your computer and the name of your administrator account, respectively. Then save the file, giving it a .cmd extension (not .txt). Anytime you need this “power prompt,” just double-click the file, type your password, and press Enter.

Remember, using Run As to give applications administrator privileges gives that application the same access to your computer as if you launched it in your administrator profile. So avoid running applications with elevated rights unless you really need to do so.

Use NTFS for added PC security

Here’s another important security measure: If your hard disk is not already using the NTFS format, consider converting it. NTFS provides more security than the older FAT32 file system, as well as allowing encryption and compression. For example, NTFS is required for administrators to control the permission levels of the various users of a computer.

You can convert an existing volume to NTFS by opening a command prompt and typing:

convert x: /fs:ntfs

where x is the letter of the drive you want to convert. Be aware that once you’ve made the change, you can’t convert back to the old file system without reformatting the drive, effectively wiping out all its data. If you’re unsure, make a complete backup of the partition first. And consider opening Windows Help and searching for the topic “Choosing between NTFS, FAT, and FAT32.”

These measures don’t provide all the protections of Vista’s UAC. For example, the UAC protections provided to Internet Explorer 7 are only available in Vista. But the above steps can limit the damage an attack can do to your system.

Now it’s your turn: What are your favorite tips for securing your computer? We’ll publish the best ones in an upcoming issue. Use our Windows Secrets contact page. We’ll send a gift certificate for a book, CD, or DVD of your choice if you send a tip we print.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.
= Paid content

All Windows Secrets articles posted on 2007-08-02: