Running restricted -- What does the "protect my computer" option mean?

If you’ve been reading my “non-admin” posts, by now I assume you have seen the Windows XP “Run As” dialog. (If you haven’t, please read this post first: "RunAs" basic (and intermediate) topics.)

The initial settings when the “Run As” dialog opens are to run the program as the current user, with an option selected to “Protect my computer and data from unauthorized program activity”. It further states that “This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.” What does that mean? How do you decide whether to use it? As far as I know, there hasn’t been any accurate public documentation about the “protect my computer” option, let alone any guidance as to when it might or might not work for any particular application.

The net effects

The bottom line is that the app runs with a “restricted token” that basically has these net effects:

  • Group membership: If you were logged in as a member of Administrators, Power Users, or certain powerful domain groups, the app runs without the benefit of those group memberships.
  • Registry: The app has read-only access to the registry, including HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The app has no access to HKCU\Software\Policies.
  • File system (assuming NTFS): The app cannot access the user’s profile directory at all. That includes “My Documents”, “Temporary Internet Files”, “Cookies”, etc.
  • Privileges: The app has no system-wide privileges other than “Bypass traverse checking”.

These are very powerful restrictions, particularly those around the registry and profile folders. It’s probably a safe bet that most apps do not expect “access denied” errors when writing to HKCU or the user’s temp or MyDocs folders, and probably do not handle such errors gracefully. When I tried to use Outlook Express with “protect my computer”, it failed to start up at all. This isn’t entirely surprising – all its data is in the user’s profile folder hierarchy.
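The net effects listed above follow from how Windows evaluates a restricted token: deny-only groups can match only deny ACEs, and when the token carries restricting SIDs the access check runs a second time against those SIDs, with both passes required to succeed. The sketch below is an added illustration, not code from the original post; the user name alice, the simplified ACLs and the single RESTRICTED restricting SID are constructed assumptions.

```python
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

class Token:
    def __init__(self, enabled, deny_only=(), restricting=()):
        self.enabled = set(enabled)          # match allow and deny ACEs
        self.deny_only = set(deny_only)      # match deny ACEs only
        self.restricting = set(restricting)  # non-empty: second pass required

def _one_pass(dacl, allow_sids, deny_sids, desired):
    """Walk ACEs in order; True once every desired bit has been allowed."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if ace_type == "deny" and sid in deny_sids and mask & remaining:
            return False
        if ace_type == "allow" and sid in allow_sids:
            remaining &= ~mask
        if not remaining:
            return True
    return False

def access_check(token, dacl, desired):
    # Pass 1: the user's own SIDs; deny-only SIDs count for deny ACEs only.
    if not _one_pass(dacl, token.enabled,
                     token.enabled | token.deny_only, desired):
        return False
    # Pass 2: a restricted token must also be granted access via a restricting SID.
    if token.restricting:
        return _one_pass(dacl, token.restricting, token.restricting, desired)
    return True

# Constructed tokens: an admin logon, and the same logon run restricted.
NORMAL = Token({"alice", "Users", "Administrators"})
RUN_RESTRICTED = Token({"alice", "Users"}, deny_only={"Administrators"},
                       restricting={"RESTRICTED"})

# Constructed, simplified ACLs as (type, SID, mask) tuples in ACE order.
OWNER_ACES = [("allow", "alice", FULL), ("allow", "Administrators", FULL),
              ("allow", "SYSTEM", FULL)]
HKCU = OWNER_ACES + [("allow", "RESTRICTED", READ)]
PROFILE_DIR = OWNER_ACES                  # no ACE for RESTRICTED at all
ADMIN_ONLY = [("allow", "Administrators", FULL)]
# A folder where RESTRICTED has been granted full control explicitly.
GRANTED_DIR = OWNER_ACES + [("allow", "RESTRICTED", FULL)]

def net_effects(token):
    return {
        "HKCU read": access_check(token, HKCU, READ),
        "HKCU write": access_check(token, HKCU, WRITE),
        "profile read": access_check(token, PROFILE_DIR, READ),
        "admin-only read": access_check(token, ADMIN_ONLY, READ),
        "granted dir write": access_check(token, GRANTED_DIR, WRITE),
    }

if __name__ == "__main__":
    for name, tok in (("normal", NORMAL), ("restricted", RUN_RESTRICTED)):
        print(name, net_effects(tok))
```
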

The only thing I ever really use with “protect my computer” is Internet Explorer when I want to really constrain a particular site and not allow it to write to my hard drive at all. (Note that this is only an additional element of defense in depth, not an entire defense.) IE works fairly well this way, but with some odd and annoying problems:

  • You can’t use SSL (https) at all.
  • If you right-click on a hyperlink and choose “Open in New Window”, nothing happens.
  • If you enter a URL in the address bar without “https://” in front of it (e.g., “www.msn.com”), you get an error message like “C:\Documents and Settings\aaronmar\Desktop is not accessible. Access is denied.”, before IE goes ahead and loads the site anyway.
  • On XP SP2 and on Server 2003, toolbars do not appear where you configured them, if they appear at all. E.g., PrivBar always needs to be re-enabled; “Links” appears (on my machine) in the upper left, to the left of the menu bar. (This wasn’t a problem with XP SP1.)

That’s about all the “guidance” I’ve got as far as what to expect if you use the “protect my computer” option. If anyone really cares, I could write a lot more about the geeky details around restricted tokens, deny-only SIDs, how access checks are performed against restricted tokens, which groups get marked deny-only with “protect my computer”, etc. But maybe Larry Osterman will save me the trouble and follow up on some of his recent security posts (e.g., What is this thing called, SID?)

Comments

  • Anonymous
    September 09, 2004
    Ok, I'll see if I can get some of them written for next week.

  • Anonymous
    September 11, 2004
    The comment has been removed

  • Anonymous
    September 13, 2004
    cacls can give restricted full control over a file object.


    cacls apppath /e /g restricted:f

    processed dir: C:\Documents and Settings\David Candy\Desktop\AppPath

    And the GUI permissions now list restricted as full control (or read only or whatever you tell it to do).

    Remember to use quotes if anything contains a space.

  • Anonymous
    September 15, 2004
    The comment has been removed

  • Anonymous
    September 15, 2004
    Sean, yes, it would seem useful, but since a lot (most?) apps just completely break when run with the "protect my computer" option, it would probably be pretty much unusable. E.g., let's say it's a Word doc. First, Word wouldn't be able to read a copy of the doc cached in your %Temp% folder, since it wouldn't have access. Likewise, Word wouldn't be able to save it (as-is or edited) to your "My Documents" folder. Word wouldn't have access to your user-specific normal.dot or other config info stored in the file system in your profile. And on and on.

    AFAIK, there is no ACL that prevents an app from creating a TCP/IP network connection.

  • Anonymous
    September 15, 2004
    BUT - that reminds me of something else I meant to mention. A "protect my computer" restricted token cannot authenticate on the network using your Windows identity. So while you can still connect to remote resources that allow anonymous connections, the restricted app cannot act "as you" on the network.

  • Anonymous
    September 19, 2004
    IMO, while an ambitious option, it's still not usable in its current form due to app compat issues.

  • Anonymous
    September 19, 2004
    The comment has been removed

  • Anonymous
    September 30, 2004
    The comment has been removed

  • Anonymous
    January 20, 2005
    A very interesting series of postings over at Aaron Margosis' WebLog showing the advantages of running as a limited user. A special interesting entry is the "Protect my computer" option, and the privileges toolbar....

  • Anonymous
    April 18, 2005
    Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

  • Anonymous
    June 10, 2005
    Get your friends and family, all those folks that come to you for computer help once their machines have...

  • Anonymous
    June 27, 2005
    Today I got a bug report that the app I'm working on doesn't work with work when launched with Run As......

  • Anonymous
    May 31, 2006
    I tried this with IE and Firefox and neither launched at all (XP Home).

  • Anonymous
    May 31, 2006
    James Gerber:  If IE didn't launch, my guess is that you have an IE add-in installed that failed with the restricted token and caused the process to exit.  No idea about Firefox.

  • Anonymous
    June 01, 2006
    Sadly, I thought I would ask all my coworkers if they knew how to do this.
    Guess the outcome.
    I wish I wish I could educate with a lasting effect. It seems people just don't care until they lose their Identity or are scammed out of money. Then they come around. Too late.
    Great Post !

    Take care,

  • Anonymous
    June 06, 2006
    Seems like the "Protect My Computer" option should be implemented as a virtual machine that isolates any changes the application makes and can discard them on exit. Microsoft already has the Virtual PC product/technology and the App Compatibility Toolkit so it might be able to integrate limited versions of these into Windows.  I got Virtual PC initially to test my software on a clean install of various Windows configurations and I also thought it would be good to try out other people's software and keep it isolated from my "real" installation.

  • Anonymous
    August 10, 2006
    When the IE icon on my computer is right clicked, I do not see a "Run as" option at all. Is there some other way to get to this option?

    Thanks,

    Russ

    It's not on the context menu if you click on the IE icon at the top of the Start menu, but it is if you right-click on an IE icon somewhere else, such as in the Quick Launch area, on the desktop, or in the All Programs part of the Start menu. HTH -- Aaron

  • Anonymous
    August 12, 2006
    Thanks, Aaron. Found it!

    And thanks for pointing this out to us. Such is becoming more important each day.

    Regards,

    Russ Tucker

  • Anonymous
    August 12, 2006
    Hi Aaron,
    Need to know how to restrict the user to use the system after 12.00 midnight? Or the system force the user to logout after 12 midnight

    Best regards/

  • Anonymous
    August 22, 2006
    Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the 'Protect my computer and data..." etc and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.  

    At the moment if I double-click any application it the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

    I can only guess, but my guess would be that some kind of registry modification was made that shouldn't have been made -- possibly by malware, possibly just by accident.  IIRC the Windows Setup disks will help you repair an existing Windows installation - you might try doing that.-- Aaron

  • Anonymous
    August 28, 2006
    Hi Aaron,
    is there a way to unset or set the option “Protect my computer ..." programmatically in the linkfile?
    I would like to do this with a MSI custom action DLL i already use to set the option in a link, which let it pop up the "Run as" dialog.
    Thanks a lot for the very good info on your blog.
    Regards, Nick

    Look for SDLF_RUNAS_USER on this page and this page.  Note that setting the flag will only cause the "Run As..." dialog to appear -- it still requires user interaction to make the target program run restricted. HTH -- Aaron

  • Anonymous
    October 10, 2006
    this guy   sent software to my computer--and he got every name and dialogue from yahoo that i had used in months--how can i prevent this from happening again

  • Anonymous
    October 13, 2006
    You might want to look at http://windowzones.com, which is currently in beta. It allows you to lock applications down into a "safe zone" which is like a sandbox, but with much better app compat than restricted tokens (doesn't have all of the problems noted for IE, for example).

  • Anonymous
    December 07, 2006
    In Windows 2000, I am attempting to disable the function performed by "protect my computer and data" in Windows XP. Is this possible?

    I don't quite understand -- are you trying to disable the UI (dialog) that exposes "protect my computer"? -- Aaron

  • Anonymous
    January 10, 2007
    The comment has been removed

  • Anonymous
    March 28, 2007
    I'm also getting this same problem on a user's XP SP2 machine: Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the 'Protect my computer and data..." etc and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.   At the moment if I double-click any application it the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

  • Anonymous
    March 30, 2007
    30 March 2007 I have a brand new Mac notebook.  What does msi mean?  Thank you!

    Katy:  It probably doesn't mean the same thing on a Mac as it does on a Windows computer.  On Windows it is a Microsoft Windows Installer package.  No idea what it is on a Mac. -- Aaron

  • Anonymous
    April 22, 2007
    Very interesting insight of security topics on Windows operating system by Aaron Margosis.

  • Anonymous
    July 23, 2007
    So far, several people have asked how to turn off the restricted user option. So far there has been no answer to that question. People have replied to the posts but have not provided the answer. So, how do you turn off the option? Yes, I know it is more risky...yes, I know that it has been added by microsoft to make my computing experience more pleasant. The thing is, I just want to be able to click on an icon and have the program run. Simple eh? So, how do you turn off the run restricted option?

    [Aaron Margosis] What you're seeing is most likely due to corrupted registry settings.  It's certainly not due to anything the Windows developers intentionally designed.  I don't know which specific registry settings might be involved, so I don't have an answer to the question.

  • Anonymous
    August 01, 2007
    HI KJK::Hyperion The link you have mentioned not work properly ...whats the prob with ... Thanks


Ahitub http://computersnext.com

  • Anonymous
    September 28, 2007
    So, how do you turn off the run restricted option?

  • Anonymous
    November 05, 2007
    pls.. help me out... m also getting this same problem on a user's XP SP2 machine

  • Anonymous
    November 15, 2007
    I am another simple user that wants to double click an icon and get the program start. The only way I can do this is to "run as" and uncheck the protection.  Can this protection remain unchecked? This is a VERY uncomfortable situation.

  • Anonymous
    January 16, 2008
    I think its MS trying to strong arm individuals into purchasing VISTA. Ugh. It seems to be progressive. Phase one OS in phase one out. How else will they continue their empire. Gone are the days you purchase it you own it. Security update!! Security updates!! Security updates MY ask me no questions....  

  • Anonymous
    April 11, 2008
    The comment has been removed

  • Anonymous
    June 27, 2008
    I have the same problem, but my situation happened after the 2nd time I rebooted just after doing my last Microsoft update - I believe it was a security update.

  • Anonymous
    August 28, 2008
    I've had the same problem for several months until I discovered today that I had 'Mark Any Content Safer' installed. It probably came with a video application. After complete removal I can again launch my apps without the 'Run As' dialog.

    [Aaron Margosis]  Very interesting.  What is "Mark Any Content Safer"?

  • Anonymous
    September 05, 2008
    If you are having the problem of everything running in restricted mode, it is most likely a registry issue. Download the registry fix here: http://www.geekstogo.com/forum/index.php?act=attach&type=post&id=5794 Reboot in safe mode and run the downloaded program. Reboot and problem should be solved. Only works with XP as far as I know. Not responsible for your computer bursting in to flames. -Matt

    [Aaron Margosis]  That link downloads a zip file that contains a .reg file that appears to be mostly the XP default settings for HKCR\.exe and HKCR\exefile.  It does have one extraneous setting (adding a property sheet handler for "PEAnalyser").  That would appear to be something added to the system by the person who exported this .reg file.

    Caveat:  this is based strictly on the observations I made, based on what was downloaded at the time that I clicked on the link.  I cannot provide any assurance that the hyperlink above will still point to the same zip file when you click on the link; nor can I provide any assurance that the zip file is not malformed in some way to exploit a vulnerability in various versions of unzipping programs.  (I extracted it using Explorer's built-in capabilities.)  I also won't make any assertions here about whether that extraneous "PEAnalyser" entry will or will not have any impact on any given system, nor whether restoring this set of defaults will be sufficient to fix the problems people have described above.

  • Anonymous
    September 06, 2008
    This is a DRM application favored by Samsung. It quietly hijacked some entries in the registry, apparently those which are used when an application is launched. I could only partially remove this thing the first time around, so some entries were not cleared. Ivan

  • Anonymous
    January 24, 2009
    hi there, i was wondering if it was better to run a suspicious (or in general) little app that only comes as a single .exe file with right-click and "run as...." then my own credentials but with this checkbox activated (protect my computer from malicious activity...) or if it would even be better to "run as..." and then using the guest user (i have guest user activated on windows xp sp3) for this task. can a malicious program mess my system when i run it as only in the guest credentials, or is the first option better with the checkbox? thanks for any hints. greets.

  • Anonymous
    June 25, 2009
    I also have the same problem when I click on any icons on my desktop the will not run unless I do a run as or uncheck the protect my files. Is there any way to remove that check mark and have it stay off.

  • Anonymous
    July 24, 2009
    Thanks for posting this.  Only noticed the checkbox 5 years later! Is there a well-known SID that this causes the software to run with?   Or must I check for this state with IsTokenRestricted to see if this has been checked when my program runs?

  • Anonymous
    August 13, 2009
    thanks the reg fix did the trick!

  • Anonymous
    March 04, 2010
    After running (successfully) McAfee's Stinger, all my applications are configured with the 'Protect my computer and data..' option checked.  The only way to start an application is to do Run As... and uncheck that option.  If I try to open normally the app, I find the 'Open With' window, which works OK for a document, but not for an application. The worst is that the default mode for the app is staying with the option checked, so I have to do that every time. My question: is there a way set the default so that this option stays unchecked? either for each app individually, or, even better for all apps? Thanks for the help.

    [Aaron Margosis]  Wow.  Are you sure that McAfee did that?  As you can see from earlier comments, others have had that same symptom, but since I've never seen it on a system I had control over, I've never diagnosed it.  The root cause should be fairly easy to identify with Process Monitor.  In the meantime, if you're sure McAfee caused it, contact them. Actually, if you want me to take a look (I'm curious again), run the following commands at a command prompt, and send the output to me via the email link on this page:

    REG QUERY HKCR\.exe /s
    REG QUERY HKCR\exefile /s

  • Anonymous
    March 05, 2010
    The comment has been removed

  • Anonymous
    March 05, 2010
    The comment has been removed

  • Anonymous
    March 31, 2010
    Hi I am also facing the following issue:

    +++++++++++++++++++
    "all my applications are configured with the 'Protect my computer and data..' option checked.  The only way to start an application is to do Run As... and uncheck that option.  If I try to open normally the app, I find the 'Open With' window, which works OK for a document, but not for an application."
    +++++++++++++++++++

    and I ran the query sent by Aaron with below results:

    C:\>reg query HKCR\exefile /s

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\exefile
        <NO NAME>   REG_SZ  Application
        EditFlags   REG_BINARY      38070000
        TileInfo    REG_SZ  prop:FileDescription;Company;FileVersion
        InfoTip     REG_SZ  prop:FileDescription;Company;FileVersion;Create;Size

    HKEY_CLASSES_ROOT\exefile\DefaultIcon
        <NO NAME>   REG_SZ  %1

    HKEY_CLASSES_ROOT\exefile\shell

    HKEY_CLASSES_ROOT\exefile\shell\open
        EditFlags   REG_BINARY      00000000

    HKEY_CLASSES_ROOT\exefile\shell\open\command
        <NO NAME>   REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\runas

    HKEY_CLASSES_ROOT\exefile\shell\runas\command
        <NO NAME>   REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\exefile\shellex

    HKEY_CLASSES_ROOT\exefile\shellex\DropHandler
        <NO NAME>   REG_SZ  {86C86720-42A0-1069-A2E8-08002B30309D}

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps
        <NO NAME>   REG_SZ  {86F19A00-42A0-1069-A2E9-08002B30309D}

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page
        <NO NAME>   REG_SZ  {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}

    C:\>reg query HKCR\.exe /s

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\.exe
        <NO NAME>   REG_SZ  secfile
        Content Type        REG_SZ  application/x-msdownload

    HKEY_CLASSES_ROOT\.exe\DefaultIcon
        <NO NAME>   REG_SZ  %1

    HKEY_CLASSES_ROOT\.exe\PersistentHandler
        <NO NAME>   REG_SZ  {098f2470-bae0-11cd-b579-08002b30bfeb}

    HKEY_CLASSES_ROOT\.exe\shell

    HKEY_CLASSES_ROOT\.exe\shell\open

    HKEY_CLASSES_ROOT\.exe\shell\open\command
        <NO NAME>   REG_SZ  "C:\Documents and Settings\thomshab\Local Settings\Application Data\vma.exe" /START "%1" %*
        IsolatedCommand     REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\.exe\shell\runas

    HKEY_CLASSES_ROOT\.exe\shell\runas\command
        <NO NAME>   REG_SZ  "%1" %*
        IsolatedCommand     REG_SZ  "%1" %*

    HKEY_CLASSES_ROOT\.exe\shell\start

    HKEY_CLASSES_ROOT\.exe\shell\start\command
        <NO NAME>   REG_SZ  "%1" %*
        IsolatedCommand     REG_SZ  "%1" %*

    Hope this helps...

    [Aaron Margosis]  Yes, there are settings in there that don't belong and that look like they were put there with malicious intent.  Can you also post the results for "reg query hkcr\secfile /s"?
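The check Aaron performs by eye on the output in the comment above can be automated. The following is an added example, not code from the post or its commenters: it parses `reg query` output and flags an `.exe` extension that is not mapped to `exefile`, or a launch command that is not the stock `"%1" %*`. The sample is a subset of the posted output with backslashes restored; the function names are hypothetical, and the check does not follow the `secfile` class, which the thread never shows.

```python
import re

# Subset of the `reg query` output posted in the comment above,
# with the stripped backslashes restored (REG.EXE 3.0 layout).
SAMPLE = r'''
HKEY_CLASSES_ROOT\.exe
    <NO NAME>   REG_SZ  secfile
    Content Type        REG_SZ  application/x-msdownload

HKEY_CLASSES_ROOT\.exe\shell\open\command
    <NO NAME>   REG_SZ  "C:\Documents and Settings\thomshab\Local Settings\Application Data\vma.exe" /START "%1" %*
    IsolatedCommand     REG_SZ  "%1" %*

HKEY_CLASSES_ROOT\.exe\shell\runas\command
    <NO NAME>   REG_SZ  "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>   REG_SZ  "%1" %*
'''

# Value line: indented name (may contain spaces), REG_* type, then data.
VALUE_RE = re.compile(r'^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$')
PASS_THROUGH = '"%1" %*'   # stock command: run the clicked file itself

def parse_reg_query(text):
    """Return {key_path: {value_name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, _type, data = m.groups()
            current['' if name == '<NO NAME>' else name] = data.strip()
    return keys

def find_exe_hijacks(keys):
    """Return (key, reason) pairs for non-default .exe launch settings."""
    findings = []
    for path, values in keys.items():
        default = values.get('')
        lower = path.lower()
        if lower == r'hkey_classes_root\.exe' and default != 'exefile':
            findings.append((path, 'extension mapped to class %r' % default))
        elif lower.endswith(r'\command') and default not in (None, PASS_THROUGH):
            findings.append((path, 'launch command is %s' % default))
    return findings

if __name__ == '__main__':
    for key, reason in find_exe_hijacks(parse_reg_query(SAMPLE)):
        print(key, '->', reason)
```
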

  • Anonymous
    March 31, 2010
    The comment has been removed

  • Anonymous
    June 24, 2010
    Can you use this "protected" mode to run IE8? I have Windows XP SP3 and when I try to do this, nothing happens.... ?

    [Aaron Margosis]  Yeah, for about the same reasons it doesn't work with IE7 I wouldn't expect it to work with newer versions.

  • Anonymous
    December 03, 2016
    As of XP SP3, I don't see the stated reading restrictions for profile or registry. All others are in place.