Utility to grant admin rights to a user in Windows XP for a few hours/days?

1

I have two accounts on my Windows XP Home desktop. The default regular user is used for everything, and the second user, which has admin rights, is used only for installations. I do this to avoid malware infestations during web browsing, and the limited user account guards against online threats to a good extent, but many programs, like Revo Uninstaller, refuse to run under limited rights. Many installs I run from the limited user by selecting "Run as" from the right-click context menu of the .exe file, but some apps need admin rights for certain. I use "Switch User" to go to admin mode and do the install/uninstall, but the admin user has none of my preferences or bookmarks set up, nor does it have my Locate32 indexing done and ready for fast search. Is there a utility which I can start with "Run as" using the administrator login, and use it to grant my limited user admin rights for a limited period, like a few hours or days? Please help. I guess MS might have closed many doors on it for fear of exploitation of the API. Are there any?

user15660

Posted 2010-04-27T20:17:01.900

Reputation: 403

I don't think that there is any way of doing this, but it's a good idea. – ChrisF – 2010-04-27T20:19:37.653

It might be possible to use the security API to create a token with your SID but Administrator rights (maybe DuplicateTokenEx() and SetTokenInformation()) and pass it to CreateProcessWithTokenW(). It would need some magic though... There's also AdjustTokenPrivileges(), which would probably be easier. – user1686 – 2010-04-27T20:29:04.050

Windows 7 does it naturally; even users with admin rights have to confirm them every time by entering a password unless UAC is disabled. – Dani – 2011-07-30T13:48:23.250

Answers

0

The most common reasons why a program needs admin rights to run are

  • It writes to a file in the %Program Files% folder
  • It writes to a file in the %Windows% folder
  • It writes to a protected area of the registry

The first two are easy to mitigate. Find the file it is trying to write, move it to a non-protected folder, i.e. User documents, then place a hardlink (mklink) in its old place.

The third one is tougher. I'm not sure how to mitigate that.

surfasb

Posted 2010-04-27T20:17:01.900

Reputation: 21 453
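
An added example, not part of the answer above: a PowerShell script that, run from the limited account, reports which of the three locations in the answer's list that account can write to. It assumes PowerShell 2.0 has been installed on the XP machine; the function names and the sample targets are illustrative.

```powershell
# Added example; function names and the sample targets are illustrative.
# Run it from the limited account, not from the administrator account.

function Test-DirWritable([string]$Dir) {
    if (-not (Test-Path $Dir)) { return "missing" }
    # Create and delete a uniquely named probe file in $Dir.
    $probe = Join-Path $Dir ("probe_" + [Guid]::NewGuid().ToString("N") + ".tmp")
    try {
        [IO.File]::WriteAllText($probe, "probe")
        [IO.File]::Delete($probe)
        return "writable"
    } catch {
        return "blocked"
    }
}

function Test-HklmKeyWritable([string]$SubKey) {
    # Request a write handle on the key; no value is created or changed.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($key -eq $null) { return "missing" }
        $key.Close()
        return "writable"
    } catch {
        return "blocked"
    }
}

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Account: {0}  (Administrators group active: {1})" -f $id.Name, $isAdmin

# The three locations from the list above. Replace them with the program's
# own folder and registry key to see which one it is being stopped at.
"{0,-10} {1,-30} {2}" -f "Folder", $env:ProgramFiles, (Test-DirWritable $env:ProgramFiles)
"{0,-10} {1,-30} {2}" -f "Folder", $env:windir, (Test-DirWritable $env:windir)
"{0,-10} {1,-30} {2}" -f "Registry", "HKLM\SOFTWARE", (Test-HklmKeyWritable "SOFTWARE")
```

A "blocked" result for one specific folder or key points to granting the limited account write access on that single location from the administrator account, which is a narrower change than giving the account admin rights.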

0

There's RunAsAdmin, an open source project that brings a "UAC-like" experience to Windows XP. Basically it takes an Administrator account and runs the shell (and, by extension, most of your applications) with the Administrator token stripped. So most of the time you run as a limited user. It also allows for elevating particular programs as needed.

I tried it briefly once a long time ago and it seemed to work as advertised.

afrazier

Posted 2010-04-27T20:17:01.900

Reputation: 21 316

0

integratorIT

Posted 2010-04-27T20:17:01.900

Reputation: 727