Fog Creek Software
Discussion Board




A Reg Hack to Make windows red for RUNAS

I have finally decided to do the right thing and stop running as Admin on my system, but obviously to do development I still need to do the occasional runas to do certain config style things.

I like the idea the first comment poster has here: http://weblogs.asp.net/ptorr/archive/2003/09/21/56188.aspx to make windows borders red for that user but I don't know what kind of registry hack would be required, and I have tried logging in properly as my admin account and setting its profile to have a windows style of red borders but that didn't work either.

I am using Windows XP. Does anybody know how I might be able to do this?

Chris Ormerod
Tuesday, May 25, 2004

Ye gads man! Are you rowing with both oars in the water?? What on God's earth would make you want to do such a confounded thing as stop running as admin? You must be sadomasochistic, right? Love the pain, hmm? Well, why don't you just jab a hot poker in your eye and get it over with, rather than drag out the agony over many a fist-shaking tirade? Some people I'll just never understand...

Anon-y-mous Cow-ard
Wednesday, May 26, 2004

It's getting that way... been about 1.5 hours so far and I have thought about going back about 10 million times.

The amount of things I do that requires admin rights I just didn't realise, I have had an admin mode explorer and command prompt open the whole time and I am wondering if it is even worth sticking with it.

Chris Ormerod
Wednesday, May 26, 2004

And I am still looking for the reg keys, I have fiddled with the stuff under HKCU\ControlPanel\Colors for the admin user and it all seems correct.

I have also switched out 1 program so far, I was using the Microsoft XP Virtual CD Control panel for ISOs, have switched to DAEMON tools which seems to be more non-admin friendly. I predict there will be at least 5 more to be gone before the day is out... or I will get too annoyed and just switch back...

Chris Ormerod
Wednesday, May 26, 2004

When I say "seems correct" I mean the keys all seem to be set correctly but the windows still don't come up red.

Chris Ormerod
Wednesday, May 26, 2004

Create a user account named "Chris" with Administrator rights.


DUH!!!!

My Cousin Vinniwashtharam
Wednesday, May 26, 2004

And you create a regular user account for running tests.

Simon Lucy
Wednesday, May 26, 2004

OK, please don't jump on me with both feet for being ignorant, for I am at heart (and at work) a Unix guy who has been dragged into acting as sysadmin for both my parents and girlfriend.  (Both are running W2k on PCs I got for them (legitimately!) from an imploding former employer, and both are online via cable modems behind Linksys firewalls.)

For a long time both machines were set to just log in as admin.  Then, largely as a result of advice I gleaned here on this forum, I renamed the admin accounts (and changed the password, yikes) and then set everybody up with personal accounts in the "Power Users" group.

There were a few hitches & glitches at first related to permissions & settings but now all seems smooth.  At present, we only log in as the admin user to get Windows updates, new virus definitions, or install software.

This setup seems like a good idea, to protect the PCs not only from intruders/malware but also from mistakes by my well-meaning-but-technically-naive loved ones.  (And honestly, when it comes to Wintel knowledge, I'd rank myself as intermediate at best - I feel like the proverbial blind leading the blind here).

But now I read this thread, where several people make it sound like this sort of setup is the height of insanity (or at least masochism).  Is this true only for you power-user Win developer types who are up to your elbows in the internals of the OS all day every day?  Or is this setup too restrictive even for email-Word-web-type users?

Advice appreciated...

- former car owner in Queens
Wednesday, May 26, 2004

I feel your pain.  I asked how to do something similar before.  Seems friggin impossible.

hoser
Wednesday, May 26, 2004

There's a difference between a user that's a developer (or a tester), and a user that's, well, a user, and just wants to use the machine.

You can craft a set of permissions that gets nearly everything you want as a developer, but all too often it's easier just to have admin permissions, even if it's just the local machine.

In truth though, the developer generally needs permissions to install software, uninstall it and such.  If you can manage this without granting administrative rights all well and good.

Some of the other likely things that developers need to do in a Windows environment include prodding the registry (frequently to fix their own bugs in writing to it in the first place).

Regular users aren't likely to want to do anything like that.

Simon Lucy
Wednesday, May 26, 2004

Former Car Owner,

No, you are absolutely right!  Spot on.  DO NOT CHANGE BACK TO ALLOWING THEM TO RUN AS ADMIN (sorry for the caps -- I feel strongly about this).  Running as admin in Windows is just as insane as it is in Unix, it's just that for historical reasons it's been almost impossible for developer and system administrator types to get by without it, so they learn to tread carefully.

In my former life I was a system administrator in an enterprise with approx 1000 users and once we got everyone migrated over to Windows 2000, *no one* outside of the sys admins got admin rights, including the CEO.  We were even mean to our developers and made them call us whenever they needed to make changes to their machines (I do feel a little bad about that now).  It worked great.  Help desk calls for system malfunctions (i.e. other than requests or "how do I...") almost went away.  We did use as many tools as possible to make life easy, like a central tool for pushing out windows updates, and, to a lesser degree (as we were still planning the AD domain when I left), remote software installation.  Obviously since you are only administering a network of a few machines, it's worth doing those things manually to save the headaches down the road.

So (climbs off soapbox) no, the web, email, MS Office type user definitely does not need admin rights to function smoothly on a daily basis.

OffMyMeds
Wednesday, May 26, 2004

The problem with developing as admin is that, especially in n-tier systems, you can be either creating big security holes or writing nonfunctional software without knowing it.

The earlier you discover a bug, the cheaper it is to fix, right? Do you really want to wait until QA gets the app to find out that that crucial table you're calling or that registry key you need to write to can only be accessed by an admin?

That's the theory.

Philo

Philo
Wednesday, May 26, 2004

BTW Chris, I applaud your effort.  I've been thinking of doing the same thing for a couple of weeks now -- maybe when my current project slows down a little.

The funny thing is I've been running as a non-privileged user and using "su" in Linux for five years and never felt the need to do otherwise.  I think the windows world is finally catching up in that department.

OffMyMeds
Wednesday, May 26, 2004

"We were even mean to our developers and made them call us whenever they needed to make changes to their machines... It worked great."

No, it didn't work great. Developers would have to call you, and if you happened to be at your desk you'd put in a "trouble ticket", otherwise we'd leave voice mails that you may or may not listen to. Then the "trouble ticket" would always get lowest priority, because you were always running around putting out fires. Meanwhile, we'd sit at our desks getting nothing done because our tasks involved writing software that had to change registry settings you locked us out of.

Angry Developer
Wednesday, May 26, 2004

Incidentally, the next best thing would be to have a dev test machine available for unit testing - either a separate box or a Virtual PC image.

Best of both worlds, perhaps.

Philo

Philo
Wednesday, May 26, 2004

Angry,

You would be right (which is why I couched the aside about devs not having rights in "we were mean..."), but the way you quoted me makes it sound like I was saying it was specifically the act of locking our devs out that "worked great".  We had 1000 users, only 5 of whom were devs.  The *policy* of locking users out was what worked, not locking devs out specifically.

:-)

That said, they rarely experienced the scenario you described because we had a well empowered help desk (you got a human every time you called, never voice mail) and we employed remote administration tools effectively.  Usually the time to make administrative changes on a machine was only increased by the amount of time added in communicating the need.  On top of that, if a dev knew ahead of time he was going to have to be doing a lot of intrusive and abusive testing on a project, we would issue a test laptop and let them trash it, then just re-image it as often as they needed.  The combined time savings in not having to fix the day to day malfunctions on their primary machines was clearly a win.  At least one dev acknowledged that he appreciated the fact that he could test away and never worry about breaking his primary machine.

That said, I don't practice what I preach.  I am now a dev at a different company and I'm running as admin, and I would be pissed if someone tried to take it away from me.  I'm just saying that from a support point of view the policy works.  From a developer happiness point of view... well that's another story.  I think the ideal compromise is only now unfolding as Windows and Windows software is starting to play nicely with the run unprivileged and use "run as" approach.  When that's possible, I think it would be ideal for devs and sys admins alike to voluntarily conform to that model.  That's what I intend to do as soon as I have time to devote to the discomfort of making the transition.

offMyMeds
Wednesday, May 26, 2004

I just looked back at what I initially wrote.  Let me amend the above to clarify that the way *I* wrote the portion that Angry quoted made my assertion sound specific to developers.  Angry Dev did not mis-quote me.

offMyMeds
Wednesday, May 26, 2004

Thanks everyone for such a long discussion about this issue.

My experience from my first full day is that I had to keep an admin command prompt open and an explorer window open as admin at all times. So I can do the admin stuff and still be developing as a normal user, so hopefully this provides the correct environment to prevent any "requires admin" problems in the software in the future.

Cousin Vinni, unless it wasn't clear from my OP, I already have the 2 accounts set up, I have my normal Chris account which was running as admin but now is just a user, and I made myself another account ChrisAdmin that I have made a local administrator.

My question was about whether I could get applications I RUNAS that admin user from within my normal login to appear in a different colour/theme as the poster in the linked blog suggested.

Chris Ormerod
Wednesday, May 26, 2004

To the OP,

I think after reading the linked page, the admin user has their colours within their profile set to red borders on the windows and then when the normal user does a runas, it picks up the profile colours of the admin user. I haven't tested this, it's my reading of the article linked to.

Hope it helps.

ko
Wednesday, May 26, 2004

1) try running with win2k themes, not winxp themes. the xp stuff overrides the older stuff, though some windows (e.g. command prompt) won't be themed and thus will pick up the settings.

2) for your command prompt, set the color to something hideous. either in the shortcut or with the 'color' command.

mb
Wednesday, May 26, 2004

ko,

yeah I have it set like that but it doesn't seem to pick up the profile colours from the other user.

mb,

I tried turning off XP themes as well and it doesn't help. And I figured out the command prompt, that was easy. I was more wanting the windows to have a border so I would know if I was using an Admin explorer or not.

Oh well, I have spent enough time on this for now. I will just live without it and if I get time another day I might try and figure it out again.

Chris Ormerod
Thursday, May 27, 2004

Dear Chris, for explorer you could always have tree view enabled for one of the accounts and not another. The command prompt is more difficult. Resize the windows immediately you fire them up and have the admin a vertical rectangle and the user a horizontal one perhaps?

Stephen Jones
Thursday, May 27, 2004

Here's how to do it - the idea is that you fiddle with reg setting for IE and use IE as Explorer (because that's all explorer is)
http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html

Scroll down to the heading: "But I hate the command prompt!"

Duncan Smart
Thursday, May 27, 2004

Duncan,

Yeah I figured out how to do that custom background BMP last night. But thanks for that article, looks like it has many other useful tips for problems I am likely going to run into.

Thanks.

Chris Ormerod
Thursday, May 27, 2004
