Easy Ways to Run Windows Programs with Restricted Rights


In these days of drive-by downloads, poisoned websites and various other malware traps, it pays to have multi-layer defenses. One general technique involves running an entire account with limited system privileges. This can have a substantial effect on usability, however, and just restricting the privileges of particular programs may be preferable for many users. Since it is on the front line, the Internet browser is frequently run with limited rights. Beefing up security in this way with the programs “Sandboxie” and “Drop My Rights” is discussed by Gizmo elsewhere on this site.

Sometimes it is convenient to have a choice of running a program with either limited or more elevated rights and in this tip I’ll discuss two methods that provide an easy way to switch between options. Both use freeware from Microsoft/Sysinternals. (The first time you use one of these programs you will have to agree to a Microsoft EULA.) These methods are especially applicable to Windows XP, which has fewer security defenses than Windows Vista/7. Note that they are supplementary to more general methods and do not replace them.

Using PsExec to run a program as a limited user the easy way

PsExec.exe is part of a kit of utilities called PsTools that can be downloaded from Microsoft at this link. Unzip the containing folder called PsTools to a convenient location. There will be a number of different tools in the folder but this tip uses only PsExec.exe.

Its basic function is to launch programs remotely but with certain switches it can also be used to create a shortcut to run a program with reduced privileges. It uses the same method as “Drop My Rights”. In this way, there can be two shortcuts to a program—one with reduced rights and one with normal or elevated rights—giving you an easy option. Here is how to create a shortcut that will run with restrictions:

  1. Right-click a blank place on the desktop
  2. From the context menu, select “New”
  3. Click “Shortcut”
  4. In the box labeled “Type the location of the item”, enter:
    “{path1}\PsTools\psexec.exe” -l -d “{path2}\your-program.exe”
    Fill in the actual paths on your computer for {path1} and {path2} and use the quotes if any names have spaces.
  5. Click “Next”
  6. Enter a name for the shortcut and click “Finish” 

PsExec  uses the command line so a command window will briefly flash when you click a shortcut.

The most common use of this method is to run Internet Explorer with reduced rights in Windows XP. IE8 has a protected mode in Vista/7 but does not in Windows XP. Assuming you put the PsTools folder in the Programs folder, a shortcut for IE would use the following in step 4 above:

“c:\program files\PsTools\psexec.exe” -l -d “c:\program files\internet explorer\iexplore.exe"

This shortcut could be used to browse with IE using restricted rights while reserving the usual IE shortcut for safe sites where you might want to download and install something.  I also have used this method in Windows XP for Windows Media Player and Outlook Express.

If you do not want to use the entire PsTools collection, you can just copy the file psexec.exe to the Windows folder. Then you won't have to write out the entire path when constructing a shortcut.

PsExec will also run in Windows Vista/7 but only as an administrator, which is confusing since you are actually running a program with reduced rights. It is psexec.exe that is running as an administrator. Because of User Account Control and other security, this tip is less useful in these newer systems.

Process Explorer

Menu in Sysinternals Process Explorer

Another free utility from Microsoft Sysinternals that can be used to run an application with limited privileges is Process Explorer (download here). Of course, this utility has many uses besides the one given here.

Open the file menu and choose an executable to run using the menu shown in the figure above. This method is good for testing purposes rather than regular use.

Get your own favorite tip published!  Know a neat tech tip or trick?  Then why not have it published here and receive full credit?  Click here to tell us your tip.

This tips section is maintained by Vic Laurie. Vic runs a Windows blog called The PC Informant and also operates a computer education website.

Click here for more items like this. Better still, get Tech Tips delivered via your RSS feeder or alternatively, have the RSS feed sent as email direct to your in-box.

Please rate this article: 

Your rating: None
Average: 3.7 (14 votes)