Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Tool takes away privileges -- when you don't want them

If you need to log on as an admin but want a way to run crucial processes with fewer privileges, Microsoft has the tool for you: DropMyRights.

Please let us know how useful you find this tip by rating it below. Do you have a useful Windows tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize!

I've written in the past about the problems inherent in running programs casually under the Administrator account. If you want to adopt more security-conscious computer habits, running as Administrator is never a good idea for a few reasons. For starters, it exposes your data and your computer at large to attack from the Internet; and it becomes possible to make irreversible changes by accident (or maliciously so).

However, there is a big gap between knowing this advice and implementing it simply because it's not easy to do many day-to-day things as an administrator unless you are logged in as one.

But what if you need to stay logged in as administrator often, but want to have a way to run some crucial processes (such as web browsing) with fewer privileges than you normally would?

Microsoft has created a tool, called DropMyRights, that fulfills that need. When used on Windows XP and Windows Server 2003, it lets you run a program with certain key tokens and privileges disabled -- creating files in the %systemroot%\system32 directory, terminating or disabling processes, changing Registry values and so on. All of these tasks normally require administrative access to work, and DropMyRights allows them to be disabled on a process-by-process basis.

The program is simple enough to use. Create a shortcut to DropMyRights, with the path to the executable to run safely as a command-line parameter. For instance, if you have DropMyRights installed in c:\dmr\ and you want to run Internet Explorer safely, use:
C:\dmr\dropmyrights.exe "c: \program files\internet explorer\iexplore.exe"
as the target for the shortcut. You can also supply three other command-line arguments at the end of the line. N runs the application as a normal user (the default); C runs the application as a constrained (guest-level) user; U runs the app as an untrusted user. (This last option may not work for many applications.) DropMyRights can be downloaded here as an MSI installer package, and a full article on the application (originally written as a programming example for security exercises) is available on the MSDN site.

Editor's Note: If you would like to receive similar tips on how to manage Windows as well as other expert advice, be sure to subscribe to The Administrator Tip newsletter. Sign up now!

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!

Dig Deeper on Windows legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.