Geek Answers Handbook

Do you support standard users in Windows XP?

Update: Since the development machine has migrated to Vista, I now automatically test as a standard user. And with the gradual cessation of XP, this question is not so happy.

Based on the Windows 2000 logo requirements, Microsoft requires applications to run as standard users. Like everyone else, I always ran my desktop as an administrative user. And like every developer: I log in, develop, run and test as an administrative user.

Now with a new click, in order to finally support standard users, I tested my applications, launching them as a regular user - either through RunAs, or when my application restarted itself with normal rights using [SaferCreateLevel][1] / [SaferComputeTokenFromLevel][2] if he discovers that he is working as an administrator. I quickly see how some of my applications fail under Windows XP as a standard user (due to my own stupidity). I also see how the same applications work fine under Vista (thanks to this there are numerous pads to fix my errors for me).

Beyond this: Ironically, applications are more likely to run on Vista as a standard user than on XP.

The question is, do you check your applications for standard user compatibility? Are you developing as a standard user on XP? Do you ignore standard user access and hope for the best?

I tried as a bonus that my application would restart itself as a limited user (and not a regular user). It doesn't even fit - Windows says it failed to initialize. Thus, there is an area of ​​future research on my part: to make the application even support a limited user.

I specifically referred to standard users on XP, not Vista, to provide the truth that Vista is no different from XP in terms of compatibility. And everyone who says that their application does not work in Vista should understand that it also fails in XP.

+6
security windows
source share
10 answers

I work on XP as a limited user almost all the time and by default. (In Vista, I use an administrative account and rely on UAC.)

I am developing as a limited user. In Java and Visual Studio development, there are very few that require more privileges than this.

If I need to run something under a limited account, but with administrator privileges, I use MakeMeAdmin (renamed and configured as ConsoleMeAdmin) .bat script, which creates an administrative console session.

If I really need to be an administrator to make the installation and take the first steps, so my security software can be self-determined to allow access to the new code (or not), etc., I will raise my limited user account to the administrator long enough. to do all this and then restart the account as a limited user again. In addition to updates for Windows, I perform all my downloads as a limited user, and then install offline work after upgrading to administrator.

Since I only have a small workgroup local area network without Active Directory, the only useful types of accounts are "Administrator and Limited User" on XP. (I tried to work with the user when I first started using XP, but found that I could do without it, and I prefer what it teaches me, independent of the special privileges in the code I'm building.)

[PS: I also have data execution protection (supported on hardware) by default on my XP system, and you'll be surprised at what happens.]

+5
source share

I'm going to point you to Crispin Cowan " " Design Guidelines for the Windows Standard User . " It's worth a look.

+16
source share

If you want to sell your application to enterprises, then yes, you should test your application that works as a standard user. If your application cannot run without administrative privileges, this will result in any commercial transaction.

Even in the domestic market, many people can and can use limited users for daily activities; I know that.

Even administrative applications that ultimately need administrative privileges must behave wisely while acting as a limited user. They should bring up a dialogue informing the user that administrative rights are necessary to carry out any task that they tried to perform.

The best way to create software that complies with these restrictions is to develop your software as a limited user. Thus, every time you develop a function, you implicitly check whether it will work in a limited environment.

None of this is complicated, it just requires a certain discipline - like all quality assurance procedures. People have been developing for decades as non-root users on * nix. In this regard, Windows development is behind the curve.

+11
source share

Crispin, in his discussion of PDC , made a very good point, one that I have never considered before.

Google Chrome is installed as a standard user: it is installed in the folder for each user, without the need for a UAC or OTS invitation, and all this is convenient, because the installation is so simple. Unfortunately, it is installed in the folder for the user , where the user can change it.

In other words: malware can modify Chrome exe.

Chrome will now be the biggest target for any mal-ware. And if some malware modifies it, Chrome now sends your usernames, passwords and credit card information back to your home base, because the new Chrome exe does it.

This is why you sometimes want applications to be installed in secure locations.

Edit: The entire Microsoft Click Once deployment initiative is at risk.

+7
source share

In a business environment, most users are standard Windows domain users. To ignore standard user compliance tests is a really bad move. And you will receive every domain administrator who has to install your application very much, and they will go to your competition.

+5
source share

IMHO, developing as an administrator, is not only superfluous, but also very dangerous! Suppose you check something on the Internet during development (stackoverflow comes to mind) and you catch some malware - history shows that it is much easier than you might think, for example. through the banners. As an administrator, this malware will infect your computer, and you may never get rid of it. This can even be dangerous for all your developments (think of industrial espionage)!

If you need to run / test something as an administrator, use runas or even better virtual machines . Thus, you can use separate systems with a specific behavior (lots of problems with Windows software come from libraries, which, of course, are available on the developer's PC, but almost nowhere!). In the days of Microsoft Virtual PC and VMWare Server (free), there is not even an excuse for the high prices of virtualization software.

I developed several Windows applications several years ago, and besides their installers, ANYTHING has ever required administrative rights. Runtime settings always belong to the user, not to the device.

And yes, I run Windows XP as a regular user at home, like my family members (parents, etc.). Sometimes the crap part of the software requires write access to the installation folder, but 95% of all installed applications today work fine.

+3
source share

Yes, we test it.

Probably the simplest but most abused rule is that you should not do anything that requires write access to your program installation folder. Instead, there is a special folder called Application Data for this type.

+2
source share

Yes, and I accepted the general advice that it is much easier to get an application to work on Vista if it works fine on XP as a limited user. To achieve this and to know if there were problems with the limited user, I used LUABuglight .

I do not develop as a limited user at all, but only register as a limited user for testing.

The number of programs that require administrator rights and are written to their Program Files folder is amazing. Honestly, I found very few programs that work correctly as a limited user from any software company, large or small.

+1
source share

Anything else is ridiculous that Windows developers consider it normal to run as Admin (apparently), but Linux developers almost never run as root

0
source share

Like the old BOFH, I will burn out with ugly words over someone who asks for increased rights to operate their client applications. This is simply out of the question since 2001-2002, when we switched from Win9x to XP (sic).

As a newborn developer in a place where each XP is a local administrator using forced group policy, and it seems to take a lot of time to change it, and no one really wants to start either - I installed RunAsAdmin , which reduces me to a normal user for most tasks, including development - like in Vista. Recommended if you are stuck as a local administrator on XP ^^

0
source share

More articles:


All Articles