I
ILiya
As a best practice, it is often recommended to run workstation as a regular
user for security reasons.
The problem I see is however with application installation process. Most of
applications keep their settings in the registry, which can be grouped into
per-computer and per-user settings. They are stored in HKCU and HKLM
registry branches respectively.
In order to install an application the setup program must be run with
Administrator account privileges, probably using runas command prompt
utility to impersonate the user without having to completely log-off.
The setup program will write HKLM registry settings correctly however the
user part HKCU will be screwed up because registry has its own HKCU zone for
each defined user, so when the setup program will write the current user
registry settings, it will only see Administrator HKCU and not the one I use
when running workstation. This will lead to an odd application behavior or
even cause application malfunctioning.
For example, when I decided to add a new newsgroup server to Outlook
Express, I forgot to run it as Administrator and made the operation as a
regular user (no warnings or low access messages were displayed), this
resulted to all the newsgroups folders were showing absolutely nothing
despite the fact they were full of postings. I could only view the newsgroup
folders in OE under Administrator account.
So, I had to runas Administrator the OE, configure all the settings, runas
Administrator regedit applet, export all the OE settings from HKCU and then,
manually import them as a user into my HKCU to reflect OE configuration in
my domain.
So the reason I wrote this post is I see neither runas nor logging in as
Administrator to be not a very good way to install applications. As far as I
see temporary for application installation period raising user privileges
to be the best installation approach. Maybe there is the uility like runas
which can temporary raise the privileges living all the user associations
alone.
I'd like to see the other views and opinions on the subject.
Thanks
user for security reasons.
The problem I see is however with application installation process. Most of
applications keep their settings in the registry, which can be grouped into
per-computer and per-user settings. They are stored in HKCU and HKLM
registry branches respectively.
In order to install an application the setup program must be run with
Administrator account privileges, probably using runas command prompt
utility to impersonate the user without having to completely log-off.
The setup program will write HKLM registry settings correctly however the
user part HKCU will be screwed up because registry has its own HKCU zone for
each defined user, so when the setup program will write the current user
registry settings, it will only see Administrator HKCU and not the one I use
when running workstation. This will lead to an odd application behavior or
even cause application malfunctioning.
For example, when I decided to add a new newsgroup server to Outlook
Express, I forgot to run it as Administrator and made the operation as a
regular user (no warnings or low access messages were displayed), this
resulted to all the newsgroups folders were showing absolutely nothing
despite the fact they were full of postings. I could only view the newsgroup
folders in OE under Administrator account.
So, I had to runas Administrator the OE, configure all the settings, runas
Administrator regedit applet, export all the OE settings from HKCU and then,
manually import them as a user into my HKCU to reflect OE configuration in
my domain.
So the reason I wrote this post is I see neither runas nor logging in as
Administrator to be not a very good way to install applications. As far as I
see temporary for application installation period raising user privileges
to be the best installation approach. Maybe there is the uility like runas
which can temporary raise the privileges living all the user associations
alone.
I'd like to see the other views and opinions on the subject.
Thanks