
Try the RUNAS command

An alternative to using the administrator account.

It's fairly common knowledge that logging in as an administrator on a Microsoft Windows computer is dangerous.

Most people realize that in theory, you should only be logged in as an administrator when you're actually doing something that requires administrative privileges. Any other time, you should be logged in as a regular user.

There are two primary and intuitively obvious reasons for this. The first is that as administrator, it's easy to break things accidentally. As a regular user, you shouldn't have the permissions required to do destructive things like deleting system files. And if you're installing some software as a user, it generally won't have the permission to overwrite anything important (to the system) either.

The second reason is that malicious attackers can't use you to attack the system as easily. For instance, if you're surfing the web as an administrator, a website could run some malicious applet, or if you're using an instant messaging client or peer-to-peer file-sharing program as administrator, those represent avenues of attack as well. In all these cases, the damage they could do would be substantially limited if you're logged in as a user instead of an administrator.

But let's face it, administrators are generally a combination of overworked and lazy, which means they don't want to take the time to shut down all their open applications, reboot the system, log in as administrator, perform some administrative task, reboot again, log in as a user, and reopen all their applications. The solution to this problem in the old UNIX world is that you can log in as a user and still run a specific application as "root" with "sudo", or use the "su" command to get root access for one terminal session while all your other applications use regular permissions.

In Windows 2000/XP, there is a similar feature. You can mimic this functionality by using "Run As". This can be invoked in one of two ways: from the command line (type "runas /?" for help) or from the Start menu. For the Start menu method, hold down the Shift key, right-click a menu item, and select Run As.

Note that this feature is also very useful if you're supporting a lot of users. When you go to troubleshoot a user's PC, instead of making them log out so that you can log in as an administrator and fix their problem, just leave them logged in and use Run As.
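The command-line form described above, as an added example that is not part of the original article. The account name is an assumption (the local Administrator account on the current machine); substitute DOMAIN\username for a domain account.

```bat
@echo off
rem Added example: run individual admin tools under a separate account
rem while the desktop session stays logged in as a regular user.
setlocal

rem Assumption: a local account named Administrator exists on this machine.
set "ADMIN_ACCOUNT=%COMPUTERNAME%\Administrator"

rem Show which account the current session is running as.
echo Current user: %USERDOMAIN%\%USERNAME%

rem Open Computer Management as the admin account. runas prompts for the
rem password on the console; there is no switch to pass it on the command line.
runas /user:%ADMIN_ACCOUNT% "mmc %windir%\system32\compmgmt.msc"

rem Open a command prompt as the admin account for a series of admin
rem commands, the closest equivalent to "su". /noprofile skips loading
rem the admin account's user profile.
runas /noprofile /user:%ADMIN_ACCOUNT% cmd

rem Note: /savecred is deliberately not used. It stores the admin
rem credentials so later runas calls skip the password prompt, which lets
rem any program running as the regular user start programs as the admin.

endlocal
```

Close each elevated window when the task is done so that no administrator-level process is left running in the user's session.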

Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.

This was last published in April 2003
