The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation

AlwaysUp Feature Spotlight: Run your App Without Admin Rights

Run your App Without Admin Rights

Why should I run my application without admin rights?

A Windows Service typically runs in an account with extensive/elevated rights. In fact, most services run as LocalSystem — a built-in account with near total control of the computer.

But that power isn’t granted lightly. It’s actually given out of necessity.

The reality is that a service often requires broad access to your computer to tackle its complex tasks — like interrogating the network, terminating rogue processes or checking RAM levels. Unfortunately, working in a normal, non-admin context won’t cut it.

But even though it’s needed, there are serious risks when operating with so much latitude. That’s because awful things can happen if a fully-empowered service is compromised or becomes infected with malware!

Running applications without admin rights is safer

As reported by SoftPedia in 2015, almost all of the vulnerabilities detected in Windows could have been avoided by removing administrator rights from the programs involved:

Critical vulnerabilities involving admin rights

That is, running programs without administrator rights substantially reduces risk and makes your PC much safer to use.

How do I make AlwaysUp start my application with basic rights only?

It’s easy to make AlwaysUp launch your program with normal, unelevated rights. To do so:

  1. Edit your application in AlwaysUp (select Application > Edit/View from the menu.

  2. Move to the Logon tab.

  3. Check the Launch the application without admin rights box:

    Launch your app without admin rights
  4. Save your changes.

The next time your AlwaysUp service starts, it will launch your application with basic rights only.

What are your best tips for running my application without admin rights?

Tip #1: Test thoroughly

Are you sure that your application works properly without administrative rights? Unfortunately, not all applications do.

Be sure to test all functionality and confirm.

For example, can your application still read and write to the file system? Or will it fail because it cannot communicate with another program running in a different security context?

Tip #2: Examine your application’s security groups with Process Explorer

If you want to inspect your application’s permissions, you can open your app in Process Explorer and review the Security tab.

For example, here’s OneDrive running without admin rights. You can see that:

  1. The integrity level is Medium, indicating that the process isn’t elevated;

  2. The user has been denied access to well-known administrative groups, like “Administrators” and “Power Users”:

    OneDrive running without admin rights

Also, many of the low-level privileges are disabled.

Posted in AlwaysUp | Tagged , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *