{"id":12362,"date":"2024-04-01T05:29:30","date_gmt":"2024-04-01T12:29:30","guid":{"rendered":"https:\/\/www.coretechnologies.com\/blog\/?p=12362"},"modified":"2024-04-01T05:29:30","modified_gmt":"2024-04-01T12:29:30","slug":"alwaysup-feature-spotlight-run-your-app-without-admin-rights","status":"publish","type":"post","link":"https:\/\/www.coretechnologies.com\/blog\/alwaysup\/alwaysup-feature-spotlight-run-your-app-without-admin-rights\/","title":{"rendered":"AlwaysUp Feature Spotlight: Run your App Without Admin Rights"},"content":{"rendered":"<div align=\"center\"><img loading=\"lazy\" decoding=\"async\" src=\"\/blog\/images\/windows-service-no-admin-rights.webp\" title=\"Run your App Without Admin Rights\" alt=\"Run your App Without Admin Rights\" border=\"0\" width=\"310\" height=\"150\" ><\/div>\n<div id=\"blog-toc-container\" style=\"margin-top:20px;\">\n<ul>\n<li><a href=\"#overview\">Why should I run my application without admin rights?<\/a><\/li>\n<li><a href=\"#how-to-use\">How do I make AlwaysUp start my application with basic rights only?<\/a><\/li>\n<li><a href=\"#tips\">What are your best tips for running my application without admin rights?<\/a><\/li>\n<\/ul>\n<\/div>\n<p><a name=\"overview\"><\/a><\/p>\n<h2 class=\"blog-caption\">Why should I run my application without admin rights?<\/h2>\n<p>A Windows Service typically runs in an account with extensive\/elevated rights. In fact, most services run as <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/services\/localsystem-account\" target=\"_blank\" rel=\"noopener\">LocalSystem<\/a> &mdash; a built-in account with near total control of the computer.<\/p>\n<p>But that power isn&#8217;t granted lightly. It&#8217;s actually given out of necessity.<\/p>\n<p>The reality is that a service often requires broad access to your computer to tackle its complex tasks &mdash; like interrogating the network, terminating rogue processes or checking RAM levels. Unfortunately, working in a normal, non-admin context won&#8217;t cut it.<\/p>\n<p>But even though it&#8217;s needed, there are serious risks when operating with so much latitude. That&#8217;s because awful things can happen if a fully-empowered service is compromised or becomes infected with malware!<\/p>\n<h3 class=\"blog-caption\">Running applications without admin rights is safer<\/h3>\n<p>As <a href=\"https:\/\/news.softpedia.com\/news\/Want-to-Make-Windows-as-Secure-as-Linux-Remove-Admin-Rights-477381.shtml\" target=\"_blank\" rel=\"noopener\">reported by SoftPedia in 2015<\/a>, almost all of the vulnerabilities detected in Windows could have been avoided by removing administrator rights from the programs involved:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/remove-admin-rights-stats.png\" class=\"zoomPopup\" title=\"Critical vulnerabilities involving admin rights\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"image-padding\" src=\"\/blog\/images\/remove-admin-rights-stats.png\" title=\"Critical vulnerabilities involving admin rights (click to enlarge)\" alt=\"Critical vulnerabilities involving admin rights\" border=\"0\" \/><\/a><\/div>\n<p>That is, running programs <b>without administrator rights<\/b> substantially reduces risk and makes your PC much safer to use.<\/p>\n<hr class=\"blog-section\">\n<p><a name=\"how-to-use\"><\/a><\/p>\n<h2 class=\"blog-caption\">How do I make AlwaysUp start my application with basic rights only?<\/h2>\n<p>It&#8217;s easy to make AlwaysUp launch your program with normal, unelevated rights. To do so:<\/p>\n<ol style=\"margin-bottom:24px\">\n<li>\n<p>Edit your application in AlwaysUp (select <b>Application &gt; Edit\/View<\/b> from the menu.<\/p>\n<\/li>\n<li>\n<p>Move to the <b>Logon<\/b> tab.<\/p>\n<\/li>\n<li>\n<p>Check the <b>Launch the application without admin rights<\/b> box:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/alwaysup-launch-without-admin-rights.png\" class=\"zoomPopup\" title=\"Launch your app without admin rights\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"image-padding\" src=\"\/blog\/images\/alwaysup-launch-without-admin-rights.png\" title=\"Launch your app without admin rights (click to enlarge)\" alt=\"Launch your app without admin rights\" border=\"0\" \/><\/a><\/div>\n<\/li>\n<li>\n<p>Save your changes.<\/p>\n<\/li>\n<\/ol>\n<p>The next time your AlwaysUp service starts, it will launch your application with basic rights only.<\/p>\n<hr class=\"blog-section\">\n<p><a name=\"tips\"><\/a><\/p>\n<h2 class=\"blog-caption\">What are your best tips for running my application without admin rights?<\/h2>\n<h3>Tip #1: Test thoroughly<\/h3>\n<p>Are you sure that your application works properly without administrative rights? Unfortunately, not all applications do.<\/p>\n<p>Be sure to test all functionality and confirm. <\/p>\n<p>For example, can your application still read and write to the file system? Or will it fail because it cannot communicate with another program running in a different security context?<\/p>\n<h3>Tip #2: Examine your application&#8217;s security groups with Process Explorer<\/h3>\n<p>If you want to inspect your application&#8217;s permissions, you can open your app in <a href=\"\/blog\/windows-services\/essential-tools-for-windows-services-process-explorer\/\">Process Explorer<\/a> and review the <b>Security<\/b> tab.<\/p>\n<p>For example, here&#8217;s OneDrive running without admin rights. You can see that:<\/p>\n<ol style=\"margin-bottom:24px\">\n<li>\n<p>The <a href=\"https:\/\/en.wikipedia.org\/wiki\/Mandatory_Integrity_Control\" target=\"_blank\" rel=\"noopener\">integrity level<\/a> is Medium, indicating that the process isn&#8217;t elevated;<\/p>\n<\/li>\n<li>\n<p>The user has been denied access to well-known administrative groups, like &#8220;Administrators&#8221; and &#8220;Power Users&#8221;:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/onedrive-no-admin-rights-process-explorer.png\" class=\"zoomPopup\" title=\"OneDrive running without admin rights\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"image-padding\" src=\"\/blog\/images\/onedrive-no-admin-rights-process-explorer.png\" title=\"OneDrive running without admin rights (click to enlarge)\" alt=\"OneDrive running without admin rights\" border=\"0\" \/><\/a><\/div>\n<\/li>\n<\/ol>\n<p>Also, many of the low-level privileges are disabled.<\/p>\n<hr class=\"blog-section\">\n<div style=\"margin-top:30px\" align=\"center\">\n<div class=\"cta-button-1\">\n<table role=\"presentation\" cellspacing=\"0\" cellpadding=\"0\" border=\"0\" align=\"left\">\n<tbody>\n<tr>\n<td align=\"center\"><a href=\"\/blog\/tag\/alwaysup-feature-spotlight\/\" title=\"More AlwaysUp features\"><span><nobr>More AlwaysUp features&#8230;<\/nobr><\/span><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<!-- relpost-thumb-wrapper --><div class=\"relpost-thumb-wrapper\"><!-- filter-class --><div class=\"relpost-thumb-container\"><style>.relpost-block-single-image, .relpost-post-image { margin-bottom: 10px; }<\/style><h3>You may also like...<\/h3><div style=\"clear: both\"><\/div><div style=\"clear: both\"><\/div><!-- relpost-block-container --><div class=\"relpost-block-container relpost-block-column-layout\" style=\"--relposth-columns: 3;--relposth-columns_t: 2; --relposth-columns_m: 2\"><a href=\"https:\/\/www.coretechnologies.com\/blog\/software\/dropbox-selective-sync-popup\/\"class=\"relpost-block-single\" ><div class=\"relpost-custom-block-single\"><img decoding=\"async\" loading=\"lazy\" class=\"relpost-block-single-image\" alt=\"Watch out for Dropbox Prompts when Running as a Service!\"  src=\"https:\/\/www.coretechnologies.com\/blog\/wp-content\/uploads\/hand-stop-150x150.png\" style=\"aspect-ratio:1\/1\" style=\"aspect-ratio:1\/1\"><\/img><div class=\"relpost-block-single-text\"  style=\"height: 75px;font-family: Arial;  font-size: 12px;  color: #333333;\"><h2 class=\"relpost_card_title\">Watch out for Dropbox Prompts when Running as a Service!<\/h2><\/div><\/div><\/a><a href=\"https:\/\/www.coretechnologies.com\/blog\/alwaysup\/windows-password-management\/\"class=\"relpost-block-single\" ><div class=\"relpost-custom-block-single\"><img decoding=\"async\" loading=\"lazy\" class=\"relpost-block-single-image\" alt=\"Q&amp;A: Where does AlwaysUp store the Password for my Windows Account?\"  src=\"https:\/\/www.coretechnologies.com\/blog\/wp-content\/uploads\/password-security-150x150-1.png\" style=\"aspect-ratio:1\/1\" style=\"aspect-ratio:1\/1\"><\/img><div class=\"relpost-block-single-text\"  style=\"height: 75px;font-family: Arial;  font-size: 12px;  color: #333333;\"><h2 class=\"relpost_card_title\">Q&amp;A: Where does AlwaysUp store the Password for my Windows Account?<\/h2><\/div><\/div><\/a><a href=\"https:\/\/www.coretechnologies.com\/blog\/srvany\/stop-srvany-service\/\"class=\"relpost-block-single\" ><div class=\"relpost-custom-block-single\"><img decoding=\"async\" loading=\"lazy\" class=\"relpost-block-single-image\" alt=\"Q&amp;A: Why doesn&#039;t Srvany Close my Application when I Stop the Service?\"  src=\"https:\/\/www.coretechnologies.com\/blog\/wp-content\/uploads\/gear-question-150x150-1.png\" style=\"aspect-ratio:1\/1\" style=\"aspect-ratio:1\/1\"><\/img><div class=\"relpost-block-single-text\"  style=\"height: 75px;font-family: Arial;  font-size: 12px;  color: #333333;\"><h2 class=\"relpost_card_title\">Q&amp;A: Why doesn&#039;t Srvany Close my Application when I Stop the Service?<\/h2><\/div><\/div><\/a><\/div><!-- close relpost-block-container --><div style=\"clear: both\"><\/div><\/div><!-- close filter class --><\/div><!-- close relpost-thumb-wrapper -->","protected":false},"excerpt":{"rendered":"<p>Why should I run my application without admin rights? How do I make AlwaysUp start my application with basic rights only? What are your best tips for running my application without admin rights? Why should I run my application without &hellip; <a href=\"https:\/\/www.coretechnologies.com\/blog\/alwaysup\/alwaysup-feature-spotlight-run-your-app-without-admin-rights\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":12373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[346,26,345,135,143],"class_list":["post-12362","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alwaysup","tag-admin-rights","tag-alwaysup-tag","tag-alwaysup-feature-spotlight","tag-run-with-restricted-rights","tag-security"],"_links":{"self":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/12362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/comments?post=12362"}],"version-history":[{"count":18,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/12362\/revisions"}],"predecessor-version":[{"id":12433,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/12362\/revisions\/12433"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/media\/12373"}],"wp:attachment":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/media?parent=12362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/categories?post=12362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/tags?post=12362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}