Defensive Computing

November 14, 2007 1:42 PM PST

Dealing with software crashes, Part 2

by Michael Horowitz

The first part of this posting on dealing with software crashes covered preventing the leakage of personal information, portable applications, and controlling the programs that run automatically when Windows starts up. Here we look at dumps, event logs, and disk checking, but first, we pick up on the topic of drivers.

Driver Verifier

In Windows, the term "driver" refers to software used by the operating system to control the hardware in the computer. Each piece of hardware (sound, video, printer) has an associated driver program.

The last topic in the previous posting was an airplane analogy to illustrate the potential for problems with Windows drivers. They run alongside the most critical parts of Windows itself and a bug in the driver can crash Windows.

Considering this, it should come as no surprise that Microsoft has a utility program designed to weed out bugs in drivers. The program is called Driver Verifier, and it is included in all recent versions of Windows (Windows 2000 and later).

Driver Verifier does extra checking on the actions of drivers, while they are running, looking for potential problems. Think of it as super-debugging mode. Quoting Microsoft: "Driver Verifier monitors kernel-mode drivers and graphics drivers to detect illegal function calls or actions that might corrupt the system. It can subject the drivers to a variety of stresses and tests to find improper behavior."

I bring this up because it can be a useful thing for debugging. When working with a tech-support person, ask them if drivers are a possible cause of the software problem you are experiencing (video drivers were a suspect in the problem described in The Wall Street Journal story). If so, then ask if Driver Verifier would be helpful. If nothing else, use Driver Verifier to gauge the reaction of the person assisting you.

There is a performance cost to the extra error checking Windows does on the drivers being verified. If verification is turned on for all drivers, Windows may be noticeably slower. Hopefully, the tech-support person can limit the verifying to a small number of drivers.

But, every PC has a different set of drivers. Fortunately, Driver Verifier can list the installed drivers, their version number, and the company that produced them. To run it, open a Command Prompt window (aka DOS window) and type "verifier" without the quotes. You can then close the Command Prompt window. In Vista, a security dialog will ask for permission.

I suggest starting with the radio button that displays existing settings. If this is the first time Driver Verifier has been used, there should be no drivers listed in the right side of the resulting window.

This window also shows different types of tests that will all be set to "No" initially. Windows XP offers eight types of verification tests; Vista has a few more.

Click the back button, turn on the radio button to create standard settings, and then click the Next button. If you "Select driver names from a list," you can see all the installed drivers.

Unless you are a serious Windows techie, Driver Verifier does not produce any output that is of use to you. It is best used when working with assistance from professional tech support.
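As an added example, not from the original post: a PowerShell script that produces the same driver inventory (name, version, company) that Driver Verifier's list shows, so it can be handed to tech support before anything is switched on. It assumes Windows XP or later with PowerShell 2.0 in an administrator session; the verifier.exe switches come from the tool's own command-line help, not from the post, which shows only the GUI.

```powershell
# Added example (not from the original post): list the installed kernel
# drivers with the version and company that Driver Verifier shows, so the
# list can be handed to tech support before any verification is turned on.
# Assumes Windows XP or later with PowerShell 2.0 in an administrator session.

function Get-DriverInventory {
    # Win32_SystemDriver covers every kernel-mode driver Windows knows about.
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if ($path) {
            # WMI sometimes reports NT-style prefixes; strip them so the file can be read.
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        }
        $version = '(unknown)'
        $company = '(unknown)'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            if ($info.FileVersion) { $version = $info.FileVersion.Trim() }
            if ($info.CompanyName) { $company = $info.CompanyName.Trim() }
        }
        New-Object PSObject -Property @{
            Name    = $_.Name
            State   = $_.State
            Version = $version
            Company = $company
            Path    = $path
        }
    }
}

# Running drivers with no company name in their version resource are the
# first ones to ask tech support about.
Get-DriverInventory |
    Where-Object { $_.State -eq 'Running' } |
    Sort-Object Company, Name |
    Format-Table Name, Version, Company, Path -AutoSize

# Driver Verifier's command-line form (switches taken from verifier.exe's own
# help, not from the post, which shows only the GUI). Only the query runs here;
# the enabling and reset commands are left commented out because they change
# system settings and take effect at the next restart.
verifier /querysettings
# verifier /standard /driver example.sys   # standard checks on one driver only; example.sys is a placeholder
# verifier /reset                          # turn all verification off again
```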

Minidumps

Another thing to look for when Windows software crashes is a minidump--a snapshot of the state of the system at the time of the failure.

Dumps can be invaluable to a tech-support person. I spent many years doing technical support and can attest that verbal descriptions of a problem over the phone are not much to go on. Dumps and event logs (the next topic) give a picture of the problem that no person can.

Windows dumps are only useful to someone familiar with the internal workings of the operating system. Normal users can't even look at the contents of a dump; Windows does not include the program (Dumpchk.exe) needed to format it.

Minidumps are small (88K) so sending them to tech support should not be a problem. If you're not asked to look for, or provide, a dump, it would make me wonder how capable the support person is.

By default, Windows XP writes dumps to folder C:\WINDOWS\Minidump. If this folder is empty on your computer, consider yourself lucky.

You can control a number of dump-related options. To do so in Windows XP, start at the Control Panel, then System, then the Advanced tab, and finally click on the Settings button in the start-up and recovery section.

In the system failure section (the bottom half of the resulting window, shown above), I suggest enabling the option to write an event to the system log and turning off the option of automatic restart.

In the write debugging information section, "small memory dump 64K" is the default and should be fine. Only if a tech-support person says this small/minidump doesn't provide enough information would I choose one of the other options.

The small dump directory defaults to %SystemRoot%\Minidump, which normally translates to C:\WINDOWS\Minidump. There is no need to change it.

Minidumps have a file type of .DMP. The format of the filename is MiniMMDDYY-99 where the last two numbers are a sequence number. For example, Mini110407-01.dmp is the first dump taken on November 4, 2007.
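As an added example, not from the original post: a PowerShell script that reads the settings behind the Startup and Recovery dialog straight from the registry, flags any that differ from the advice above, and decodes the MiniMMDDYY-NN file names into crash dates. It assumes Windows XP with PowerShell 2.0; the CrashControl value names are Windows' own and are not mentioned in the post.

```powershell
# Added example (not from the original post): read the crash-dump settings
# behind the Startup and Recovery dialog from the registry, flag the ones that
# differ from the post's advice, and decode MiniMMDDYY-NN names into crash
# dates. Assumes Windows XP and PowerShell 2.0; the CrashControl value names
# are Windows' own, not the post's.

function Get-CrashDumpSettings {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc  = Get-ItemProperty -Path $key
    $dir = $cc.MinidumpDir
    if (-not $dir) { $dir = '%SystemRoot%\Minidump' }   # the default the post gives
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small memory dump
    New-Object PSObject -Property @{
        DumpType    = [int]$cc.CrashDumpEnabled
        LogEvent    = [int]$cc.LogEvent
        AutoReboot  = [int]$cc.AutoReboot
        MinidumpDir = [Environment]::ExpandEnvironmentVariables($dir)
    }
}

function Test-CrashDumpSettings {
    # Returns one line per setting that differs from the post's recommendation:
    # small dump, write an event to the system log, no automatic restart.
    $s = Get-CrashDumpSettings
    $problems = @()
    if ($s.DumpType -ne 3)   { $problems += "CrashDumpEnabled is $($s.DumpType); expected 3 (small memory dump)" }
    if ($s.LogEvent -ne 1)   { $problems += "LogEvent is off; turn on 'Write an event to the system log'" }
    if ($s.AutoReboot -ne 0) { $problems += "AutoReboot is on; turn off 'Automatically restart'" }
    $problems
}

function Get-MinidumpList {
    param([string]$Folder = (Get-CrashDumpSettings).MinidumpDir)
    # Filename is MiniMMDDYY-NN.dmp: Mini110407-01.dmp is the first dump on November 4, 2007.
    Get-ChildItem -Path $Folder -Filter 'Mini*.dmp' -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match '^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$') {
            $mm = [int]$matches[1]; $dd = [int]$matches[2]; $yy = 2000 + [int]$matches[3]
            $day = New-Object DateTime -ArgumentList $yy, $mm, $dd
            New-Object PSObject -Property @{
                File     = $_.Name
                CrashDay = $day.ToString('yyyy-MM-dd')
                Sequence = [int]$matches[4]
                SizeKB   = [math]::Round($_.Length / 1KB)
            }
        }
    } | Sort-Object CrashDay, Sequence
}

$issues = Test-CrashDumpSettings
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Dump settings match the recommendation.' }

# An empty list is the outcome to hope for.
Get-MinidumpList | Format-Table File, CrashDay, Sequence, SizeKB -AutoSize
```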

Event Logs

Event logs provide a history of problems and thus can be very helpful in debugging software problems.

To look at the event logs in Windows XP, start at the Control Panel, select Administrative Tools, then Event Viewer. There are at least three different logs: Application, Security, and System. Each log is a separate file. To determine the filename and location, right-click on the name of the log, get the Properties, and look for the "Log name." By default, the Application, Security, and System log files are respectively:

C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\System32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt

A tech-support person should be interested in some, if not all of these files. Event logs shouldn't be that big; in XP they max out at 512K by default.

Check Disk

A corrupted file system may play a part in any software failure. One of the first steps to take when dealing with a software crash should be to run the Windows Check Disk utility.

To do so, open My Computer and get the properties of the C disk. Then go to the Tools tab and click on the Check Now button. This opens a window with two Check Disk options; I suggest turning on both options. When you click the Start button, Windows will say it can't check a disk that's in use and ask if you want to schedule the checking for the next restart. Say yes and then restart Windows.

Checking a disk can take a long time and Windows does not stop when it's done to let you view any messages. But there is no need to watch the thing run since a summary of the disk checking is written to the Application log. Just after Windows starts up, look at the top of the Application log (where the most recent events should be) for an event with a source of "Winlogon" and a type of "Information." Double-click on it to see the results of the disk check. In my experience, minor inconsistencies are the rule rather than the exception.
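As an added example, not from the original post, covering both the Event Logs and Check Disk sections: a PowerShell script that lists each log's file, entry count and size cap, then pulls the Winlogon summary that Check Disk leaves in the Application log after the scheduled check. It assumes Windows XP with PowerShell 2.0; reading the Security log needs an administrator session, and the Eventlog service registry key it reads the file name from is Windows' own, not something the post names.

```powershell
# Added example (not from the original post): show each event log's file,
# entry count and size cap, then pull the Check Disk summary that Winlogon
# writes to the Application log after the scheduled check runs. Assumes
# Windows XP with PowerShell 2.0; reading the Security log needs an
# administrator session.

function Get-EventLogSummary {
    Get-EventLog -List | ForEach-Object {
        # Each log's on-disk file is recorded under its Eventlog service key.
        $svc  = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$($_.Log)"
        $file = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).File
        New-Object PSObject -Property @{
            Log      = $_.Log
            Entries  = $_.Entries.Count
            MaxKB    = $_.MaximumKilobytes   # 512 by default on XP
            Overflow = $_.OverflowAction
            File     = $file
        }
    }
}

function Get-CheckDiskResult {
    param([int]$Newest = 200)
    # The chkdsk summary is an Information event with source "Winlogon",
    # near the top of the Application log just after the restart.
    Get-EventLog -LogName Application -Newest $Newest -EntryType Information |
        Where-Object { $_.Source -eq 'Winlogon' } |
        Select-Object -First 1
}

Get-EventLogSummary | Format-Table Log, Entries, MaxKB, Overflow, File -AutoSize

$chk = Get-CheckDiskResult
if ($chk) {
    "Check Disk summary recorded at $($chk.TimeGenerated):"
    $chk.Message
} else {
    "No Winlogon summary among the newest 200 Application events; the check may not have run yet."
}
```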

May your Minidump folder be forever empty.

August 31, 2007 7:59 PM PDT

There is only one email program

by Michael Horowitz

There is only one email program for Windows users. No, I haven't lost my mind, and yes, Windows users can choose from many client-side email programs. But this is a Defensive Computing blog, and speaking defensively, that is, with the hope of avoiding problems in the future, there is only one choice when it comes to email programs (webmail is another topic entirely; if you use webmail exclusively, you can stop reading here).

Outlook


Outlook is out because it stores all your email in a single file. You don't need to be a techie/nerd to know how dangerous it is to have all your eggs in one basket. A single bad hard disk sector will suck up your time, money and/or email. And because the basket can get very large, backing it up is a pain. Not to mention it's expensive (OK, I did mention it).

Outlook Express


Outlook Express starts with two big advantages: it's free, and it's pre-installed in Windows XP and earlier versions of Windows. And it stores each folder as a separate file, avoiding the big Outlook design flaw. I never liked it, in part because it uses Internet Explorer to display HTML formatted email and thus inherits the security problems of IE. But don't rule it out for this reason alone.

A few days ago, Leo Notenboom wrote that Outlook Express is dead. At his Ask-Leo website someone asked about un-installing and re-installing Outlook Express, a classic tactic for a problematic application. No can do. Quoting Leo: "With the introduction of Internet Explorer 7, Outlook Express has apparently been put out to pasture, at least if you're on Windows XP."

There never was a standalone download of Outlook Express; it was always married to IE5 and IE6. When you updated Internet Explorer, you also updated Outlook Express, like it or not. With the introduction of IE7, Outlook Express was thrown overboard; it's no longer included with the browser.

Thus, if you're currently using Outlook Express on Windows XP, or an earlier version of Windows, you'd better hope it doesn't start acting up. Leo describes a number of ways to try and fix a broken copy of Outlook Express, but none are mainstream operations (I suggest reading the article to see if the fixes are things you're comfortable doing). And his suggested fixes are all Windows things, not Outlook Express things. In my opinion, you're better off using an email program that is not an integral part of the operating system.

Windows Mail


Windows Mail is the replacement for Outlook Express in Vista (it only runs in Vista). According to Leo, there is no stand-alone download of Windows Mail, so it too can't be easily un-installed and re-installed and is, perhaps, too much a part of the operating system. Also, it's new and thus likely to be buggy.

Windows Live Mail


Leo Notenboom updated his posting September 1st to include Windows Live Mail, an email program that neither he nor I was aware of. It's a new version of Outlook Express that runs on both Vista and XP with Service Pack 2.

First off, I can't believe the name. Microsoft learned nothing from the confusion they caused non-techies by similarly naming two totally different email programs (Outlook and Outlook Express). My guess is that it will eventually be referred to as Live Mail, both because the "Windows" is superfluous and to help differentiate it from the Vista-only program (which they should have called Vista Mail).

Whatever its name, the software is in beta, so the jury is still out. Except, that is, when choosing defensively. Beta software is out of the question when it comes to applications that really matter to you.

Thunderbird


I recommend Thunderbird from Mozilla, the same organization behind Firefox. According to Leo Notenboom "Thunderbird is free, fairly similar to OE to use, and actually somewhat more powerful. It's free, downloadable, it's being updated, works on Windows XP and Vista as well as the Mac and Linux, and there are many add-ons available for it."

To this I'll add that Thunderbird, like Firefox, is very good about updating itself with bug fixes. Keeping your applications up to date is a great defense against malicious software. And since Thunderbird does not use Internet Explorer under the covers to display HTML formatted email, it's safer still.

The safety provided by Thunderbird comes at virtually no cost. Not only is the software free, but it's easy to use. I say that not based on my own use of the program but based on the reaction of many of my non-techie clients.

You can download Thunderbird from Mozilla or from download.com where the Editor's review gave it 5 stars (out of 5) and where 511 users (as of September 1, 2007) rated it 4.5 stars.

Eudora


Eudora is liked by many techies but it's in transition and thus I'd be wary of trusting it with my email. The official website says "The Paid mode commercial versions of Eudora are no longer available as of May 1st, 2007. The Sponsored mode versions of Eudora continue to be available for download. An open source version of Eudora® is being developed by Mozilla and will be free of charge."

To translate, "sponsored mode" refers to a free ad-supported version. While free is good, abandoned is not. The new open source version of Eudora is called Penelope and the first beta was released August 31, 2007. Any brand new software is likely to be buggy for a while. I'll pass.

Lotus Notes


Perhaps the most hated email program to ever walk the face of the earth.


Updated September 1, 2007: Added Lotus Notes, Windows Live Mail, link to download.com for Thunderbird and Penelope.

August 16, 2007 9:14 PM PDT

DropMyRights part 3: Living with it

by Michael Horowitz

The first posting of this three part series on DropMyRights explained what the program is and why, I think, everyone running Windows XP should use it. The second part covered the somewhat unusual procedure for installing and configuring DropMyRights. This final posting describes using Windows XP after DropMyRights has been installed, and responds to some reader comments.

Although I have only discussed using DropMyRights with Windows XP, it also works with Windows Server 2003. It does not work with Windows 2000. On a technical level, it should work with Windows Vista and Windows Server 2008, however there isn't the need for it there because, by default, users are not administrators (that is, they don't run in unrestricted mode).

OOBE


The first thing you will notice (OOBE = Out of Box Experience) when using DropMyRights to run an application in restricted mode is that a black command window appears for literally a second. This brief black window is the DropMyRights program. As shown in Part 2, you first run DropMyRights and then it, in turn, runs the target application. The black window is your assurance that DropMyRights is on the job.

But how can you tell if an application is really running in restricted mode?

With a Web browser, try to save a local copy of a Web page (File -> Save As in IE 6 and IE 7 or File -> Save Page As in Firefox v2). No matter what, you should be able to save the page into the My Documents folder. The real test comes when you try to save the page into a system folder such as C:\Windows or the root directory of the C disk. An unrestricted Web browser can save files into system folders, a restricted one cannot.

The excellent and free Process Explorer program from Microsoft can be used to check if any program is running in restricted mode or not. Double click on the process, go to the Security tab and look at the Privileges in the bottom half of the window. If there is a single privilege called SeChangeNotifyPrivilege with flags of "Default Enabled" then the process is running in restricted mode. If many privileges are listed (even though most are disabled) then the process is unrestricted. Michael Howard offered a more detailed and technical explanation of this in his January 2005 article "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2."
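As an added example, not from the original post: a PowerShell script that performs the two checks described above from inside the process itself, the save-to-a-system-folder test and a token check. Instead of listing privileges as Process Explorer does, it asks .NET whether the process token still counts as a member of Administrators, which a DropMyRights token does not. Run it once from a PowerShell window started through DropMyRights and once from one started normally and compare. It assumes Windows XP with PowerShell 2.0; on Vista and later an unelevated prompt also reports restricted, which is the point made about those versions above.

```powershell
# Added example (not from the original post): the post's two checks, run from
# inside the process itself. Start PowerShell through DropMyRights and normally,
# run this in each, and compare. Assumes PowerShell 2.0 or later; the probe
# file name is a placeholder and is removed again.

function Test-WriteAccess {
    param([string]$Folder)
    # Try to create and delete a small file; a restricted token fails in system folders.
    $probe = Join-Path $Folder "dmr-probe-$PID.tmp"
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

function Get-RestrictedModeStatus {
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pri = New-Object Security.Principal.WindowsPrincipal($id)
    # DropMyRights hands the program a token in which the Administrators group
    # no longer grants access, so IsInRole reports false even though the
    # logged-on user is an Administrator.
    $isAdmin = $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $sys  = Test-WriteAccess -Folder $env:SystemRoot
    $mine = Test-WriteAccess -Folder ([Environment]::GetFolderPath('MyDocuments'))
    $verdict = 'undetermined'
    if (-not $isAdmin -and -not $sys -and $mine) { $verdict = 'restricted' }
    elseif ($isAdmin -and $sys)                  { $verdict = 'unrestricted' }
    New-Object PSObject -Property @{
        User                = $id.Name
        AdministratorRole   = $isAdmin
        CanWriteSystemRoot  = $sys
        CanWriteMyDocuments = $mine
        Verdict             = $verdict
    }
}

Get-RestrictedModeStatus | Format-List User, AdministratorRole, CanWriteSystemRoot, CanWriteMyDocuments, Verdict
```

A child process started from the restricted PowerShell window inherits the same token, so running the script again from that child shows the inheritance the next section describes.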

Restrictions are inherited


If a restricted application spawns another application, the new one also runs in restricted mode.

For example, if you are running a restricted instance of an e-mail program and click on a link in an e-mail message to open a new copy of the default Web browser, the browser runs in restricted mode. However, if an unrestricted instance of the default browser was already running, it remains in unrestricted mode when displaying the page from the link in an e-mail message. (Of course, if you are using DropMyRights, then there shouldn't be an unrestricted instance of a Web browser.)

When IE 6 and IE 7 and Firefox v2 are running in restricted mode, any new windows or tabs they open also run in restricted mode. Likewise, should a restricted mode browser launch another application such as Windows Media Player, iTunes or the Adobe Acrobat Reader, they too run in restricted mode.

Java


Java is an interesting case because it has its own security rules, separate and distinct from Windows.

Java applets that run in their normal sandbox run fine within a restricted mode browser. For example, there is an applet at my javatester.org Web site that displays the version of Java being used. I've run it many times from a restricted mode Web browser without a problem.

Java applets that need to violate the Java sandbox have to ask for permission. This is true, for example, of the free Transaction Guard utility from Trend Micro. When run from Firefox, it starts off as a Java applet (from IE it starts as an ActiveX control) that can't run until you approve it. When approved, the Transaction Guard applet downloads, installs and executes a pair of Windows programs, even when run from a restricted instance of Firefox. Process Explorer and Task Manager both show that Transaction Guard consists of two processes, tgsvc.exe and tgui.exe.

How is this possible?

Both Transaction Guard programs run out of the same folder

C:\Documents and Settings\userid\Local Settings\Application Data\Trend Micro\HCMS\tsafe\en-US\
(where userid represents the current Windows logon id)

This is a user folder, not a system folder. Every directory under C:\Documents and Settings\userid\ is updatable, even to a restricted Windows user, which is why Transaction Guard can be installed there. You can see this yourself by trying to save a Web page there from a restricted mode browser.

It may seem dangerous that a restricted instance of Firefox was used to install and run two Windows programs, and in some ways it is. These programs can delete or modify anything in the My Documents folder as well as the other sub-folders under C:\Documents and Settings\userid\.

On the other hand, both Transaction Guard processes inherited the restricted mode of the Web browser that spawned them. Thus they can't be fully installed and will not run the next time Windows starts up.

The threat of a program wiping out all the files in the My Documents folder is similar to the threat faced by a restricted user in Linux or the Mac OSX. Restricted users can't corrupt the operating system, but they can corrupt their own files. Backup. Backup. Backup.

Problems


One thing that won't work in restricted mode is Windows Update. Sometimes the error message specifically mentions logging on as an Administrator, but other times, the errors are useless. Still, generating an error message at all puts it ahead of Flash. Installing a new version of Flash just hangs. Likewise, the F-Secure online virus scanner hangs, without producing an error message, when it starts to remove tracking cookies.

DropMyRights can be transparent; thus, if you're like me, you can forget that it's being used. Every now and then I get an error when I try to install software. This happens after downloading a program from a restricted instance of my browser and then having the browser display the folder where the downloaded file was saved. At this point, Windows Explorer is running with the inherited restricted rights of the browser, so it can't install software. No big deal, all that's necessary is starting a new instance of Windows Explorer.

I have read, but not confirmed that:

  • Shockwave sometimes needs to run in unrestricted mode.
    See "Reducing browser privileges" by Mark Squire, October 2005
  • Intuit QuickBooks 2006 needs to run unrestricted
  • Family Tree Maker 2006 needs to run unrestricted
  • Turbo Tax needs to run unrestricted for the auto-update feature

If you can confirm any of this, please leave a comment.

Is DropMyRights the right approach?


Some commenters suggested another approach to solving the same basic problem (running programs in unrestricted mode when they can, and should, be run in restricted mode)--logging on to Windows as a restricted mode user. In theory, this is the right approach, but practically speaking it simply presents the problem from the other side. For a program to run in unrestricted mode, you have to poke a hole in the default restrictions. Think of it as UpMyRights. There are a number of programs that do this, and you can refer to the reader comments for references.

In my opinion, while that may be a more secure approach, the fact is that many/most Windows users already log on as an unrestricted user (Administrator) and thus DropMyRights is the easier solution for them to implement. A techie familiar with DropMyRights can walk up to a Windows XP machine for the first time, copy the program from a thumb drive, and make new shortcuts for the Web browser and e-mail program in literally a minute. DropMyRights offers a lot of protection for very little work.

Logging on as a restricted user may offer more protection, but at a higher cost in terms of time and effort. In April 2006 Brian Krebs, writing in the Washington Post said: "Ever since I wrote a column late last year urging Windows users to reconfigure for limited accounts, hardly a week has gone by when I haven't heard from some reader who's had problems as a limited user." ("Windows Users: Drop Your Rights"). For more about logging on to Windows as a restricted/limited user, see Aaron Margosis' "Non-Admin" WebLog.

Whether the extra protection offered by logging on to Windows as a restricted user justifies the extra effort, depends on the specific situation and will always be a matter of opinion. If a computer is shared by parents and their children, then having the children log on as restricted users is probably worth the time and effort.

Finally, I hope that installing and configuring DropMyRights, unusual though it is, didn't seem too daunting back in Part 2. It may sound worse than it is. But, the price of security always has been and always will be inconvenience.


Update August 26, 2007. I just added a posting on what to do if an Office file doesn't display or work properly when the application is run in restricted mode.

And to respond to some reader comments:

No matter where the DropMyRights.exe file is located, the "Start in:" box of the shortcut properties window should be the folder where the target application (IE, Firefox, etc.) resides. Good question, I should have mentioned this.

Using DropMyRights does affect the speed at which an application starts up, but the effect has been trivial in my experience; I'd guess the delay to be under a second, but your mileage may vary.

I haven't tried running auto-started programs with reduced privileges, but I would expect it to work the same as manually started programs. If the auto-started program is started using the Startup folder, then it's controlled by a normal shortcut which can be modified as described in Part 2. However, if the auto-started program is kicked off by a registry entry, then modifying the registry should be possible, but again, I haven't actually done it. Anyone who has, please feel free to leave a comment with your experiences.

August 12, 2007 6:22 PM PDT

DropMyRights part 2: Installing and configuring

by Michael Horowitz

This is a follow-up to my previous posting about DropMyRights, where I tried to make the case that every Windows XP user should use it.

You can download DropMyRights either from Microsoft or from CNET's Download.com.

What is downloaded is an MSI file rather than the usual EXE. Double-click on the MSI file to start the DropMyRights setup wizard. The wizard is pretty standard--you agree to the license, then select an installation folder. Interestingly, it defaults to installing DropMyRights in a subdirectory of My Documents (MSDN\DropMyRights) rather than the usual C:\Program Files.

After final confirmation, the installation itself takes about 5 to 10 seconds. When it completes, it opens Windows Explorer showing the folder and files it just created. The wizard installs five files, but the only one that is needed is DropMyRights.exe (it's 56KB). The other files are the source code and EULA.

I suggest copying the DropMyRights.exe file to the root of the C disk at this point. Two reasons for this follow shortly.

After installation, DropMyRights shows up in the control panel Add/Remove Programs applet. There is no need for it to be installed; you can uninstall DropMyRights immediately after installing it. Thus, the first reason to copy the DropMyRights.exe file is that uninstalling DropMyRights deletes the copy Windows knows about.

This is the last time you'll have to install DropMyRights. In the future, if you want to use it on other computers, simply copy the DropMyRights.exe file. It will run from any folder, and, since it is self-contained, there is no problem keeping multiple copies of it on one computer.

Making icons


DropMyRights works by taking the program you want to run in restricted mode as a parameter. As I mentioned in Part 1, my preference is to have two shortcuts for each application that I want to run in restricted mode. The legacy shortcut runs the application directly, the other runs DropMyRights. Using the Thunderbird e-mail program from Mozilla as an example, the procedure is:

  1. Start with the existing Thunderbird icon and copy it
    (right click on it, select copy, then paste it onto the Windows desktop).
  2. Rename the new shortcut "Thunderbird restricted" or something to that effect.
  3. Get the properties of the new shortcut.
  4. The cursor will be in the Target box on the right end. Scroll it to the far left of the Target box.
  5. Enter the full path to DropMyRights followed by a space.
    This was the second reason for copying the EXE file to the C disk root--less typing. Can you tell I've done this often?
  6. You should end up with a Target box like this:
    C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
    Note: quotes are needed when there is a space in the name of any directory.
  7. Click the OK button.

This satisfies all the technical requirements, but since the shortcut now points to DropMyRights instead of Thunderbird, the icon is ugly and confusing. To restore the Thunderbird icon:

  • Right click on the restricted shortcut and get the Properties
  • Click on the "Change Icon..." button.
  • You'll get an error message about there being no icons in the EXE file. This is normal. Click OK to exit the error message window.
  • Click the "Browse..." button and navigate to the main Thunderbird executable (the full path is above) and click on it, then click the Open button.
  • If at this point you see a single icon, click on it and then click the OK button. Often there are multiple icons embedded in an EXE file. If that's the case for any of the programs you're setting up for DropMyRights, then Windows will display all the available icons and you can choose any of them.

Restricting Internet Explorer may not be as straightforward because the IE icon on the Windows desktop may not be a shortcut. One way to tell is to look for the black arrow in the bottom left corner of the icon. Another way is to get the Properties of the icon. If, instead of a normal Properties window, you see the Internet Properties window, it's not a shortcut.

If it's not a normal shortcut, we can still make a restricted mode icon for Internet Explorer by starting with the main IE executable file. For IE 6 this is:
    C:\Program Files\Internet Explorer\iexplore.exe

Navigate to this file in Windows Explorer, then right-click on iexplore.exe and create a shortcut to it. Then copy or move this shortcut to the Windows desktop. The procedure from this point is the same as above, starting with renaming the new shortcut to something like "IE restricted".

Quick Launch and portable apps


If there is an Internet Explorer icon/shortcut in the Quick Launch Toolbar (next to the Start button) this too, can be replaced with a restricted mode version of itself. Start by right clicking the IE icon in the Quick Launch bar and deleting it. Then drag the restricted mode IE shortcut from the desktop to the Quick Launch bar. For whatever reason, Windows XP does not display the name of this icon when the mouse pointer hovers over it. However, you can get the properties of the icon and modify the Comment field to something like "Restricted mode IE" which will be displayed in the yellow tooltip box.

Restricting portable applications is also possible, but the procedure is a bit different. Since the whole idea of portable applications is that they are portable, we can't rely on there being a copy of DropMyRights in the root of the C disk. So, put a copy of DropMyRights in the same folder as the main executable for the portable application.

Right click on this copy of DropMyRights.exe and make a shortcut to it. Rename the shortcut to reflect the fact that it runs the portable application in restricted mode. Get the properties of the shortcut and on the right side of the Target box (this time the cursor is positioned where it's needed) add the name of the main EXE file preceded by a space.

For example, to run the portable version of Firefox, add " FirefoxPortable.exe". There is no need to enter the full path to FirefoxPortable.exe because it's in the same folder as DropMyRights. The net result will be something like this:

Q:\PortableApplications\Firefox\DropMyRights.exe FirefoxPortable.exe

Again, you'll want to change the icon to that of the target application. Get the icon from the FirefoxPortable.exe file, not from any non-portable copy of Firefox that may be installed. You want the icon to be portable too. Many free, portable applications are available at PortableApps.com.
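As an added example, not from the original post, covering both the shortcut procedure under Making icons and the portable-application variant: a PowerShell script that builds the restricted-mode shortcut (Target, Start in, icon and tooltip comment) with the WScript.Shell COM object that ships with Windows XP, and a second function that audits which desktop shortcuts actually go through DropMyRights. It assumes DropMyRights.exe was copied to C:\ as suggested (or sits beside the EXE for a portable app); the application paths are the ones used in the post.

```powershell
# Added example (not from the original post): build the restricted-mode
# shortcut the steps above create by hand, for installed and portable
# applications, using the WScript.Shell COM object that Windows XP ships with.
# Assumes DropMyRights.exe was copied to C:\ as the post suggests (or, for a
# portable app, sits beside its EXE); the application paths are the post's examples.

function New-RestrictedShortcut {
    param(
        [Parameter(Mandatory=$true)][string]$AppPath,   # full path to the real EXE
        [Parameter(Mandatory=$true)][string]$Name,      # e.g. "Thunderbird restricted"
        [string]$DropMyRights = 'C:\DropMyRights.exe',
        [string]$Folder = [Environment]::GetFolderPath('Desktop'),
        [switch]$Portable
    )
    $appDir = Split-Path -Parent $AppPath
    if ($Portable) {
        # Portable layout: DropMyRights lives in the app's folder and the
        # argument is the EXE name alone, e.g. "DropMyRights.exe FirefoxPortable.exe".
        $DropMyRights = Join-Path $appDir 'DropMyRights.exe'
        $argument = Split-Path -Leaf $AppPath
    } else {
        # Quotes are needed because "Program Files" contains a space.
        $argument = '"' + $AppPath + '"'
    }
    if (-not (Test-Path -LiteralPath $AppPath))      { throw "Application not found: $AppPath" }
    if (-not (Test-Path -LiteralPath $DropMyRights)) { throw "Copy DropMyRights.exe to $DropMyRights first" }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath       = $DropMyRights      # Target box: DropMyRights first...
    $lnk.Arguments        = $argument          # ...followed by the application
    $lnk.WorkingDirectory = $appDir            # "Start in" is the application's own folder
    $lnk.IconLocation     = "$AppPath,0"       # borrow the application's first embedded icon
    $lnk.Description      = "Runs $(Split-Path -Leaf $AppPath) in restricted mode"   # tooltip comment
    $lnk.Save()
    $lnk.FullName
}

function Get-RestrictedShortcuts {
    # Audit: which shortcuts in a folder actually go through DropMyRights?
    param([string]$Folder = [Environment]::GetFolderPath('Desktop'))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Folder -Filter '*.lnk' | ForEach-Object {
        $l = $shell.CreateShortcut($_.FullName)
        $restricted = $l.TargetPath -like '*\DropMyRights.exe'
        $runs = $l.TargetPath
        if ($restricted) { $runs = $l.Arguments }
        New-Object PSObject -Property @{
            Shortcut   = $_.Name
            Restricted = $restricted
            Runs       = $runs
        }
    }
}

New-RestrictedShortcut -AppPath 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe' -Name 'Thunderbird restricted'
New-RestrictedShortcut -AppPath 'C:\Program Files\Internet Explorer\iexplore.exe' -Name 'IE restricted'
New-RestrictedShortcut -AppPath 'Q:\PortableApplications\Firefox\FirefoxPortable.exe' -Name 'Portable Firefox restricted' -Portable
Get-RestrictedShortcuts | Format-Table Shortcut, Restricted, Runs -AutoSize
```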

Which programs should be restricted?


DropMyRights can be used to run any program with restricted system access, but which applications should be restricted?

Back in November 2004, the developer, Michael Howard, suggested using it with all Internet facing applications: Web browsers, e-mail clients and instant messaging. That's certainly good advice.

For a long time now, I have used DropMyRights to restrict Firefox and IE 6. I don't work on many machines with IE 7, so if you've done this, feel free to leave a comment about your experience. Mr. Howard himself has moved on to other things and has not tried DropMyRights with IE 7 either. I also haven't tried using it to restrict Opera or the recently released Safari for Windows. If you have, please leave a comment.

As for e-mail, I use DropMyRights with Thunderbird every day, and have seen it work fine with Outlook 2003. Mr. Howard says it works with Eudora and Lotus Notes.

But there's more.

Microsoft Office applications are a popular carrier of malware (malicious software) and they too, should run, by default, in restricted mode.

In October 2006, Joris Evers of CNET News.com wrote about how Office files are used in targeted attacks for industrial espionage. See "The future of malware: Trojan horses." The article described attempts at installing keystroke loggers and other malware using a Microsoft Office file exploiting a known bug for which the target machine has not applied the patch (if there even is a patch).

Do you use Excel? If so, have you applied the latest bug fixes/patches in the last few weeks? If not, then opening a spreadsheet can result in Windows being infected with malicious software. In July, Microsoft issued a fix for a bug in Excel 2000, 2002, 2003 and 2007. For more, see Microsoft Security Bulletin MS07-036.

However, as with Internet Explorer, you may find that the shortcuts used to invoke Word, Excel and other Office applications are not normal shortcuts--there may be no Target box to modify. If so, then navigate in Windows Explorer to the main executable file for these applications (such as winword.exe for Word) and make a normal shortcut to the EXE file. Then proceed as described above.

Other applications are also very much Internet connected. To be safe, you might also run iTunes, QuickTime and Windows Media Player in restricted mode.
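As an added example (not part of the post and not DropMyRights' own code), the PowerShell script below creates the restricted-mode shortcuts described above for several applications at once, rather than editing each shortcut's Target box by hand. Each new shortcut points at DropMyRights.exe and passes the real program's path as its argument, which is how DropMyRights is invoked. The DropMyRights install path, the Office 11, Firefox and Thunderbird paths, and the presence of PowerShell on the machine are all assumptions; adjust them to your installation.

```powershell
# Added example: build "restricted mode" shortcuts for Internet-facing applications.
# Assumptions: DropMyRights installed at $DropMyRights; application paths below are
# placeholders for your own installation.

$DropMyRights = 'C:\Program Files\DropMyRights\DropMyRights.exe'   # assumed install path

# Hypothetical list: display name for the new icon and the executable to restrict.
$apps = @(
    @{ Name = 'Word (restricted)';        Exe = 'C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE' },
    @{ Name = 'Excel (restricted)';       Exe = 'C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE' },
    @{ Name = 'Firefox (restricted)';     Exe = 'C:\Program Files\Mozilla Firefox\firefox.exe' },
    @{ Name = 'Thunderbird (restricted)'; Exe = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe' }
)

function New-RestrictedShortcut {
    param(
        [string]$Name,                 # file name of the new .lnk (without extension)
        [string]$TargetExe,            # the application to run with lowered rights
        [string]$Launcher = $DropMyRights,
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    if (-not (Test-Path $Launcher)) { throw "DropMyRights not found at $Launcher" }
    if (-not (Test-Path $TargetExe)) { Write-Warning "Skipping $Name; $TargetExe not found"; return }

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    # The shortcut's Target is DropMyRights; the real program is its argument.
    # The argument is quoted because Program Files paths contain spaces.
    $lnk.TargetPath       = $Launcher
    $lnk.Arguments        = "`"$TargetExe`""
    $lnk.WorkingDirectory = Split-Path $TargetExe
    $lnk.IconLocation     = "$TargetExe,0"   # borrow the application's own icon
    $lnk.Save()
    return $lnk.FullName
}

foreach ($app in $apps) { New-RestrictedShortcut -Name $app.Name -TargetExe $app.Exe }
```

The original, unrestricted shortcuts are left untouched, so the two icons can sit side by side as the post suggests; delete the unrestricted one for any program you never want run with full rights.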

There's still more to be said about DropMyRights. Next up: living with DropMyRights after installing it.


Update. November 6, 2007. Additional thoughts on which applications should be run in restricted mode are in the posting Restricting insecure applications.


August 7, 2007 7:22 PM PDT

Every Windows XP user should drop their rights

by Michael Horowitz

If you are running Windows XP, you should install the free DropMyRights program. Hopefully this posting will convince you of this.

DropMyRights is a free program that greatly increases the security of Windows XP and has not gotten the attention that I think it deserves. Everyone running Windows XP should use it. Yes, everyone.

Windows, Macs and Linux all support the concept of restricted and unrestricted users. Restricted users are limited in the changes they can make to the system, perhaps the biggest restriction being on installing software. On Windows, unrestricted users are called Administrators; on Macs and Linux, the sole unrestricted user is called root.

A big reason that Macs and Linux are safer than Windows is that running as a restricted user is the norm. Trying to run Windows while logged on as a restricted user comes with a host of problems, so the reality is that almost everyone runs their Windows XP computer as an unrestricted (Administrator) user. This is a shame, because it means that malicious software can be surreptitiously installed and once running, it can modify or delete critical Windows system files.

The way DropMyRights makes Windows more secure is by running selected programs in a restricted environment (i.e. with lower rights) even when logged on to Windows XP as an Administrator.
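DropMyRights, whose source Mr. Howard published, builds its lowered-rights token with the Windows Safer API: it asks for a "normal user" level, derives a restricted token from the Administrator's own token, and starts the program with that token. The added example below (not the post's or DropMyRights' own code) does the same from PowerShell so you can see the mechanism, and includes a check to run inside the launched program to confirm the rights really were dropped. It assumes PowerShell 2.0 or later (for Add-Type); the Internet Explorer path is a placeholder.

```powershell
# Added example, not DropMyRights' source: derive a "normal user" token from the
# current Administrator token via the Safer API and start a program under it.
# Assumes PowerShell 2.0+ (Add-Type). Paths are placeholders.

Add-Type -Namespace Demo -Name Safer -MemberDefinition @'
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCreateLevel(uint dwScopeId, uint dwLevelId,
        uint OpenFlags, out IntPtr pLevelHandle, IntPtr lpReserved);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferComputeTokenFromLevel(IntPtr LevelHandle,
        IntPtr InAccessToken, out IntPtr OutAccessToken, uint dwFlags, IntPtr lpReserved);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCloseLevel(IntPtr hLevelHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize;
        public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute;
        public int dwFlags; public short wShowWindow; public short cbReserved2;
        public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION {
        public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName,
        string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
'@

# Constants from winsafer.h
$SAFER_SCOPEID_USER        = 2
$SAFER_LEVELID_NORMALUSER  = 0x20000   # Administrators becomes a deny-only SID; admin privileges are removed
$SAFER_LEVELID_CONSTRAINED = 0x10000   # stricter level, for programs that tolerate it
$SAFER_LEVEL_OPEN          = 1

function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Start-RestrictedProcess {
    param([string]$Path, [uint32]$LevelId = $SAFER_LEVELID_NORMALUSER)

    $level = [IntPtr]::Zero
    $token = [IntPtr]::Zero
    if (-not [Demo.Safer]::SaferCreateLevel($SAFER_SCOPEID_USER, $LevelId, $SAFER_LEVEL_OPEN,
                                           [ref]$level, [IntPtr]::Zero)) {
        throw "SaferCreateLevel failed, error $(Get-LastError)"
    }
    try {
        # A NULL input token means "start from this process's own (Administrator) token"
        if (-not [Demo.Safer]::SaferComputeTokenFromLevel($level, [IntPtr]::Zero, [ref]$token, 0, [IntPtr]::Zero)) {
            throw "SaferComputeTokenFromLevel failed, error $(Get-LastError)"
        }
        $si = New-Object -TypeName 'Demo.Safer+STARTUPINFO'
        $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
        $pi = New-Object -TypeName 'Demo.Safer+PROCESS_INFORMATION'
        $ok = [Demo.Safer]::CreateProcessAsUser($token, $Path, "`"$Path`"", [IntPtr]::Zero, [IntPtr]::Zero,
                                                $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
        if (-not $ok) { throw "CreateProcessAsUser failed, error $(Get-LastError)" }
        [void][Demo.Safer]::CloseHandle($pi.hThread)
        [void][Demo.Safer]::CloseHandle($pi.hProcess)
        return $pi.dwProcessId
    } finally {
        if ($token -ne [IntPtr]::Zero) { [void][Demo.Safer]::CloseHandle($token) }
        [void][Demo.Safer]::SaferCloseLevel($level)
    }
}

# Run this inside the launched program (e.g. a PowerShell started with the function above).
# IsInRole ignores deny-only SIDs, so it returns $false under the restricted token even
# though the logged-on user is an Administrator.
function Test-RunningRestricted {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Launch Internet Explorer (path is an assumption) with normal-user rights
Start-RestrictedProcess -Path 'C:\Program Files\Internet Explorer\iexplore.exe'
```

Because the new token is derived from the caller's own token, no special privilege is needed to hand it to CreateProcessAsUser; that is why a small program like DropMyRights can do this from an ordinary Administrator logon. Programs started this way cannot write to Program Files or the machine parts of the registry, which is exactly the behaviour the post describes when something "doesn't work" in restricted mode.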

Think you don't need it? I'm being alarmist? You're protected by antivirus software, so why bother?

A Windows XP computer can be surprisingly vulnerable to malicious software, especially if you are not up to date on installing bug fixes/patches to both Windows and all your applications. (Soon I plan a posting about the Secunia Software Inspector that makes it easier to keep up to date on bug fixes for many popular applications.)

  • Did you know that Windows can get infected just by viewing a Web page? It can.

  • The old rule about not opening e-mail attachments is not sufficient anymore. Simply reading an e-mail message can infect Windows.

  • There have been instances where simply viewing a picture could have installed malicious software.

And, you're not safe if all you do is visit "good" Web sites. Reputable sites get compromised by the bad guys in an attempt to install malicious software on your computer. The Web site owner might not realize this has happened for quite a while, if ever. There is no longer a good neighborhood on the Web that you can safely browse around in.

While you're safer with antivirus and antispyware programs installed, no one application catches everything (no two applications either). Got a firewall? Great, but the problems discussed here are not ones that a firewall can protect you from.

At the risk of repeating myself, everyone running Windows XP should use DropMyRights.

Safe and trusted


DropMyRights comes from a Microsoft employee named Michael Howard. Mr. Howard is a specialist in security, working in the Secure Engineering group at Microsoft. Among his many credits is co-authoring a book called Writing Secure Code. In short, it comes from a trustworthy source.

Mr. Howard released DropMyRights back in November 2004, so if there were any problems with it, they would surely have been discovered by now. But problems were unlikely as DropMyRights is a small, relatively simple program and Mr. Howard went so far as to release the source code. The tires have been well kicked on it.

Unlike most security software, DropMyRights does not need constant updating. In fact, it doesn't need any updating at all. You just install it and forget about it.

And, did I mention that it's free?

User experience


After DropMyRights is installed and configured, the result is a bunch of icons. For each application that you want to run in restricted mode, there should be a new icon for doing just that. It can sit, side-by-side if you want, with the original unchanged icon for running the program. The picture below shows this arrangement for the Thunderbird e-mail program from Mozilla.

I prefer to keep the restricted mode icons visible on the Windows desktop while moving their unrestricted siblings under the Start -> Programs menu so they are out of the way. To each his own.

As a rule, run potentially dangerous applications in restricted mode all the time. (Next time, I'll discuss the applications that are potentially dangerous.) Should you come across something that doesn't work correctly in restricted mode, it could very well be that DropMyRights has just protected your computer from some type of malicious software.

If you really must do whatever it is that does not work in restricted mode, then simply run the application in legacy, unrestricted mode. DropMyRights is easy to bypass. On the other hand, if you don't want children to ever run an application (Internet Explorer comes to mind) in unrestricted mode, then delete that icon. The icon is just a shortcut; the actual application is still installed and can always be run unrestricted by navigating to the main .EXE file in Windows Explorer and double-clicking on it. Hopefully this will be too much for the child in question.

DropMyRights does not work with Windows 2000, but it does work with Windows Server 2003. You can download it from Microsoft.

Next time, installing and configuring DropMyRights.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
