Use 'Run As' To Protect The Registry

by Tony Bradley [Published on 25 Jan. 2005 / Last Updated on 25 Jan. 2005]

Members of the Administrators group typically have full control to modify registry keys. Unwittingly executing a malware-infected or other questionable program with Administrator privileges can result in registry additions or edits which may adversely affect the system. To safeguard the registry without logging out you can use this trick.

Windows XP has some limited built-in protection designed to safeguard the registry. By default, normal users have only Read permissions for most branches of the registry and can modify only the keys that affect their own account (the HKEY_CURRENT_USER branch).

Members of the Administrators group, on the other hand, are granted full control over the various branches of the registry (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and HKEY_USERS) and can add, remove or modify registry keys. Many programs require the ability to add to or modify the registry in some way during installation, which is why they often warn that Administrator privileges are required in order to execute the setup.

Even when a system has security measures in place to detect and remove viruses or other malware, there are times when it is still better to be safe than sorry. This is particularly true when executing obscure or unknown shareware or programs acquired through peer-to-peer (P2P) networking systems or files received as email attachments.

There is an added feature in Windows XP which allows both regular users and members of the Administrators group to test a suspicious program, to see whether it causes any harm or makes the computer behave oddly, while protecting the registry. Follow the steps below:

  1. Right-click on the icon or program file you wish to execute
  2. Select Run As
  3. Select Current User for the credentials to use
  4. Check the box next to Protect My Computer And Data From Unauthorized Program Activity

Following these steps will allow the program to execute, but it will run under a restricted token that carries the Restricted SID (security identifier). Registry access checks against that token limit the program to Read permissions, which ensures that it does not alter the registry in any way.

Be warned that running a program under these restrictions does more than just secure the registry. The program will be unable to access data or files in the user's profile in any way, including the My Documents folder or even Cookies and Temporary Internet Files, and it will have virtually no system-wide access. This is great if you are unwittingly executing a virus-infected program, but it may also cause perfectly safe programs to be unable to run properly.
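To confirm that the restricted token and the registry and profile limits described above are actually in force, the following PowerShell function (an added example, not part of the original article) can be run from a PowerShell window that was itself started through the Run As dialog with the Protect My Computer box ticked, and then again from a normal window for comparison. The probe key names and the output field names are assumptions of this example, not anything Windows defines.

```powershell
# Added example: report whether this process runs under a restricted token and
# whether registry writes and profile reads are blocked as the article describes.
# The probe key names below are constructed placeholders; a created key is removed again.

function Test-ProtectedRunAs {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # A restricted token lists the well-known RESTRICTED SID (S-1-5-12) among its groups.
    $hasRestrictedSid = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-12' })

    # Try to create (then delete) a throwaway subkey in each hive; "access denied"
    # means the token only has Read permission there.
    $probe = @{
        'HKLM' = 'HKLM:\SOFTWARE\RunAsProtectProbe'   # placeholder key name
        'HKCU' = 'HKCU:\Software\RunAsProtectProbe'   # placeholder key name
    }
    $writable = @{}
    foreach ($hive in $probe.Keys) {
        try {
            New-Item -Path $probe[$hive] -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe[$hive] -ErrorAction SilentlyContinue
            $writable[$hive] = $true
        } catch {
            $writable[$hive] = $false
        }
    }

    # Profile check: listing My Documents fails under the restricted token.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    try {
        Get-ChildItem -Path $docs -ErrorAction Stop | Out-Null
        $profileReadable = $true
    } catch {
        $profileReadable = $false
    }

    New-Object PSObject -Property @{
        User             = $identity.Name
        HasRestrictedSid = $hasRestrictedSid
        HKLMWritable     = $writable['HKLM']
        HKCUWritable     = $writable['HKCU']
        ProfileReadable  = $profileReadable
    }
}

Test-ProtectedRunAs | Format-List
```

Under the protected Run As session, HasRestrictedSid should be True and the other three fields False; from a normal Administrator session, the writable and readable fields should all be True.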

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
