Drop My Rights

Your Windows XP computer will be more secure online if you run under a limited account, rather than with an administrator account. But that is very inconvenient for many users. Vista's UAC (user access control) provides similar improvement in security by reducing rights, but with less inconvenience.

Alternative: It's advisable to run at least your internet-facing programs -- browser, email program, media players, etc. -- with reduced privileges. This option is fairly easy to set up. You just need to install a simple program -- DropMyRights -- and set up some special shortcuts (icons) for your internet-facing programs.

  • Michael Howard's article was the first place that I found that tells how to use Microsoft's DropMyRights program (free).
  • I have added my own instructions for using DropMyRights below.
  • I also created some special DropMyRights shortcuts for Firefox, Thunderbird, Outlook Express, Internet Explorer and Windows Media Player. You'll need to use them or clone [instructions below] your own to use DropMyRights.
  • Michael Horowitz at CNet has a nice article on using DropMyRights for internet-facing programs.
  • Gizmo Richards at Tech Support Alert also has a comprehensive article on using DropMyRights.

Mark Russinovich of Sysinternals describes an alternative way to run Internet-facing programs with reduced rights. It uses the same "CreateRestrictedToken" function that "Drop My Rights" does. The article will also give you a better idea of what's involved. [update]

Update: I'm now using Online Armor Personal Firewall, which I also use to run my internet-facing programs with reduced rights. It's particularly handy because you can easily run the program at full rights directly from Online Armor. I use Online Armor -- a stout firewall combined with a robust HIPS -- in my own security system.

Just close any of the program's windows you have open, and then use Online Armor to "Run normal." [Open the "Programs" section in the "Configuration" window of Online Armor (from the Tray area of your Taskbar) > Right-click the program whose rights you want to temporarily elevate > select "Run normal", and it will open in "Normal" (administrator) mode.]

Instructions

Install DropMyRights

  1. Download the DropMyRights.msi file from Microsoft. Look for the link on the page.
  2. Double-click the file's icon to start installation.
  3. Install DropMyRights in C:\Program Files\DropMyRights\ If you pick another folder my shortcuts won't work without modification.
  4. Note: DropMyRights is not a program that you open in the normal way. It works behind the scenes to open other programs. It runs them with Limited rights.

Create special shortcuts (icons)

  1. Download DropMyRights.zip which contains special shortcuts that I created to use with DropMyRights.
  2. They assume that you installed DropMyRights.exe in C:\Program Files\DropMyRights\ -- otherwise see "Cloning/modifying shortcuts" below.
  3. Unzip DropMyRights.zip and extract the shortcuts anywhere you want them, e.g., on your Desktop.
  4. Double-click the shortcuts to start your internet-facing programs under limited rights.
  5. Note: Keep the original shortcuts for your Internet programs. Sometimes, for example to install plugins like Shockwave, it's necessary to run these programs with full rights. After you finish, be sure to close the program and restart it with reduced rights.

Running programs under limited rights

Cloning or modifying limited rights shortcuts (icons)

You can also create "DropMyRights" shortcuts for other programs. Just clone one of the examples, as shown in my directions below. Use the same approach to modify shortcuts if you have installed DropMyRights.exe in a folder different from C:\Program Files\DropMyRights\.

  1. Start the cloning process by copying and pasting one of the original shortcuts to create a new one.
  2. Right click the new shortcut, and select "Properties". You'll get a dialog box similar to the one at the right.
  3. Notice that the Target: is "C:\Program Files\DropMyRights\DropMyRights.exe" (quotes are included in this situation). What you don't see is the argument that is passed to DropMyRights.
  4. Right-click the text in the Target line and select copy. [If it is not already selected (blue) then click "select all" and then you should be able to copy.]
  5. Paste the text to Notepad or Wordpad. Here's what you'll see:

    "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe"

    (Except it will all be on one line, with one space between the two text segments as shown again below the image.) The astute will have realized they can just copy the line from this page. :-)
  6. Now comes the fun part: Replace the second text segment with the path to the executable file for the program you need a shortcut for. For example, it would be

    "C:\Program Files\FeedDemon\FeedDemon.exe"

    for my web feed reader.
  7. Copy this new line and paste it into the Target line, replacing what was there before.
  8. Next, click the "Change Icon..." button, and navigate to the program's executable file, e.g., FeedDemon.exe, and select the icon you like.
  9. Click OK, and then try out your new shortcut. You should see a brief flash, maybe even a black box for an instant, and then your program will open. It will be running with limited rights.

Here is what you will be working with in Notepad (or Wordpad). Copy the original line, and then edit it to create the cloned line. Notice the single space between the two segments of each line. Mucho Importante!

"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" original line
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\FeedDemon\FeedDemon.exe" cloned line