Slashdot Mirror
Windows XP, Games, and Administrator Privileges?
An anonymous reader asks: "I manage my kids' computer, running Windows XP Professional, with an iron fist. They have limited access rights as I do not want them accidentally deleting the wrong file or downloading trojan software. However, software products, particularly games, fight my user management schemes at every turn. Each user on the computer is member of the 'Gamers' group. This group has full access to the games directory, the place I install all of the game software. I did this since games often need to update configuration files or write save files. Despite these changes, I still run into problems. Our latest two games, Age of Mythology and Battlefield 1942, require administrator privileges irrespective of the file privileges. I have not been able to overcome the problem and it seems, based on Googling, that others are in the same boat.
Fellow Slashdot readers, what have you done to overcome this problem?"
1- Dual Boot (WinXp for you + Win98SE for your kids)
2- A ghost image of the win98SE partition
3- Let them play
4- Wait for them to say "Dad it doesn't work anymore !"
5- Restore your ghost backup
6- Goto 3
Seems a bit dub, but it works better and it's less a pain than managing XP user rights.
____
nico
Nico-Live
Unfortunatly a ton of programs do not adhere to the exact standards they should, and there really isn't a way around it. XP easially lets you grant someone full control, or none, but this dosen't mean every program is going to listen and act the same. The sad realty is to get anything done on a Windows box, you have to sit logged in as an admin. It's ironic that a Microsoft published game is one of the ones giving you pains...
Though, to address your current problem, you could create a new user, use the policy manager to only allow one of the troublesome games to be run, and grant them admin rights. Then use the "Run As" feature of XP to run that program as this new user, from the kids login. Just keep an eye on where the game is saving files, as it could be doing so in the new users home folder somewhere.
Use the secondary logon service. Right click on the game program short-cut, select properties, under the "Shortcut" tab click on advanced, then check the box that says "run with different credentials".
It'll prompt you for the administrator password when you run it.
Use Regmon and Filemon from sysinternals.com to discover which files/keys the program is trying to modify and is failing on. Then adjust the ACLs on those files/keys so that the Gamers group has write access.
One of the conditions for obtaining the "Designed for Windows XP" Logo is that the program must be capable of being run under a Limited user account. If MS's own software isn't capable of this then you ought to report it to them as a bug.
The situation with XP home which only has "Limited" and "Administrator" account types really does not help people adopt more secure working practices.
The situation ought to improve in future but at the moment it does not seem to be something that most developers test against.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
Try using VMWare.
you can isolate the game in its virtual copy of windows and grant it only limited acces to the real Network/Drives/System.
As of Postgres v6.2, time travel is no longer supported.
Microsoft appear to have a patch for this problem, I don't know if that will fix it for you.
Other ideas include giving "Gamers" full access to the "Program Files" directory in case it's trying to write there rather than your games directory.
If that doesn't work then perhaps mail the CD back and ask for a refund. There is no reason any application, least of all a game should require admin rights for normal operation, and if it does, the software is not fit for the purpose it was sold for.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
These kinds of problems are most certainly related to file and/or registry permissions. Working at a K-12, I'm often troubleshooting software that won't run as a normal user. I've found the majority of the problems are related to poorly written software trying to add and modify files to the SYSTEMROOT directory (usually c:\windows or c:\winnt). The rest are usually solved by opening up permissions on the applications registry keys under HKLM.
Get yourself a copy of RegMon and FileMon from Sysinternals. You'll need to logon as an Administrator, start up reg or filemon, then do a RunAs on the application to run it as a normal user. You'll probably want to filter the output of reg/filemon to only show activity of the app itself, otherwise you'll be looking at all activity on the system. Look for ACCESS DENIED errors in places where normal users can't usually write. Slowly open up those areas to modify access until you've found a solution.
"Start --> Help --> Search --> Power Users" to get a list of the things Power Users are able to do and what they are restricted from doing.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
One other thing you might consider is the fact that Windows XP initiates the Compatibility Engine on a lot of games. One game I can think of right off the bat that does is The Sims. A user needs to be either in the Power Users or the Administrators group in order to run a game or any other application with this engine included in use.
There are a few things you might consider doing. First would to be to google to figure out how one might add the "lesser" users to be able to use the compatibility engine, or at least to run those particular applications (games) with elevated privledges. Another is to write a simple script to use the "runas" command to automatically run a program as administrator using a cached password (in the registry) to run the game in question and then creating a shortcut to that script on the desktop (or wherever) to run the game.
One other thing you can do is add your kids to the power users group then use the Local Security Settings mmc and right-click on "Software Restriction Policies" and chose "Create New Policies." You then can start creating rules of what directories are accessable on the computer (make sure in the "Enforcement" policy to choose "All users except local administrators", you don't want to lock yourself out). You can refine which folders they are granted or denied access to by right-clicking on the "Additional Rules" folder and choosing a new "hash" rule to specify a particular application itself, or a new "path rule" to specify an application path (which'll include EVERYTHING in all subfolders within that path.)
These are just a few ideas to get you started down the path.
Unique.
A list of system processes, what they are for etc.s pro/pr ocesslibrary/
http://www.liutilities.com/products/wintask
A lot of system services share process space with each other. You will have 3 or more svchost processes. To find out which services are safe to disable.
http://www.blackviper.com/WinXP/servicecfg.htm
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
No, they don't. It says right on that page to "try logging in as an Administrator" before it says to install the fix.
The reason the games need this is because of the CD copy protection; they need to access the drive directly to be able to see whether the bad sectors/whatever hidden data they're looking for are there. You could try cracking the games and seeing if that helps, as I'm pretty sure that's the only they need Admin access - a good site for cracks is GameCopyWorld. I often use them because I'm a lazy bastard who doesn't want to risk ruining his (original!) CDs by switching them around all the time, and I've never had a problem with any of the cracks I've downloaded from there.
One other possible method.. Isn't there a way to have Windows "run as" a different user (ala +s on UNIX)? So you could have it run as some special Admin-priveleged user, while keeping them in the non-Admin account most of the time.
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.