Slashdot Mirror
Windows XP, Games, and Administrator Privileges?
An anonymous reader asks: "I manage my kids' computer, running Windows XP Professional, with an iron fist. They have limited access rights as I do not want them accidentally deleting the wrong file or downloading trojan software. However, software products, particularly games, fight my user management schemes at every turn. Each user on the computer is member of the 'Gamers' group. This group has full access to the games directory, the place I install all of the game software. I did this since games often need to update configuration files or write save files. Despite these changes, I still run into problems. Our latest two games, Age of Mythology and Battlefield 1942, require administrator privileges irrespective of the file privileges. I have not been able to overcome the problem and it seems, based on Googling, that others are in the same boat.
Fellow Slashdot readers, what have you done to overcome this problem?"
In the long term teaching them what they should and shouldn't do will prove to be the best option to achieve this.
1- Dual Boot (WinXp for you + Win98SE for your kids)
2- A ghost image of the win98SE partition
3- Let them play
4- Wait for them to say "Dad it doesn't work anymore !"
5- Restore your ghost backup
6- Goto 3
Seems a bit dub, but it works better and it's less a pain than managing XP user rights.
____
nico
Nico-Live
Unfortunatly a ton of programs do not adhere to the exact standards they should, and there really isn't a way around it. XP easially lets you grant someone full control, or none, but this dosen't mean every program is going to listen and act the same. The sad realty is to get anything done on a Windows box, you have to sit logged in as an admin. It's ironic that a Microsoft published game is one of the ones giving you pains...
Though, to address your current problem, you could create a new user, use the policy manager to only allow one of the troublesome games to be run, and grant them admin rights. Then use the "Run As" feature of XP to run that program as this new user, from the kids login. Just keep an eye on where the game is saving files, as it could be doing so in the new users home folder somewhere.
At lot of games should also be available on an Xbox.
Having one of those will save you the grief of having to maintain a system for gaming
I've a 10 and 8 year old who play Warcraft and Age of Mythology. My fix it to let them do what they want and accept the consequences it the system broke. Sure enough it wouldn't boot after a few months.
Rather than rush to fix it, I spent a week doing nothing but said I "was doing research into how to fix the problem." The 1 week without games was sufficiently traumatic that there's been no problem since.
1000s Warcraft Gold while you sleep
Use the secondary logon service. Right click on the game program short-cut, select properties, under the "Shortcut" tab click on advanced, then check the box that says "run with different credentials".
It'll prompt you for the administrator password when you run it.
Use Regmon and Filemon from sysinternals.com to discover which files/keys the program is trying to modify and is failing on. Then adjust the ACLs on those files/keys so that the Gamers group has write access.
One of the conditions for obtaining the "Designed for Windows XP" Logo is that the program must be capable of being run under a Limited user account. If MS's own software isn't capable of this then you ought to report it to them as a bug.
The situation with XP home which only has "Limited" and "Administrator" account types really does not help people adopt more secure working practices.
The situation ought to improve in future but at the moment it does not seem to be something that most developers test against.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
Try using VMWare.
you can isolate the game in its virtual copy of windows and grant it only limited acces to the real Network/Drives/System.
As of Postgres v6.2, time travel is no longer supported.
Microsoft appear to have a patch for this problem, I don't know if that will fix it for you.
Other ideas include giving "Gamers" full access to the "Program Files" directory in case it's trying to write there rather than your games directory.
If that doesn't work then perhaps mail the CD back and ask for a refund. There is no reason any application, least of all a game should require admin rights for normal operation, and if it does, the software is not fit for the purpose it was sold for.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
I've got the same setup for family of mine where they only use internet browsing and mail as multiple users. (They don't even use fast user switching.) And even though they all use restricted accounts, they still seem to be able to corrupt system registry hive files.
;)
My advice is not to even waste your time with this. I'm sure your time is worth so much that you could have afforded another PC, or at the very least Hard drive imaging and restore software.
It's best to let kids loose on a machine, and if they mess it up, you just restore it... it's their (save game) loss.
They will learn about all those vital microsoft tricks like backing up your important data and do not install all that junk.
It's also imporant then to get them each a machine, but since you will not be wasting time admining those machines anymore, I'm sure you will have a lot more time and thus money.
I mean, really, since Win NT 4.0 the graphics drivers have had admin rights... and you are still denying this to your kids!
I think the best admin policy is education of the user. Also keep a system restore handy with software such as Norton Ghost (with all the propper patches already installed to protect against internet worms etc.) as well as good anti-virus software. Believe me, this is the cheaper solution..
If it is truly the kids computer (so you have another one with all your important data on it), then I should let them have full privileges, and let them explore the computer on their own.
How else will they know what a computer can 'really' do, if you just let them have restricted access to a single game directory.
Let them explore, let them familiarize with the computer, they learn from their mistakes: if you do something wrong, like deleting system files, you probably wont try that again.
When my parent bought me (well it was ment to be for the whole family) a 286 computer with dos installed, I knew nothing, and neither did my parents.
so I explored, and I found a 'help' command, and a 'dir' command, and I found different types of files (the ones you can execute, and others)...
So once again:
It's not that bad when something goes wrong, format the disk, and reinstall.
However I would recommend on restrincting access to the internet, so they can't accidently download malware.
Time is the only precious thing I've got left; Don't waste it
These kinds of problems are most certainly related to file and/or registry permissions. Working at a K-12, I'm often troubleshooting software that won't run as a normal user. I've found the majority of the problems are related to poorly written software trying to add and modify files to the SYSTEMROOT directory (usually c:\windows or c:\winnt). The rest are usually solved by opening up permissions on the applications registry keys under HKLM.
Get yourself a copy of RegMon and FileMon from Sysinternals. You'll need to logon as an Administrator, start up reg or filemon, then do a RunAs on the application to run it as a normal user. You'll probably want to filter the output of reg/filemon to only show activity of the app itself, otherwise you'll be looking at all activity on the system. Look for ACCESS DENIED errors in places where normal users can't usually write. Slowly open up those areas to modify access until you've found a solution.
I'm always amazed that in these modern times, with so many bicycles, motorcycles and cars, people still manage to care for and ride such high horses.
"Start --> Help --> Search --> Power Users" to get a list of the things Power Users are able to do and what they are restricted from doing.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
More to the point, stop struggling and realise that windows is by design a system which will fall over itself after a long enough period of time, and you WILL have to reinstall it sometime. So stop trying to delay that moment, and make sure that you can do that easily. The previous suggestion about ghosting the system in a stable state is good, but not the best because you will still have to keep track of what important updates you hadn't done when you made the ghost image.
Probably the best solution would be to keep a CD-RW regularly updated with the entire list of drivers/service packs/updates that you need to install when you reinstall the computer, along with a list of the programs that must be reinstalled before any games (eg Office, any dev tools that you need, etc), and (this will be a shocker) teach your kids to do it!!! Then when the computer falls over, you can tell the kids that it's in part their fault, and that this is a good learning opportunity for them (and it is - you learn more about how a computer functions when rebuilding it from scratch than when using it), and so stick them on there for whatever time it takes and let them do it (under penalty of no gaming if they screw it up and you have to do it yourself, of course).
The result will be kids who know more about PCs than just gaming, who will not need to pester their friends/parents to get their computer(s) set up, and who will be more computer-literate than most of their age group. And don't worry about the task being 'too complicated'. Don't underestimate your kids, they will pick it up in no time, and by the time the next version of Windows comes along they'll probably be the ones giving you tips on how to install your PC.
Daniel
Carpe Diem
Are you a BOFH or not ? Just because they're your kids, they shouldn't go away without a good LART .
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
I understand the sentiment that people think you should just teach them to not do stupid things and give them full access. While that is nice in theory, it is hard to teach children, especially younger children the important lessons without burning through a few computers. Unfortunately, the brighter they are, the more likely they are to break something. On occasion I head home and every time I do I have to fix two machines FILLED with Trojan programs and spyware. I educate, but there is only so much I can do. Kids are stupid and can be tricked, pure and simple. If you have a shared computer that does serious work, then it means constantly fighting the crap that gets on just to keep important things running. If someone could answer this question, I would appreciate so I don't have to constantly be battling to keep these computers working.
The best solution of course is to get them their own computer to use and destroy. This is fine if your kid just wants to beat around the Internet as you can buy a cheap POS computer for pocket change these days. However, if you have a young aspiring gamer it becomes much more difficult, as a gamer needs something with power behind it. Dropping a couple thousand dollars just for a kid to have his own computer no one else uses is a rather expensive proposition.
What I would REALLY like answered is if there is a way on an XP machine to keep Trojans and spyware programs out. Yes, I know adaware and spybot can clean this stuff, but I have found that most of the time it is far too late and the damage is done. Does anyone have any good suggestions for keepings this crap off in the first place?
One other thing you might consider is the fact that Windows XP initiates the Compatibility Engine on a lot of games. One game I can think of right off the bat that does is The Sims. A user needs to be either in the Power Users or the Administrators group in order to run a game or any other application with this engine included in use.
There are a few things you might consider doing. First would to be to google to figure out how one might add the "lesser" users to be able to use the compatibility engine, or at least to run those particular applications (games) with elevated privledges. Another is to write a simple script to use the "runas" command to automatically run a program as administrator using a cached password (in the registry) to run the game in question and then creating a shortcut to that script on the desktop (or wherever) to run the game.
One other thing you can do is add your kids to the power users group then use the Local Security Settings mmc and right-click on "Software Restriction Policies" and chose "Create New Policies." You then can start creating rules of what directories are accessable on the computer (make sure in the "Enforcement" policy to choose "All users except local administrators", you don't want to lock yourself out). You can refine which folders they are granted or denied access to by right-clicking on the "Additional Rules" folder and choosing a new "hash" rule to specify a particular application itself, or a new "path rule" to specify an application path (which'll include EVERYTHING in all subfolders within that path.)
These are just a few ideas to get you started down the path.
Unique.
I have found this to be the case, too. I didn't want my gf's son (an 8 year old) having admin access on my XP machine, but half the damn games required admin access.
This required rightclicking on the game's shortcut, selecting 'run as' and calling me over to type in my admin password... several times a day! )(#@()$*@#()$&@#$@#
Its not that programs want to write to the registry, or system files, or anything else.
It simply seems to be the cd copy protection... most games have various types of cd copy protection (i dunno, daemon tools can emulate most of them when it mounts iso's, but anyway). It seems the games require admin access to perform their little sneaky copy protection checks on the CD...
Personally i think this is a real pain in the damn ass (why do we need the CD in there anyway! The game is already installed FFS) and now we require to give all kids admin access on XP machines just to play games! Its a damn nightmare.
No wonder we hate software manufactureres for all their sneaky copy protection, serial keys, product activation, and now needing admin access to run anything.... *sighs*
I'm glad i bought my titanium powerbook. And last week i bought a used G4 cube. Forget windows....
D.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
Why is this insightful?
The man wanted to know how to solve a problem. Granted, you give him a few good "alternatives", but that doesn't solve the problem.
It'd be like me saying "My car is old and doesn't run well -- what do I do to ensure it won't leave me stranded?" and you telling me "Ride a bike. It doesn't pollute and it's always ready to roll...."
Karnal
A list of system processes, what they are for etc.s pro/pr ocesslibrary/
http://www.liutilities.com/products/wintask
A lot of system services share process space with each other. You will have 3 or more svchost processes. To find out which services are safe to disable.
http://www.blackviper.com/WinXP/servicecfg.htm
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
Pretty much exactly what I wanted to say.
I in no way got the impression that the submitter of the question tries to use his machine as a substitute for parenting. Or is it now bad to ever let children play games, even for a second?
I got the impression that for once a parent was trying to do the right thing in regards to their computer and their children.
No Comment.
No, they don't. It says right on that page to "try logging in as an Administrator" before it says to install the fix.
The reason the games need this is because of the CD copy protection; they need to access the drive directly to be able to see whether the bad sectors/whatever hidden data they're looking for are there. You could try cracking the games and seeing if that helps, as I'm pretty sure that's the only they need Admin access - a good site for cracks is GameCopyWorld. I often use them because I'm a lazy bastard who doesn't want to risk ruining his (original!) CDs by switching them around all the time, and I've never had a problem with any of the cracks I've downloaded from there.
One other possible method.. Isn't there a way to have Windows "run as" a different user (ala +s on UNIX)? So you could have it run as some special Admin-priveleged user, while keeping them in the non-Admin account most of the time.
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
Well, sometimes "replace the car" is the right and answer and "fix the car with gaffer tape" is the wrong answer.
PCs are not devices designed or built to be used by children. They are complicated and easily broken. Either educate the children to use the PC properly or find an alternative entertainment for them.
erroneous: look me up in a dictionary
B: So don't let them mess with the inside of the computer until they have enough pocket money stashed up to pay for it themselves (or out of their future pocket money)... Simple enough. Duh.
As for A, similarly: "Sure, you can have it. I'll pay for half of it. You pay for the other half." Blang, two lessons in one - IT literacy AND value of money.
Daniel
Carpe Diem
I only mention this because I've had a lot of problems at work as a result of our server setup guy subscribing to this philosophy. Sure, a 6GB windows partition and a 40 GB data partition for programs sounds nice, but when C fills up you're hosed.