Windows XP, Games, and Administrator Privileges? 201
An anonymous reader asks: "I manage my kids' computer, running Windows XP Professional, with an iron fist. They have limited access rights as I do not want them accidentally deleting the wrong file or downloading trojan software. However, software products, particularly games, fight my user management schemes at every turn. Each user on the computer is member of the 'Gamers' group. This group has full access to the games directory, the place I install all of the game software. I did this since games often need to update configuration files or write save files. Despite these changes, I still run into problems. Our latest two games, Age of Mythology and Battlefield 1942, require administrator privileges irrespective of the file privileges. I have not been able to overcome the problem and it seems, based on Googling, that others are in the same boat.
Fellow Slashdot readers, what have you done to overcome this problem?"
Teach them. (Score:3, Insightful)
Re:Teach them. (Score:1, Insightful)
Re:Teach them. (Score:2)
short answer (Score:5, Informative)
2- A ghost image of the win98SE partition
3- Let them play
4- Wait for them to say "Dad it doesn't work anymore !"
5- Restore your ghost backup
6- Goto 3
Seems a bit dub, but it works better and it's less a pain than managing XP user rights.
Re:short answer (Score:4, Informative)
Re:short answer (Score:2)
Oh, and System Restore isn't bullet proof... it's helped me a few times, and completely failed on others.
Re:short answer (Score:2)
I don't have the experience of seeing 1000's of PC's like you say you have, but I'm guessing you need to cut the tool a little slack as it does seem to work for some peo
Re:short answer (Score:2)
Re:short answer (Score:2)
Re:short answer (Score:2)
Hrm. (Score:1)
If you're still worried about your children mucking up your computer, I totally understand. I've troubleshooted so many computers that were dying of b
Re:Hrm. (Score:5, Insightful)
Probably the best solution would be to keep a CD-RW regularly updated with the entire list of drivers/service packs/updates that you need to install when you reinstall the computer, along with a list of the programs that must be reinstalled before any games (eg Office, any dev tools that you need, etc), and (this will be a shocker) teach your kids to do it!!! Then when the computer falls over, you can tell the kids that it's in part their fault, and that this is a good learning opportunity for them (and it is - you learn more about how a computer functions when rebuilding it from scratch than when using it), and so stick them on there for whatever time it takes and let them do it (under penalty of no gaming if they screw it up and you have to do it yourself, of course).
The result will be kids who know more about PCs than just gaming, who will not need to pester their friends/parents to get their computer(s) set up, and who will be more computer-literate than most of their age group. And don't worry about the task being 'too complicated'. Don't underestimate your kids, they will pick it up in no time, and by the time the next version of Windows comes along they'll probably be the ones giving you tips on how to install your PC.
Daniel
Re:Hrm. (Score:2)
Re:Hrm. (Score:2)
Re:Hrm. (Score:2)
Making things mindlessly routine for the Administrator is dangerous; and the Windows user needs to be taught this. So installation shouldn't be this ass-easy process that it has become. L
Re:Dont Let Them build a computer (Score:4, Interesting)
As for A, similarly: "Sure, you can have it. I'll pay for half of it. You pay for the other half." Blang, two lessons in one - IT literacy AND value of money.
Daniel
But that's his POINT! (Score:2)
EXCEPT that the primary apps he runs... i.e. video GAMES break the MS security model...forcing him to give too much access to his "users" allowing them to run the game, but also to get spyware, ... get it!
Re:OT:Where do I find def'ns for Win's process nam (Score:5, Informative)
http://www.liutilities.com/products/wintask
A lot of system services share process space with each other. You will have 3 or more svchost processes. To find out which services are safe to disable.
http://www.blackviper.com/WinXP/servicecfg.htm
Standards? We don't need standards... (Score:5, Informative)
Though, to address your current problem, you could create a new user, use the policy manager to only allow one of the troublesome games to be run, and grant them admin rights. Then use the "Run As" feature of XP to run that program as this new user, from the kids login. Just keep an eye on where the game is saving files, as it could be doing so in the new users home folder somewhere.
Buy an Xbox (Score:2, Insightful)
Having one of those will save you the grief of having to maintain a system for gaming
Re:Buy an Xbox (Score:2)
Getting an Xbox has solved just about all of the problems I used to have on my PC. Now the computers run like they should, and the games don't crash.
I think his suggestion was right-on.
Re:Buy an Xbox (Score:2)
The games he mentioned should be available on an XBOX.
Also an XBOX will keep on running the newest games for at least 2 years to come (look at the PS2)
Sound investment if you ask me.
At the price of 200$ you get two games included, an decent 3d accelerator costs the same or more
Same problem with my kids - different solution (Score:5, Insightful)
Rather than rush to fix it, I spent a week doing nothing but said I "was doing research into how to fix the problem." The 1 week without games was sufficiently traumatic that there's been no problem since.
Re:Same problem with my kids - different solution (Score:3, Funny)
Re:Same problem with my kids - different solution (Score:5, Interesting)
This is actually what drove me to learn how to do an OS reinstall. As time went on, each time Windows ate itself, my dad would take longer and longer to get around to fixing it. Eventually, I got sick of waiting and did it myself. Within about two months I had him in complete understanding of the beauty of keeping data and OS on seperate drives, and now, many years later, my dad calls me when he wants information on how to do something or advice on new hardware.
Re:Same problem with my kids - different solution (Score:3, Funny)
How many times did you have to hit 'Next'?
OT, but... (Score:3, Insightful)
I only mention this because I've had a lot of problems at work as a result of our server setup guy subscribing to this philosophy. Sure, a 6GB windows partition and a 40 GB data partition for programs sounds nice, but when C fills up you're hosed.
Re:Same problem with my kids - different solution (Score:3, Flamebait)
Were you researching, or just lying to your kids?
If you're going to punish them, at least be up front and tell them so, and not passively, secretly penalize them.
Re:Same problem with my kids - different solution (Score:5, Insightful)
It's all too obvious really.
Here, I'll spell it out for you:
He was giving his children an opportunity to learn the relationship between their actions and subsequent consequences, on their own.
Again, the key word here is: LEARN
Re:Same problem with my kids - different solution (Score:5, Insightful)
Exactly right on.
I agree with the earlier poster, too, who was motivated to learn how to re-build his computer after crashes because, well, no one else had time to do it.
I think that's a great way for kids to learn something practical as well as the moral lessons of actions/consequences, if you want something done you have to do it yourself, etc..
The double edged sword, of course, is that when your sharp kid learns the intricacies of re-installing the OS from scratch, getting the settings right, etc. that they'll be empowered to see the Internet in all its ugliness, too.
So the corollary is that, before you throw the installation CD and manuals and have your kid rebuild the computer, explain plainly the basic fact that much of the world is screwed up in these 23 different ways and that you'll see it all on the Internet.
Arbitrary ages of 18 ought to be replaced by "whatever age someone is able to figure out how to rebuild a computer" IMHO. Yes, there are some people who ought never to be exposed to some stuff no matter how old they are... The age of understanding concepts should be the threshhold for driving, voting, consuming harmful addictive substances, etc. rather than some X years.
Re:Same problem with my kids - different solution (Score:4, Insightful)
It's quite possible to do the exact same punishment while still telling them the truth. In the short term, you might produce more friction, but knowing that they can trust what a parent tells them is priceless.
Re:Same problem with my kids - different solution (Score:2)
They are way too typical- I have tried my damnedest to get them to understand "data goes on this drive/partition, we install programs on this drive..." to no avail. They just want to be ignorant- with my brothers I can just tell them and then when they ask for a reinstall blast a
secondary logon service (Score:5, Informative)
It'll prompt you for the administrator password when you run it.
Re:secondary logon service (Score:1)
Erm? Shome mishtake, shurely?
YAW.
Re:secondary logon service (Score:2, Informative)
1. Kids want to play Warcraft, so they click shortcut.
2. Shortcut has "run with different credentials" checked.
3. Prompt asks for user information.
4. Kids shout" "Daddy!".
5. Dad comes over to computer, works his administrator magic.
6. Game runs with administrator credentials, but the kids don't have it.
The biggest problem is that there's bound to be a lot of shouting for "Daddy!" in that household if they really like the game.
Re:secondary logon service (Score:2)
Re:secondary logon service (Score:3, Informative)
Windows XP does have the means to do this, although it's not particularly well documented. It's essentially the functional equivalent of running a "su -c progname" on a *nix-based system....
Re:secondary logon service (Score:5, Informative)
1) Download (TweakUI) Powertools for WinXP from the Microsoft website.
2) Create an admin login with the rights required to play the game, and use TweakUI to disable that account. No one will be able to actually login as that account.
3) Set up the game to "run with different credentials," as outlinded above.
Re:secondary logon service (Score:2)
Regmon + Filemon (Score:5, Informative)
One of the conditions for obtaining the "Designed for Windows XP" Logo is that the program must be capable of being run under a Limited user account. If MS's own software isn't capable of this then you ought to report it to them as a bug.
The situation with XP home which only has "Limited" and "Administrator" account types really does not help people adopt more secure working practices.
The situation ought to improve in future but at the moment it does not seem to be something that most developers test against.
Re:Regmon + Filemon (Score:1)
"""
Simply run FileMon (filemon.exe). You must have administrator privilege to run FileMon.
"""
In which case, I'm not going to see which ones my g/f's CD burning software barfs on because it won't barf on them? What's the point in that? (under NT4.0)
YAW.
Re:Regmon + Filemon (Score:2)
Re:Regmon + Filemon (Score:2, Informative)
How to run as non admin [develop.com]
There was also a discussion about this on Broadband Reports
Runing as admin [dslreports.com]
VMWare (Score:2, Informative)
you can isolate the game in its virtual copy of windows and grant it only limited acces to the real Network/Drives/System.
Re:VMWare (Score:4, Informative)
Re:VMWare (Score:2)
It is slower then running native.
You can greatly improve the speed of many applications by assigning a raw partition to your VM.
(which allows the VM to directly access the disk without the need to copy data from the host OS.)
The same goes for Networking.
However, I have not tested graphics performance (and I think there might be a problem there)
Re:VMWare (Score:2, Informative)
Re:VMWare (Score:2, Informative)
From a VMware Technical Support guy:
There is no hardware acceleration available with the VMware virtual video card. Hardware provided 3-d acceleration won't work at all, last I checked.
Windows Direct X provides software emulation where hardware acceleration is not available; unfortunately this is *very slow* and some/most 3d games don't even run with software emulated acceleration being the only 3d available.
This is a feature
Patches (Score:5, Informative)
Other ideas include giving "Gamers" full access to the "Program Files" directory in case it's trying to write there rather than your games directory.
If that doesn't work then perhaps mail the CD back and ask for a refund. There is no reason any application, least of all a game should require admin rights for normal operation, and if it does, the software is not fit for the purpose it was sold for.
Run as different user/Crack the games? (Score:5, Informative)
The reason the games need this is because of the CD copy protection; they need to access the drive directly to be able to see whether the bad sectors/whatever hidden data they're looking for are there. You could try cracking the games and seeing if that helps, as I'm pretty sure that's the only they need Admin access - a good site for cracks is GameCopyWorld [gamecopyworld.com]. I often use them because I'm a lazy bastard who doesn't want to risk ruining his (original!) CDs by switching them around all the time, and I've never had a problem with any of the cracks I've downloaded from there.
One other possible method.. Isn't there a way to have Windows "run as" a different user (ala +s on UNIX)? So you could have it run as some special Admin-priveleged user, while keeping them in the non-Admin account most of the time.
Re:Run as different user/Crack the games? (Score:3, Informative)
No, Windows doesn't have setuid executables, but if it did that would be a quick fix to his problem. The "run as different user" feature prompts the user for the target account's password before running. The proper solution would be to give the account access to read those non-filesystem sectors on the CD, but I have no idea what API games use to implement this.
It also may be difficult to reimplement the "run as" feature
Re:Run as different user/Crack the games? (Score:2)
Microsoft Standards (Score:2)
Re:Microsoft Standards (Score:1)
Re:Microsoft Standards (Score:1)
My Advice: Don't even bother. (Score:5, Insightful)
My advice is not to even waste your time with this. I'm sure your time is worth so much that you could have afforded another PC, or at the very least Hard drive imaging and restore software.
It's best to let kids loose on a machine, and if they mess it up, you just restore it... it's their (save game) loss.
They will learn about all those vital microsoft tricks like backing up your important data and do not install all that junk.
It's also imporant then to get them each a machine, but since you will not be wasting time admining those machines anymore, I'm sure you will have a lot more time and thus money.
I mean, really, since Win NT 4.0 the graphics drivers have had admin rights... and you are still denying this to your kids!
I think the best admin policy is education of the user. Also keep a system restore handy with software such as Norton Ghost (with all the propper patches already installed to protect against internet worms etc.) as well as good anti-virus software. Believe me, this is the cheaper solution..
Re:My Advice: Don't even bother. (Score:2)
Re:My Advice: Don't even bother. (Score:2)
The three hours effective time spent on fixing a PC is in actual fact more like 10 hours.
I have an ex-girlfriend with 3 kids aged 6-17 and a sister with 2 kids aged 10 and 16. I still help them all out with their machines.
The problem is that the machine breaks (which is a major crisis!) and I have to rush there from work (when I wanted to work late) and when I'm done, I'm too tired to go back to work.
And it's not just 3 hours if one include all the application and driver re-inst
'kids computer' (Score:4, Insightful)
How else will they know what a computer can 'really' do, if you just let them have restricted access to a single game directory.
Let them explore, let them familiarize with the computer, they learn from their mistakes: if you do something wrong, like deleting system files, you probably wont try that again.
When my parent bought me (well it was ment to be for the whole family) a 286 computer with dos installed, I knew nothing, and neither did my parents.
so I explored, and I found a 'help' command, and a 'dir' command, and I found different types of files (the ones you can execute, and others)...
So once again:
It's not that bad when something goes wrong, format the disk, and reinstall.
However I would recommend on restrincting access to the internet, so they can't accidently download malware.
Re:'kids computer' (Score:2)
Or create a HD image after each installed game (CDs are cheap, so even if you install a game every day it won't be a problem) and use that. And let the kids back up their saved games, so they learn some backup strategies right from the start
Re:'kids computer' (Score:2)
Or better yet, set up a transparent proxy on the net connection to send all net access trhough squid and squidguard. Log all traffic (yes, I know, no freedom for the kid etc...) and set up squidguard to return a detailed error when the kids try accessing anywhere you don't want them to go. Yeah, they may find a way around it, but if they do, congratulate them - they're actually learning something u
Check your ACLs (Score:5, Informative)
These kinds of problems are most certainly related to file and/or registry permissions. Working at a K-12, I'm often troubleshooting software that won't run as a normal user. I've found the majority of the problems are related to poorly written software trying to add and modify files to the SYSTEMROOT directory (usually c:\windows or c:\winnt). The rest are usually solved by opening up permissions on the applications registry keys under HKLM.
Get yourself a copy of RegMon and FileMon from Sysinternals. You'll need to logon as an Administrator, start up reg or filemon, then do a RunAs on the application to run it as a normal user. You'll probably want to filter the output of reg/filemon to only show activity of the app itself, otherwise you'll be looking at all activity on the system. Look for ACCESS DENIED errors in places where normal users can't usually write. Slowly open up those areas to modify access until you've found a solution.
Re:Check your ACLs (Score:3, Interesting)
Sorry for the flamebait, it's just something that crossed my mind reading your comment.
Re:Check your ACLs (Score:2)
Dynamically inherited, fine (ish) grained ACLs. The only trick is figuring out what users need access to, managing the permissions one you know is much easier.
Unix has a.. what.. 30 year history of system/user separation. Windows, games especially, still lives with the (pre-)Win9x mindset that doesn't have (useful) user separation.
Shit, it's b
Power Users (Score:4, Informative)
"Start --> Help --> Search --> Power Users" to get a list of the things Power Users are able to do and what they are restricted from doing.
Re:Power Users (Score:3, Insightful)
ummm... The Power Users group also has too much power to screw the machine up.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Or in this case just plain miss the point. We are trying to stop the computer from getting trashed here.
--
Simon
Re:Power Users (Score:2)
The point this guy is making is great! Where do all the worms and spyware and viruses come from? Insecure boxes!!! what is he trying to do? Secure the box...All the kids want it to play some Boxed games, and maybe surf a little web. They have zero need to be using admin accounts for these purposes! That's what we all say, but when the guy says "it doesn't work" we all ridicule him! come on guys!
This is exactly why home users always leave their machines wide
Are you a BOFH? (Score:3, Funny)
Use RunAs (Score:2)
Works fine for me for other games.
No Full Access (Score:3, Interesting)
The best solution of course is to get them their own computer to use and destroy. This is fine if your kid just wants to beat around the Internet as you can buy a cheap POS computer for pocket change these days. However, if you have a young aspiring gamer it becomes much more difficult, as a gamer needs something with power behind it. Dropping a couple thousand dollars just for a kid to have his own computer no one else uses is a rather expensive proposition.
What I would REALLY like answered is if there is a way on an XP machine to keep Trojans and spyware programs out. Yes, I know adaware and spybot can clean this stuff, but I have found that most of the time it is far too late and the damage is done. Does anyone have any good suggestions for keepings this crap off in the first place?
Re:No Full Access (Score:2)
XP and the Compatibility Engine. (Score:4, Informative)
There are a few things you might consider doing. First would to be to google to figure out how one might add the "lesser" users to be able to use the compatibility engine, or at least to run those particular applications (games) with elevated privledges. Another is to write a simple script to use the "runas" command to automatically run a program as administrator using a cached password (in the registry) to run the game in question and then creating a shortcut to that script on the desktop (or wherever) to run the game.
One other thing you can do is add your kids to the power users group then use the Local Security Settings mmc and right-click on "Software Restriction Policies" and chose "Create New Policies." You then can start creating rules of what directories are accessable on the computer (make sure in the "Enforcement" policy to choose "All users except local administrators", you don't want to lock yourself out). You can refine which folders they are granted or denied access to by right-clicking on the "Additional Rules" folder and choosing a new "hash" rule to specify a particular application itself, or a new "path rule" to specify an application path (which'll include EVERYTHING in all subfolders within that path.)
These are just a few ideas to get you started down the path.
The real reason admin access is required... (Score:5, Interesting)
This required rightclicking on the game's shortcut, selecting 'run as' and calling me over to type in my admin password... several times a day! )(#@()$*@#()$&@#$@#
Its not that programs want to write to the registry, or system files, or anything else.
It simply seems to be the cd copy protection... most games have various types of cd copy protection (i dunno, daemon tools can emulate most of them when it mounts iso's, but anyway). It seems the games require admin access to perform their little sneaky copy protection checks on the CD...
Personally i think this is a real pain in the damn ass (why do we need the CD in there anyway! The game is already installed FFS) and now we require to give all kids admin access on XP machines just to play games! Its a damn nightmare.
No wonder we hate software manufactureres for all their sneaky copy protection, serial keys, product activation, and now needing admin access to run anything.... *sighs*
I'm glad i bought my titanium powerbook. And last week i bought a used G4 cube. Forget windows....
D.
Re:The real reason admin access is required... (Score:2)
Second, I never bother with the original game cds. I head over to GameCopyWorld [gamecopyworld.com] and download a no-cd hack/patch. I just hate having to dig through my CD case everytime I want to play a damn game.
Re:The real reason admin access is required... (Score:2)
He has a SNES and N64 and loves playing those games emulated.
Doesn't get into NES much (but i do! I love my old NES games) and he occasionaly plays something on MAME...
Copy protection (Score:2)
"Run as" works in Windows (Score:2)
I like the ideas that have been posted of using drive imaging software to do restores of something thats completely FUBAR. While Norton Ghost works very well, there are Open Source options that are a little more work. There was a
If the hard drive is large enough, a multi boot system is an option. One install le
Re:"Run as" works in Windows (Score:2)
-m
System Restore on Reboot (Score:2)
I know the computers at my lcoal YMCA are a mess. A restore on reboot would be a very good thing for them as well.
Group Policies might help (Score:2)
Run With Different Credentials (Score:2)
If you right click on the application's shortcut, in the "Advanced..." menu you can check to allow it to run under different credentials. Now, when the kids start up their game, they'll get prompted with a user login screen, or choose to run under their own username. This would require you to log them in as an Administrator or similar, but
Try this (Score:2)
1) Make a copy of the admin account and make the password something easy for the kids to remember.
2) Go into the local security policy, add the account to the "Deny Logon locally" entry under "Local Policies/User Rights"
3) Give the password to your kids and teach them how to do the "right click + run as" thing.
This way, they can run the programs when they need to, but they can't log in using that account
I fear you may be out of luck (Score:2)
Newer games are Limited User Access Compatible (Score:2)
In the future check for and insist that all games you purchase are LUA compliant. Let the publisher know this matters to you.
Remember, change starts with us - the consumer.
Game Console Machine.... (Score:2)
so whats the problem? (Score:2)
that's an easy one (Score:2)
Re:that's an easy one (Score:2)
Maybe that's the reason Linux isn't being embraced by that many desktop users-the elitist attitude of preachy geeks.
Your post did little to assist this man at all.
Consider using a virtual machine (Score:2)
Re:Encourage your children in life, not games. (Score:5, Funny)
Re:Encourage your children in life, not games. (Score:2)
Jesus, who the hell threw an Insightful on this crap? Yes, troll, he shouldn't let his kids spend 14 hours a day playing Warcraft 3, and I'm quite sure this isn't what's happening. It's quite possible to enjoy a computer game for the entertainment media that it is, as part of a normal life.
Re:educate / console / play outside (Score:5, Insightful)
The man wanted to know how to solve a problem. Granted, you give him a few good "alternatives", but that doesn't solve the problem.
It'd be like me saying "My car is old and doesn't run well -- what do I do to ensure it won't leave me stranded?" and you telling me "Ride a bike. It doesn't pollute and it's always ready to roll...."
Re:educate / console / play outside (Score:5, Insightful)
I in no way got the impression that the submitter of the question tries to use his machine as a substitute for parenting. Or is it now bad to ever let children play games, even for a second?
I got the impression that for once a parent was trying to do the right thing in regards to their computer and their children.
Re:educate / console / play outside (Score:2)
I was arguing the validity of passing on an opportunity for a child to learn something of tremendous value.
Nothing wrong with consoles, but as a substitute for learning about actions/consequences, in my opinion this is a tragic lost opportunity.
Re:educate / console / play outside (Score:2, Insightful)
PCs are not devices designed or built to be used by children. They are complicated and easily broken. Either educate the children to use the PC properly or find an alternative entertainment for them.
Re:educate / console / play outside (Score:2)
Re:Trusting of Kids (Score:2)
Re:Trusting of Kids (Score:2)
Come on, give the guy a break here, it's a legitimate question.
Re:Trusting of Kids (Score:2)
Heck, I find it impossible to keep spyware off my computer when just I use it!!!! And I follow all the /. rules for safe browsing...well as much as I can still using windows:P
Wrong, Windows doesn't work properly! (Score:2)