How to install software for one user only

Hi all, I'm a Linux user (Ubuntu) but the wife has a Windows 7 laptop. In Linux one can install software as a regular user to his own ~/bin (like Program Files in Windows) and that software cannot affect other users of the computer (they cannot run it, and it cannot mess with the system configuration). How is this done in Windows? The kids have some games that they want to install but I don't really trust the software. So I don't want to install it as Admin because that would let the software pretty much do as it pleases to the system (install malware, for instance). I don't care if the kids' account gets malware, I can just erase their C:\users\kids account and be done with it.

Thanks.

richc46 said:

Welcome
Install in the account of your choice

Do you mean when asked where to install, to simply install to "C:\users\kids\Program Files"? Although that is certainly possible, it still requires Admin privileges to install and the app still has system-wide access.

then give proper permissions
https://www.sevenforums.com/tutorials...rmissions.html

I don't see where I can limit an application's permissions. Say I don't want an app touching the registry or running some service. Is that possible on Windows? Or does every installed app have permissions to do anything it wants? Cheap shot: that would explain all the Windows malware!

Thanks Rich, but I am obviously not explaining myself well.

I don't need to share documents (as the link explains) or applications between users. I need to prevent the application from accessing certain system files. All of them, actually. I want to run the application in a fashion in which the app cannot install malware on the system. On Linux systems this is trivial to do, I assumed that this would be straightforward in Windows as well.

In Linux, each user has certain permissions that he can and cannot do to the system. Running an application as a particular user limits that app to only what the user has permissions to do. The user can even install software to his own home directory without Admin (root) privileges, this severely limits the changes to the system that the software can perform, and pretty much means that if the application installs malware, then other users of the system are not affected. Is there no such facility in Windows?

logicearth said:

Install the application into the Users own personal directory and put the shortcut in there own start menu folder.

How is this done? Clicking on the icon for the downloaded file pops up the password prompt. This is a password-protected non-Admin account. I looked through the context menu, including in the Properties menu, but saw nothing to indicate that the application could be installed without giving Admin access. To be honest, it was some days ago and I don't have the laptop near me at the moment.

Its not that hard. It is only a convention on Windows to install things to "Program Files" but they don't need to be. I do this with a lot of my games that like to write things to their program directories.

As long as the user in question has no adminisrative power and cannot elevate up to an administrative power without aid. (requiring a UAC prompt with a password) Then malware will be isolated to that single account.

Right, thanks.

Thanks. I do try to install the game logged into the "kids" account. There should be no need for this game to directly access hardware, it is manipulated via standard HID (keyboard and mouse) and can use whatever the Windows API presents for making sounds. It looks like it could be written in Flash. However, the game was likely written for Windows XP and may make assumptions that are no longer valid in 7.

There's nothing to google on, the game is a local (Israeli) game and unfortunately people here see malware as a non-issue, everyone is running pirated Windows and pirated Office and such. Most Israeli banks and government services require IE, and there is 0% Mac usage because they cost triple here what they cost in the US and Europe. There are a few Linux users but we all run Windows in a VM to use Israeli websites.

I think I'll just install the game in a VM running XP. I do appreciate the advice and I did learn much from your comments regarding the Admin account in Windows. Thank you very much.

This is an old tread but as I had a similar question and could not find the answer and the tread gave me some clues to sort out the issue, (that this can not be solved by windows itself):

There is no way to install an application without changing the registry, doesn't matter if it is installed on another user account, it will change the registry for the whole system. You cannot insulate the registry from installed software as opposed to linux where installed applications can be completely separated from the kernel (and users are completely apart). That is one of the reasons linux and mac (also unix based) don't tend to cripple the system as years go by and applications are regularly installed and removed, they just leave the OS as it was even if you install doggy software.

That does not happen in Windows, when uninstalled, applications always leave their trace in the registry and throughout the whole filesystem.

That is also why there are so many companies that sell applications that clean the registry and remove installed software better (they say).

What I found out to be some kind of solution was Sandboxie, an insulation software that in a way protects windows from his own weakness.

From their site:

When sandboxed programs create (or modify) objects, such as files, some object must in fact be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system.

Files

Files are created in the sandbox folder. The hierarchy is as follows:
. FileRootPath
. . drive
. . . C
. . . D
. . . Q
. . user
. . . all
. . . current

The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\MySandbox, then the sub-folders drive and user are created as C:\MySandbox\drive and C:\MySandbox\user, respectively.

Registry

Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file.

Sandboxie creates the hive file in the sandbox folder, as the files RegHive and RegHive.LOG. This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end.

The sandboxed hive has the following position and structure within the global struture of the Windows registry.

. HKEY_USERS
. . KeyRootPath
. . . machine
. . . user
. . . . current

The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\Sandbox_(user name)_(sandbox name). For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\Sandbox_joe_DefaultBox.
As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\Software\NewKey, it will be redirected to create instead (KeyRootPath)\machine\Software\NewKey.

So this clever sandboxed Registry Hive seems to answer dotancohen question and point out a solution.

It is not a matter if the shortcut is here or there, or if you can see the application on another user start menu, it is a matter of software tampering the registry and I was surprised to see experienced windows system admins not understanding this as they answered the original question that made the tread.