How to install software for one user only

[dotancohen]

Hi all, I'm a Linux user (Ubuntu) but the wife has a Windows 7 laptop. In Linux one can install software as a regular user to his own ~/bin (like Program Files in Windows) and that software cannot affect other users of the computer (they cannot run it, and it cannot mess with the system configuration). How is this done in Windows? The kids have some games that they want to install but I don't really trust the software. So I don't want to install it as Admin because that would let the software pretty much do as it pleases to the system (install malware, for instance). I don't care if the kids' account gets malware, I can just erase their C:\users\kids account and be done with it.

Thanks.

 

[richc46]

Welcome
Install in the account of your choice, then give proper permissions
http://www.sevenforums.com/tutorials/24232-sharing-permissions.html

 

[dotancohen]

Welcome
Install in the account of your choice

Do you mean when asked where to install, to simply install to "C:\users\kids\Program Files"? Although that is certainly possible, it still requires Admin privileges to install and the app still has system-wide access.

then give proper permissions
http://www.sevenforums.com/tutorials/24232-sharing-permissions.html

I don't see where I can limit an application's permissions. Say I don't want an app touching the registry or running some service. Is that possible on Windows? Or does every installed app have permissions to do anything it wants? Cheap shot: that would explain all the Windows malware!

 

[richc46]

Go to the account that you want to install the program and install from there.
You would install as adminstrator
Then with permissions you can limit usage. I think its all in the tutorial that I posted.

 

[dotancohen]

Thanks Rich, but I am obviously not explaining myself well.

I don't need to share documents (as the link explains) or applications between users. I need to prevent the application from accessing certain system files. All of them, actually. I want to run the application in a fashion in which the app cannot install malware on the system. On Linux systems this is trivial to do, I assumed that this would be straightforward in Windows as well.

In Linux, each user has certain permissions that he can and cannot do to the system. Running an application as a particular user limits that app to only what the user has permissions to do. The user can even install software to his own home directory without Admin (root) privileges, this severely limits the changes to the system that the software can perform, and pretty much means that if the application installs malware, then other users of the system are not affected. Is there no such facility in Windows?

 

[logicearth]

Install the application into the Users own personal directory and put the shortcut in there own start menu folder. Its not that hard. It is only a convention on Windows to install things to "Program Files" but they don't need to be. I do this with a lot of my games that like to write things to their program directories.

As long as the user in question has no adminisrative power and cannot elevate up to an administrative power without aid. (requiring a UAC prompt with a password) Then malware will be isolated to that single account.

 

[dotancohen]

Install the application into the Users own personal directory and put the shortcut in there own start menu folder.

How is this done? Clicking on the icon for the downloaded file pops up the password prompt. This is a password-protected non-Admin account. I looked through the context menu, including in the Properties menu, but saw nothing to indicate that the application could be installed without giving Admin access. To be honest, it was some days ago and I don't have the laptop near me at the moment.

Its not that hard. It is only a convention on Windows to install things to "Program Files" but they don't need to be. I do this with a lot of my games that like to write things to their program directories.

As long as the user in question has no adminisrative power and cannot elevate up to an administrative power without aid. (requiring a UAC prompt with a password) Then malware will be isolated to that single account.

Right, thanks.

 

[MilesAhead]

You should give more detail. Are you logged into the kid's account when you run the installer? What password is requested? If you are already logged into the kid's account it should not request a password unless it's for Administrator account. Therefore the game probably has .ocx or ActiveX components or directly manipulates hardware. I would search on the game and see if it's associated with any hacks or problems.

In Windows Vista and W7 when you create an account in the Administrator group, such as Owner, it's not really equivalent to 'root' in Linux. It's really more equivalent to NT Server "Operators" group. You can install programs, register ActiveX Controls etc,, but you can't delete system files.

See the tutorial about the "real Administrator account" in Windows Seven and how to set it up:

http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html


It's not unusual for a game to require lots of access to the machine. I'd make backup images of your system though and not just rely on account privilege being sufficient protection. A lot of these hackers can get to the raw HD no matter what account you're on.

Try something like Macrium Reflect
or look here:

Free Hard Disk Backup and Restore, Hard Disk Image and Cloning Utilities (thefreecountry.com)

 

[dotancohen]

Thanks. I do try to install the game logged into the "kids" account. There should be no need for this game to directly access hardware, it is manipulated via standard HID (keyboard and mouse) and can use whatever the Windows API presents for making sounds. It looks like it could be written in Flash. However, the game was likely written for Windows XP and may make assumptions that are no longer valid in 7.

There's nothing to google on, the game is a local (Israeli) game and unfortunately people here see malware as a non-issue, everyone is running pirated Windows and pirated Office and such. Most Israeli banks and government services require IE, and there is 0% Mac usage because they cost triple here what they cost in the US and Europe. There are a few Linux users but we all run Windows in a VM to use Israeli websites.

I think I'll just install the game in a VM running XP. I do appreciate the advice and I did learn much from your comments regarding the Admin account in Windows. Thank you very much.

 

[cromefx]

This is an old tread but as I had a similar question and could not find the answer and the tread gave me some clues to sort out the issue, (that this can not be solved by windows itself):

There is no way to install an application without changing the registry, doesn't matter if it is installed on another user account, it will change the registry for the whole system. You cannot insulate the registry from installed software as opposed to linux where installed applications can be completely separated from the kernel (and users are completely apart). That is one of the reasons linux and mac (also unix based) don't tend to cripple the system as years go by and applications are regularly installed and removed, they just leave the OS as it was even if you install doggy software.

That does not happen in Windows, when uninstalled, applications always leave their trace in the registry and throughout the whole filesystem.

That is also why there are so many companies that sell applications that clean the registry and remove installed software better (they say).

What I found out to be some kind of solution was Sandboxie, an insulation software that in a way protects windows from his own weakness.

From their site:

When sandboxed programs create (or modify) objects, such as files, some object must in fact be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system.

Files

Files are created in the sandbox folder. The hierarchy is as follows:
. FileRootPath
. . drive
. . . C
. . . D
. . . Q
. . user
. . . all
. . . current

The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\MySandbox, then the sub-folders drive and user are created as C:\MySandbox\drive and C:\MySandbox\user, respectively.

Registry

Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file.

Sandboxie creates the hive file in the sandbox folder, as the files RegHive and RegHive.LOG. This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end.

The sandboxed hive has the following position and structure within the global struture of the Windows registry.

. HKEY_USERS
. . KeyRootPath
. . . machine
. . . user
. . . . current

The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\Sandbox_(user name)_(sandbox name). For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\Sandbox_joe_DefaultBox.
As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\Software\NewKey, it will be redirected to create instead (KeyRootPath)\machine\Software\NewKey.

So this clever sandboxed Registry Hive seems to answer dotancohen question and point out a solution.

It is not a matter if the shortcut is here or there, or if you can see the application on another user start menu, it is a matter of software tampering the registry and I was surprised to see experienced windows system admins not understanding this as they answered the original question that made the tread.

 

[Layback Bear]

I'm a non expert but that makes since to me. Let see if I got it right. When a program is installed it effects one registry because Windows 7 only has one registry. The user permission has nothing to with that. User permission allows chosen people to do or not to do things using this program. For it to be any other way each person would have to have their own registry. Person A could load a program in registry A.
Person B could load a program in registry B. Because Windows 7 only has one registry persons A and B have to use one registry to load a program and permission can be given to do that. Now my 3 brain cells are working way to hard.
cromefx let me know if I'm crazy.

 

[dotancohen]

This is an old tread but as I had a similar question and could not find the answer and the tread gave me some clues to sort out the issue, (that this can not be solved by windows itself):

Thank you Cromefx. I will take a look at Sandboxie. I cannot believe that there is no way to install an executable in Windows that does not require Admin access. In fact, even changing the Start menu and desktop shortcuts requires Admin access, and changes them for every user! What is the point of having individual user accounts, then? So that each user can have his own desktop wallpaper?

 

[logicearth]

If the developer makes the application require administrative power that is a problem with the developer not Windows. As for the Start menu and desktop, it would not require administrative power if you use the user specific start menu and desktop.

Specific user start menu: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu
Global start menu: C:\ProgramData\Microsoft\Windows\Start Menu

Specific user desktop: C:\Users\[username]\Desktop
Global desktop: C:\Users\Public\Desktop

Blaming Windows for your own lack of understanding of the system, is not Windows fault.

If you are having trouble installing software on a standard user account, turn off UAC then try again.