Start Secure-Runner
Click the Change button in the Administrator account area. A form will appear prompting for the name and password of the account which should be used to start programs from limited user accounts. This should be an account of administrator type, preferably one you create especially for this purpose.
For the reason the administrator password is needed, see the Remarks section below.
Close the form. In the main window you should now see the name of the administrator account you entered.
Click the Configure button in the Allowed programs area. The editor of allowed programs will appear.
In the editor, click the Browse button to choose a program which limited users should be allowed to start with admin privileges. Then click the Add Program button. Now the program can be started from a limited user account. Add all the programs you need to the list.
Close the Allowed programs editor when done.
Click the Configure button in the Service area. The Service configuration window appears.
In this window, click the Install button to install the service and then the Start button to start the service (server), which will run in the background and start allowed programs with administrator rights when requested.
If you wish, you can test your configuration by selecting some of the allowed programs in the bottom part of the window and clicking the Test button.
Close the service configuration window.
Click the Configure button in the Users shortcuts area if you wish to change the shortcuts on a user's desktop and/or Start menu so that the selected programs are started with admin rights when the user clicks them. You can also change any shortcut manually as described here.
In the Shortcut editor, first select the user name in the box.
Then select the location of the shortcuts you wish to edit (Desktop, Start menu, Quick launch).
In the list below, select the shortcut you wish to change (redirect). Click the Redirect shortcut button.
Important Security note
Secure-Runner recognizes allowed programs by their full path (e.g. C:\Program files\SomeVendor\SomeProgram.exe). A malicious user or program could replace an allowed program with any other program and then have it executed with administrator rights. Limited users should not be able to overwrite any of the allowed programs. This is automatically true for programs installed in Program Files, where limited users have only read access. If you allow users to run a program located somewhere other than the Program Files or Windows folder, make sure you set the access rights for the user or the Users group so that they can only read and execute from this folder.
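One way to check this before adding a program to the list, as an added example (not part of Secure-Runner or its documentation): the PowerShell script below reports access entries that let anyone other than administrators or the system overwrite an allowed program or create and delete files in its folder. The second path in the list, the function name Get-UnsafeWriteAce and the set of trusted accounts are assumptions made for this example.

```powershell
# Added example: audit allowed programs for write access by non-admin accounts.
# Constructed sample list; replace with the paths you added in the Allowed programs editor.
$AllowedPrograms = @(
    'C:\Program files\SomeVendor\SomeProgram.exe',  # path used in the note above
    'D:\Tools\Legacy\LegacyApp.exe'                 # constructed path outside Program Files
)

# Rights that allow replacing or tampering with a file, or with the contents of a folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits, seen on some inherited entries.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

# Accounts assumed to be trusted (well-known SIDs, independent of the Windows language).
$Trusted = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (only matters if an untrusted account can create files, which is flagged)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UnsafeWriteAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited entries, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

foreach ($exe in $AllowedPrograms) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Allowed program not found: $exe"
        continue
    }
    Get-UnsafeWriteAce -Path $exe                               # the program file itself
    Get-UnsafeWriteAce -Path (Split-Path -Path $exe -Parent)    # the folder that contains it
}
```

Each object printed is an entry to remove or reduce to read and execute; no output means neither the file nor its folder is writable by an untrusted account.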
Remarks
Why do I have to enter the password for the administrator?
Every program which is started in Windows is given a set of rights which define what the program is allowed to do (for example, whether it can write to system folders on the disk, access computer hardware, etc.). However, these rights are not defined for each program but rather for each person who has a user account on the computer. After all, each program is started by some user (except for special system programs), so each program receives the rights of the user who started it.
For example, if you have a user account "John" on your computer and this account is of the "Limited user" type, every program started by John has John's limited rights, e.g. it cannot write into system folders. This is a problem for some programs which were designed with the assumption that they will run with full access to the computer; if they do not have this access, they crash or do not work properly. A way around this is to start such a program as a different user. This is possible in Windows. Any user can start any program with the privileges of another user, provided he/she knows the name and password of this user. So if John knows the password for the Administrator account on the computer, he can start any program as administrator. But assume you do not want John to know the Administrator password, yet you want him to be able to start the program with Administrator rights. This is Secure-Runner's job. It takes responsibility for remembering the password instead of John and providing it to Windows when John needs to start the program. When you enter the name and password for some administrator account on your computer, Secure-Runner saves this password and "auto-fills" it when needed.