Here’s fantastic evidence, from adminfoo.net, that running with LUA will save your bacon: Proof: LUA Makes You Safer. Look at the results table from an eWeek article where their test labs ran as an Administrator, Power User, and User and “visited a series of less-than-savory Web sites in an effort to install various types of adware and spyware bundlers.” The results are amazing. On Windows XP SP2, the Administrator and Power User accounts each had 16 detected threats. The User had zero! Do you now believe all of us clamoring for everyone to run as LUA?

Some of the comments on yesterday’s post and numerous emails from folks said they had tried LUA, but had all sorts of problems. I apologize for not going into more detail on making the switch. Here are some thoughts on getting started and making the most of it. Of course, go to nonadmin.editme.com for more details and other tips.

  • Don’t simply switch your existing login to a LUA account and expect it to work. It’s best if you start from a fresh install with your main account running as just a User. There’s some nasty juju in Windows when you do the abrupt switch. Also, don’t make the switch two weeks before your application ships. That doesn’t excuse you from testing under a LUA account, though!
  • I started doing the LUA dance long before Aaron Margosis’s wonderful MakeMeAdmin script. Consequently, I use the actual Administrator account to run things I need to have administrator rights. For me that’s worked great.
  • If you have to debug across accounts, like ASP.NET or Web Services running in IIS, you’ll need to start DEVENV.EXE (VS.NET) in an account that has Administrator privileges. Read up on the RunAs command. You can also right-click on the link or program in Explorer and select the Run As… option to be prompted for the account and password.
  • You can also create shortcuts that will automatically prompt you for the account and credentials. Create a shortcut and, in its properties, select the Shortcut tab and click the Advanced button. In the Advanced Properties dialog, check the Run with different credentials check box. Press OK twice to close the two dialogs. When you double-click on the link, you’ll be prompted for the account and password to run the link.
  • Set up your Administrator account’s Explorer to launch folder windows in separate processes. (Tools, Folder Options menu, View. Google for the registry setting to do it automatically.) That way you can start a command shell as administrator and start Explorer instances from the command line. Everyone remembers how to use a command line, right?
  • In your Administrator account, set the Explorer toolbar background bitmap to a bright red so you know instantly that Explorer is a dangerous process. The steps: here. Additionally, set your command window background to a different color so the two look different. If you start both from a shortcut, you can also set a different icon that will show up in ALT+TAB and in the Task Manager. I like stop signs and the pirate skull and crossbones.
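
The Administrator-account setup from the last two tips can be scripted. The batch file below is an added example, not part of the original post: it turns on separate-process folder windows and gives that account's command windows a red background. It assumes the privileged account is the built-in local Administrator and that you run it from a shell started with RunAs.

```bat
@echo off
rem Added example, not from the original post.
rem From the LUA desktop, open an elevated shell first (you will be prompted
rem for the password), then run this script inside that shell:
rem   runas /user:%COMPUTERNAME%\Administrator "cmd.exe /k title ADMIN SHELL"
setlocal

rem Assumption: the privileged account is the built-in local Administrator.
set ADMIN_ACCT=Administrator

rem Refuse to run in the everyday account, otherwise the settings below
rem would land in the LUA user's HKCU hive instead of the administrator's.
if /i not "%USERNAME%"=="%ADMIN_ACCT%" (
    echo Run this from a shell started as %ADMIN_ACCT%, not as %USERNAME%.
    exit /b 1
)

rem Launch folder windows in separate processes, the same switch as the
rem Folder Options checkbox on the View tab.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
if errorlevel 1 exit /b 1

rem Default console colors for this account: 79 = 0x4F, bright white text
rem on a red background, so admin command windows stand out.
reg add "HKCU\Software\Microsoft\Command Processor" /v DefaultColor /t REG_DWORD /d 79 /f
if errorlevel 1 exit /b 1

echo Done. New command windows for %ADMIN_ACCT% open red; start Explorer
echo from this shell with:  explorer.exe /e,C:\
endlocal
```

Both values are written under HKCU, so they affect only the account the script runs as; your LUA login keeps its normal colors and Explorer behavior.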