August 25, 2000

Window Manager, Brian Livingston

Service Pack 1 for Windows 2000 stops the useful 'Run As' trick from working

MANY OF MY READERS are using Windows 2000, or thinking of upgrading to it. For these pioneers, I wrote in my Aug. 14 column that Windows 2000's recommended new Service Pack 1 has one significant glitch: SP1 disables network and Internet access if you're using a personal firewall product, such as ZoneAlarm or BlackICE, with security set on "High."

I've found a new wrinkle when installing SP1. The service pack disables Windows 2000's "Run As" trick with Windows Update. Fortunately, I'll show you how to get it back.

Some of you may be scratching your head, thinking, "What the heck is 'Run As'?"

Although the Run As feature is fully supported by Microsoft, it's a little-known trick that can be useful to a wide variety of Windows 2000 administrators. Let's take a minute to review what this feature does.

Microsoft built Run As -- or secondary logon -- into Windows 2000 to allow you to run your system more securely.

In a nutshell, users who have administrative privileges on a Windows 2000 machine shouldn't be logged on constantly as an administrator. Instead, you should create yourself a user account with more limited privileges. You then log on as administrator only when necessary to run programs that require administrative privileges.

You need these two accounts to protect your system. You might unintentionally run a malicious program that is a "Trojan horse" for a virus or zombie. Or you might visit a Web site that secretly launches a malicious program on your PC. If you're logged on with administrative privileges when either of these happens, the Trojan horse has full access to your PC. It can install software and access files with the same privileges you have as administrator.

But if you're logged on as a user with limited privileges, the Trojan horse will be more restricted. It might even trigger an error message to warn you something is amiss.

There's one problem with the two-user approach: People dislike taking the time to log off as an ordinary user, log back on as administrator, then log off and back on again.

The Run As trick allows you to log on to your Windows 2000 system as an ordinary user, but start a single program at any time with greater administrative privileges.

A good example is the Windows Update feature. This program typically appears on the Windows 2000 Start menu. Under Windows 2000, however, some aspects of Windows Update require administrative privileges.

To access Windows Update while logged on as an ordinary user, hold down the Shift key while right-clicking Windows Update in the Start menu. You should see "Run As..." on the context menu that appears.

Click this item and you are presented with a dialog box that lets you log on with your administrative name and password. As long as the new program remains open, it runs with your administrative privileges, not the more restricted privileges of the user account.

The installation of Windows 2000 SP1 eliminates your ability to use Run As with Windows Update. Until Microsoft has a service pack to fix the service pack, here's how to work around the problem:

Step 1. Click the Start button, then hold down Shift as you right-click the menu item for Internet Explorer. Click Run As and run IE with administrative privileges.

Step 2. In IE, pull down the Tools menu, then click Windows Update from there.

This work-around suggests the power of Run As. For example, you can create a shortcut to the Computer Management console, then right-click that shortcut while holding the Shift key to run any utility as an administrator.

