I use Atlassian SourceTree on Windows, and one thing I like about it is that it doesn't require admin privileges to install or update. I happened to mention this to our ISSO (Information System Security Officer), and he was not a fan. He said that not requiring admin was dangerous because (to paraphrase) 'If it's not asking you for approval, you never know what it's going and changing in the background!'
Now, this person has a tendency to be overly-cautious, so I am skeptical of his assessment. I had always thought that if a program doesn't ask for administrator permissions, it's because it doesn't make deep enough changes to need them. To add to that, our work computers are extremely locked down, so I find it hard to believe that all an installer has to do to get by our security features is to not ask for permission.
So what's the real situation? Can an installer that can run without administrator privileges really be that dangerous?
David K
14 Answers
Installing something without needing admin privileges is no more dangerous than running a no-install program with standard user permissions. This is also less dangerous than installing something WITH admin privileges (or indeed, running anything with admin permissions).
Running a random program downloaded off the internet, of course, is potentially dangerous - even if it doesn't require admin.
If your ISSO's concern is 'you're running random internet code, and the author of that code makes it easy for you to be lazy about asking me to vet it', then this is quite valid and factual. (you might debate the cost/benefit, but it is valid)
If the concern is 'this installer is more dangerous than other installers or no-install programs because it doesn't escalate its access level', then no, this is factually incorrect.
Ethan Kaminski
Well, if it doesn't need admin rights, that means that it can only do what a regular user can. Of course, you won't really know what the installer is doing (but do you ever really know?) but you can be assured that it won't be able to do anything that an unprivileged user can't, so I don't see the problem if you trust the source.
Jordi
On the Windows platform, whether an app installer triggers UAC (User Account Control) is not up to the app and the app cannot circumvent UAC. If the app install needs to do anything that would require admin, UAC will be triggered. This would include writing to system directories or registry settings that are system wide.
If an app install doesn't trigger UAC, that indicates the app is installing under the non-admin user's profile directory, and only setting registry under the user's own profile. It is certainly possible for a user to install malware, and the malware designed to only mess with that user's files/settings, the damage will not extend system wide.
In the context of ransomware threats, this means ransomware that targets only the user's own files would fly under the UAC radar.
To protect against that and satisfy your ISSO's concerns, your organization would need policy and protective tools to prevent running any app that is not provided by the company and certified. That is incredibly hard to do effectively, and to do that would require a very large investment in staff to certify apps as the business needs demand them.
Obviously, the above is only true if UAC has not been disabled or tampered with. It used to be fairly common for people to disable UAC because it was an annoyance, as apps that really shouldn't need admin would trigger it. For example, it used to be common (and still happens) where running a game requires elevation because the game does an auto-update at each run. These days, apps are better behaved and UAC really should not be disabled.
Updated for clarification following good comments:
It should be mentioned that when logged in as a user with local admin, there are ways of circumventing UAC. For best protection, one should not have admin rights for their everyday account, and create another with admin rights. UAC will prompt for that admin's credentials when system wide settings are changed or software installed, but UAC can't be circumvented entirely if UAC is enabled.
Thomas Carlisle
One additional threat for program installations that do not require administrator rights is that the installation can be modified by user level code. This allows for silent (no admin access required) updates, which means that the program behavior can change without warning. This also allows an adversary to insert code and tamper with the program silently (no admin access required).
AstroDan
> If it's not asking you for approval, you never know what it's going and changing in the background!

Whether the installer requires admin rights or not, you don't know what it is doing unless you're tracking/monitoring system changes.
What you know, however, is that if it doesn't ask for admin rights, it can't make any change that requires admin rights (alter system files, system registry, drivers, etc.).

> Is an installer that doesn't require admin rights dangerous?

It could be, but no more than an installer that requires admin rights; in fact it's theoretically less dangerous.
But either way, you shouldn't run any installer you can't trust on a sensible environment whether it requires admin rights or not.
zakinster
The application still has to ask for elevation if it needs more privileges, independent of its installer. On the other hand, if an application is malware, it can run its harmful code in the installer already.
So actually it is the other way round: if neither the installer nor the application asks for elevation, it can do less harm than if one of them asks for privileges.
When writing an installer, one tries to use as little privileges as necessary. Usually this determines, whether the program can only be installed on a per-user base, or if it can be installed for all users.
So if it is enough to write to the registry branch [HKEY_CURRENT_USER] there is often no need to ask for elevation, when the installer needs privileges to write to [HKEY_LOCAL_MACHINE] or to do other things only an admin should be allowed, it has to ask.
martinstoeckli
What it means
If an installer doesn't require admin rights, then it is installing software for the current user only, rather than system-wide.
What are the security impacts?
The software you are installing can only run under your own user account, so it has no way of modifying or damaging the system at superuser/admin level and affecting other users or system services. In this regard it is more secure than running a software installer that requires admin rights.
However, that doesn't mean the software itself can't do bad things, like any software, such as spying on you, spamming unwanted network traffic, messing with your files in your account, etc. None of this, however, is specific to the method in which software is installed.
Why system admins may not like it
It gets around any policy they may have around users installing software such as an approval process.
Is their concern justified?
Yes and no. While it isn't any more of a security risk to the system itself than anything you can already do in your user account (such as write scripts, run your own binaries or compile your own software), there are still some reasons IT departments may like to be notified or consulted anyway.
Some IT departments like to keep a record of what software exists on users' computers for the purpose of auditing. If the user installs software without IT knowing about it, then that software can still do nefarious things such as attack computers over a network, send spam, use up lots of resources on the machine, leak confidential documents and so on. So even though it may not be able to risk the system integrity for other users on that system, it still may perform things that are unwanted.
Even well-meaning software may have vulnerabilities which can cause problems if not kept up to date. If an IT department knows about software installed on users' systems it can ensure they get kept up to date.
Summary
What this all boils down to is that there is no inherent security risk in an installer that installs for a single user and doesn't use admin rights. What an IT department may be concerned about is simply the act of installing software without notifying them.
thomasrutter
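The auditing concern in the answer above, and the HKEY_CURRENT_USER versus HKEY_LOCAL_MACHINE distinction from the earlier answer, can be checked directly. This is an added example, not code from any of the answers: the function names are hypothetical, and it assumes the installer registered itself under the standard Uninstall registry keys.

```powershell
# Added example: list software registered per-user (HKCU) versus machine-wide (HKLM).
# Per-user entries are installs that completed without elevation.
# Portable apps that register nothing in the registry will not appear here.
function Get-InstalledSoftware {
    $keys = @(
        @{ Scope = 'PerUser'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' }
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' }
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' }
    )
    foreach ($key in $keys) {
        Get-ItemProperty -Path $key.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope           = $key.Scope
                    Name            = $_.DisplayName
                    Version         = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    InstallLocation = $_.InstallLocation
                }
            }
    }
}

# For each per-user install, report whether it lives under the user's profile
# (writable without admin) and how many of its top-level executables lack a
# valid Authenticode signature. A status such as HashMismatch means the file
# changed after it was signed.
function Get-PerUserInstallReport {
    Get-InstalledSoftware | Where-Object Scope -eq 'PerUser' | ForEach-Object {
        $app  = $_
        $loc  = if ($app.InstallLocation) { $app.InstallLocation.Trim('"') } else { $null }
        $exes = @()
        if ($loc -and (Test-Path -LiteralPath $loc)) {
            $exes = @(Get-ChildItem -LiteralPath $loc -Filter *.exe -File -ErrorAction SilentlyContinue)
        }
        $notValid = @($exes | Where-Object {
            (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
        })
        [pscustomobject]@{
            Name             = $app.Name
            Version          = $app.Version
            Publisher        = $app.Publisher
            InUserProfile    = [bool]($loc -and $loc.StartsWith($env:USERPROFILE, [System.StringComparison]::OrdinalIgnoreCase))
            ExeCount         = $exes.Count
            NotValidlySigned = $notValid.Count
        }
    }
}

Get-PerUserInstallReport | Sort-Object NotValidlySigned -Descending | Format-Table -AutoSize
```

The script only reads the current user's hive, so it has to run in each user's session (or be pushed by a management tool) to build a fleet-wide inventory.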
An installer that does not ask for admin rights is safer than one that does ask, …
Unless, you have admin rights and granted them to the installer.
As an example, I have an installer on my MacBook that is able to install applications in /usr/local/bin without asking for my admin password (called ‘brew’ for the curious). The only way that is possible is for brew to have been given admin rights when it was installed. Now MacOS has something called SIP that prevents even admin from making some types of changes. As far as I know, Windows has no equivalent. (But I haven’t used Windows in almost four years.)
That said, even without admin privileges, a program you installed can possibly do nasty things to you. Another answer has mentioned some of those things. But any program can do some of those, not just an installer.
WGroleau
A large number of installers can simply be extracted without administrator rights using third-party tools such as universal extractor and don't actually truly require administrator rights. By giving installers access to administrator mode you give them access to every part of your computer, an installer that runs without those rights only has access to the files that don't require administrator rights.
However, it is true that you never know what ANY third-party program does, unless you check for yourself. All you can do is make sure the program comes from a trusted source, doesn't have any known viruses (using an antivirus/virustotal) and lastly you could use something like universal extractor to see what the script does or even use it to extract the files from the installer directly. And obviously, make sure the boss is okay with the programs you're running/installing.
Do keep in mind that not every installer can be extracted in this fashion and that some installers do in fact require administrator rights to install things like drivers or enter things into the registry.
HiddenKnowledge
To add to the existing answers, there is a flip side disadvantage to an installer which doesn't need admin rights if the software which is installed does need admin rights to run.
If the installer does not use admin rights, the software cannot possibly be installed in the (protected) Program Files folder. By installing locally rather than globally it is possible for a malicious actor to modify the program, or install custom add-ins, from a local rather than administrator account. This could potentially lead to an escalation of privilege if someone then runs that program as an administrator.
The conditions needed to achieve this practically however are very remote. It's more of a theoretical vulnerability rather than a real world one.
niemiro
Your ISSO is just plainly wrong.
First, if I managed to create an installer that doesn't need admin privileges but is actually malware (for example sends all your documents to me), then it is trivial for me to make it ask for admin privileges. I'd really be wondering how asking for admin privileges would make that installer safer.
Not asking for approval doesn't mean the installer can do anything it likes. It can only do things that don't require approval. It can't do these things without approval. The installer with admin rights can do anything on your computer and mess it up completely. The installer without admin rights can do anything in your user directory and mess it up completely - which is less than the installer with admin privileges can do.
Now damage isn't necessarily done by malice, but often by stupidity (aka bugs in the installer). With admin rights, an installer has the ability to mess up your whole computer unintentionally. Without admin rights, that risk is hugely reduced.
(As mentioned earlier, on recent MacOS systems 'admin privileges' and 'root privileges' are not the same at all, which is used to protect the operating system even from code with admin rights).
gnasher729
It simply means that it cannot do what an Administrator can do. If some action requires Admin-rights, then the process execution will require Elevation. Since SourceTree isn't asking for elevation, it won't do anything that can harm the system.
For example, it cannot:
- Install a Windows Service
- Start or Stop any service
- Stop any elevated process
- Install Device Driver (signed or not, that's not the point).
- Read/Write protected registry
- Format a drive
- Change disk partition
- Change system time
- Shut down the machine
- Start a system-wide process profiler
- Read protected directory.
- Change boot configuration.
- Change security policy
- . . .
Therefore, it is better and safe that installer (or any program) is not asking for Admin-mode run.
Ajay
For completeness: An installer which takes privileges it SHOULD NOT have silently (by one of the methods described in various comments) would indeed be not only in bad taste but an added security risk - it could in some cases be instrumentalized by other malware that would otherwise not be capable of downloading an exploit tool like that to the local machine.
Example: Installer is whitelisted with an anti-malware solution by a user that knows the software is not malicious in itself. Actual malware (or a dedicated attacker), who would be stopped from directly using the same vulnerability, could conceivably turn that installer, if still lying around in e.g. the local downloads folder, into a confused deputy by modifying it or running it in a crafted environment.
rackandboneman
Atlassian SourceTree can, in a sense, be viewed as a program capable of creating covert channels, that according to the ISO 27001 standard, require mitigation. The argument for this is that it is a Git client capable of pulling in a vast body of source code over https.
bbaassssiiee
In so far I'm enjoying the Windows 10 experience. A few tweaks to the GUI and I'm fairly happy with it. What I've been very annoyed about, and I've been hearing this has also been a big issue with Windows 8, has been privileges. For about a month I didn't have any issues. Then, all of a sudden (and I don't think there was an update), just before the new year iTunes started kick back that it wasn't installed properly and there wasn't a procedure entry point in the DLL folder. Thinking it was just the program, I tried to reinstall, but Windows Installer threw a 2503 error code.
After doing some easy searching, it looks like it was a permissions issue. After checking all settings within the Install program, running the install program as admin, unregistering and reregistering with the server, double checking UAC as being off, and checked to make sure my user was part of the admin group the install program still wouldn't work. Finally, I enabled the Admin user and logged into it. No issue. So, obviously is a UAC issue. Just on the off chance that it would work I closed explorer and launched it with admin rights. Windows Install program ran just fine.
Okay, so maybe it was a glitch with iTunes installer. This is a technical preview after all. No. It wasn't just with that program. If I want to install or uninstall ANY PROGRAMS in Windows 10, I HAVE to run Explorer as admin or log into the admin account. It doesn't matter anymore. Windows Installer will always throw a 2053 error. This is THE MOST ANNOYING thing I have run across so far. One simple search of 2053 brings up plenty of results of others who have this issue (more in 8-8.1 than 7, but sometimes in 7).
I can tell you right now. If this kind of an issue doesn't get fixed, or a solution is found, I will NEVER buy Windows 10.