Wednesday, March 11, 2009

suDown brings Unix like sudo to Windows XP

Windows XP by default assigns administrator privilege to the first user account you create after a fresh Windows install, and as most personal computers are single user based they end up running all applications with elevated privileges including viruses and worms. Microsoft decided to solve this by introducing the UAC (User Account Control) to Windows Vista but it turned out to be so aggressive that most users kept it turned off, which brought everything back to square one.

Unix based systems has a better approach. The rule with Unix is that you never use the root (administrator) account for everyday work. A Unix user uses a limited rights user account for everyday tasks, but when the need to make system level changes arise they can quickly change the privilege level of their account to another user or mostly to the root account by using a command called “sudo” - short for superuser do.


suDown is an open source tool for Windows XP that brings the benefits of sudo to the OS. sudown creates a trusted users group called the Sudoers group that has lower privilege but can be temporarily given administrative status. By including your administrator account to the Sudoers group you effectively transforms your original administrator account to a Sudoer account which is still an administrative account but runs in a low privileged environment. Your current account will be automatically added to the group the first time you use the sudo command. Alternatively, you can add or delete user accounts from the sudeoers group through the Computer Management panel in Control Panel.



When the user needs to run a program with administrator privileges, they have to right click on the executable file and choose sudo from the context menu. Once the account password is entered, the sudown client calls the sudown service, which temporarily escalates the user's group permissions to the Administrators' Group, but only for the specific program being run. The password is also cached for 5 minutes making easier to run multiple applications with higher privileges.

This makes using the limited user account in Windows XP much easier. The best part is, you can continue to use your administrator account for everyday work as long as it is a part of the Sudoers group.

And like Unix, sudo can be executed from the command line too. Just precede the file name with “sudo”. Example, C:\>sudo winamp.exe

The difference between suDown and the inbuilt function “Run as” is that with suDown you can run applications under the context of your user account and not
with another one's. This means that the launched application sees your user account's environment, your Desktop, Start menu and Documents. When you install a software through sudo, you remain the owner of the installed files and registry keys and the icons will be placed on your desktop. suDown is a much better application than “Run as”, and is a great way to bring UAC level security to Windows XP.

There another application similar to suDown called sudowin, but I haven’t tried it.

Related: Run applications as non admin in Windows XP to avoid malwares


Post a Comment

Popular Posts