Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions and tips here.
I’ve long wanted a way to know at a glance whether I am logged in as a member of the all-powerful Administrators group, the slightly less-powerful Power Users group, or as an ordinary User. The more I use RunAs (including with Explorer)and MakeMeAdmin, the more I need to be able to distinguish privilege levels of various apps on my desktop. Someday I might try to come up with a robust way to do this for all windows on my desktop. For now, Ive got PrivBar.
PrivBar is a toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running….
PrivBar shows you roughly what your privilege level is by checking the current process’ token for membership in Administrators, Power Users, Users, or Guests. The circle on the bar will be red if you are in Administrators, yellow if you are Power User, green otherwise. If you are an admin, the bar’s background will be yellow. Finally, if that instance is running with a restricted token (e.g., by using the RunAs dialog’s “protect my computer” option, which I will describe in detail in a future post), the circle will be green with a red line through it. (For the geeks: PrivBar uses the CheckTokenMembership API, so yes, it properly takes into account disabled or deny-only SIDs.)