I think most everyone would agree that doing day to day activity on your PC as an administrative user is a bad idea. At the same time, knowing why you shouldn’t run as admin hasn’t been enough to motivate me to confront the inevitable problems you run into when using software that assumes administrative privileges. Well a couple of weeks ago, I finally drank the kooliad and removed my logon account from the administrators group on my laptop. A few things have been annoying, but judicious use of “RunAs” and shortcuts have made it a lot less productivity draining as I’d expected.
The worst issue I’ve run into is debugging ASP.NET applications. By default only administrators have the “SeDebugPrivilege” privilege which is required to attach a debugger to a process running under another user’s account (in this case ASPNET). After reading a few articles and talking to some colleagues I experimented with granting that privilege (via local group policy) to local user groups and even my account specifically. No dice.
I happened to stumble onto an article on The Code Project about CLRDebugEnable, a VS.NET addin for just this problem. I decided not to use the addin itself because it relied on some dicy DLL injection stuff that I didn’t quite understand. That said, the article about the addin had a great low level explanation of why .NET 1.1 requires a user to be a member of the administrators group to debug other users’ processes above and beyond the “SeDebugPrivilege” privilege.
A few google searches lead me to Anil John’s post on developing with Visual Studio.NET 2003 as a non-administrator. Following his instructions, I configured the ASP.NET Worker process on my machine to run with my logon accounts credentials. The credentials are encrypted and stored in the registry using the ASPNET_SETREG utility, but I’m still a bit nervous about the fact that domain administrators could potentially unencrypt my credentials. This shouldn’t be an issue with Whidbey, but I’m going to live in Everett land for quite a bit longer.
Next up, removing my local account on my home machine from the administrators group!