Economist Writing Every Day

Stop Using Your Administrator Account Routinely on Your PC

January 30, 2024 | February 1, 2024 | Scott Buchanan

I recently got a new PC. Windows 11 Media Player will play music CDs, and certain kinds of video files, but does not do much in the way of editing, and it will not play commercial movie DVDs. I planned to download the free, widely used, widely loved, highly capable VLC media program for my audio and video needs.

But first, as a cautionary measure, I did a quick Internet search on the safety of this program. I was mainly concerned about malware being bundled in with the installation. This does not seem to be a problem if you get it from the source, VideoLAN. This is a benevolent, non-profit enterprise led by volunteers trying to make the world a better place. However, it turns out the notorious China-based Cicada hacking group has utilized VLC to infiltrate computers and suck out sensitive information. This sounded really bad for VLC. Digging a little deeper, though, the story was more nuanced. The actual hacks occurred when incautious users used VLC to open a contaminated video file that the hackers had sown on the Internet, which then started to do all the bad stuff on the computer.

But what really caught my attention, and has become the subject of this blog post, was VLC’s response to all the criticisms of it being a vector for hackers. In so many words, they said, “Hey, if users would use a little common sense and not run as Administrators all the time, this would not be an issue. It’s only when they run as administrators and use our program to open infected files that the malware can get a foothold and do anything really bad to the computer. Lots and lots of other programs out there have the same vulnerabilities that our program does towards opening infected files. If users are going to be stupid enough to run as administrators all the time, don’t blame us.” Or something like that.


That got me concerned about looking into the hazards of routinely running as an administrator. This is something nobody really warned me about. When you get your shiny new PC, and open up your first user account to operate your computer with, it is always an administrator account. That allows you to install and uninstall programs, which of course you need to do. Most of us, dumb and happy, just keep using that same account.


But when I dug into it, it does seem like that is a bad idea. It opens your computer to hacking in a serious way. Two quotes to make that point:

A recent study from security vendor Avecto found that 94% of critical vulnerabilities announced by Microsoft could be mitigated by simply removing administrative rights. These vulnerabilities range from phishing attacks that can hijack the system via applications like Microsoft Word to packets that are specially crafted to hit Windows Server. In most cases, they can be leveraged to remotely execute code and take control of the PC, potentially accessing sensitive data and applications deeper within the network. (Joe Kozlowicz at Lunavi blog)

And:

The principle of least privileges is why we do not do our day-to-day computing from an Administrators account. If you are a Standard user, and your account gets hacked, the most an attacker can do is to rifle through your personal files, which is not a worthwhile use of an attacker’s time. If attackers are looking for bank account numbers, credit card information, Social Security Numbers, and the like, they can easily and cheaply find thousands of people’s records on the dark web. They are unlikely to waste their time on your user account. 

But if you’re using an Administrators account that gets hacked … now that’s the grand prize. Now they’ve got an entire computer to work with, and with that computer they can do tremendous damage, not only to your computer – for example, by using it to mine bitcoin, or torrent stolen content – but to other computers too, by using your computer to attack other computers. (per “A. User” on Microsoft forum)

(My jaw dropped a little at the off-hand remark that “…If attackers are looking for bank account numbers, credit card information, Social Security Numbers, and the like, they can easily and cheaply find thousands of people’s records on the dark web. They are unlikely to waste their time on your user account…,” but we will pass over that for now.)

Interestingly, on that same Microsoft forum there were other complacent users pooh-poohing the notion that running with an Administrator account was hazardous. As I said, dumb and happy.

So, I realized (hangs head in shame) I was one of that innumerable company of stupid users who routinely run their PCs from an Administrator account. Well, what is the alternative? Besides an Administrator account, the other type of account on a PC is a Standard account. With a Standard account, you can run all your programs and save all your data and do pretty much everything you normally do.

Oh, but you ask, what if I want to install a new program or uninstall an unwanted program? It turns out that is straightforward to do using a Standard account, as long as you know your administrator account password (never lose that password!!). If you do a software installation as a standard user, at some point in the process it will simply ask you for an administrator password, which you can enter to make that one action, and then the process just proceeds along.

If you are working as a Standard user, but then you know you’re going to make some unusual system alterations, it is easy enough to don your Superman cape and open up a second, administrator, account on your PC, leaving your working files and programs live in your standard account. Just do the venerable simultaneous CTRL-ALT-DEL, and click on Switch User. You can then click on an Administrator account and do what you need to do, then switch back to the Standard account to keep on going there.

And so, on my new PC, I have set up a second, Standard account, and plan to run routinely from that. I invite others to do likewise. A brief tutorial is below.

APPENDIX: How To Set Up Another, Standard Account on Your PC

This whole process may take about 30 minutes, depending. In Windows 11, go to:

Settings – – Accounts – – Other Users – – Add Account

At this point the system will ask you for the new user’s email address or Microsoft account, which you can give if you want, or you can say you don’t know and keep going. Assign this account a new name and password (this will become the normal password you sign into your PC with, going forward).

It’s similar in Windows 10:

Settings – – Accounts – – Family and Other Users – – Add Someone Else to this PC – – I don’t have [Microsoft account] sign-in information – – Add User Without Microsoft Account

At this point you are done. You are ready to use this new account as your normal user log-in, and only unleash the Administrator account on rare occasions.

That was quick. But what I found took more time was re-customizing the settings and bookmarks on my apps, like my browser (I use Brave for privacy) and Word (I tweak the settings to prevent Word from sending all my keystrokes back to Microsoft), for use within the new account. Apparently, these apps treat each new user as a new user, and come in with the standard settings. Also, I took my working files/documents from my Admin account, copied them to a thumb drive, and then pasted them into the Documents folder of my new Standard account. (There is probably a more clever way to do this, using Public folders on your C: drive.)
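The same setup can be done and checked from an elevated PowerShell prompt. This is an added example, not part of the original post: it lists which accounts hold administrator rights, creates a local Standard account (the "without Microsoft account" path above), and confirms the new account is not an administrator. The account name `daily` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: run on Windows 10/11 from an elevated PowerShell session.
# 'daily' is a placeholder account name, not taken from the article.

# Well-known SIDs are used instead of group names so the script
# also works on non-English Windows installations.
$AdminsSid = 'S-1-5-32-544'   # built-in Administrators group
$UsersSid  = 'S-1-5-32-545'   # built-in Users group (Standard accounts)
$NewName   = 'daily'

# 1. Report every account that currently has administrator rights.
Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Create the Standard account if it does not exist yet.
#    New-LocalUser does not add the account to any group, so it is
#    added to Users explicitly; otherwise it cannot sign in normally.
if (-not (Get-LocalUser -Name $NewName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $NewName"
    New-LocalUser -Name $NewName -Password $pw `
        -Description 'Standard account for daily use' | Out-Null
    Add-LocalGroupMember -SID $UsersSid -Member $NewName
}

# 3. Verify the new account did NOT end up in Administrators.
$isAdmin = Get-LocalGroupMember -SID $AdminsSid |
    Where-Object { $_.Name -like "*\$NewName" }

if ($isAdmin) {
    Write-Warning "$NewName is a member of Administrators"
} else {
    Write-Output "$NewName is a Standard user"
}
```

If step 1 lists the account you sign in with every day, that is the account this post suggests reserving for installs and system changes.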
