Edit: Josh Karlin commented to this blog post that the LUA bug has been fixed. Thanks Josh!
Last night I installed Launchy, the open source keystroke launcher for Microsoft Windows (not the Firefox extension with the same name). I had read about this program a few times on the Internet, and decided to give it a try since typing (a part of) the name of an application to start it sounds very handy to me.
So I downloaded the small program, and installed it with Administrator rights. Next I started the program as user "John" a Limited User Account (LUA), since to me that is a sound way to work. First thing I wanted to do was adding my own directories for scanning and after pressing OK was greeted with the following.
At first I misread the warning, and thought I had to create launchy.ini in C:\Documents and Settings\John\, which I did. But this didn't work (of course), and I got the same error again. Then I noticed that Launchy actually wants to create an ini file in C:\Program Files\Launchy\Users\John\, a directory a user with limited rights shouldn't have access to. Shock, horror! What was the author, Josh Karlin, of this program thinking? Especially with a statement like "Launchy is developed to run on XP". Does Josh Karlin develop software with Administrator rights? Doesn't sound very smart to me, to say the least, but that's his decision. But releasing an application that relies on Administrator rights for one of its basic functions sounds clueless to me. Badly written software like this promotes unsecure usage of Windows XP, and indirectly contributes to a lot of malware issues in my opinion. What amazes me even more is that I haven't read about this issue before in the several reviews I read about this program. Do that many people just run everything as Administrator?
Yesterday I looked for a way to contact the author, but couldn't find his email address. I couldn't be bothered to sign up with SourceForge so I decided to write about it in my blog.
The fix for Launchy is extremely simple, instead of attempting to store an ini file in a sub folder of Launchy in the Program Files directory, where it shouldn't be located, the environment variable APPDATA (Application Data, hint!) should be used, which holds the per user folder for Application Data. And guess what launchy.ini is. Yes: application data.
Today I tried the workaround for the Launchy LUA bug I had in mind yesterday. Note that this is a temporary fix until, hopefully, Josh Karlin fixes this issue.
First, login with Administrator rights (I used Windows Logo + L to go to the login screen) and create the Users folder in the Launchy folder (C:\Program Files\Launchy\). Inside the Users folder, create a folder for the user with limited access, in my case John.
Next, select this folder, press the right mouse button, and select Properties entry in the context menu. Select the Security tab in the Properties dialog window and check if the user is in the "Group or user names" list. In my case, "John" wasn't, so I selected the "Add.." button and entered my name in the "Select Users or Groups" dialog window, pressed OK and "John" showed up in the "Group or user names" list.
Note that I allow only one limited user access to the "John" folder, the user "John". You might be tempted to allow all (limited) users access to the Users folder, so Launchy has no problems creating the per user folder and the files in the per user folder. Don't do this for security reasons.
Next, select the right user in the "Group or user names" list. Notice that the title of the dialog window changes accordingly (in my case "John Properties"). Set the following permissions to allow: List Folder Contents, Read, and Write and press the OK button.
Finally log back in as limited user and restart Launchy. The program no longer should complain about not being able to create launchy.ini and if you open your "Users" directory two files should be created: launchy.db and the now well known launchy.ini