The challenge of partial trust

Over the weekend I upgraded a kid's PC from Win98 to XP. I'd been dragging my heels because Win98 was "good enough" for games, IM, and writing school reports, but this installation had long since reached its half-life. Also, I was curious to see what a 98-to-XP upgrade would be like, never having done one. So I fired up the installer and posted the kid on guard to alert me when intervention was required.

He summoned me repeatedly, but in each case the reason was a popup ad, not anything technical. Call me naive, but the frequency and intrusiveness of these ads surprised me. Otherwise, though, the in-place upgrade went smoothly. It really is remarkable that the Win9x kernel can be uprooted, and the NT kernel inserted in its place, with so little disruption.

In order to ensure the maximum half-life for the new system, I made myself administrator and gave a limited account to the kid. Then I set him to work verifying that his games still worked. All of them did except for Age of Empires. The installation report suggested I should reinstall it. I switched to my account, did that, and fired up the game. It worked. Then I switched back to the kid's account and fired up the game. It still failed.

So for now, the kid is the proud owner of administrative privilege. I could milk this for irony by pointing out that Age of Empires is a Microsoft product. But I'd rather take this in a different direction. Partial trust is a hard problem, period, in all operating systems and environments. So hard that we either spend inordinate amounts of time figuring out how to make partial trust work, or we punt and allow more trust than we should. Or both.

In this particular example, had I the time and inclination to solve the problem, I'd probably fire up Sysinternals' Filemon and try to find out which file or directory Age of Empires is failing to read or write. Of course the problem could lie elsewhere -- with API permissions rather than file permissions, for example.
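Approaching the same diagnosis from the permissions side, here is an added PowerShell example (not from the original post, and not a Filemon feature; Filemon itself is a GUI tool) that walks the game's install directory and lists every file or folder for which the limited account has no Allow rule granting write access. The install path and account name are assumed placeholders.

```powershell
# Added example, not from the original post. Lists paths under a program's install
# directory that a limited (non-administrator) account cannot write to. Any save-game,
# config or log location that turns up here is a candidate for the access-denied
# failure, and the least-privilege fix is to grant Modify on that one folder rather
# than making the user an administrator.
param(
    # Both defaults are assumed placeholders; adjust to the real machine.
    [string]$InstallDir  = 'C:\Program Files\Microsoft Games\Age of Empires',
    [string]$LimitedUser = "$env:COMPUTERNAME\kid"
)

# Allow rules for any of these identities would also let the limited account write.
$writerIdentities = @(
    $LimitedUser,
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Rights that imply the ability to change a file or create entries in a folder.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

Get-ChildItem -LiteralPath $InstallDir -Recurse -Force |
    ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName

        # Heuristic: an explicit Deny rule is not evaluated here; this reports only
        # where no matching Allow rule exists, which is the common Program Files case.
        $canWrite = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $writerIdentities -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeBits) -ne 0
        }

        if (-not $canWrite) {
            [pscustomobject]@{
                Path  = $item.FullName
                Owner = $acl.Owner
            }
        }
    } | Format-Table -AutoSize
```

Run it from the administrator account; if the list covers the whole tree, the game was likely written to store its data in its own install folder, and Filemon (or a comparable file-access monitor) will show which of those paths it actually touches at runtime.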

This isn't only a Windows issue. Across the board we need better ways to visualize trust boundaries and diagnose problems arising at these boundaries.


Former URL: http://weblog.infoworld.com/udell/2004/05/24.html#a1007