Runas de-elevated user

[jassing]

I have an exe that runs as a UAC admin (aka: elevated)
I need that exe to launch a process as a non-elevated application.

Any ideas?

[Little John]

I have asked this question already some time ago.

[RASHAD]

Hi
Try any one of the next
I myself prefer the Shim tech.

Code: Select all

;**********************************************************
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
;*************  Compatibility Shim  ****************************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"

[fryquez]

You need a normal user token and pass it to CreateProcessAsUser

Code: Select all

#SAFER_LEVELID_FULLYTRUSTED = $40000
#SAFER_LEVELID_CONSTRAINED  = $10000
#SAFER_LEVELID_NORMALUSER   = $20000
#SAFER_LEVELID_UNTRUSTED    = $01000
#SAFER_SCOPEID_USER         = 2
#SAFER_LEVEL_OPEN           = 1

Procedure RunAsNormalUser(iCommand, iWorkingdir = 0, iShowflag = #SW_NORMAL)
  
  Protected hSafer, hToken, si.STARTUPINFO, pi.PROCESS_INFORMATION, lReturn
  
  If SaferCreateLevel_(#SAFER_SCOPEID_USER,
                       #SAFER_LEVELID_NORMALUSER,
                       #SAFER_LEVEL_OPEN,
                       @hSafer,
                       0)
    
    If SaferComputeTokenFromLevel_(hSafer,
                                   0,
                                   @hToken,
                                   0,
                                   0)
      
      
      si\cb = SizeOf(STARTUPINFO)
      si\dwFlags = #STARTF_USESHOWWINDOW
      si\wShowWindow = iShowflag
      
      lReturn = CreateProcessAsUser_(hToken,
                                     0,
                                     iCommand,
                                     0,
                                     0,
                                     0,
                                     0,
                                     0,
                                     0,
                                     @si,
                                     @pi)
    EndIf
    SaferCloseLevel_(hSafer)
    
  EndIf
  
  ProcedureReturn lReturn
  
EndProcedure

[jassing]

Hi
Try any one of the next
I myself prefer the Shim tech.

Thank you Rashad.
I will play around with it -- the program may need to be "run as" administrator by others, so I'm not sure if that'll be a good way -- but I will try it & see what happens. I'll try the cmd way too. Thanks.

You need a normal user token and pass it to CreateProcessAsUser

Thanks - pb 5.70 beta2 and 5.62 (both x64) didn't like any of the safe* functions.
I tried with a quick "import" but that didn't work too well; will try using prototypes...

[jassing]

You need a normal user token and pass it to CreateProcessAsUser

Using this code

Code: Select all

EnableExplicit
#SAFER_LEVELID_FULLYTRUSTED = $40000
#SAFER_LEVELID_CONSTRAINED  = $10000
#SAFER_LEVELID_NORMALUSER   = $20000
#SAFER_LEVELID_UNTRUSTED    = $01000
#SAFER_SCOPEID_USER         = 2
#SAFER_LEVEL_OPEN           = 1

;Import "Advapi32.lib"
;  SaferCreateLevel(dwScopeID,dwLevelID,OpenFlags,*pLevelHandle,lpReserved)
;  SaferComputeTokenFromLevel( *levelHandle.SAFER_LEVEL_HANDLE , inAccessToken, outAccessToken, dwFlags, lpReserved)
;  SaferCloseLevel(hSafer)
;EndImport

Prototype ptSaferCreateLevel(dwScopeID,dwLevelID,OpenFlags,*pLevelHandle,lpReserved)
Prototype ptSaferComputeTokenFromLevel( *levelHandle, inaccessToken, outAccessToken, dwFlags, lpReserved)
Prototype ptSaferCloseLevel( hSafer )

Procedure RunAsNormalUser(iCommand, iWorkingdir = 0, iShowflag = #SW_NORMAL)
  
  Protected hSafer, hToken, si.STARTUPINFO, pi.PROCESS_INFORMATION, lReturn
  Protected hAdvapi32
  Protected SaferCreateLevel_.ptSaferCreateLevel
  Protected SaferComputeTokenFromLevel_.ptSaferCreateLevel
  Protected SaferCloseLevel_.ptSaferCloseLevel
  
  hAdvapi32 = OpenLibrary(#PB_Any,"advapi32.dll")
  If hAdvapi32
    SaferCreateLevel_ = GetFunction(hAdvapi32,"SaferCreateLevel")
    SaferComputeTokenFromLevel_ = GetFunction(hAdvapi32,"SaferComputeTokenFromLevel")
    SaferCloseLevel_ = GetFunction(hAdvapi32,"SaferCloseLevel")  
  EndIf
  
  If SaferCreateLevel_(#SAFER_SCOPEID_USER,
                       #SAFER_LEVELID_NORMALUSER,
                       #SAFER_LEVEL_OPEN,
                       @hSafer,
                       0)
    
    If SaferComputeTokenFromLevel_(hSafer,
                                   0,
                                   @hToken,
                                   0,
                                   0)
      
      si\cb = SizeOf(STARTUPINFO)
      si\dwFlags = #STARTF_USESHOWWINDOW
      si\wShowWindow = iShowflag
      
      lReturn = CreateProcessAsUser_(hToken,
                                     0,
                                     iCommand,
                                     0,
                                     0,
                                     0,
                                     0,
                                     0,
                                     0,
                                     @si,
                                     @pi)
    EndIf
    SaferCloseLevel_(hSafer)    
  EndIf
  
  If IsLibrary(hAdvapi32)
    CloseLibrary(hAdvapi32)
  EndIf
  
  ProcedureReturn lReturn  
EndProcedure

RunProgram("c:\windows\system32\cmd.exe")
RunAsNormalUser(@"c:\windows\system32\cmd.exe")

When the program is run "as administrator", Both cmd's are created also elevated

**BUT** if I run my test program; it is launched w/o elevation. Curious, but I think it may work!!!

[jassing]

Code: Select all

cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"

When I run that from an elevated command prompt (in a batch file) the program is run with elevated rights.

Code: Select all

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\temp\\isuseradmin.exe"="RunAsInvoker"

Regardless if I ran my elevated user test or elevated cmd then ran it; if run from an elevated app, it too was elevated.

[fryquez]

Hmm, yes the new process is flagged as elevated and high integrity, but have the rights of a normal user.

It would look better with logon token obtained by WinStationQueryInformationW, but it requires system rights.

Maybe stealing explorer.exe token is an alternative: https://www.purebasic.fr/german/viewtop ... 85#p311385

[jassing]

Hmm, yes the new process is flagged as elevated and high integrity, but have the rights of a normal user.

It would look better with logon token obtained by WinStationQueryInformationW, but it requires system rights.

Maybe stealing explorer.exe token is an alternative: https://www.purebasic.fr/german/viewtop ... 85#p311385

Thanks.
What was curious is that I ran cmd.exe, both came up as "Administrator" -- and when I ran the elevated tester, they both showed elevated; but when I ran the elevated tester directly it worked. Clearly, more testing is needed.

Thanks for the link -- gives me more to look at.

-j

[RASHAD]

Hi
I suggest to have 3 programs
1 st. one (Main) works like an Invisible watch dog that starts your Main program and keep looking ( compile in User mode )

2 nd. one is your main and it should be compiled with admin rights
(compile using Admin mode)

3 rd. one should be compiled normally
(compile in user mode)

When you want to run the normal one just send a flag to the watch dog to run it

I made a test and it works fine with me

[jassing]

Great idea! Simple, I like it! thanks.