Windows/UAC - Launch another program not as administrator?
Does anyone have a way to run a program from an elevated user (i.e. program "run as" administrator)?
If you use runprogram() or shellexecute_(), it inherits the elevation; what I need is for the new program to not run as administrator despite being launched from an elevated program...
Re: Windows/UAC - Launch another program not as administrator?
Hi jassing
Run as Invoker
See which one will suit you
And I think NirSoft has some tool to do it
Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run without privilege elevation"

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

;************************************************************************
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
;****************************** Compatibility Shim ******************************************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"
Egypt my love
Re: Windows/UAC - Launch another program not as administrator?
Thank you, Rashad - Using compatibility layer in a batch file doesn't actually do much - it does not "de-elevate" (I've tried it)
Compile to exe.
Then run it using the compat_layer from an "as administrator" exe - it's still 'admin' and the compat layer is set....
Code:
; Report whether this process is elevated and what __COMPAT_LAYER contains
v$ = #CRLF$ + GetEnvironmentVariable("__COMPAT_LAYER")
If IsUserAnAdmin_()
  MessageRequester("test", "admin" + v$)
Else
  MessageRequester("test", "user" + v$)
EndIf
Re: Windows/UAC - Launch another program not as administrator?
Just tested NirSoft utility with your example compiled as Admin
It worked as expected
No admin
Re: Windows/UAC - Launch another program not as administrator?
RASHAD wrote: Mon May 15, 2023 7:55 am
> Just tested NirSoft utility with your example compiled as Admin
> It worked as expected
> No admin
I'll have a look at nirsoft -- sorry, I was focused on the compat layer...
Re: Windows/UAC - Launch another program not as administrator?
Is there a way to do this without a third-party tool like the one from NirSoft? It's not professional to rely on someone else's tool for your product.
My scenario: I'm logged in as a standard user, but run my exe with admin rights (I enter the UAC password). My app then needs to launch another exe as standard, but currently can't because the launched app inherits admin rights (as Jassing noted).
Re: Windows/UAC - Launch another program not as administrator?
Hi BarryG,
BarryG wrote:
> Is there a way to do this without a third-party tool like the one from NirSoft?
Yes, but it requires compiling a separate executable...
AFAIK there isn't a way to de-elevate a process, but you can duplicate the token of an existing process and use it to run an executable without elevation.
Last edited by JHPJHP on Sat Oct 19, 2024 1:29 am, edited 5 times in total.
If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
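The token-duplication approach described in the post above, as an added example that is not part of the thread and is not JHPJHP's RunProcess code: it copies the desktop shell's token and starts the child with it, so the child runs as the shell's user without elevation. Assumptions: Windows Vista or later, a Unicode PureBasic build, a shell process running in the same session, and an elevated caller; `RunUnelevated()`, the `#RU_` constants and the prototype name are hypothetical names introduced here.

```purebasic
; Added example: launch a program with the desktop shell's unelevated token.
; RunUnelevated() and the #RU_ names are hypothetical; the constant values
; are those of the Windows SDK headers.
#RU_PROCESS_QUERY_INFORMATION = $0400
#RU_TOKEN_DUPLICATE = $0002
; TOKEN_ASSIGN_PRIMARY | DUPLICATE | QUERY | ADJUST_DEFAULT | ADJUST_SESSIONID
#RU_TOKEN_ACCESS = $0001 | $0002 | $0008 | $0080 | $0100
#RU_SecurityImpersonation = 2 ; SECURITY_IMPERSONATION_LEVEL
#RU_TokenPrimary = 1          ; TOKEN_TYPE

Prototype.l RU_CreateProcessWithTokenW(hToken, logonFlags.l, *appName, *cmdLine, creationFlags.l, *env, *curDir, *startupInfo, *procInfo)

Procedure.i RunUnelevated(CommandLine$)
  Protected advapi, hShellWnd, pid.l, hProcess, hShellToken, hNewToken, ok = #False
  Protected CreateWithToken.RU_CreateProcessWithTokenW
  Protected si.STARTUPINFO, pi.PROCESS_INFORMATION

  advapi = OpenLibrary(#PB_Any, "advapi32.dll")
  If advapi = 0 : ProcedureReturn #False : EndIf
  CreateWithToken = GetFunction(advapi, "CreateProcessWithTokenW")
  hShellWnd = GetShellWindow_()            ; 0 if no shell is running
  If CreateWithToken And hShellWnd
    GetWindowThreadProcessId_(hShellWnd, @pid)
    hProcess = OpenProcess_(#RU_PROCESS_QUERY_INFORMATION, #False, pid)
    If hProcess
      If OpenProcessToken_(hProcess, #RU_TOKEN_DUPLICATE, @hShellToken)
        ; Copy the shell's token as a primary token usable for a new process
        If DuplicateTokenEx_(hShellToken, #RU_TOKEN_ACCESS, #Null, #RU_SecurityImpersonation, #RU_TokenPrimary, @hNewToken)
          si\cb = SizeOf(STARTUPINFO)
          ; CommandLine$ is a local copy, so the API may modify the buffer
          If CreateWithToken(hNewToken, 0, #Null, @CommandLine$, 0, #Null, #Null, @si, @pi)
            CloseHandle_(pi\hThread)
            CloseHandle_(pi\hProcess)
            ok = #True
          EndIf
          CloseHandle_(hNewToken)
        EndIf
        CloseHandle_(hShellToken)
      EndIf
      CloseHandle_(hProcess)
    EndIf
  EndIf
  CloseLibrary(advapi)
  ProcedureReturn ok ; #False when any step failed
EndProcedure

If Not RunUnelevated("notepad.exe")
  MessageRequester("RunUnelevated", "Could not start the unelevated process")
EndIf
```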
Re: Windows/UAC - Launch another program not as administrator?
Microsoft's Raymond Chen says it's not possible from an elevated process -> https://devblogs.microsoft.com/oldnewth ... 0/?p=94735
So I don't know how NirSoft is doing it. (Having said that, I didn't try it with my scenario; I'm just going by the comments above).
Re: Windows/UAC - Launch another program not as administrator?
Hi BarryG,
Since you didn't mention it, I'm guessing the solution I offered didn't interest you; my previous post has been updated.
BarryG wrote:
> So I don't know how NirSoft is doing it.
Unfortunately, if you're referring to the command-line tool RunWithoutElevation, it cannot de-elevate a process executed from one with elevation.
The result is the same as described by Raymond Chen in the article you referenced: Is RunAsInvoker a secret, even higher UAC setting?
• Simple manifest override using compatibility options set from a command shell: What does '__COMPAT_LAYER' actually do?
• In PureBasic terms, it overrides the Compiler Option "Request Administrator mode" before the application is executed.
Re: Windows/UAC - Launch another program not as administrator?
JHPJHP wrote: Tue Oct 15, 2024 10:57 pm
> Since you didn't mention it, I'm guessing the solution I offered didn't interest you; my previous post has been updated.
No, it's not like that. I read everything but don't always test or do any suggestions at the time; and then sometimes I just post further musings about it. Probably a bad idea, in hindsight. Don't take it the wrong way.
I just took a look at your "RunExeAsSYSTEM" source but even though I ran it elevated and then ran another exe with the SYSTEM option, it doesn't show SYSTEM in Task Manager for it? I'm probably using it wrong, though.


Re: Windows/UAC - Launch another program not as administrator?
Hi BarryG.
From the image you posted I'm able to determine that it's not a recent version of the program.
• While Run Executable as SYSTEM uses some of the same scripts, it's not what I was referring to.
• I've created an include file that does exactly what you're requesting, initiated from a single Procedure call.
• As was previously mentioned, a separate compiled executable is part of the package; executable script included.
Sent you a PM with the following link: RunProcess.zip
➤ Each example can do what you're requesting:
• RPaU.pb: Run Process as User (current logged-in user account).
• SICP.pb: Start Interactive Client Process (requires a username and password to an existing user account).
Each example opens two command prompt windows:
1. Display User, Group and Privilege information for SYSTEM.
• Elevated process executing a program as SYSTEM.
2. Display User, Group and Privilege information for a user account.
• Elevated process executing a program in a non-elevated process.
The first Procedure call is not needed, it's only there to demonstrate an elevated process to SYSTEM.
Re: Windows/UAC - Launch another program not as administrator?
I have an old version of RunExeAsSYSTEM from February 2023, compiled in 64 bit, it seems to work well here win 10 x64


Last edited by ChrisR on Thu Oct 17, 2024 3:23 pm, edited 1 time in total.
Re: Windows/UAC - Launch another program not as administrator?
Why not do it the other way around?
Run as User initially, then run a 2nd process of the same program as Admin.
Then the 2 processes have to communicate with each other...
Code:
; Start a program through the "runas" verb, which triggers the UAC prompt
Procedure RunAsAdmin(ProgramName$, Parameters$ = "", WorkingDirectory$ = "")
  Protected shExecInfo.SHELLEXECUTEINFO
  With shExecInfo
    \cbSize = SizeOf(SHELLEXECUTEINFO)
    \lpVerb = @"runas"
    \lpFile = @ProgramName$
    \lpParameters = @Parameters$
    \lpDirectory = @WorkingDirectory$
    \nShow = #SW_NORMAL
  EndWith
  ProcedureReturn ShellExecuteEx_(shExecInfo)
EndProcedure

; Unelevated instance: start a second, elevated instance of this program
If Not IsUserAnAdmin_()
  If Not RunAsAdmin(ProgramFilename())
    End
  EndIf
EndIf

; Both instances report their own process ID and elevation state
If IsUserAnAdmin_()
  MessageRequester("Information", "ProcessID: " + Str(GetCurrentProcessId_()) + " Run as Admin")
Else
  MessageRequester("Information", "ProcessID: " + Str(GetCurrentProcessId_()) + " Run as User")
EndIf
Re: Windows/UAC - Launch another program not as administrator?
Hi ChrisR,
Thank you for confirming the older version of Run Executable as SYSTEM is working as it should. It supports my concern that the security settings BarryG has set may not be compatible with the code I provided. That's not to say that either thing is wrong, just that they don't work together. Sometimes you need to limit security, and Microsoft justifiably doesn't allow user accounts with lower security, access to elevated privileges.
Your second post is smart out-of-the-box thinking, something that has helped make IceDesign GUI Designer a success.
BarryG can determine if it's a viable solution, but in all the times where my program required elevated privileges but still needed access to a local user account, this would not have worked. Take for instance a Windows service where the process runs as SYSTEM but required access to a local user account.
Last edited by JHPJHP on Sat Oct 19, 2024 1:33 am, edited 2 times in total.
Re: Windows/UAC - Launch another program not as administrator?
@JHPJHP: I'll do more testing tonight. (Got your PM, too).