Windows/UAC - Launch another program not as administrator?

Posted: Mon May 15, 2023 4:44 am
by jassing
Does anyone have a way to run a program from an elevated user (i.e. a program "run as" administrator)?
If you use runprogram() or shellexecute_(), it inherits the elevation; what I need is for the new program to not run as administrator despite being launched from an elevated program...

Re: Windows/UAC - Launch another program not as administrator?

Posted: Mon May 15, 2023 6:43 am
by RASHAD
Hi jassing
Run as Invoker
See which one will suit you
And I think NirSoft has some tool to do it

Code:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run without privilege elevation"

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

;************************************************************************
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
;******************************  Compatibility Shim  ******************************************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"

Re: Windows/UAC - Launch another program not as administrator?

Posted: Mon May 15, 2023 7:04 am
by jassing
Thank you, Rashad - Using compatibility layer in a batch file doesn't actually do much - it does not "de-elevate" (I've tried it)

Code:

v$ = #CRLF$+GetEnvironmentVariable("__COMPAT_LAYER")
If IsUserAnAdmin_()
  MessageRequester("test","admin"+v$)
Else
  MessageRequester("test","user"+v$)
EndIf
Compile to exe.

Then run it using the compat_layer from an "as administrator" exe - it's still 'admin' and the compat layer is set....

Re: Windows/UAC - Launch another program not as administrator?

Posted: Mon May 15, 2023 7:55 am
by RASHAD
Just tested NirSoft utility with your example compiled as Admin
It worked as expected :)
No admin

Re: Windows/UAC - Launch another program not as administrator?

Posted: Mon May 15, 2023 8:04 am
by jassing
RASHAD wrote: Mon May 15, 2023 7:55 am Just tested NirSoft utility with your example compiled as Admin
It worked as expected :)
No admin
I'll have a look at nirsoft -- sorry, I was focused on the compat layer...

Re: Windows/UAC - Launch another program not as administrator?

Posted: Tue Oct 15, 2024 1:15 pm
by BarryG
Is there a way to do this without a third-party tool like the one from NirSoft? It's not professional to rely on someone else's tool for your product.

My scenario: I'm logged in as a standard user, but run my exe with admin rights (I enter the UAC password). My app then needs to launch another exe as standard, but currently can't because the launched app inherits admin rights (as Jassing noted).

Re: Windows/UAC - Launch another program not as administrator?

Posted: Tue Oct 15, 2024 2:25 pm
by JHPJHP
Hi BarryG,
BarryG wrote: Is there a way to do this without a third-party tool like the one from NirSoft?
Yes, but it requires compiling a separate executable...

AFAIK there isn't a way to de-elevate a process, but you can duplicate the token of an existing process and use it to run an executable without elevation.
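
The token-duplication approach mentioned in the post above, sketched in PureBasic as an added example that is not part of the original thread and is not JHPJHP's code. It assumes the "existing process" is the desktop shell (normally explorer.exe); RunAsShellUser() and the notepad.exe target are hypothetical names.

```purebasic
; Added example, not code from the thread. Windows only, Unicode build (PB 5.50+).
; RunAsShellUser() is a hypothetical helper name. The caller must already be elevated.
Prototype.l ProtoCreateProcessWithTokenW(hToken, LogonFlags.l, *AppName, *CmdLine, Flags.l, *Env, *CurDir, *si, *pi)

Procedure.i RunAsShellUser(Program$)   ; returns the new process ID, or 0 on failure
  Protected hShellWnd, shellPid.l, hProc, hTok, hDup, lib, newPid.i
  Protected si.STARTUPINFO, pi.PROCESS_INFORMATION
  Protected cmd$ = #DQUOTE$ + Program$ + #DQUOTE$   ; the API may modify this buffer
  Protected CreateWithToken.ProtoCreateProcessWithTokenW
  ; TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID
  Protected rights.l = $0001 | $0002 | $0008 | $0080 | $0100

  hShellWnd = GetShellWindow_()                    ; window owned by the desktop shell
  If hShellWnd = 0 : ProcedureReturn 0 : EndIf     ; no shell running in this session
  GetWindowThreadProcessId_(hShellWnd, @shellPid)

  hProc = OpenProcess_(#PROCESS_QUERY_INFORMATION, #False, shellPid)
  If hProc
    If OpenProcessToken_(hProc, #TOKEN_DUPLICATE, @hTok)
      ; 2 = SecurityImpersonation, 1 = TokenPrimary
      If DuplicateTokenEx_(hTok, rights, 0, 2, 1, @hDup)
        lib = OpenLibrary(#PB_Any, "advapi32.dll")
        If lib
          CreateWithToken = GetFunction(lib, "CreateProcessWithTokenW")
          si\cb = SizeOf(STARTUPINFO)
          If CreateWithToken And CreateWithToken(hDup, 0, 0, @cmd$, 0, 0, 0, @si, @pi)
            newPid = pi\dwProcessId
            CloseHandle_(pi\hThread)
            CloseHandle_(pi\hProcess)
          EndIf
          CloseLibrary(lib)
        EndIf
        CloseHandle_(hDup)
      EndIf
      CloseHandle_(hTok)
    EndIf
    CloseHandle_(hProc)
  EndIf
  ProcedureReturn newPid
EndProcedure

; Constructed sample target; only meaningful when this process is elevated.
If IsUserAnAdmin_() And RunAsShellUser("C:\Windows\System32\notepad.exe") = 0
  MessageRequester("RunAsShellUser", "Could not start the program with the shell's token")
EndIf
```

The child runs as whichever account owns the shell, so when elevation was granted by entering another account's credentials it is the logged-in standard user. The IsUserAnAdmin_() test program posted earlier in the thread can be used as the target to confirm the result.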

Re: Windows/UAC - Launch another program not as administrator?

Posted: Tue Oct 15, 2024 10:09 pm
by BarryG
JHPJHP wrote: Tue Oct 15, 2024 2:25 pm AFAIK there isn't a way to de-elevate a process
Microsoft's Raymond Chen says it's not possible from an elevated process -> https://devblogs.microsoft.com/oldnewth ... 0/?p=94735

So I don't know how NirSoft is doing it. (Having said that, I didn't try it with my scenario; I'm just going by the comments above).

Re: Windows/UAC - Launch another program not as administrator?

Posted: Tue Oct 15, 2024 10:57 pm
by JHPJHP
Hi BarryG,

Since you didn't mention it, I'm guessing the solution I offered didn't interest you; my previous post has been updated.
BarryG wrote: So I don't know how NirSoft is doing it.
Unfortunately, if you're referring to the command-line tool RunWithoutElevation, it cannot de-elevate a process executed from one with elevation.

The result is the same as described by Raymond Chen in the article you referenced: Is RunAsInvoker a secret, even higher UAC setting?
• Simple manifest override using compatibility options set from a command shell: What does '__COMPAT_LAYER' actually do?
• In PureBasic terms, it overrides the Compiler Option "Request Administrator mode" before the application is executed.

Re: Windows/UAC - Launch another program not as administrator?

Posted: Wed Oct 16, 2024 9:10 am
by BarryG
JHPJHP wrote: Tue Oct 15, 2024 10:57 pm Since you didn't mention it, I'm guessing the solution I offered didn't interest you; my previous post has been updated.
No, it's not like that. I read everything but don't always test or do any suggestions at the time; and then sometimes I just post further musings about it. Probably a bad idea, in hindsight. Don't take it the wrong way.

I just took a look at your "RunExeAsSYSTEM" source but even though I ran it elevated and then ran another exe with the SYSTEM option, it doesn't show SYSTEM in Task Manager for it? I'm probably using it wrong, though. :(

Image

Re: Windows/UAC - Launch another program not as administrator?

Posted: Wed Oct 16, 2024 11:29 pm
by JHPJHP
Hi BarryG.

From the image you posted I'm able to determine that it's not a recent version of the program.
• While Run Executable as SYSTEM uses some of the same scripts, it's not what I was referring to.
• I've created an include file that does exactly what you're requesting, initiated from a single Procedure call.
• As was previously mentioned, a separate compiled executable is part of the package; executable script included.

Sent you a PM with the following link: RunProcess.zip
➤ Each example can do what you're requesting:
RPaU.pb: Run Process as User (current logged-in user account).
SICP.pb: Start Interactive Client Process (requires a username and password to an existing user account).

Each example opens two command prompt windows:
1. Display User, Group and Privilege information for SYSTEM.
• Elevated process executing a program as SYSTEM.
2. Display User, Group and Privilege information for a user account.
• Elevated process executing a program in a non-elevated process.

The first Procedure call is not needed, it's only there to demonstrate an elevated process to SYSTEM.

Re: Windows/UAC - Launch another program not as administrator?

Posted: Thu Oct 17, 2024 3:16 pm
by ChrisR
I have an old version of RunExeAsSYSTEM from February 2023, compiled in 64-bit; it seems to work well here on Win 10 x64.

Image

Re: Windows/UAC - Launch another program not as administrator?

Posted: Thu Oct 17, 2024 3:22 pm
by ChrisR
Why not do it the other way around?
Run as User initially, then run a 2nd process of the same program as Admin.
Then the 2 processes have to communicate with each other...

Code:

Procedure RunAsAdmin(ProgramName$, Parameters$ = "", WorkingDirectory$ = "")
  Protected shExecInfo.SHELLEXECUTEINFO
  
  With shExecInfo
    \cbSize = SizeOf(SHELLEXECUTEINFO)
    \lpVerb = @"runas"
    \lpFile = @ProgramName$
    \lpParameters = @Parameters$
    \lpDirectory = @WorkingDirectory$
    \nShow = #SW_NORMAL
  EndWith
  
  ProcedureReturn ShellExecuteEx_(shExecInfo)
EndProcedure

If Not IsUserAnAdmin_()
  If Not RunAsAdmin(ProgramFilename())
    End
  EndIf
EndIf

If IsUserAnAdmin_()
  MessageRequester("Information", "ProcessID: " + Str(GetCurrentProcessId_()) + " Run as Admin")
Else
  MessageRequester("Information", "ProcessID: " + Str(GetCurrentProcessId_()) + " Run as User")
EndIf

Re: Windows/UAC - Launch another program not as administrator?

Posted: Thu Oct 17, 2024 5:03 pm
by JHPJHP
Hi ChrisR,

Thank you for confirming the older version of Run Executable as SYSTEM is working as it should. It supports my concern that the security settings BarryG has set may not be compatible with the code I provided. That's not to say that either thing is wrong, just that they don't work together. Sometimes you need to limit security, and Microsoft justifiably doesn't allow user accounts with lower security access to elevated privileges.

Your second post is smart out-of-the-box thinking, something that has helped make IceDesign GUI Designer a success.

BarryG can determine if it's a viable solution, but in all the times where my program required elevated privileges but still needed access to a local user account, this would not have worked. Take for instance a Windows service where the process runs as SYSTEM but required access to a local user account.

Re: Windows/UAC - Launch another program not as administrator?

Posted: Thu Oct 17, 2024 10:04 pm
by BarryG
@JHPJHP: I'll do more testing tonight. (Got your PM, too).