Start process as limited user from elevated script

StackOverflow https://stackoverflow.com/questions/15473015

Question

I have an elevated console running some bat files. Having this console running in elevated mode is mandatory for it to be able to perform some tasks like managing network shares, etc without asking for permissions. But sometimes the scripts also have to launch some applications which are not desired to run elevated. So we want our elevated bats to start come application in non-elevated mode. Is there any built-in way to do this on Windows? Processes were started with DOS command START up to the date.

By the way, the machine is a Windows 7 Ultimate Edition x64.

I know this isue is already discussed programatically in many questions (this collects many of them), but our requirements are bat scripts running on cmd, and any standalone executable that may help in our tasks, like nircmd, 7z, etc.

Clarification: we already have a scheduled task which starts the console elevated, and elevating the console is not the issue os this answer.

Was it helpful?

Solution

The built-in Windows way: START RUNAS ... allows you to run a process as limited user. Here's an example:

runas /trustlevel:0x20000 cmd.exe

Anyway, there are some internal differences between the execution permissions on a process executed that way and another started from the UI with UAC enabled (explorer.exe via normal user interaction, I mean, execution from file browser or from start menu).

  • On the process started via runas (right) we miss some permissions disabled: Process Explorer screenshot showing execution permissions differences
  • On the process started via runas (right) Administrators have some permisions set over the process: Process Explorer screenshot showing differences on user permissions over the processes

The Third-Party application way: we can achieve our goal using PSExec, a standalone executable we can find on PSTools from Windows Sysinternals. Here's an example:

psexec -l -d cmd.exe

I've looked very deep into the issue and I've noticed no difference in any of the running permissions or security flags.

From the Microsoft Technet blogs:

PsExec use the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token.

These are the best conslussions I've managed to get after many hours of research; anyone who can provide further details will be welcome.

OTHER TIPS

Really not my area of expertise, but would START RUNAS ... or perhaps AT fit the bill?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top