Run a program with limited rights

webfork
Posts: 9261
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Run a program with limited rights

#1 Post by webfork » Thu Jan 30, 2020 7:16 pm

Short version: Why would I want to run a program differently than usual? Because most people have their setup to run everything as admin, which isn't always necessary. Why give programs more controls than they require?

Long version: Running with limited rights means restrictions on a given program and (ideally) the damage it can do if malicious. This is not the same as a sandbox (e.g. Sandboxie), which is more secure, but also more complex. It's important here on TPFC to determine whether or not a program requires admin rights on a given computer (e.g. VeraCrypt), to help users who may not have admin access (for work, school, or secured computers).

Other uses for running in limited mode:
  • Suppress UAC prompts for programs that request, but don't really need admin (those that need it won't function)
  • Encourage developers to avoid resource overreach, meaning some programs really don't need admin capability

Ghacks has an article discussing more about the advantages, but I couldn't get the highlighted program to work.

To run in limited mode:

I recommend the suggestions over at TechSupportAlert, which include:
  1. PsExec (PsExec.exe -l -d) -- Part of the PSTools collection.
  2. Process Explorer:

    Image

Does anyone else have any recommendations? I'd love to see a simple drag-and-drop program to run something with restricted status.

vevy
Posts: 266
Joined: Tue Sep 10, 2019 11:17 am

Re: Run a program with limited rights

#2 Post by vevy » Thu Jan 30, 2020 9:14 pm

You could try this (also, see the comments):
https://www.ghacks.net/2019/10/17/run-w ... tedrights/

Also, maybe use the Task Scheduler UAC skip trick but the other way around? Looks like a hassle though (if it would even work).

Also, this could help:
https://autohotkey.com/board/topic/7281 ... ntry522235
I do NOT have other accounts.

billon
Posts: 757
Joined: Sat Jun 23, 2012 4:28 pm

Re: Run a program with limited rights

#3 Post by billon » Thu Jan 30, 2020 9:22 pm



Re: Run a program with limited rights

#4 Post by webfork » Fri Jan 31, 2020 6:49 am

vevy wrote:
Thu Jan 30, 2020 9:14 pm
You could try this (also, see the comments):
https://www.ghacks.net/2019/10/17/run-w ... tedrights/
I did (that link is above in the Ghacks bit) and unfortunately that program didn't work for me. I also tried the cmd /C mentioned in comments. I haven't tested DropMyRights but have my fears about Win10 functionality in a 14 yr old program.
vevy wrote:
Thu Jan 30, 2020 9:14 pm
Also, this could help: https://autohotkey.com/board/topic/7281 ... ntry522235
I'll check that out, thanks.
billon wrote:
Thu Jan 30, 2020 9:22 pm
AdvancedRun?
It's a good suggestion and, looking through the help file, you should be able to select "Run As..." "Current User - Without UAC Elevation" and have it behave as a non-admin program. Unfortunately, that doesn't look to be the case as I was able to run VeraCrypt and mount containers, functions that require admin.

Still a good suggestion. Might need to reach out to Nirsoft, as this program has a lot of other great features as well (including CLI options).

lautrepay
Posts: 711
Joined: Sat Mar 26, 2011 2:31 am

Re: Run a program with limited rights

#5 Post by lautrepay » Fri Jan 31, 2020 8:51 am

runas /trustlevel:0x20000 "YourCommandHere"

You can list available trust levels by running

runas /showtrustlevels


Re: Run a program with limited rights

#6 Post by webfork » Fri Jan 31, 2020 10:58 am

lautrepay wrote:
Fri Jan 31, 2020 8:51 am

runas /trustlevel:0x20000 "YourCommandHere"

You can list available trust levels by running

runas /showtrustlevels

So I set it up as a batch file (test.bat):

Image

Result:
Image

It worked! Thanks!

---

EDIT: More detail on the Windows runas command.


Re: Run a program with limited rights

#7 Post by webfork » Fri Jan 31, 2020 11:03 am

I did some more digging on the forums and found another solution to this problem from the sordum team: RunAsTool. Unfortunately this seems to require an encrypted admin account to even start, so it's not functional on my system.


Re: Run a program with limited rights

#8 Post by lautrepay » Fri Jan 31, 2020 3:01 pm

webfork wrote:
Fri Jan 31, 2020 10:58 am
It worked! Thanks!
You're welcome

Midas
Posts: 5343
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Run a program with limited rights

#9 Post by Midas » Sat Feb 01, 2020 2:16 pm

@lautrepay: great tip! :sunglasses:

And thanks to webfork for the prompt testing. :thumbsup:

A couple of alternatives that may be relevant here:

- Conemu csudo (https://conemu.github.io/en/csudo.html)
- Elevate (http://code.kliu.org/misc/elevate/)
- Gsudo (https://github.com/gerardog/gsudo)
- Sudowin (https://sourceforge.net/projects/sudowin/)

FYI, there's also a Gibson Research page devoted to DropMyRights at https://www.grc.com/sn/notes-176.htm.


Re: Run a program with limited rights

#10 Post by vevy » Fri Feb 07, 2020 7:59 pm

I do NOT have other accounts.


Re: Run a program with limited rights

#11 Post by webfork » Fri Jun 05, 2020 6:59 pm

Quick follow-up here:

So I tested Notepad++ inside a limited process using the runas /trustlevel:0x20000 "YourCommandHere" method on a work computer. On one device, it meant I couldn’t save any files to a folder on my desktop. I tested my Autover backup/versioning program but the main window wouldn’t appear nor an icon in the system tray.

I was hoping that "limited user" just meant the same permissions as a non-admin e.g. can't make changes to system folders and other \User folders, and forces the program to remain in userspace (prevents any UAC prompts for admin access). This looked like a way to basically take all the teeth out of a program, maybe workable for testing, text transformation that happens on the clipboard, or any viewer program.

I got a mixed result when I ran a second test on my home machine and notepad saved files just fine, so it looks like Limited User controls might vary depending on your security settings.

Anyway, I'll try to work this into future freeware portability testing and post back here if something useful comes up.
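
Added example, not part of any post in this thread: a PowerShell self-check to run once normally and once under the runas /trustlevel:0x20000 command from post #5, so that differences like those reported in post #11 (saving failing on one machine but not another) can be compared side by side. The script name, the placeholder path, the probe file name and the three probed folders are assumptions made for this example.

```powershell
# check-rights.ps1 (hypothetical name): added example, not code from the thread.
# Run once normally and once under the restricted token, then compare, e.g.
#   runas /trustlevel:0x20000 "powershell -NoExit -File C:\Tools\check-rights.ps1"
# (C:\Tools is a placeholder path.)

# Well-known RIDs of the mandatory integrity label SIDs (S-1-16-<RID>).
$IntegrityNames = @{ '0' = 'Untrusted'; '4096' = 'Low'; '8192' = 'Medium'
                     '12288' = 'High'; '16384' = 'System' }

function Test-Write([string]$Dir) {
    # Create and delete a uniquely named probe file; $false means the write failed.
    $probe = Join-Path $Dir ('rights-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        return $true
    } catch { return $false }
}

function Get-TokenReport {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole is true only when the Administrators SID is enabled in the token,
    # not when it is merely present as a deny-only group.
    $adminOn   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # /nh drops the localized header row so columns can be named here; match on SIDs.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label  = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $rid    = if ($label) { $label.Sid.Split('-')[-1] } else { 'none' }
    $level  = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { "RID $rid" }

    [pscustomobject]@{
        User               = $id.Name
        IntegrityLevel     = $level
        AdminsSidInToken   = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })
        AdminsSidEnabled   = $adminOn
        CanWriteDesktop    = (Test-Write ([Environment]::GetFolderPath('Desktop')))
        CanWriteTemp       = (Test-Write $env:TEMP)
        CanWriteWindowsDir = (Test-Write $env:windir)
    }
}

Get-TokenReport | Format-List
```

If the restricted run still reports AdminsSidEnabled as True or an IntegrityLevel of High, the launch did not drop rights; the CanWrite lines show which folders the restricted token can actually write to on that machine.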
