Page 1 of 1
Run a program with limited rights [resolved]
Posted: Thu Jan 30, 2020 7:16 pm
by webfork
Short version: Why would I want to run a program different than usual? Because most people have their setup to run everything as admin, which isn't always necessary. Why give programs more controls than they require?
Long version: Running with limited rights means restrictions on a given program and (ideally) the damage it can do if malicious. This is not the same as a sandbox (e.g.
Sandboxie), which is more secure, but also more complex. It's important here on TPFC to determine whether or not a program requires admin rights on a given computer (e.g. Veracrypt), to help users who may not have admin access (for work, school, or secured computers).
Other uses for running in limited mode:
- Suppress UAC prompts for programs that request, but don't really need admin (those that need it won't function)
- Encourage developers to avoid resource overreach, meaning some programs really don't need admin capability
Ghacks has an article discussing more about
the advantages, but I couldn't get the highlighted program to work.
To run in limited mode:
I recommend the suggestions over at
TechSupportAlert, which includes:
- PsExec (PsExec.exe -l -d) -- Part of the PSTools collection.
- Process Explorer:
Does anyone else have any recommendations? I'd love to see a simple drag-and-drop program to run something with restricted status.
Re: Run a program with limited rights
Posted: Thu Jan 30, 2020 9:14 pm
by vevy
You could try this (also, see the comments):
https://www.ghacks.net/2019/10/17/run-w ... tedrights/
Also, maybe use the Task Scheduler UAC skip trick but the other way around? Looks like a hassle though (if it would even work).
Also, this could help:
https://autohotkey.com/board/topic/7281 ... ntry522235
Re: Run a program with limited rights
Posted: Thu Jan 30, 2020 9:22 pm
by billon
Re: Run a program with limited rights
Posted: Fri Jan 31, 2020 6:49 am
by webfork
I did (that link is above in the Ghacks bit) and unfortunately that program didn't work for me. I also tried the cmd /C mentioned in comments. I haven't tested DropMyRights but have my fears about Win10 functionality in a 14 yr old program.
I'll check that out, thanks.
It's a good suggestion and, looking throught he help file, you should be able to select "Run As..." Current User - Without UAC Elevation" and have it behave as a non-admin program. Unfortunately, that doesn't look to be the case as I was able to run VeraCrypt and mount containers, functions that require admin.
Still a good suggestion. Might need to reach out to Nirsoft, as this program has a lot of other great features as well (including CLI options).
Re: Run a program with limited rights
Posted: Fri Jan 31, 2020 8:51 am
by lautrepay
Code: Select all
runas /trustlevel:0x20000 "YourCommandHere"
You can list available trust levels by running
Re: Run a program with limited rights
Posted: Fri Jan 31, 2020 10:58 am
by webfork
lautrepay wrote: ↑Fri Jan 31, 2020 8:51 am
Code: Select all
runas /trustlevel:0x20000 "YourCommandHere"
You can list available trust levels by running
So I set it up as a batch file (test.bat):
(click to zoom in)
Result:
It worked! Thanks!
---
EDIT: More detail on the Windows
runas command.
Re: Run a program with limited rights
Posted: Fri Jan 31, 2020 11:03 am
by webfork
I did some more digging on the forums and found another solution to this problem from the sordum team:
RunAsTool. Unfortunately this seems to require an encrypted admin account to even start, so it's not functional on my system.
Re: Run a program with limited rights
Posted: Fri Jan 31, 2020 3:01 pm
by lautrepay
webfork wrote: ↑Fri Jan 31, 2020 10:58 am
It worked! Thanks!
You're welcome
Re: Run a program with limited rights
Posted: Sat Feb 01, 2020 2:16 pm
by Midas
@
lautrepay: great tip!
And thanks to
webfork for the prompt testing.
A couple of alternatives that may be relevant here:
-
Conemu csudo (
https://conemu.github.io/en/csudo.html)
-
Elevate (
http://code.kliu.org/misc/elevate/)
-
Gsudo (
https://github.com/gerardog/gsudo)
-
Sudowin (
https://sourceforge.net/projects/sudowin/)
FYI, there's also a Gibson Research page devoted to
DropMyRights at
https://www.grc.com/sn/notes-176.htm.
Re: Run a program with limited rights
Posted: Fri Feb 07, 2020 7:59 pm
by vevy
Re: Run a program with limited rights
Posted: Fri Jun 05, 2020 6:59 pm
by webfork
Quick follow-up here:
So I tested Notepad++ inside a limited process using the runas /trustlevel:0x20000 "YourCommandHere" method on a work computer. On one device, it meant I couldn’t save any files to a folder on my desktop. I tested my Autover backup/versioning program but the main window wouldn’t appear nor an icon in the system tray.
I was hoping that "limited user" just meant the same permissions as a non-admin e.g. can't make changes to system folders and other \User folders, and forces the program to remain in userspace (prevents any UAC prompts for admin access). This looked like a way to basically take all the teeth out of a program, maybe workable for testing, text transformation that happens on the clipboard, or any viewer program.
I got a mixed result when I ran a second test on my home machine and notepad saved files just fine, so it looks like Limited User controls might vary depending on your security settings.
Anyway, I'll try to work this into future freeware portability testing and post back here if something useful comes up.
Re: Run a program with limited rights [resolved]
Posted: Tue Jun 07, 2022 5:46 am
by webfork
I found something approaching a graphical interface option for a limited process launch option using
Lautrepay's solution with
Sordum's PowerRun.
The RunAs file location on Win10 is:
And the launch text in the image above is:
Code: Select all
/trustlevel:0x20000 "C:\Temp\MonitorOff\MonitorOff_x64.exe"
Just swap out the file location and it'll work easily.
You can also generate a batch of limited launch triggers by modifying
PowerRun.ini:
Code: Select all
1=C:\Windows\SysWOW64\runas.exe|C:\Temp\MonitorOff\|/trustlevel:0x20000 "C:\Temp\MonitorOff\MonitorOff_x64.exe"