12

Is it possible to run a command without elevated privileges from batch file that was run with elevated privileges?

5 Answers

6

I've tried explorer <full path to command to execute> and it works.

My idea was: Some time ago I tried to run explorer elevated from an elevated prompt without success. Also, when I tried to create a shortcut to explorer, the Run As Admin option was grayed out.

I thought here is the time to turn explorer's behavior to a benefit.

5

I found two ways of doing this:

First one requires Nirsoft's RunFromProcess.exe program. Assuming the process explorer.exe is not running elevated, this will work:

runfromprocess explorer.exe cmd.exe /k pushd %temp%

or

runfromprocess explorer.exe "C:\full path\to\bat\file.bat"

A better way to do it is to use the program DeElevate.exe from Stardock:

DeElevate.exe "C:\full path\to\bat\file.bat" ["parameters"]

or

DeElevate.exe "C:\full path\to\program.exe" ["parameters"]

for example, this will work:

DeElevate.exe cmd.exe "/k pushd %temp%"

You can find the program DeElevate.exe as part of the Groupy application:

http://storage.stardock.com/files/current/Groupy-sd-setup.exe

After installing it (preferably in a sandbox or in a virtual machine) you will only need the files DeElevate64.exe, DeElevator64.dll from the directory "C:\Program Files (x86)\Stardock\Groupy\" if your system is 64 bits or the files DeElevate.exe, DeElevator.dll from "C:\Program Files\Stardock\Groupy\" if your system is 32 bits.

liamZ
  • 151
5

This seems to work.

runas /trustlevel:0x20000 <program>

(elevation privilege can be tested in a batch file like this)

I got the hint from runas /? where it says

/showtrustlevels  displays the trust levels that can be used as arguments 
                   to /trustlevel.
/trustlevel       <Level> should be one of levels enumerated 
                   in /showtrustlevels.

runas /showtrustlevels outputs

The following trust levels are available on your system:
0x20000 (Basic User)

I haven't any deeper understanding but it seems to do the job.


Welp, turns out that this is causing issues, at least for me.
My purpose involved launching Chrome but all pages crash and fail to load.
Another issue is I can't drag-n-drop items to and from applications launched this way and the normal way.


Task Scheduler is another way. It doesn't cause the above-mentioned issues, although you have to create specific tasks in advance.

1

There is another tool that is even more simple and (theoretically!) compatible with Windows XP/2000 too. Another advantage is that, unlike DeElevate, it works for both x32 and x64 architecture.

Download: RunAsCurrentUser-2.0.3.1.exe by BigFix
Usage: RunAsCurrentUser-2.0.3.1.exe [--w] [--q] <cmd-to-run>

Like other tools, it uses the information from explorer.exe to get the token for the logged-on user as credentials, and therefore it needs elevated rights. If it is invoked unelevated, nothing happens or only another Explorer window is opened. The same goes for Windows prior to Vista, as the explorer.exe token was not available there yet, but RunAsCurrentUser-2.0.3.1.exe at least would not throw any error in this case.

An alternative is NirSoft's AdvancedRun.exe with parameters /RunAs 5 /RunAsProcessName "explorer.exe" (please see full usage on their website https://www.nirsoft.net/utils/advanced_run.html). Their main advantage is that their switch /WaitProcess 1 waits until the child process has terminated, whereas all other mentioned tools will not.

Forget about runas /trustlevel:0x20000 <program>; Microsoft screwed up in recent versions of Windows 10/11, so it only works if the architecture is added as a param (but sometimes it refuses even then). It was a great trick before but now it's almost worthless. The bug has been known for several years now but MS never fixed it.

At last a few important reminders about that trick:

  • like I mentioned earlier, it needs Windows Vista or higher to work, plus elevated rights
  • de-elevate is nothing malicious as the process's permissions will be reduced to 0x20000 aka medium-integrity-level, but some antivirus software or SOAR (security orchestration, automation and response) modules may detect this behaviour anyway: they watch the spawned program as a user session you didn't enter credentials for and assume a trojan. So, be careful when using it at work.
  • it will NOT prevent the UAC from appearing again if the app's manifest or compatibility settings contain a flag like RUNASADMIN. If you are searching for a solution for that, you should consider using the trick with set __COMPAT_LAYER=RunAsInvoker or NirSoft's "AdvancedRun" with the param /RunAs 5, as it forces the process to run without elevation for the endurance and range of that process (this would not leave any permanent changes to your environment variables at all).
  • as it uses the actual user's explorer.exe to do that, its so-called "Un-Elevation" is limited by the account rights you logged on with. In other words: if you logged on as the "Administrator" (high-integrity-level by default with no UAC), it cannot bring you to medium-integrity-level, so the spawned app continues to use the high one. The same goes for guest accounts (till Windows 7), where it results in low-integrity-level and never reaches the state of medium.
  • Concluding from these facts, we should better call this tweak "RunAs-Undo" instead of "Un/DeElevation", as it levels down to the exact state before UAC aka runas.exe was used for the interactive logged-on session. You cannot say it always un-elevates you, because this rule does not apply to special Windows account types and it cannot bypass the compatibility/manifest settings of the target app.
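
The answers above talk about medium, high and low integrity levels without showing how to confirm which one a launched process actually received. The following batch file is an added example, not code from any answer; the file name il-check.cmd is hypothetical, and the deny-only match assumes English whoami output.

```batch
@echo off
rem Added example (hypothetical name: il-check.cmd), not from the answers.
rem Reports the integrity level of the process that runs this script.
rem Optional argument: a file to write the result to, so an elevated
rem parent batch can read what its de-elevated child actually got.
setlocal
set "LEVEL=unknown"
set "ADMIN=absent"

rem Mandatory label SIDs are fixed Windows values:
rem S-1-16-4096 low, S-1-16-8192 medium, S-1-16-12288 high, S-1-16-16384 system
whoami /groups | findstr /C:"S-1-16-4096" >nul && set "LEVEL=low"
whoami /groups | findstr /C:"S-1-16-8192" >nul && set "LEVEL=medium"
whoami /groups | findstr /C:"S-1-16-12288" >nul && set "LEVEL=high"
whoami /groups | findstr /C:"S-1-16-16384" >nul && set "LEVEL=system"

rem BUILTIN\Administrators (S-1-5-32-544): on a UAC-filtered token the
rem group is listed as deny-only. The text match assumes English output.
whoami /groups | findstr /C:"S-1-5-32-544" >nul && set "ADMIN=enabled"
whoami /groups | findstr /C:"S-1-5-32-544" | findstr /I /C:"deny only" >nul && set "ADMIN=deny-only"

echo Integrity level: %LEVEL%, Administrators group: %ADMIN%
if not "%~1"=="" >"%~1" echo %LEVEL% %ADMIN%

rem Exit code 0 only when the process is not elevated
if "%LEVEL%"=="low" exit /b 0
if "%LEVEL%"=="medium" exit /b 0
exit /b 1
```

Run it once directly from the elevated prompt and once through the launch method being tested, passing a path such as "%TEMP%\il.txt", then compare the two results.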
0

The only way that works for me without using any third party software is by using task scheduler.

  1. Create a new task for running the command.
  2. Do not tick "Run with highest privileges".
  3. Specify your command in the actions tab.
  4. Then from the elevated command prompt, execute: schtasks /Run /TN YourTaskName
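
The same four steps can be done from the elevated prompt without the Task Scheduler GUI. This wrapper is an added example, not the answerer's code; the script name run-limited.cmd, the task-name prefix and the two-second wait before deletion are assumptions.

```batch
@echo off
rem Added example (hypothetical name: run-limited.cmd), not from the answer.
rem Runs one command without elevation through a temporary scheduled task.
rem Usage from an elevated prompt:
rem   run-limited.cmd "C:\full path\to\bat\file.bat"
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "command to run without elevation"
    exit /b 2
)

rem Hypothetical task name; %RANDOM% avoids clashing with an existing task.
set "TASK=RunLimited_%RANDOM%"

rem /RL LIMITED is the command-line form of leaving "Run with highest
rem privileges" unticked. /IT runs the task in the logged-on user's session.
rem /SC ONCE needs a start time; 00:00 is a dummy because /Run starts it.
schtasks /Create /TN "%TASK%" /TR "\"%~1\"" /SC ONCE /ST 00:00 /RL LIMITED /IT /F >nul
if errorlevel 1 (
    echo Failed to create task %TASK%
    exit /b 1
)

schtasks /Run /TN "%TASK%" >nul
set "RC=%ERRORLEVEL%"

rem Assumed grace period so the scheduler can start the action,
rem then remove the task so nothing is left behind.
timeout /t 2 /nobreak >nul
schtasks /Delete /TN "%TASK%" /F >nul
exit /b %RC%
```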