unelevate possibility?

Jun 3, 2008
137
4
Temecula, CA
If I'm running a tcc window that is elevated with full admin privileges, and want to execute a command that's "unelevated" (doesn't have the full admin privileges), how might I do that? I know how START /ELEVATED can run a command at the elevated level from an unelevated window, but I'd like to do the opposite. Is this possible?

Environment: Windows 10, TCC v16.03. (Yeah, I know, it's quite old...)
 

samintz

Scott Mintz
May 20, 2008
1,516
19
Solon, OH, USA
You could use the RUNAS command with the /trustlevel switch.
Code:
RUNAS /trustlevel:<TrustLevel> program

RUNAS /showtrustlevels

RUNAS /trustlevel:0x20000 cmd.exe
 
Jun 3, 2008
137
4
Temecula, CA
> You could use the RUNAS command with the /trustlevel switch.
> Code:
> RUNAS /trustlevel:<TrustLevel> program
>
> RUNAS /showtrustlevels
>
> RUNAS /trustlevel:0x20000 cmd.exe

Thank you, Scott, that does seem to solve the problem. Since I'm not really very familiar with the Windows security trustlevels, I executed the command from an elevated tcc window and a non-elevated one. Both returned only that 0x20000 value. Is that expected?
 
May 20, 2008
11,642
111
Syracuse, NY, USA
Hmmm! I tried RUNAS with trustlevel 0x20000 from an elevated TCC and in the new process _ELEVATED was 1.

1631222189673.png
 
Jun 3, 2008
137
4
Temecula, CA
That environment variable is great! I didn't find it in the TCC documentation. I guess I just didn't look in the right way, because it's definitely there. Well that eliminates using a 'net session' hack.

net session >nul 2>&1
if %errorLevel% == 0 (
rem Administrative permissions confirmed.
) else (
rem Administrative permissions not present.
)


Well, Vince, I get a different result (where the top tcc box is elevated):

View attachment 3469
 
Jun 3, 2008
137
4
Temecula, CA
Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

(It's been a long time since I needed to come back to this group, but it's nice to see a bunch of the long-time [notice I didn't call any of us old-timers] still using this great tool and contributing!)
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
4,521
96
Albuquerque, NM
prospero.unm.edu
> Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

No, that would not be useful in a batch file. I threw it out there mostly in case anybody was thinking about adding this feature via a plugin.
 
May 20, 2008
11,642
111
Syracuse, NY, USA
> Well, Vince, I get a different result (where the top tcc box is elevated):

I'm glad it's working for you.

Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).
 
Sep 9, 2021
2
2
Hi.

You can use gsudo to elevate or unelevate from the command line.
To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'

github.com/gerardog/gsudo
 
Jun 3, 2008
137
4
Temecula, CA
> I'm glad it's working for you.
>
> Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).

My account is a domain account that is a member of the Administrators group.

I normally start up TCC from a shortcut that has the Run As Administrator property set, so that's how it has its elevated status. I am trying to have this TCC window also execute a command while not being elevated. That's what started all of this. It seems that the runas may do what I need, but I've yet to test it.
 
Jun 3, 2008
137
4
Temecula, CA
> Hi.
>
> You can use gsudo to elevate or unelevate from the command line.
> To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'
>
> github.com/gerardog/gsudo

Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?
 
Sep 9, 2021
2
2
> Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?

Yes, -i allows you to specify an integrity level, as defined by Windows UIPI. When UAC is enabled, all normal (non-elevated) processes run as medium integrity, while elevated processes run as High. With this argument gsudo ensures no admin rights are given to the child process.
 
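To check what a launcher actually produced (the thread shows `RUNAS /trustlevel:0x20000` giving different results on two machines), the batch file below can be run inside the newly started window. It is an added example, not code from any poster or from gsudo; it relies only on `whoami /groups` and the well-known integrity-level and Administrators SIDs, and it assumes English attribute text in the `whoami` output.

```batch
@echo off
rem Added example (not from the thread): report whether the current
rem process token is really de-elevated. Run it inside the new window.
setlocal
set "IL=unknown"
set "ADMIN_ATTR="
set "ADMIN_STATE=absent"

rem CSV columns: "Group Name","Type","SID","Attributes".
rem tokens=1-3* keeps the comma-containing Attributes column whole in %%D.
rem Assumes no group name on this machine contains a comma.
for /f "usebackq tokens=1-3* delims=," %%A in (`whoami /groups /fo csv /nh`) do (
    if "%%~C"=="S-1-16-4096"  set "IL=Low"
    if "%%~C"=="S-1-16-8192"  set "IL=Medium"
    if "%%~C"=="S-1-16-12288" set "IL=High"
    if "%%~C"=="S-1-16-16384" set "IL=System"
    if "%%~C"=="S-1-5-32-544" set "ADMIN_ATTR=%%~D"
)

rem BUILTIN\Administrators (S-1-5-32-544) is either enabled or deny-only.
rem The attribute text is matched in English; localized Windows differs.
if not defined ADMIN_ATTR goto report
echo "%ADMIN_ATTR%" | find /i "deny only" >nul
if errorlevel 1 (set "ADMIN_STATE=enabled") else (set "ADMIN_STATE=deny-only")

:report
echo Integrity level     : %IL%
echo Administrators group: %ADMIN_STATE%

rem Exit code 0 only for a Low/Medium token without an enabled admin group.
if "%ADMIN_STATE%"=="enabled" exit /b 1
if "%IL%"=="Medium" exit /b 0
if "%IL%"=="Low" exit /b 0
exit /b 1
```

An exit code of 0 means the token is at Medium or Low integrity and the Administrators group is either absent or deny-only; anything else returns 1, including an integrity level the script does not recognize.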
May 20, 2008
11,642
111
Syracuse, NY, USA
Charles, did you ever look at that code ... build it? It's way over my head (a lot of COM) but, after getting all the code (from three of Raymond Chen's blogs) I built it.

Later, Raymond Chen gave a much simpler way ... all Win32 API functions and 30 lines (nicely formatted). You can find it here.

It simply uses CreateProcess, passing it some extra info (with the EXTENDED_STARTUPINFO_PRESENT flag) ... namely a handle to the process you want to be the parent (the code uses the process of the desktop window).

It works.

1638937597329.png
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
4,521
96
Albuquerque, NM
prospero.unm.edu
> Charles, did you ever look at that code ... build it? It's way over my head (a lot of COM) but, after getting all the code (from three of Raymond Chen's blogs) I built it.
>
> Later, Raymond Chen gave a much simpler way ... all Win32 API functions and 30 lines (nicely formatted). You can find it here.

No, I've never used the method I cited. The one you point out looks far simpler. Thanks for the corrective!
 
FWIW, I use this to start TCC.EXE unelevated from an elevated TCC.EXE:
Code:
c:\program files\jpsoft\tcmd28>echo %username%
Joe Caverly

c:\program files\jpsoft\tcmd28>runas /savecred /user:"%username%" "tcc.exe"
Attempting to start tcc.exe as user "DESKTOP-H2JFFTF\Joe Caverly" ...

The new TCC.EXE window launches unelevated.

Note well that you must enter your password the first time doing this, but not afterwards.

Joe
 
Aug 23, 2010
669
9
Another option is available in Cygwin: cygutils-extra package offers a cygdrop utility

Code:
# cygdrop --help
cygdrop is part of cygutils version 1.4.16
cygdrop was originally authored by Christian Franke
  Execute COMMAND with a restricted access token

Usage: cygdrop [OPTIONS] COMMAND [ARG ...]

Group options
  -l        Disable local administrator group [default]
            (same as '-g S-1-5-32-544').
  -d        Disable domain administrator group [default]
            (same as '-g S-1-5-21-.*-512').
  -g GROUP  Disable group(s) GROUP.
  -G GROUP  Disable all groups except group(s) GROUP.
  -r GROUP  Add group(s) GROUP to restricted SIDs.

Privilege options
  -m        Delete most privileges [default]
            (same as '-P SeChangeNotifyPrivilege').
  -p PRIV   Delete privilege PRIV.
  -P PRIV   Delete all privileges except privilege PRIV.

General options
  --help,-h Print this help.
  --usage   Display brief usage information.
  --version Display version information.
  --license Display licensing information.
  -v        Verbose output, lists groups and privileges changed.
            Repeat to list all groups and privileges.

If no group or privilege option is specified, '-l -d -m' is the default.
Options with GROUP and PRIV parameter may be specified more than once.
GROUP may be specified as a SID, a regular expression matching SIDs
(must start with 'S-'), a numeric group id, or a group name.
PRIV name match is not case sensitive, prefix 'Se' and suffix 'Privilege'
may be omitted.