
unelevate possibility?

If I'm running a tcc window that is elevated with full admin privileges, and want to execute a command that's "unelevated" (doesn't have the full admin privileges), how might I do that? I know how START /ELEVATED can run a command at the elevated level from an unelevated window, but I'd like to do the opposite. Is this possible?

Environment: Windows 10, TCC v16.03. (Yeah, I know, it's quite old...)
 
You could use the RUNAS command with the /trustlevel switch.
Code:
RUNAS /trustlevel:<TrustLevel> program

RUNAS /showtrustlevels

RUNAS /trustlevel:0x20000 cmd.exe
 
> You could use the RUNAS command with the /trustlevel switch.
> Code:
> RUNAS /trustlevel:<TrustLevel> program
>
> RUNAS /showtrustlevels
>
> RUNAS /trustlevel:0x20000 cmd.exe
Thank you, Scott, that does seem to solve the problem. Since I'm not really very familiar with the windows security trustlevels, I executed the command from an elevated tcc window and a non-elevated one. Both returned only that 0x20000 value. Is that expected?
 
Hmmm! I tried RUNAS with trustlevel 0x20000 from an elevated TCC and in the new process _ELEVATED was 1.
 
That environment variable is great! I didn't find it in the TCC documentation. I guess I just didn't look in the right way, because it's definitely there. Well that eliminates using a 'net session' hack.

Code:
net session >nul 2>&1
if %errorLevel% == 0 (
    rem Administrative permissions confirmed.
) else (
    rem Administrative permissions not present.
)


Well, Vince, I get a different result (where the top tcc box is elevated):
 
Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

(It's been a long time since I needed to come back to this group, but it's nice to see a bunch of the long-time [notice I didn't call any of us old-timers] still using this great tool and contributing!)
 
> Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

No, that would not be useful in a batch file. I threw it out there mostly in case anybody was thinking about adding this feature via a plugin.
 
> Well, Vince, I get a different result (where the top tcc box is elevated):
I'm glad it's working for you.

Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).
 
Hi.

You can use gsudo to elevate or unelevate from the command line.
To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'

github.com/gerardog/gsudo
 
> I'm glad it's working for you.
>
> Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).
My account is a domain account that is a member of the Administrators group.

I normally start up TCC from a shortcut that has the Run As Administrator property set, so that's how it has its elevated status. I am trying to have this TCC window also execute a command while not being elevated. That's what started all of this. It seems that the runas may do what I need, but I've yet to test it.
 
> Hi.
>
> You can use gsudo to elevate or unelevate from the command line.
> To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'
>
> github.com/gerardog/gsudo
Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?
 
> Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?

Yes, -i allows you to specify an integrity level, as defined by Windows UIPI. When UAC is enabled, all normal (non-elevated) processes run as medium integrity, while elevated processes run as High. With this argument gsudo ensures no admin rights are given to the child process.
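Since the thread shows that RUNAS /trustlevel gives different results for different accounts, and TCC's _ELEVATED variable and the 'net session' hack are only indirect checks, here is an added PowerShell example (not from this thread, and not part of gsudo or TCC) that reports, from inside any child window, whether the process is elevated and at which integrity level it runs. It assumes Windows PowerShell 5.1 or later and whoami.exe on the PATH; the function names are my own.

```powershell
# Added example, not from the thread or from gsudo/TCC: verify from inside a
# child shell whether the launcher (RUNAS /trustlevel, gsudo -i Medium, ...)
# really dropped admin rights. Assumes Windows PowerShell 5.1 or later and
# whoami.exe on the PATH.

function Test-IsElevated {
    # True when the token's Administrators membership is enabled, i.e. the
    # process is elevated. Under UAC a non-elevated admin gets a filtered
    # token where the group is deny-only, so IsInRole returns False.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IntegrityLevel {
    # The mandatory label is a group SID of the form S-1-16-<RID>; the RID is
    # the integrity level (8192 = Medium for normal processes, 12288 = High
    # for elevated ones). .NET hides label SIDs from WindowsIdentity.Groups,
    # so read them from whoami's CSV output instead.
    $names = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'MediumPlus'; 12288 = 'High'; 16384 = 'System' }
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
             Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    if ($names.ContainsKey($rid)) { return $names[$rid] }
    return "Level-$rid"
}

function Get-ElevationReport {
    # One object summarising the current process, handy for comparing the
    # elevated parent window against the child it launched.
    [pscustomobject]@{
        ProcessId      = $PID
        User           = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Elevated       = Test-IsElevated
        IntegrityLevel = Get-IntegrityLevel
    }
}

Get-ElevationReport | Format-List
```

Run it once from the elevated TCC window and once from the child it launched: a properly unelevated child reports Elevated False and IntegrityLevel Medium, while the elevated parent reports True and High. Checking the label SID rather than only the Administrators role matters because an account that is not in Administrators at all will show Elevated False in both windows, which is what the two differing results in this thread suggest.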
 
Charles, did you ever look at that code ... build it? It's way over my head (a lot of COM) but, after getting all the code (from three of Raymond Chen's blogs) I built it.

Later, Raymond Chen gave a much simpler way ... all Win32 API functions and 30 lines (nicely formatted). You can find it here.

It simply uses CreateProcess, passing it some extra info (with the EXTENDED_STARTUPINFO_PRESENT flag) ... namely a handle to the process you want to be the parent (the code uses the process of the desktop window).

It works.
 
> Charles, did you ever look at that code ... build it? It's way over my head (a lot of COM) but, after getting all the code (from three of Raymond Chen's blogs) I built it.
>
> Later, Raymond Chen gave a much simpler way ... all Win32 API functions and 30 lines (nicely formatted). You can find it here.

No, I've never used the method I cited. The one you point out looks far simpler. Thanks for the corrective!
 
I've been using the gsudo -i Medium tcc.exe method without issue. But that does look like an elegant solution.
 
FWIW, I use this to start TCC.EXE unelevated from an elevated TCC.EXE:
Code:
c:\program files\jpsoft\tcmd28>echo %username%
Joe Caverly

c:\program files\jpsoft\tcmd28>runas /savecred /user:"%username%" "tcc.exe"
Attempting to start tcc.exe as user "DESKTOP-H2JFFTF\Joe Caverly" ...

The new TCC.EXE window launches unelevated.

Note well that you must enter your password the first time doing this, but not afterwards.

Joe
 
Another option is available in Cygwin: the cygutils-extra package offers a cygdrop utility.

Code:
# cygdrop --help
cygdrop is part of cygutils version 1.4.16
cygdrop was originally authored by Christian Franke
  Execute COMMAND with a restricted access token

Usage: cygdrop [OPTIONS] COMMAND [ARG ...]

Group options
  -l        Disable local administrator group [default]
            (same as '-g S-1-5-32-544').
  -d        Disable domain administrator group [default]
            (same as '-g S-1-5-21-.\*-512').
  -g GROUP  Disable group(s) GROUP.
  -G GROUP  Disable all groups except group(s) GROUP.
  -r GROUP  Add group(s) GROUP to restricted SIDs.

Privilege options
  -m        Delete most privileges [default]
            (same as '-P SeChangeNotifyPrivilege').
  -p PRIV   Delete privilege PRIV.
  -P PRIV   Delete all privileges except privilege PRIV.

General options
  --help,-h Print this help.
  --usage   Display brief usage information.
  --version Display version information.
  --license Display licensing information.
  -v        Verbose output, lists groups and privileges changed.
            Repeat to list all groups and privileges.

If no group or privilege option is specified, '-l -d -m' is the default.
Options with GROUP and PRIV parameter may be specified more than once.
GROUP may be specified as a SID, a regular expression matching SIDs
(must start with 'S-'), a numeric group id, or a group name.
PRIV name match is not case sensitive, prefix 'Se' and suffix 'Privilege'
may be omitted.
 