Run apps with there own rights
Hi.
Is there a way to run applications with their own permissions, rather than inherited ones, when launching from TC?
- ghisler(Author)
Re: Run apps with there own rights
Windows only supports launching apps with elevated rights (as administrator), or under a different user name.
For the first, you can use a button with a single asterisk in front of the path+name (must use full path):
*c:\windows\system32\notepad.exe
For the second, use a button with two asterisks in front of path+name:
**c:\windows\system32\notepad.exe
Author of Total Commander
https://www.ghisler.com
Re: Run apps with there own rights
Thanks for the reply.
And what is the way to launch an app not with using a button, but explicitly from the TC panel?
Why did such a question arise - when I open, e.g. any pdf file from TC, a pdf reader is launched and inherits elevated rights from TC, which is completely undesirable.
Re: Run apps with there own rights
> iG0R wrote: 2023-11-07, 10:33 UTC
> Why did such a question arise - when I open, e.g. any pdf file from TC, a pdf reader is launched and inherits elevated rights from TC, which is completely undesirable.
Then don't run TC as administrator. Only launch TC as admin when necessary. Or have more than one instance running, only one of which as administrator where you only execute tasks that require elevation.
It isn't possible to remove elevation from a process once it's been acquired.
Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64
Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
Re: Run apps with there own rights
2Dalai
I just hoped that something might have changed in this matter over the past 20 years.
Re: Run apps with there own rights
That's the reason for never running a file manager with enhanced rights.
There is no real need for normal work.
Btw., why should there be any change on this topic in the last 20 years?
Today, it's even more dangerous than it was a long time ago.
You can define a button which starts an elevated TC instance from a normal TC process.
Code:
TOTALCMD#BAR#DATA
*%COMMANDER_EXE% /N /P /A /i="%COMMANDER_INI%"
%Z%X %P%N* %T%M*
%COMMANDER_PATH%\TCMADM64.EXE
Open New TC as Admin
0
-1
Windows 11 Home, Version 24H2 (OS Build 26100.3915)
TC 11.55 RC1 x64 / x86
Everything 1.5.0.1391a (x64), Everything Toolbar 1.5.2.0, Listary Pro 6.3.2.88
QAP 11.6.4.2.1 x64
Re: Run apps with there own rights
> iG0R wrote: 2023-11-07, 10:33 UTC
> And what is the way to launch an app not with using a button, but explicitly from the TC panel?
Using internal associations:
runas /trustlevel:0x20000 "%COMMANDER_PATH%\Plugins\wlx\slister\SumatraPDF.exe" "%1"
%COMMANDER_PATH%\Utils\PsExec.exe -d -l "%COMMANDER_PATH%\Plugins\wlx\slister\SumatraPDF.exe" "%1"
%COMMANDER_PATH%\Utils\PsExec.exe -d -l rundll32.exe shell32.dll,ShellExec_RunDLL "%1"
There are also outdated StripMyRights and DropMyRights. I don't know how suitable they are now for modern Windows versions.
And I always run TC with elevated rights, because I often have to manage the registry, services, processes and drivers, including using wfx plugins.
Overquoting is evil! 👎
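One way to verify that a launcher like those in the post above really hands the child a de-elevated token (an added example, not part of the thread): run `whoami /groups /fo csv /nh` through the same launcher and classify the output by its integrity-level SID and the state of the Administrators group. The two sample outputs are constructed, and `classify` is a hypothetical helper name.

```python
import csv
import io
import subprocess
import sys

# Well-known SIDs (stable across Windows display languages).
INTEGRITY = {"S-1-16-4096": "low", "S-1-16-8192": "medium",
             "S-1-16-12288": "high", "S-1-16-16384": "system"}
ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

def classify(whoami_csv):
    """Classify a token from `whoami /groups /fo csv /nh` output."""
    level, admins = "unknown", "absent"
    for row in csv.reader(io.StringIO(whoami_csv)):
        if len(row) < 4:
            continue  # blank or malformed line
        sid, attrs = row[2], row[3].lower()
        if sid in INTEGRITY:
            level = INTEGRITY[sid]
        elif sid == ADMINS_SID:
            # English attribute text; adjust for localized systems.
            admins = "deny-only" if "deny only" in attrs else "enabled"
    elevated = level in ("high", "system") and admins == "enabled"
    return {"integrity": level, "admins": admins, "elevated": elevated}

# Constructed samples, not captured from a real machine.
ELEVATED = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""
'''
DE_ELEVATED = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'''

if __name__ == "__main__":
    print("elevated sample:   ", classify(ELEVATED))
    print("de-elevated sample:", classify(DE_ELEVATED))
    if sys.platform == "win32":  # live check of the current process
        out = subprocess.run(["whoami", "/groups", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        print("this process:      ", classify(out))
```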
Re: Run apps with there own rights
2Fla$her
Thank you very much!
Considering the security situation, your advice is the best for me, since I regularly do the same thing as you - manage the registry, services, disk file systems using wfx plugins, etc. And it's quite annoying to receive warning messages, switch and interrupt thought process to access areas of the operating system that require administrator rights if TC is running with low privileges.
2Horst.Epp
> Horst.Epp wrote: 2023-11-07, 14:22 UTC
> You can define a button which starts an elevated TC instance from a normal TC process.
Thanks for the advice, but, IMHO, such an approach is too cumbersome. It turns out that in order to open, for example, a pdf file, instead of simply double-clicking on the file or just pressing Enter, you will need to load a new instance of TC and open the file from there, and then, after finishing viewing, close TC.
This is like an analogy with a locked desk drawer - when you need to view a certain document that is inside it, it doesn't matter if it's a "dangerous" or "safe" document, you have to take out the key, open the drawer, open the document, keeping the drawer itself open, while reading the document, then you need to put it back and lock the drawer. Meanwhile, Fla$her suggests keeping each "dangerous" document in a drawer without a lock, but in a file that separates this document from everything else and can be viewed simply by knowing how to open this file.
Re: Run apps with there own rights
> iG0R wrote: 2023-11-07, 08:33 UTC
> Is there a way to run applications with their own permissions, rather than inherited ones, when launching from TC?
This is a misconception.
Applications themselves do not have any permissions of their own.
Permissions to perform certain operations are tied to users and their permissions.
In case you launch Total Commander with elevated privileges ("As Administrator"), then each process spawned by Total Commander inherits the same elevated privileges. This is by Windows design and not specific to Total Commander.
So you create the problem, which you complain about, yourself by running Total Commander "as administrator".
As has been suggested, adapt your habit to
+ launching Total Commander non-elevated by default.
+ launching another Total Commander "as administrator" only in the rare cases, where elevated privileges are really needed.
This approach is not cumbersome and too inconvenient at all. It is a matter of getting used to it.
By the way, on Linux systems this approach is the default way of working. You start unelevated and only elevate your privileges (provided you have been granted the right to do so) in those cases, where it is required.
Again:
Applications do not have their own rights. Users have. Processes run with user permissions. Child processes inherit these permissions.
In case a user has got full administrator rights, then all processes launched by this user will have full administrator rights as well.
MX Linux 21.3 64-bit xfce, Total Commander 11.50 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
Re: Run apps with there own rights
2karlchen
Thanks a lot for clarification.
I thought that if not all, then the majority of forum participants use commonly accepted and established phrases to facilitate communication. That's why I used the expression "apps with their own rights". And if you Google "https://www.google.com/search?q=apps+with+elevation+rights", it turns out that a whopping 108 million search results are somehow related to this query. Therefore, I hope you will agree that this phrase can be considered a commonly accepted expression carrying the following meaning: "applications that have been given elevated privileges (by the one who launched them)". That was the context in which I applied it in my post.
One more note, I use Windows and, IMHO, it is more user friendly than Linux, so I use TC, not command line, and Notepad++, not Vim. And because of this, I want a little more convenience in other aspects, in particular in running apps without having to launch another copy of the same TC with different privileges.
Re: Run apps with there own rights
Hello, iGOR.
How should your Total Commander, which you seem to launch "as administrator" all the time, know which applications that you launch from inside Total Commander should be started
+ with elevated privileges as well, because you need to do something "as administrator"
or
+ without elevated privileges, because the intended operation does not require to be done "as administrator"?
Karl
Re: Run apps with there own rights
Hello, Karl.
> karlchen wrote: 2023-11-07, 22:32 UTC
> How should your Total Commander, which you seem to launch "as administrator" all the time, know which applications that you launch from inside Total Commander should be started
The very essence of my post was to ask members of the forum how I could make it possible for me to run this or that file with the necessary rights and at the same time I would not need to do any unnecessary and routine work, and all the cares would be taken by the TC's "automation". Because I believe that computerization is what computerization is for and is meant to eliminate routine from life.
And Fla$her helped me a lot to understand what I need to do to solve my problem. As it turned out, we have the same working style, so this topic was close to him and he already solved it for himself. He also had no objections to the wording of my request, as he only paid attention to the essence of my question.
Kind regards,
Igor.
Re: Run apps with there own rights
iG0R,
> "apps with their own rights"
This is neither a common nor an established phrase. "Own rights" does not mean anything, since apps don't have any rights on their own, as karlchen correctly noted.
> if you Google "https://www.google.com/search?q=apps+with+elevation+rights", it turns out that a whopping 108 million search results are somehow related to this query. Therefore, I hope you will agree that this phrase can be considered a commonly accepted expression carrying the following meaning: "applications that have been given elevated privileges (by the one who launched them)".
"Apps with elevated rights" makes sense. "Apps with elevation rights" is ambiguous - it could mean "apps that can launch other apps elevated". However, these are completely unrelated to "apps with their own rights". Try googling "apps with their own rights" and see what you find.
> He also had no objections to the wording of my request, as he only paid attention to the essence of my question.
He provided a solution despite the unclear wording. That does not mean people who are trying to understand your problem first are not trying to help you.
Roman
Suppose you press Ctrl+F, select the FTP connection (with a saved password), but instead of clicking Connect, you drop dead.
Re: Run apps with there own rights
Hello, Roman.
> Hacker wrote: 2023-11-08, 00:20 UTC
> He provided a solution despite the unclear wording. That does not mean people who are trying to understand your problem first are not trying to help you.
Please point out where I mentioned or implied between the lines that "the people who are trying to understand your problem in the first place are not trying to help you."
Yes, my wording was unclear and to a certain extent wrong, but I was understood and helped. For which I am very grateful.
Did I mention somewhere that Karl made a mistake in describing the principles of inheritance and privilege acquisition? Specifically, what he described in detail, I tried to fit into my first compressed sentence, which is why such a statement came out and why there was such confusion in the expression.
What is the purpose of continuing the discussion after the answer was given that fully met the expectations of the post author, especially since the author did not accuse or imply in any way that the participants of the discussion were saying something wrong and not trying to help?
Igor.
Re: Run apps with there own rights
iG0R,
> Please point out where I mentioned or implied between the lines that "the people who are trying to understand your problem in the first place are not trying to help you."
Here:
> He also had no objections to the wording of my request, as he only paid attention to the essence of my question.
This sounds like "why do you care how I worded my request, exact words aren't important, pay attention to the essence instead of squabbling about definitions, see, Fla$her managed to do that, why can't you".
> What is the purpose of continuing the discussion after the answer was given that fully met the expectations of the post author
The author is not forced to continue the discussion. We are happy he was helped. I am only commenting on something which could be perceived negatively (perhaps perceived as such by misunderstanding), see above. That is all.
Roman