Run apps with there own rights

[iG0R]

Roman,

I have no words...

Igor.

[Fla$her]

As it turned out, we have the same working style, so this topic was close to him and he already solved it for himself.

I gave a recommendation, but this doesn't mean that I use it myself. I am not afraid of opening pdf files in any mode. If necessary, I use a hotkey that launches a file with restricted rights via vbs. I would not open files in this way by Enter, because it takes extra time to start, especially since I open many files through ***cm_List "%1". Believe me, this theme is definitely not enough to compare our styles.

He also had no objections to the wording of my request, as he only paid attention to the essence of my question.

I paid attention to both, just didn't focus on the error, because here it is unnecessary demagoguery.
In your second post, it became clear that you need lowed/limited rights, not your own.
As for the system associations, I would try the bottom three commands with "%1" without using the console to run in the context of an active session. Write about the results.

[iG0R]

2Fla$her

Thank you so much!
Everything works, except for the "runas" command and some oddities when using system associations.

1st oddity.
Regarding "runas" command - no matter what argument is placed after the program name, this argument is completely ignored, i.e., for example, when executing the following command

Code: Select all

runas /trustlevel:0x20000 ""f:\SumatraPDF (Reader DjVu ePub etc)\SumatraPDF-prerel-64-13.6.5876-portable.exe" "%1""

nothing happens. But if the argument "%1" is removed, then SumatraPDF simply starts without opening the document.
I double-checked in the console, substituting the file instead of the argument, for example:

Code: Select all

runas /trustlevel:0x20000 ""f:\SumatraPDF (Reader DjVu ePub etc)\SumatraPDF-prerel-64-13.6.5876-portable.exe" "f:\Temp\To be or not to be.pdf""

in this case, the command in the console is executed and gives the same result as if "runas" was run without any arguments.

2nd oddity.
It already concerns opening using system associations.
To open a pdf, I have FoxitPhantomPDF installed by default in my system with registration. If I open any pdf document, whether it's through TC or File Explorer, FoxitPhantomPDF simply opens with the document and its interface already configured for me.
But if I open a pdf document using any of the following commands:

Code: Select all

"f:\PsTools (Windows tools)\PSTools-30.03.2023\PsExec64.exe" -d -l rundll32.exe shell32.dll,ShellExec_RunDLL "%1"
"f:\PsTools (Windows tools)\PSTools-30.03.2023\PsExec64.exe" -d -l rundll32.exe shell32.dll,ShellExec_RunDLLA "%1"
"f:\PsTools (Windows tools)\PSTools-30.03.2023\PsExec64.exe" -d -l rundll32.exe url.dll, OpenURL  "%1"
"f:\PsTools (Windows tools)\PSTools-30.03.2023\PsExec64.exe" -d -l rundll32.exe url.dll, FileProtocolHandler "%1"

Then FoxitPhantomPDF launches, but it tells me that it is not registered, the trial period has passed and an activation code is required. The first few times I did this, I entered the activation code and then it would boot with the document, but all the settings were reset to default. Then I got tired of entering the activation code every time I opened the document and when I just closed the window with this message without entering the code, it loaded as if activated, but all the settings inside were also reset to default.

3rd oddity.
The strangest and most important.
After opening the document using internal associations, readers behaved as if they were actually launched with reduced privileges. It was easy to verify this by checking how programs with reduced rights worked with the document. Previously, when I opened the document through TC and it inherited admin rights from it, no external program with reduced rights could copy or paste anything from/into this document. But this time everything worked as it should - copying and pasting were possible.

But the strange thing is that when checking through Task Manager -> Details -> Elevated, it turns out that external programs, as they were with the value "No", remained the same, but SumatraPDF or FoxitPhantomPDF with a document opened in them, with which these external programs finally managed to work, it turns out that as they had the value Elevated = "Yes" previously, they still remained with the same value "Yes".
And here is the question of what to believe - the system, which claims that SumatraPDF and FoxitPhantomPDF are still opened with elevated privileges, or the fact that programs with reduced rights can work with them.

[white]

1st oddity.
Regarding "runas" command - no matter what argument is placed after the program name, this argument is completely ignored, i.e., for example, when executing the following command

Code: Select all

runas /trustlevel:0x20000 ""f:\SumatraPDF (Reader DjVu ePub etc)\SumatraPDF-prerel-64-13.6.5876-portable.exe" "%1""

If you run "runas /?" at the Windows Command prompt, you will see this among the examples:

Code: Select all

> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

So, nested quotes need to be escaped.

[Horst.Epp]

2iG0R
Using Runas gives a complete other set of installed default programs.

[iG0R]

2white
Thank you so much!
I saw this example and for some reason I thought that there would be enough external quotes that would escape, but it was necessary to escape as in regular expressions.
In this form

Code: Select all

runas /trustlevel:0x20000 "\"f:\SumatraPDF (Reader DjVu ePub etc)\SumatraPDF-prerel-64-13.6.5876-portable.exe\" \"%1\""

it worked as expected - the reader with the document started, but, again, its Elevated status is still set to "Yes".



2 Horst.Epp
Thanks a lot!
Maybe you can give me a hint, is there any way to use the set of installed default programs that the system uses when opening files in standard conditions?

[Horst.Epp]

2 Horst.Epp
Thanks a lot!
Maybe you can give me a hint, is there any way to use the set of installed default programs that the system uses when opening files in standard conditions?

Some application setups allow installing for all users.
You can also just make the association with an enhanced user
or install the apps from it.

[Fla$her]

2iG0R
You're welcome.

But if I open a pdf document using any of the following commands:

Actually, when specifying commands by link, I did not mention the interaction with PsExec. On the contrary, I wrote "without using the console".

Then FoxitPhantomPDF launches, but it tells me that it is not registered, the trial period has passed and an activation code is required.

Is it installed only for the current user or all?

But this time everything worked as it should - copying and pasting were possible.

From programs that are not running from TC?

And here is the question of what to believe - the system, which claims that SumatraPDF and FoxitPhantomPDF are still opened with elevated privileges, or the fact that programs with reduced rights can work with them.

Perhaps the task manager is checking the inherited rights from the parent process, so it shows the wrong status.

[iG0R]

2Horst.Epp

Thank you. So, using programs from a normal set will not work.
And how does it happen then, when programs are launched from Explorer, which only has user privileges, do they specifically belong to the standard used set?


2Fla$her

Actually, when specifying commands by link, I did not mention the interaction with PsExec. On the contrary, I wrote "without using the console".

Yes, I saw that, but I had already decided to try everything when I had a strange situation with the privilege level in TaskManager.

Is it installed only for the current user or all?

That's the strangeness of it, yes, only for one user - me.
That's why I couldn't understand where such behavior came from.

From programs that are not running from TC?

Yes, there are 2 programs that run at startup, and TC has nothing to do with their loading - one is the QTranslate translator and the other is a floating panel with handy tools called SnipDo (similar to MacOS's PopClip).

Perhaps the task manager is checking the inherited rights from the parent process, so it shows the wrong status.

Is there anything more reliable than Task Manager that accurately shows the privilege level?

[Fla$her]

Yes, I saw that, but I had already decided to try everything

I asked to talk about the results (are there any differences) without PsExec.

That's the strangeness of it, yes, only for one user - me.

This is not strange, because there is interaction with different registry hives (HKLM/HKCU/HKU\<SID>) when searching for registration and settings.

Is there anything more reliable than Task Manager that accurately shows the privilege level?

I can't say for sure, but you can try the "Elevation" column in ProcessHacker.

one is the QTranslate translator and the other is a floating panel with handy tools called SnipDo

But they don't edit any documents except their configs, but you wrote:

no external program with reduced rights could copy or paste anything from/into this document.

[iG0R]

Fla$her

But they don't edit any documents except their configs, but you wrote:

The way QTranslate and SnipDo work is as follows: After selecting a text, their pop-up icon (QTranslate) and panel (SnipDo) appear next to it, which, when clicked, certain actions are performed.
If the program has higher rights, their pop-up icon and panel will never appear, therefore, no actions that these QTranslator and SnipDo perform can be carried out.
Earlier, when a pdf document was opened from TC in the usual way with inheriting TC admin rights, the icon and panel of these programs did not appear.
Now, when the document is opened using internal associations (with or without using the console), this problem no longer exists - both the icon and the panel appear and all actions are performed.

I can't say for sure, but you can try the "Elevation" column in ProcessHacker.

Process Hacker, Process Explorer (SysInternals), Process Lasso - non of them correctly display the rights in this case.

[Fla$her]

2iG0R
I was not asking about the principle of how programs work, but about what concerns editing. The presence of text in the clipboard and inserting it somewhere by Ctrl+V have nothing to do with the insertion of these programs into some third-party document that you wrote about.
As for the issues with programs access to the interface, I prefer launching them using the Autorun plugin or a scheduler with the necessary rights.

[white]

Process Hacker, Process Explorer (SysInternals), Process Lasso - non of them correctly display the rights in this case.

Yes, they do. The program is run as administrator, but in restricted mode, also known as "Limited User Mode" or "Restricted Token Mode".

To illustrate do this:

• Open a Windows command prompt window as Administrator
• Execute

  Code: Select all

  runas /trustlevel:0x20000 cmd

  If you are using Windows 11, execute this instead:

  Code: Select all

  runas /machine:amd64 /trustlevel:0x20000 cmd

The title bar of the new Command prompt window says:

Administrator: cmd (running as <machine\user> with restricted privileges)

For more info, see:

• https://stackoverflow.com/questions/20218076/batch-file-drop-elevated-privileges-run-a-command-as-original-user
• https://techcommunity.microsoft.com/t5/windows-blog-archive/running-as-limited-user-the-easy-way/ba-p/723506

[iG0R]

2Fla$her
The clipboard by Ctrl+V always worked with any permissions and any programs. Specifically, the functionality of their interface was required when working with documents opened through TC. However, there was little use of simple Ctrl+V for these programs, it was easier to work without them.

[iG0R]

2white

Thank you so much for the clarification.
I'm not using Windows 11, still on Windows 10.
Are there programs under Windows 10 that would show program rights in the same way as Windows 11?