Starting Progs from within TC w/o Admin rights

brahman · Post by *brahman » 2017-02-14, 13:14 UTC

Hi,

when I start programs from within TC (buttonbar or click on program name), they always start elevated, even though I use the DropMyRights utility to start them.

Is there a way to adjust TC, so that I can start TC as administrator, but still the programs started from within TC do not necessarily have admin rights?

MVV · Post by *MVV » 2017-02-14, 13:28 UTC

Currently you can't start non-elevated programs from TC directly. But it is strange that special tools like mentioned DropMyRights don't work for you, it shouldn't be a TC fault.

brahman · Post by *brahman » 2017-02-14, 16:06 UTC

Yes I was quite flabergasted myself.

But I tried the same DropMyRights shortcut with TC and from Explorer, and Task Manager showed the first as elevated and the second not.

Tried it with several programs under different conditions and always get the same result.

MVV · Post by *MVV » 2017-02-14, 17:54 UTC

Do you know that Explorer itself is NOT elevated?

Are you sure that DropMyRights is able to drop ELEVATION or it does drop some other rights?

brahman · Post by *brahman » 2017-02-14, 18:42 UTC

Yes it drops elevation, I have tried it with and without DMR outside of TC and I can see the difference in Task Manager "elevated" column.

Dalai · Post by *Dalai » 2017-02-14, 20:07 UTC

Try this: Start CMD elevated by right-clicking and selecting "Run As Administrator". Inside of CMD, enter the command to launch some program via DropMyRights, e.g.

Code: Select all

"C:\Program Files\DropMyRights\DropMyRights.exe" C:\Windows\system32\notepad.exe

Now check whether or not the newly started program is elevated. It doesn't work for me. Although launching TC this way doesn't show the ^ in front of the user name, Process Hacker shows the process as fully elevated. This is regardless of the parameter: C and N do the same thing; I even get an error (that the process couldn't be launched) when using DropMyRights' U parameter.

I think there's a reason why MS stopped providing this program: it doesn't work properly (on newer versions of Windows).

Regards
Dalai

brahman · Post by *brahman » 2017-02-14, 20:07 UTC

That I cannot use DropMyRights to drop the rights is a real problem.

Does anybody have any idea how to solve it?

MVV · Post by *MVV » 2017-02-14, 20:14 UTC

As a quick find, PsExec.exe with -l option is able to start limited processes, you may want to try it.

brahman · Post by *brahman » 2017-02-14, 21:46 UTC

PsExec has the same limitations as DropMyRights.

Both work fine outside TC, but cannot limit processes started from an elevated TC.

MVV · Post by *MVV » 2017-02-15, 07:03 UTC

I've checked in Process Hacker and it seems that pxexec'ed process has the same security tokens that non-elevatedo one has.

And it is interesting that psexec'ed TC still shows username in title but doesn't show a cap, and it can't e.g. create subfolders in Windows directory while elevated one can.

So it seems that these tools are able to drop process permissions but can't drop elevation flag...

lezerogan2 · Post by *lezerogan2 » 2017-02-15, 10:01 UTC

I created a file, <any_name>.bat with one line
runas /trustlevel:0x20000 ""%1""

i created a buttonbar:
TOTALCMD#BAR#DATA
C:\util\any_name.bat
%P%N
-1

It worked for me.

brahman · Post by *brahman » 2017-02-15, 10:26 UTC

@lezerogan2

Thanks.

What is the -1 doing and where does it go?

@MVV

So you are saying DMR and psexec work in dropping elevation, the flag simply isn't set, that's why process hacker and task manager show wrong elevation level?

lezerogan2 · Post by *lezerogan2 » 2017-02-15, 10:41 UTC

to brahman: ignore the -1, try create a buttonbar where the Command refer to the any_name.bat and the Parameters are %P%N.
Then when standing on any exe in TC, press this buttonbar. I hope it will work for you.

MVV · Post by *MVV » 2017-02-15, 16:10 UTC

brahman wrote:What is the -1 doing and where does it go?

Text from TOTALCMD#BAR#DATA to -1 is a copy of buttonbar button, you can copy this text to clipboard and do Paste in buttonbar context menu (you can also copy buttonbar buttons, and TC will put similar text to clipboard).

brahman wrote:So you are saying DMR and psexec work in dropping elevation, the flag simply isn't set, that's why process hacker and task manager show wrong elevation level?

Yes, it seems that these tools work, you can try it yourself: start e.g. notepad and try to save in Windows dir, it shouldn't work if process is not elevated.
But it is interesting is there a tool or a way to start process with dropped rights without elevation flag...

brahman · Post by *brahman » 2017-02-15, 21:53 UTC

MVV wrote:start e.g. notepad and try to save in Windows dir, it shouldn't work if process is not elevated.

Yes, same here. Elevation flag is not set correctly, though rights have been dropped.