Launch a No Elevated Process from an Elevated Process in an easy way (Win32 API)

dinkumoil

@donho

I found another link which seems to be more promising than the link above.

The algorithm there retrieves the access token of the desktop shell process. The non-elevated process gets started with this token. The article mentions some caveats but I guess they are not really relevant.

Meta Chuh

@donho

i’ve just tried this out:
you can relaunch np++ using runas in the command line without the need of specifying the invokers user name.
it should work in wingup too.

if you want to simulate and cross check it for a quick test:

open cmd.exe with right click > run as administrator

cross check:
if you now run C:\Program Files (x86)\Notepad++\notepad++.exefrom there, you will of see [Administrator] in the np++ bar as expected

possible solution:
execute runas /trustlevel:0x20000 "C:\Program Files (x86)\Notepad++\notepad++.exe"
and admin mode will be off.
you should now have the files and folder permissions of the current user 👍

dinkumoil

@Meta-Chuh , @donho

I’ve tried the runas method on my Windows 7 x64 machine. I’ve noticed a slight difference from the normal case that Notepad++ gets started via e.g. a desktop link.

In Windows Taskmanager I have activated the column UAC virtualization. When Notepad++ gets started via a desktop link the value of this column is Deactivated. When Notepad++ gets started via the runas command the column has no value, it is empty. But when I tick the option Show processes of all users the value changes to Not allowed. If I tick this option before starting Notepad++ the value is immediatly Not allowed.

I don’t know anything about the implications of this difference and I don’t know the difference between UAC virtualization deactivated and UAC virtualization not allowed, but there is a difference. Before adopting the runas method further investigations should take place.

donho

@dinkumoil
Indeed.

@Meta-Chuh said:

possible solution:
execute runas /trustlevel:0x20000 “C:\Program Files (x86)\Notepad++\notepad++.exe”

Just tried this method and seems Admin mode is OFF.
However, drag & drop a file into edit zone (which is the original motivation to run Notepad++ under user level) is forbidden just like Admin mode is ON.

I will continue to search the alternative way.

donho

@dinkumoil said:

Oh, and I forgot to mention, there is the old Plugin Manager, the devs of it had to solve the same problem. Maybe have a look at their code.

gpup.exe is launched without elevation, then it spawns itself (another instance) with the privileges rights to download & unzip and quit. The instance without elevation then relaunches Notepad++ without elevation.

It’s full of hack, but I guess I have no choice :(

dinkumoil

@donho said:

It’s full of hack, but I guess I have no choice :(

Well, I would call it “skillful use of officially documented features”. In contrast, the methods suggested in the MSDN blog entries I’ve posted a link to would have been real dirty hacks.

Meta Chuh

@donho

please try this from an elevated cmd or gup exec line:

schtasks /create /tn "Notepad++ Update Reload" /tr "C:\Program Files\Notepad++\notepad++.exe" /sc once /st 23:59 /f && schtasks /run /tn "Notepad++ Update Reload" && schtasks /delete /TN "Notepad++ Update Reload" /f

i remembered i had the same problem ages ago and solved it using the scheduled tasks
this will create run once and delete one that uses the current user regardless of the elevation level of the parent task

i’ve just tried it and drag and drop works, also @dinkumoil the uac in the task manager should be correct

dinkumoil

@Meta-Chuh

Yes, I remember. That was the way I suppressed UAC dialogs e.g. when starting elevated console windows around 10 years ago when I switched to Windows 7. It was the “I’m the admin, why should I been asked for approving admin tasks?”-attitude.

But to use that from within an EXE - hmm, seems crude to me…

Meta Chuh

@dinkumoil

this is just to get things going right now.
it’s to quickly test if using the task scheduler works 100% for all cases.

if it does, we can create an ITaskService object unsing eg taskschd.h instead of a command line.

if you have another working solution that is testable right now, don’t complain, try it, share it

SinghRajenM

@donho
Have looks at article by Raymond Chen.

We already have a solution in place, but unfortunately that solution is in nsis. Look here. The idea is: Run a exe in explorer context.

MS link: https://msdn.microsoft.com/library/dd940355
MS sample: https://github.com/pauldotknopf/WindowsSDK7-Samples/tree/master/winui/shell/appplatform/ExecInExplorer

Hope this will help you.

SinghRajenM

Also below can be used as simplest solution -

ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

SinghRajenM

@donho

@donho said:

@dinkumoil
Indeed.

@Meta-Chuh said:

possible solution:
execute runas /trustlevel:0x20000 “C:\Program Files (x86)\Notepad++\notepad++.exe”

Just tried this method and seems Admin mode is OFF.
However, drag & drop a file into edit zone (which is the original motivation to run Notepad++ under user level) is forbidden just like Admin mode is ON.

I will continue to search the alternative way.

Considering this scenario in mind, npp installer launches npp instance with same integrity level as explorer. Same is applicable here and drag n drop works fine using below method. So I feel, this should suit your requirement.

ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

donho

@SinghRajenM said:

Also below can be used as simplest solution -

ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

Thank you for the info.
I do remember the solution you provide in NSIS and did try the line above - only explorer launched.

dinkumoil

@donho

The last parameter has to be 1 = SW_SHOWNORMAL

SinghRajenM

@donho said:

@SinghRajenM said:

Also below can be used as simplest solution -

ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

Thank you for the info.
I do remember the solution you provide in NSIS and did try the line above - only explorer launched.

Interesting. It is working fine to me.

[Edit]:
@dinkumoil, nice catch. I’m using SW_SHOW

Meta Chuh

@SinghRajenM

thx, very cool and easy just to execute via explorer.exe, iv’e just tried it.

i didn’t know that explorer.exe does not pass the elevation level to a spawn.

so simple and perfect 👍

SinghRajenM

@Meta-Chuh Again it depends upon how explorer.exe is executed. In most of the cases explorer is not elevated unless user explicitly do so.

So if explorer is also elevated, then new exe also will be elevated yet. But it is expected in this case, because both will be at same integrity level which allows drag n drop.

https://paste.pics/e25eda50315a622bfda372343fd9b722

donho

@SinghRajenM
It seems your method doesn’t work only for me.
I test it in notepad++ with NO elevation, the following code launch calc well:

		case IDM_FILE_NEW:
		{
			//fileNew();
			ShellExecute(nullptr, L"open", L"calc.exe", nullptr, nullptr, SW_SHOW);
	
		}
		break;

However, the following code launch only explorer:

		case IDM_FILE_NEW:
		{
			//fileNew();
			ShellExecute(nullptr, L"open", L"explorer.exe", L"calc.exe", nullptr, SW_SHOW);
	
		}
		break;

What am I missing?

rinku singh

but i don’t know that code
dism++ heve a method
toolkit > god mode
run program without right checking

dinkumoil

@donho

You have to provide the fully qualified path to Calc.exe/Notepad++.exe.