
I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).

Is it possible to do so?

sashoalm

2 Answers

You can run a command with restricted privileges with:

runas /trustlevel:0x20000 "YourCommandHere"

You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.

If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:

runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"

Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run an internal command (like copy, del, etc.) with restricted privileges, as these are provided by the command-line interpreter and do not have an associated path.

Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running

runas /showtrustlevels
GOTO 0
  • Hm, this seems to have a slightly different behavior than I expected. Running cmd.exe normally, the titlebar shows only `C:\Windows\System32\cmd.exe`, running it with elevated privileges, it shows `Administrator: C:\Windows\System32\cmd.exe`, starting it with `runas /trustlevel:0x20000 cmd.exe`, it shows `Administrator: cmd (running as sashoalm-PC\sashoalm with restricted privileges)`. As you can see, it is not the same as running it normally, in the sense of 'run as original user', do you have an idea what the differences could be? – sashoalm Nov 26 '13 at 13:55
  • @sashoalm the new console is still associated with the Administrator account, but it runs with the privileges of a standard user (even if your user account has administrator privileges). To run as your original user, have a look at the other options of `runas`. – GOTO 0 Nov 26 '13 at 14:05
  • Process explorer lists both processes as having user name `sashoalm-PC\sashoalm`. My user account is the administrator account. So if the user name is the same, and the privileges are the same, why is cmd's titlebar reporting a difference? – sashoalm Nov 26 '13 at 14:16
  • Well, Windows allows the same user to run different applications with different levels of trustworthiness. This is explained here: http://msdn.microsoft.com/en-us/library/bb625957.aspx – GOTO 0 Nov 26 '13 at 14:33
  • Somehow this does not work for me. I get `RUNAS ERROR: Unable to run - cmd 1168: Element not found.` Even when I give the full path to cmd, it would show the same error. It works when using `/user:`, however I have to enter the PW then. – Joerg S May 04 '21 at 07:00
  • Actually I found the issue: Was just a typo... had `0x2000` instead of `0x20000` – Joerg S May 04 '21 at 10:46
  • As of Windows 11, you have to use the /machine argument as well, e.g., `runas /machine:amd64 /trustlevel:0x20000 cmd` or you will get error 87. However, this is almost a moot point, because /trustlevel doesn't do what it is supposed to anyway, and never has: although it does disable the administrators group, the integrity level of the new process is improperly set to "high" instead of "medium". – Harry Johnston Oct 18 '22 at 07:56
  1. It's still a privileged program (though restricted) in Task Manager by using this command:

    runas /trustlevel:0x20000 <cmd>
    
  2. You can try the other way, which will make it unprivileged in Task Manager:

    runas /savecred /user:%username% <cmd>
    

    You still need to enter the password once but not every time.

  3. Use explorer.exe to launch the program:

    explorer.exe <cmd>
    

    explorer.exe won't accept arguments for cmd, but you can create a temp script file and launch it by explorer.exe if arguments are necessary.

Wai Ha Lee
vincez
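Both answers describe ways to spawn a "less privileged" child, and the comments under the first answer disagree about whether `runas /trustlevel` really produces a standard-user process (the title bar says "restricted privileges", Task Manager still flags it as privileged, and one comment reports the integrity level stays High). The script below is an added example, not code from the question or from either answer: it inspects the token of the process it runs in and reports the two things that matter, whether BUILTIN\Administrators is usable or deny-only and which mandatory integrity label the token carries. Run it once in the elevated parent, once in a plain console, and once under each launch method from the two answers to see which one actually matches the plain console. It assumes `whoami.exe` (ships in System32) and Windows PowerShell 3.0 or later; the file name `Check-Token.ps1` in the usage note is just a placeholder.

```powershell
# Added example, not code from the question or from either answer.
# Reports what kind of token the current process actually holds, so the
# launch methods discussed above (runas /trustlevel, runas /user, explorer.exe)
# can be compared against the elevated parent and against a plain console.
# Assumes whoami.exe (ships in System32) and Windows PowerShell 3.0 or later.

function Get-TokenTrustReport {
    # Well-known mandatory label SIDs. The label is what separates a
    # "High" (elevated) process from a "Medium" (standard user) one.
    $labels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'MediumPlus'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

    # Raw token groups, including deny-only entries and the integrity label.
    # /nh plus explicit header names keeps the parsing independent of the
    # Windows UI language (whoami localises its column headers).
    $rows = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name,Type,SID,Attributes

    $labelRow     = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $adminInToken = [bool]($rows | Where-Object { $_.SID -eq $adminSid })

    # WindowsIdentity.Groups omits deny-only SIDs and IsInRole honours the
    # deny-only flag, so IsInRole is False for a UAC-filtered token even though
    # the Administrators SID is still present in the raw group list.
    $identity    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal   = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminUsable = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $level = 'Unknown'
    if ($labelRow -and $labels.ContainsKey($labelRow.SID)) { $level = $labels[$labelRow.SID] }

    [pscustomobject]@{
        ProcessId              = $PID
        User                   = $identity.Name
        IntegrityLevel         = $level
        IsAdministrator        = $adminUsable
        AdministratorsDenyOnly = ($adminInToken -and -not $adminUsable)
    }
}

function Test-RunsAsStandardUser {
    # "Running as the original user" should mean both: Administrators is not
    # usable AND the integrity level is Medium. A token that only passes the
    # first check still runs at High integrity, so it can still write to
    # objects (files, registry keys, processes) that a Medium process cannot.
    $r = Get-TokenTrustReport
    return ((-not $r.IsAdministrator) -and ($r.IntegrityLevel -eq 'Medium'))
}

Get-TokenTrustReport | Format-List
if (Test-RunsAsStandardUser) { 'OK: token looks like a normal standard-user process' }
else { 'WARNING: still elevated, or still High integrity' }
```

Save it as, for example, `C:\Tools\Check-Token.ps1` (placeholder path) and launch it from the elevated batch file the same way each answer launches its command, e.g. `runas /trustlevel:0x20000 "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Tools\Check-Token.ps1"` (on Windows 11 add `/machine:amd64` as noted in the comments), then `runas /savecred /user:%username% "powershell ... -File C:\Tools\Check-Token.ps1"`, then `explorer.exe C:\Tools\Check-Token.ps1`. A child that is genuinely running as the original, unelevated user will report `IsAdministrator : False`, `AdministratorsDenyOnly : True` and `IntegrityLevel : Medium`, matching a console opened normally from the Start menu; a child that shows `IntegrityLevel : High` has only had its Administrators membership disabled and is not equivalent to the original user's session.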