1

I have an application that requires elevated rights (it is something like a custom installer). From within this application, I use ShellExecute() to show a PDF file. It seems as if the Adobe Reader is started with the same rights as the calling application. I would like the Adobe Reader however to be started with standard user rights and not elevated.

Is there some way I can do that? (It would be in Delphi, but for this problem the language probably doesn't matter).

David Heffernan
Markus Erlacher
  • See http://stackoverflow.com/a/6419772/203458 - while it's not an answer to that question (despite being accepted) it is the answer to yours – Kate Gregory Jun 17 '13 at 20:11

2 Answers

0

There's no really straightforward way to do this unfortunately.

One way you can do it is with Task Scheduler - you use the ITaskService interface to schedule a task to run immediately, using the non-elevated credentials of the currently logged in user.

Jonathan Potter
0

What you are trying to achieve cannot be done very easily and is not supported. However, it is possible using a modicum of hacking. Aaron Margosis wrote an article describing one technique.

To quote the pertinent section, you will need to carry out these steps:

  1. Enable the SeIncreaseQuotaPrivilege in your current token
  2. Get an HWND representing the desktop shell (GetShellWindow)
  3. Get the Process ID (PID) of the process associated with that window (GetWindowThreadProcessId)
  4. Open that process (OpenProcess)
  5. Get the access token from that process (OpenProcessToken)
  6. Make a primary token with that token (DuplicateTokenEx)
  7. Start the new process with that primary token (CreateProcessWithTokenW)

The article contains a download link for some demo C++ source from which it should be simple enough to translate to Delphi.

David Heffernan
  • There is a simpler way - `CreateRestrictedToken()` and `CreateProcessAsUser()`. See http://msdn.microsoft.com/en-us/library/windows/desktop/aa379316.aspx for more details. – Remy Lebeau Jun 17 '13 at 22:08
  • @Remy Not sure that is simpler. You have to hard code which privs to remove. – David Heffernan Jun 18 '13 at 06:18
  • only if you want to, or you can specify the `DISABLE_MAX_PRIVILEGE` flag to disable most privileges. – Remy Lebeau Jun 18 '13 at 15:58
  • In any case, it looks like `CreateProcessWithTokenW()` is the way to go: http://blogs.msdn.com/b/winsdk/archive/2013/06/18/launching-a-process-as-a-normal-user-from-an-elevated-user.aspx – Remy Lebeau Jun 18 '13 at 16:06
  • [How can I launch an unelevated process from my elevated process and vice versa?](https://blogs.msdn.microsoft.com/oldnewthing/20131118-00/?p=2643) – Remy Lebeau May 02 '18 at 17:25
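
The seven steps quoted in the second answer, written out in Delphi as an added example; it is not code from the posts or from the linked article. `RunAsShellUser` and the program name are hypothetical, a Unicode Delphi (2009 or later) is assumed, and `GetShellWindow`, `CreateProcessWithTokenW` and `TOKEN_ADJUST_SESSIONID` are declared locally in case the Windows unit lacks them.

```delphi
program RunUnelevated;
{$APPTYPE CONSOLE}
uses Windows; // Winapi.Windows in XE2 and later
const TOKEN_ADJUST_SESSIONID = $0100; // redeclared in case the Windows unit lacks it
function GetShellWindow: HWND; stdcall; external 'user32.dll';
function CreateProcessWithTokenW(hToken: THandle; dwLogonFlags: DWORD;
  lpApplicationName, lpCommandLine: PWideChar; dwCreationFlags: DWORD;
  lpEnvironment: Pointer; lpCurrentDirectory: PWideChar;
  const lpStartupInfo: TStartupInfoW;
  var lpProcessInformation: TProcessInformation): BOOL; stdcall; external 'advapi32.dll';

// Hypothetical helper: starts CmdLine under the desktop shell's unelevated token.
function RunAsShellUser(CmdLine: WideString): Boolean;
var
  hSelf, hProc, hShellTok, hPrimary: THandle;
  TP, Prev: TTokenPrivileges;
  Len, Pid: DWORD;
  SI: TStartupInfoW;
  ProcInfo: TProcessInformation;
begin
  Result := False; hSelf := 0; hProc := 0; hShellTok := 0; hPrimary := 0; Pid := 0;
  try
    // Step 1: enable SeIncreaseQuotaPrivilege in our own (elevated) token
    if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hSelf) then Exit;
    TP.PrivilegeCount := 1; TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    if not LookupPrivilegeValue(nil, 'SeIncreaseQuotaPrivilege', TP.Privileges[0].Luid) then Exit;
    // The call can return True without enabling anything, so check the last error as well
    if not AdjustTokenPrivileges(hSelf, False, TP, SizeOf(Prev), Prev, Len)
      or (GetLastError <> ERROR_SUCCESS) then Exit;
    GetWindowThreadProcessId(GetShellWindow, @Pid);  // steps 2-3; Pid stays 0 without a shell
    if Pid = 0 then Exit;
    hProc := OpenProcess(PROCESS_QUERY_INFORMATION, False, Pid);  // step 4
    if (hProc = 0) or not OpenProcessToken(hProc, TOKEN_DUPLICATE, hShellTok) then Exit;  // step 5
    if not DuplicateTokenEx(hShellTok, TOKEN_QUERY or TOKEN_ASSIGN_PRIMARY or TOKEN_DUPLICATE
      or TOKEN_ADJUST_DEFAULT or TOKEN_ADJUST_SESSIONID, nil, SecurityImpersonation,
      TokenPrimary, hPrimary) then Exit;  // step 6
    ZeroMemory(@SI, SizeOf(SI)); SI.cb := SizeOf(SI);
    Result := CreateProcessWithTokenW(hPrimary, 0, nil, PWideChar(CmdLine), 0, nil, nil, SI, ProcInfo);  // step 7
    if Result then begin CloseHandle(ProcInfo.hThread); CloseHandle(ProcInfo.hProcess); end;
  finally
    if hPrimary <> 0 then CloseHandle(hPrimary);
    if hShellTok <> 0 then CloseHandle(hShellTok);
    if hProc <> 0 then CloseHandle(hProc);
    if hSelf <> 0 then CloseHandle(hSelf);
  end;
end;

begin
  if (ParamCount < 1) or not RunAsShellUser(ParamStr(1)) then Halt(1);
end.
```

The new process runs as whoever owns the desktop shell. If elevation was granted with another account's credentials, that is the logged-on desktop user, not the account the elevated program runs under.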