15

Maybe there is a way to do it with Start-Process cmdlet that I cannot find? The other related Q/A's I found on StackOverflow such as this, this and this all give a solution to do this with a custom C# code. My question is specifically, is there any straightforward way to do this in PowerShell? i.e. you are in an elevated PS console and want to run a process as non-admin.

Community
orad
  • That's unusually advanced functionality, PowerShell may not be an appropriate choice. – Harry Johnston Apr 11 '15 at 04:35
  • 1
    Related: https://stackoverflow.com/questions/20218076/batch-file-drop-elevated-privileges-run-a-command-as-original-user – CJBS May 16 '19 at 23:17

4 Answers

16

You can specify the TrustLevel with runas.exe, effectively running "restricted"

runas /trustlevel:0x20000 "powershell.exe -command 'whoami /groups |clip'"

You should see in the output from whoami that the Administrators group in your token is marked as "Used for Deny only"



Mathias R. Jessen
  • `0x20000` leaves the account's "High Mandatory Level" label enabled. With `0x1000` only "Everyone", "Users", and "Authenticated Users" are enabled. `/showtrustlevels` doesn't even list this level. Is this documented anywhere? It isn't mentioned in the following article, which does mention `0x20000`: [New ACLs Improve Security in Windows Vista](https://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx). – Eryk Sun Apr 11 '15 at 09:40
  • @eryksun my mistake, trustlevel != integrity level. From the article: "As a point of interest, trustlevel 0x20000 gives you a token with the normal set of SIDs but stripped privileges" – Mathias R. Jessen Apr 11 '15 at 11:19
  • I read the article. I was asking about `0x1000`, which as I mentioned sets all groups to deny (including the integrity label) except for the groups "Everyone", "Users", and "Authenticated Users". I only found this by experimenting. It doesn't appear to be documented anywhere. – Eryk Sun Apr 11 '15 at 11:44
  • Interesting, I get a `The application was unable to start correctly (0xc0000142)` whenever I try to launch anything with `/trustlevel:0x1000` on Windows 7 SP1, no matter the trustlevel of the calling process. What version of Windows did you succeed with this on? – Mathias R. Jessen Apr 11 '15 at 11:49
  • I'm using Windows 7, but my shell is running in session 0. It won't work on an interactive desktop. – Eryk Sun Apr 11 '15 at 13:07
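A way to check the result described in the answer and comments above, as an added example that is not part of the original posts: the function below reads `whoami /groups /fo csv` output and reports the state of the Administrators group (SID `S-1-5-32-544`) and the integrity label of the token. The function name and the sample lines are constructed for illustration, and the attribute matching assumes English-language `whoami` output.

```powershell
# Added example (not from the original answer): summarize whether a token is
# elevated, using the output of `whoami /groups /fo csv`.
# Assumption: attribute text is English; columns are addressed by position.
function Get-TokenElevationSummary {
    param(
        # One CSV line per array element, header line first.
        [string[]]$WhoamiCsv = (whoami /groups /fo csv)
    )
    # Well-known integrity-level SIDs.
    $integrityLevels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    # Skip the (localized) header and name the columns ourselves.
    $rows = $WhoamiCsv | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $label  = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    $adminState = 'Unknown'
    if (-not $admins) {
        $adminState = 'NotPresent'
    } elseif ($admins.Attributes -match 'deny only') {
        $adminState = 'DenyOnly'      # group can only match deny ACEs
    } elseif ($admins.Attributes -match 'Enabled group') {
        $adminState = 'Enabled'       # full administrator token
    }

    [pscustomobject]@{
        AdministratorsGroup = $adminState
        IntegritySid        = if ($label) { $label.SID } else { $null }
        IntegrityLevel      = if ($label) { $integrityLevels[$label.SID] } else { 'Unknown' }
    }
}

# Constructed sample lines, modeled on what the answer and the first comment describe.
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'@ -split "\r?\n"

Get-TokenElevationSummary -WhoamiCsv $sample   # parse the constructed sample
Get-TokenElevationSummary                      # inspect the current process token
```

Running the function with no arguments inside the newly launched process shows both values at once, which separates the group state from the integrity label that the comments discuss.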
4

When you dig into this problem, as mentioned by the linked tasks, there is no way to run a UAC "non" elevated process from an elevated process. Since this is exactly what I required and the runas solution didn't work for me, I converted the code workaround supplied by Microsoft to use a scheduled task to start a "non" elevated process.

Example of running powershell.exe as a "non" elevated process from an elevated PowerShell prompt:

$apppath = "powershell.exe"
$taskname = "Launch $apppath"
$action = New-ScheduledTaskAction -Execute $apppath
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskname | Out-Null
Start-ScheduledTask -TaskName $taskname
Start-Sleep -s 1
Unregister-ScheduledTask -TaskName $taskname -Confirm:$false

The above PowerShell commands only work on Windows Server 2012 / Windows 8 and greater.

Or you can use the SCHTASKS.EXE application instead to cover most versions of Windows:

$apppath = "powershell.exe"
$taskname = "Launch $apppath"
schtasks /create /SC ONCE /ST 23:59 /TN $taskname /TR $apppath
schtasks /run /tn $taskname
Start-Sleep -s 1
schtasks /delete /tn $taskname /F
Vimes
Shane Powell
  • This approach is apparently more thorough (doesn't interfere with my screenshot app's shortcuts, when the new window has focus). – Vimes Apr 04 '17 at 15:41
  • To run task on battery power, I added a Register-ScheduledTask argument: `-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries)` – Vimes Sep 15 '17 at 16:48
0

Another, limited, way: Make Windows Explorer launch it for you

PS C:\> explorer.exe "C:\windows\system32\cmd.exe"

Just use the full path and extension. But it does NOT accept parameters.

I tried creating a batch file. But explorer refuses to launch .BAT or .CMD.

Gerardo Grignoli
-6

In Start-Process there is a RunAs verb, like:

start-process powershell -verb runAs

But UAC still checks you if UAC is on in your system; you should first bypass UAC. There are many ways to bypass UAC, but not all of them work on all Windows versions, such as Windows 8. If you write a script to run a process and then compile it to an exe, you can use a program like runasadmin to run your exe as admin on the system, but it still does not work on Windows 8.

old boy
  • 3
    This appears to be the exact opposite of the question's desired answer. Per the Help for `Start-Process` "The RunAs verb starts the process with permissions of a member of the Administrators group on the computer. This is the same as starting Windows PowerShell with the "Run as administrator" option." – Booga Roo Apr 10 '15 at 23:53