0

I'm trying to test a batch file that should test for administrator privileges, but I have the weird problem that I can't run it without administrator privileges.

net session >nul 2>&1
if %errorLevel% == 0 (
    rem do whatever...

Sure, I can just create another user account and run it from there, but that's a bit much effort just for one little test.

The script example above may not exactly be what I wanted because I need a general solution, for example to test if an installer can run without admin rights.

Is there an easier way? A command line argument for running something without administrator privileges maybe?

BTW, I disabled UAC if that makes any difference.

Compo
  • 30,301
  • 4
  • 20
  • 32
Fabian Röling
  • 871
  • 1
  • 9
  • 26
  • …and you figured that not providing the batch file or your method of running it was the best way to get a solution, did you? – Compo Apr 18 '17 at 18:18
  • 1
    Sounds like you have either disabled UAC or are logged in to the built-in Administrator account. You can create a user account fairly quickly and easily using `net user testaccount password /add` and test your batch file using `runas /user:testaccount cmd`. – Harry Johnston Apr 18 '17 at 21:11
  • The script is net session >nul 2>&1 \n if %errorLevel% == 0 ( But I wanted a general solution also. For example to test if an installer can run without admin rights. – Fabian Röling Apr 19 '17 at 05:37
  • Yes, I disabled UAC, that's true. I'll try your commands in ~12 hours, @Harry Johnston. – Fabian Röling Apr 19 '17 at 05:38
  • @Compo Thank you for your change, that's exactly how I would word it. – Fabian Röling Apr 19 '17 at 11:44
  • Thank you, @HarryJohnston, that works, too. It's not really the solution I asked for, but it avoids the hassle of creating a new account through the system settings and switching accounts. – Fabian Röling Apr 19 '17 at 18:38

1 Answers1

3

You can try with 

runas /trustlevel:0x20000 "cmd.exe /c ....."

use runas /showtrustlevels to see the available levels

MC ND
  • 65,671
  • 6
  • 67
  • 106
  • 2
    Be aware that this generates a non-standard token, one with [unusual properties](http://stackoverflow.com/a/30970434/886887). Probably not the best context for testing. – Harry Johnston Apr 18 '17 at 21:08
  • @HarryJohnston, Thank you, I didn't saw it. I tried in windows 10 from the restricted console and while `whoami /all` reports group membership, it also reports the only active right is `SeChangeNotifyPrivilege`. File system operations and usual admin operations were restricted. Probably (?) , for a *"little test"* as indicated it is enough. – MC ND Apr 18 '17 at 21:36
  • I've now confirmed that the same issue occurs when using `runas` in Windows 10. You can see it via `whoami /groups`, the last line is usually the mandatory label and if it says "High Mandatory Level" you still have some elevated rights - specifically, you can interact with elevated GUI applications in ways that are normally forbidden to non-elevated processes. I think that's it, though, and it probably isn't relevant to what the OP is doing. – Harry Johnston Apr 21 '17 at 01:15