_RunWithReducedPrivileges

[Ascend4nt]

_RunWithReducedPrivileges

An odd thing about Vista+ O/S's is that, once you run a process in elevated privileges mode, you can't run other processes in lower-privileged modes.

Why, you ask, would that be important?

Sometimes you want - or need - to limit the privileges of a process:

• A very common scenario for me is drag-and-drop.

  Windows' Explorer does NOT allow this to occur between lower privileged processes (like Explorer itself!) and other processes. This is very frustrating for users in programs that take advantage of that.

• There's also some problems using certain SendMessage commands from other unelevated processes.
• Setting the state or properties of windows that have an elevated privilege may not work either from other unelevated processes..
• An install or setup program that needs to launch the installed program will more often than not want to run that program on a lower privilege level (for some of the reasons mentioned above)

So, after some looking around I found a way of running processes under a lower privilege mode.Check Elmue's comment 'Here the cleaned and bugfixed code' on this CodeProject page to see where my code was ported from:

'Creating a process with Medium Integration Level from the process with High Integration Level in Vista'

The usage is straightforward for this one: use it like Run/RunWait, but with the command-line as the 2nd parameter. [i.e. _RunWithReducedPrivileges(@ComSpec,' /k title Non-Admin prompt') ]

Anyway, hope this helps someone out!

Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

• If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
• If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
• The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
• Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.

Download the ZIP from my site

Edited September 14, 2011 by Ascend4nt

[martin]

Although I have found links to this thread and I think many people use this, I am surprised there have been no replies here before now.

Thanks a lot for this Ascendant.

 

As you say, it is useful for installers which I prefer to write myself. An installer needs Admin privileges but that means that it will not write to the correct HKCU registry area, and if it starts the application, which is a natural thing someone installing will want to do, then the registry settings written by the installed program will be not to the user HKCU but to the Admin's HKCU and so be 'missing' the next time the program is started normally. Also, any files created by the program, and folders created by the program will be denied access the next time the program is run unless the data is written to somewhere like public documents. SInce many, including me, would expect that data could be stored in ProgramData, then running the installed program from the installer will result in access to data and folders being denied in future instances.

_RunWithReducedPrivileges solves all these problems and makes it relatively easy to produce a fully featured installer.