Sign in to follow this  
Followers 0
Ascend4nt

_ShellExecuteWithReducedPrivileges

1 post in this topic

#1 ·  Posted (edited)

_ShellExecuteWithReducedPrivileges

An odd thing about Vista+ O/S's is that, once you run a process in elevated privileges mode, you can't run other processes in lower-privileged modes.

Why, you ask, would that be important?

Sometimes you want - or need - to limit the privileges of a process:

  • A very common scenario for me is drag-and-drop.

    Windows' Explorer does NOT allow this to occur between lower privileged processes (like Explorer itself!) and other processes. This is very frustrating for users in programs that take advantage of that.

  • There's also some problems using certain SendMessage commands from other unelevated processes.
  • Setting the state or properties of windows that have an elevated privilege may not work either from other unelevated processes.
  • An install or setup program that needs to launch the installed program will more often than not want to run that program on a lower privilege level (for some of the reasons mentioned above)
So, after some looking around I found two ways of running processes under a lower privilege mode. One is using CreateProcessWithTokenW (see ), and the other is using COM objects - specifically Windows Explorer's SHELL object to ShellExecute a command/program. This can be used just like AutoIt's built-in ShellExecute() function, but of course the program that runs will be at a reduced IL (integrity level).

The code is based on Brandon @ BrandonLive's article here:

'Getting the shell to run an application for you - Part 2:How | BrandonLive'

The usage is straightforward for this one: use it like ShellExecute. The $bWait parameter is only there in case ShellExecuteWait() will be called for either non-elevated processes or pre-Vista O/S's. Example:

_ShellExecuteWithReducedPrivileges(@ComSpec,' /k title Non-Elevated prompt (via Shell.ShellExecute)')

Anyway, hope this helps someone out!

Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

  • If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
  • If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
  • The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
  • Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.

Download the ZIP from my Site

Edited by Ascend4nt
1 person likes this

Share this post


Link to post
Share on other sites



Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • tcurran
      By tcurran
      Here's a short UDF that will, at least in most cases, detect whether a window can be copied from or pasted to programmatically--for example, by Send()ing ctl-c, ctl-v. This is often disabled when programs (like your AutoIt script) run at a lower UAC integrity level than the application they are trying to operate on.
      #include <WinAPI.au3> Func _WindowIsPasteable($handle) ;accepts window handle; returns true or false whether a window will accept Ctl-C, Ctl-V Local $bCanPaste = True Local $hTestWindowPID = 0 Local $hTestWindowTID = _WinAPI_GetWindowThreadProcessId($handle, $hTestWindowPID) _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId(), $hTestWindowTID, True);attach to window we want to paste into $bCanPaste = _WinAPI_GetFocus() ;Test whether window is paste-able--returns False if it is not _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId, $hTestWindowTID, False);detach from window thread Return $bCanPaste EndFunc Pass it a window handle; it returns true or false whether a window will accept programmatic pasting. The function may not work on the CMD window, since it handles the clipboard uniquely.
      This function works by attaching to the program thread of the window whose handle it receives, then attempting to perform a GetFocus on that thread. In most cases, the attempt will fail if the window will not accept programmatic copy-paste.
    • zetaimmersion
      By zetaimmersion
      Hi all. 
      I am trying to do 2 things but i cannot seem to get any traction on how to read/implement this idea.
      Premise: PowerPoint file in C\temp\presentation.pptx that contains on the first slide 2 entries as "<one>" and "<two>" which need to be replaced with "user1" and "user2", then a silent Outlook send mail containing the file with a predefined body and subject.
      I narrowed it down to COM objects as the Office does not like intrusive open AutoIt functions. I installed OLE/COM Object Viewer to understand how to create the commands but i am still stuck. So far i am trying to user water's code but i suck
      COM object i was originally trying to modify
      Dim $oPPT, $oPres $oPPT = ObjCreate("PowerPoint.Application") $oPPT.Visible = True $oPres = $oPPT.Presentations.Read Water's code below (0.1% modified)
      #include <File.au3> #include "PowerPoint.au3" #include <misc.au3> Global $sFile = "C:\temp\presentation.pptx" Global $sString2Search = "<username>", $sString2Replace = "Password", $iReplaceOnce = 1, $sFullLogFile = "C:\temp\pptxlog.txt" _ProcessPpt($sFile) Func _ProcessPpt($sFile) $oApp = _PPT_PowerPointApp() Local $bChange = False Local $oInterface = $oApp.Presentations Local $oPresentation = $oInterface.Open($sFile, False, False, False) If @error Then _FileWriteLog($sFullLogFile, "E Error " & @error & " opening File " & $sFile) Return SetError(1, 0, 0) EndIf ;it does not even open my file and from here not sure how to read the text and replace it EndFunc ;==>_ProcessPpt  
    • YellowLab
      By YellowLab
      I am having a very unique, but repeatable problem with ImageMagick COM interface. Here are the applicable lines of code:
      $oIM=ObjCreate("ImageMagickObject.MagickImage.1")
      and then later on...
      $oIM.Convert(String($arFileList[$nFileIndex])&'[0]',"-alpha", "remove",@TempDir&"\temp.jpg")
      the array points to a pdf file with the "convert" command converting the first page of the pdf to a jpg with any alpha layer removed.
      Every time, without fail, the first time I run the script on a freshly booted machine it crashes on the $oIM.Convert command. It does this if it isn't compiled and says there is an error executing the command on the object. If compiled, i get an error that autoit has stopped responding. Anytime I run the script, compiled or not, after this initial crash everything works perfectly fine.
      I am totally at a loss as to why this is occurring and how to correct it.
    • Javik
      By Javik
      Is there a way to read data directly from the Windows Component Object Model (COM) interface?
      I am trying to make a really simple disk space reporter tool for accounts on an Active Directory domain, to read the disk quota limit for the logged on user's home directory, and report how much disk space they are currently using.
      ,
      MSDN:  IDiskQuotaUser interface
      https://msdn.microsoft.com/en-us/library/windows/desktop/aa365033(v=vs.85).aspx
      GetQuotaLimit
      GetQuotaUsed
       
       
    • WoodGrain
      By WoodGrain
      Hi All,
      I've coded the small script below, but it can't seem to get the instance of Windows Media player as it keeps going to @error, I've not used com objects before so any assistance would be appreciate. I already have WMP open and minimised. I retrieved "WMPlayerApp" from the AutoIT info tool, I've included a copy below.
      I'm using these sources:
      https://msdn.microsoft.com/en-us/library/dd564085.aspx
      https://msdn.microsoft.com/en-us/library/dd564018.aspx
      $oWMP = ObjGet("", "WMPlayerApp") If @error Then MsgBox(0, "Can't get WMP", "Couldn't connect to the WMP instance") Exit EndIf $wmpPlayState = $oWMP.playState MsgBox(0, "Play State", $wmpPlayState) $wmpSongName = $oWMP.currentMedia.name MsgBox(0, "Play State", $wmpSongName) I've also seen references to the below, but I want to get an existing open WMP:
      ObjCreate("wmplayer.OCX") and have looked at the WMP.udf but can't see how it will do either of the functions I've coded above.