unelevate possibility?

Jun 3, 2008
132
3
Temecula, CA
If I'm running a tcc window that is elevated with full admin privileges, and want to execute a command that's "unelevated" (doesn't have the full admin privileges), how might I do that? I know how START /ELEVATED can run a command at the elevated level from an unelevated window, but I'd like to do the opposite. Is this possible?

Environment: Windows 10, TCC v16.03. (Yeah, I know, it's quite old...)
 

samintz

Scott Mintz
May 20, 2008
1,511
18
Solon, OH, USA
You could use the RUNAS command with the /trustlevel switch.
Code:
RUNAS /trustlevel:<TrustLevel> program

RUNAS /showtrustlevels

RUNAS /trustlevel:0x20000 cmd.exe
 
Jun 3, 2008
132
3
Temecula, CA
> You could use the RUNAS command with the /trustlevel switch.
> Code:
> RUNAS /trustlevel:<TrustLevel> program
>
> RUNAS /showtrustlevels
>
> RUNAS /trustlevel:0x20000 cmd.exe

Thank you, Scott, that does seem to solve the problem. Since I'm not really very familiar with the Windows security trustlevels, I executed the command from an elevated tcc window and a non-elevated one. Both returned only that 0x20000 value. Is that expected?
 
May 20, 2008
11,529
102
Syracuse, NY, USA
Hmmm! I tried RUNAS with trustlevel 0x20000 from an elevated TCC and in the new process _ELEVATED was 1.

[Attached image: 1631222189673.png]
 
Jun 3, 2008
132
3
Temecula, CA
That environment variable is great! I didn't find it in the TCC documentation. I guess I just didn't look in the right way, because it's definitely there. Well that eliminates using a 'net session' hack.

Code:
net session >nul 2>&1
if %errorLevel% == 0 (
    rem Administrative permissions confirmed.
) else (
    rem Administrative permissions not present.
)


Well, Vince, I get a different result (where the top tcc box is elevated):

[Attachment 3469]
 
Jun 3, 2008
132
3
Temecula, CA
Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

(It's been a long time since I needed to come back to this group, but it's nice to see a bunch of the long-time [notice I didn't call any of us old-timers] still using this great tool and contributing!)
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
4,491
90
Albuquerque, NM
prospero.unm.edu
> Thanks, Charles, but I'm not looking to write C# (or is it C++) code. Just keeping within the BTM code line. And I do understand the complications that the referenced author is talking about.

No, that would not be useful in a batch file. I threw it out there mostly in case anybody was thinking about adding this feature via a plugin.
 
May 20, 2008
11,529
102
Syracuse, NY, USA
> Well, Vince, I get a different result (where the top tcc box is elevated):

I'm glad it's working for you.

Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).
 
Sep 9, 2021
2
1
Hi.

You can use gsudo to elevate or unelevate from the command line.
To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'

github.com/gerardog/gsudo
 
Jun 3, 2008
132
3
Temecula, CA
> I'm glad it's working for you.
>
> Are you an ordinary user (i.e., not a member of the admin group)? Maybe that's the difference between your result and mine. I am a member of the admin group (but I don't get anything elevated by default because of UAC).

My account is a domain account that is a member of the Administrators group.

I normally start up TCC from a shortcut that has the Run As Administrator property set, so that's how it has its elevated status. I am trying to have this TCC window also execute a command while not being elevated. That's what started all of this. It seems that the runas may do what I need, but I've yet to test it.
 
Jun 3, 2008
132
3
Temecula, CA
> Hi.
>
> You can use gsudo to elevate or unelevate from the command line.
> To unelevate use `gsudo -i Medium {command} [args]` like 'gsudo -i Medium notepad'
>
> github.com/gerardog/gsudo

Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?
 
Sep 9, 2021
2
1
> Thank you for the tip. So does the 'Medium' setting equate to what would happen if one just starts up tcc from explorer, without any RunAs setting?

Yes, -i allows you to specify an integrity level, as defined by Windows UIPI. When UAC is enabled, all normal (non-elevated) processes run as medium integrity, while elevated processes run as High. With this argument, gsudo ensures no admin rights are given to the child process.
 
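Added example, not part of the thread: a batch check to run in both the elevated window and the child started with RUNAS /trustlevel:0x20000 or gsudo -i Medium, to confirm what the child's token actually holds. It is written in CMD batch syntax (running it unchanged in TCC is an assumption), and the deny-only match assumes English whoami output.

```batch
@echo off
rem Added example, not from the thread. CMD batch syntax; TCC compatibility is assumed.
rem Reports the integrity level and Administrators-group state of the current
rem process token, so you can confirm that a child started with
rem RUNAS /trustlevel:0x20000 or "gsudo -i Medium" really lost admin rights.
setlocal

rem Integrity level: match the well-known mandatory-label SIDs, which are
rem the same on every locale (the label names are translated, the SIDs are not).
set LEVEL=Unknown
whoami /groups /fo csv /nh | findstr /c:"S-1-16-4096" >nul && set LEVEL=Low
whoami /groups /fo csv /nh | findstr /c:"S-1-16-8192" >nul && set LEVEL=Medium
whoami /groups /fo csv /nh | findstr /c:"S-1-16-12288" >nul && set LEVEL=High
whoami /groups /fo csv /nh | findstr /c:"S-1-16-16384" >nul && set LEVEL=System

rem BUILTIN\Administrators (S-1-5-32-544): absent, enabled, or deny-only.
rem A UAC-filtered token keeps the group but marks it deny-only.
rem Assumption: en-US whoami attribute text "Group used for deny only".
set ADMINS=absent
whoami /groups /fo csv /nh | findstr /c:"S-1-5-32-544" >nul && set ADMINS=enabled
whoami /groups /fo csv /nh | findstr /c:"S-1-5-32-544" | findstr /i /c:"deny only" >nul && set ADMINS=deny-only

echo Integrity level      : %LEVEL%
echo Administrators group : %ADMINS%

rem Exit code for callers: 0 = no admin rights, 1 = admin rights still present.
set RC=0
if "%LEVEL%"=="High" set RC=1
if "%LEVEL%"=="System" set RC=1
if "%ADMINS%"=="enabled" set RC=1
endlocal & exit /b %RC%
```

A child that reports Medium with the Administrators group deny-only or absent matches what starting TCC from Explorer would give; High, or an enabled Administrators group, means the launch method did not drop the admin rights.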