12Ghosts™ RunAsStdUser

Run programs non-elevated after your setup

Evaluation is free.

What does it do for me?

Start programs at the end of your setup un-elevated. Setup programs usually run with full administrator rights (elevated) to be able to write to Program Files. Programs started from setup would also run elevated. This is not a good idea, since it is YOUR program that undermines the security of the system.

This tool starts a program with the (low) rights of the currently logged on user, un-elevated. You can pass a program path and command line parameters.

Does not depend on Windows task scheduler to be running, and does not depend on explorer.exe to be running un-elevated.

Does not show a dialog box or anything else on the screen. Does not leave tracks behind, no temp files, no registry keys.

How we did it

This program creates its own service. The service starts the application un-elevated in the context of the currently logged-on user. All profile settings are available (including the users' desktop).

Just use our program in your installation! All you need to do is call 12runas.exe with the application path as parameter. No API, no parameters. For example:

ShellExecute(NULL, NULL, "<path>\12runas.exe", "<path to your program> <optional params>", NULL, SW_SHOWNORMAL);

See C/C++ sample code here.

What we don't do

Bootstraping

Start a pre-setup program, non-elevated, then start the real setup program but keep the first program running. When the real setup has finished, the first, non-elevated module starts the application.

May NOT work if the first program is re-named to something with "setup" in the name. Also, the heuristics of Windows, that determine which program needs elevation, may come to the wrong conclusion, so the first program is elevated automatically. Doesn't work either if the user starts the first program with "Run as Administrator".

Inject a DLL into Explorer

Hook the message proc of explorer.exe. A DLL is loaded into Explorer, which hopefully (!) is not elevated. Send a message to Explorer, intercept that in the DLL, then start the application.

May NOT work if Explorer is elevated. Usually it is not, however, it may be started elevated - even without the user being aware of it. For example, if TaskMgr is set to "Show processes for all users" it actually runs elevated. If a user doesn't shut down his computer but only sends it to sleep, this could have been running in elevated mode for weeks. Eventually, Explorer crashes so you call up TaskMgr and run explorer.exe from File -> New Task (Run). Since TaskMgr is elevated, so is explorer.exe. This certainly is not what you want!

Use Windows Task Scheduler

Create a new task programmatically. Task Scheduler then starts the application.

May NOT work if Task Scheduler is not installed. Also, you may need to support different versions of Task Scheduler on different Windows versions.

Get the LUA token of the currently logged on user

Great idea, just doesn't work because the Least-Privilege User Account (LUA) token is not passed to the elevated program.

Conclusion

The only viable solution we have found is to write a service, figure out how to pass parameters to the service, successfully impersonate the currently logged on user, and get it all up and running. You may just use our well-tested tool. Licensing is simple and absolutely affordable.

FAQ

Which files do I need to include in my setup?

Only 12runas.exe and 12srvc.exe.

How do I use 12-RunAs?

Just start 12runas.exe with the path to your program as the parameter. (Sample code).

C++ Code:

ShellExecute(NULL, NULL, "<path>\12runas.exe", "<path to your program>", NULL, SW_SHOWNORMAL);

VB Code:

ID = Shell("""<path>\12runas.exe"" <path to your program>", , True, 100000)

How do I send parameters to the started program?

Enclose the path in double-quotation marks and add any parameters after the path. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "\"<path to your program>\" <parameters>", NULL, SW_SHOWNORMAL);

Can I start more than one program?

If you are going to start more programs, you can speed things up. Tell 12-RunAs to keep its service running with the parameter /keeprunas. Otherwise the service is stopped and deleted after the call (so that no tracks are left behind). Make sure to add /keeprunas before the quoted path and other parameters. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "/keeprunas \"<path to your program>\"", NULL, SW_SHOWNORMAL);

How do I stop 12-RunAsStdUser if I had used /keeprun?

Start 12-RunAs with the parameter /stoprunas. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "/stoprunas", NULL, SW_SHOWNORMAL);

What if my program is not elevated?

If 12-RunAs is started non-elevated it launches the program directly, also un-elevated.

Does the 12Ghosts setup and 12-SetupSFX use this, too?

Yep, you bet. 12Ghosts setup does exactly the same. 12-SetupSFX has/will have an option to include 12-RunAs.