12Ghosts Inc.

12Ghosts Power Tools for Windows

Security   SysTools   Automation   Files & More
       
  Wash  Shredder  StartupGuard     
         
Tweak  Quick  NotePad       
         
      Sync  ShowTime  Timer       
       
Backup  Replace  FileDate       
       
SetupSFX  Silencer  RunAsStdUser  ChooseColor   
 

12Ghosts RunAsStdUser

Run programs non-elevated after your setup

Evaluation is free.

Include this with your installation!

 

What does it do for me?

Start programs at the end of your setup un-elevated. Setup programs usually run with full administrator rights (elevated) to be able to write to Program Files. Programs started from setup would also run elevated. This is not a good idea, since it is your program that undermines the security of the system.

This tool starts a program with the (low) rights of the currently logged on user, un-elevated. You can pass a program path and command line parameters.

Does not depend on Windows task scheduler to be running, and does not depend on explorer.exe to be running un-elevated.

Does not show a dialog box or anything else on the screen. Does not leave tracks behind, no temp files, no registry keys. All profile settings are available (including the users' desktop).

 

Here's the Deal

Just use our program in your installation! Licensing is simple and very affordable !

All you need to do is call 12runas.exe with your application path as the parameter. No API, no libs, no headers. Example:

12runas.exe <path>\yourprogram.exe

Don't let the user run your program with full admin rights, inadvertantly! Apply this simple solution to save your users from trouble!

See C/C++ sample code here.

 

What we don't do

Bootstraping

Start a pre-setup program, non-elevated, then start the real setup program but keep the first program running. When the real setup has finished, the first, non-elevated module starts the application.

May NOT work if the first program is re-named to something with "setup" in the name. Also, the heuristics of Windows, that determine which program needs elevation, may come to the wrong conclusion, so the first program is elevated automatically. Doesn't work either if the user starts the first program with "Run as Administrator".

Inject a DLL into Explorer

Hook the message proc of explorer.exe. A DLL is loaded into Explorer, which hopefully (!) is not elevated. Send a message to Explorer, intercept that in the DLL, then start the application.

May NOT work if Explorer is elevated. Usually it is not, however, it may be started elevated - even without the user being aware of it. For example, if TaskMgr is set to "Show processes for all users" it actually runs elevated. If a user doesn't shut down his computer but only sends it to sleep, this could have been running in elevated mode for weeks. Eventually, Explorer crashes so you call up TaskMgr and run explorer.exe from File -> New Task (Run). Since TaskMgr is elevated, so is explorer.exe. This certainly is not what you want!

Use Windows Task Scheduler

Create a new task programmatically. Task Scheduler then starts the application.

May NOT work if Task Scheduler is not installed. Also, you may need to support different versions of Task Scheduler on different Windows versions.

Get the LUA token of the currently logged on user

Great idea, just doesn't work because the Least-Privilege User Account (LUA) token is not passed to the elevated program.

Conclusion

The only viable solution we have found is to write a service, figure out how to pass parameters to the service, successfully impersonate the currently logged on user, and get it all up and running. You may just use this well-tested tool, 12-RunAs. Simple and very affordable licensing!

 

FAQ

Which files do I need to include in my setup?

Only 12runas.exe and 12srvc.exe.

How do I use 12-RunAs?

Just start 12runas.exe with the path to your program as the parameter. (Sample code).

C++ Code:

ShellExecute(NULL, NULL, "<path>\12runas.exe", "<path to your program>", NULL, SW_SHOWNORMAL);

VB Code:

ID = Shell("""<path>\12runas.exe"" <path to your program>", , True, 100000)
How do I send parameters to the started program?

Enclose the path in double-quotation marks and add any parameters after the path. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "\"<path to your program>\" <parameters>", NULL, SW_SHOWNORMAL);
Can I start more than one program?

If you are going to start more programs, you can speed things up. Tell 12-RunAs to keep its service running with the parameter /keeprunas. Otherwise the service is stopped and deleted after the call (so that no tracks are left behind). Make sure to add  /keeprunas before the quoted path and other parameters. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "/keeprunas \"<path to your program>\"", NULL, SW_SHOWNORMAL);
How do I stop 12-RunAsStdUser if I had used /keeprun?

Start 12-RunAs with the parameter /stoprunas. (Sample code).

ShellExecute(NULL, NULL, "<path>\12runas.exe", "/stoprunas", NULL, SW_SHOWNORMAL);
What if my program is not elevated?

If 12-RunAs is started non-elevated it launches the program directly, also un-elevated.

Does the 12Ghosts setup and 12-SetupSFX use this, too?

Yep, you bet. 12Ghosts setup does exactly the same. 12-SetupSFX has/will have an option to include 12-RunAs.

 

 

 

 

Search:

 

 

 

 

 

 

 

 

12Ghosts Power Tools for Windows®

Copyright © 1993-2014 12Ghosts Inc. All rights reserved.