Author Topic: Run Windows programs without admin rights using RunWithRestrictedRights  (Read 185 times)

javajolt
Ever downloaded a new program and wondered if it's safe to run? I'm with you. One of the best options to deal with it is to run the program in a sandboxed environment, e.g. using the free Sandboxie, or a virtual machine, as it limits program access considerably.

I always wonder why an application requests elevated privileges; while it is clear for some programs, e.g. a security program or program that manages Windows features, it is not clear for others. Programs that trigger UAC prompts may not launch at all if you deny it.



What if we could force it to? That's what RunWithRestrictedRights is all about. This is a command-line tool that uses the Windows Integrity Mechanism to restrict permissions for other applications to ensure that they don't harm your computer. It is better than the PSExec tool.

When I tried to run it the first time it gave me an error which read "a required privilege is not held by the client". Fortunately the developer has mentioned what to do to resolve this. You'll need two permissions for your account. RunWithRestrictedRights requires these to manage other programs.

   1. Adjust memory quotas for a process

   2. Replace a process level token.

Microsoft has some documentation explaining the permissions. You can add the permissions from the Control Panel > Administrative Tools > Local Security Policy > User Rights Assignment. Just ensure that the "Groups" box is enabled. If not, do it manually and add the "Administrators" group to the policies. You will need to restart the computer for these changes to be applied.

Note: I only had to do this with the 2nd permission on my computer.

How to use RunWithRestrictedRights

   1. Start the command prompt with Administrator rights. This step is absolutely crucial.

   2. Next, you will need to type the following command like this: C:\RunWithRestrictedRights.exe "application"

You will need to specify the location of the folder that contains the RunWithRestrictedRights.exe. For me, it is in the H:\Downloads\ folder. You can place it wherever you want to. Replace the word "application" with the name of the program that you want to open, for example Notepad, MSPaint, etc.

So the command should look like this: H:\Downloads\RunWithRestrictedRights.exe notepad. You could add the program's path as an environment variable as well to make this more convenient.



If done correctly, the restricted program should open. You will also see a new message on the command prompt screen which reads Application "notepad" started at Medium Integrity with PID aaaa.

where aaaa = 4-digit number representing the process ID.

Let's try this with an application that is not part of the operating system and requires UAC, e.g. Kingston's SSD Manager. I used C:\Windows\system32>H:\Downloads\RunWithRestrictedRights.exe "C:\Program Files (x86)\Kingston_SSD_Manager\KSM.exe" for this.



The application opened with limited rights and more importantly, there was no UAC pop-up. You can do the same to run other programs. But if they depend on system-level resources they may not function as intended.

How do we verify that it is running with restrictions? The developer recommends using Process Explorer for this. You can do that with other process manager applications too. Just view the properties tab, and look for the flags as shown in the screenshot: BUILTIN\Administrators, Mandatory Label, and Local account and member of the Administrators group.



But wait, there's more. RunWithRestrictedRights supports a few arguments. You can use them in the following syntax: RunWithRestrictedRights.exe <application> -argument

The -w argument will launch the restricted program immediately but won't return to the Command window until the program is closed. For example: H:\Downloads\RunWithRestrictedRights.exe "notepad" -w

Want to run programs in Low Integrity? Use the -l argument. -P takes permissions granted by the Power Users group, -d <sid> denies SID permissions, and -v can be used for verbose output.

That's all there is to it, it's a fairly simple application that provides a lot of security.

RunWithRestrictedRights is a portable application. It works with Windows 7 and above (though the official page says it works on Windows XP as well). The application also supports Windows Server 2003 and newer. The program is made by Core Technologies, who also developed Service Trigger Editor which we reviewed recently.

The program has some uses; you could use it to run programs with fewer rights on the system provided that they don't need them for functionality. There is, unfortunately, no way of telling until you run it to find out.

With that said, it is usually a good idea to use a normal user account for day to day activity and an admin account only when necessary. Microsoft revealed in 2017 that users could mitigate 94% of critical Windows vulnerabilities when using non-admin accounts.

source
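
The post relies on two user rights and on checking the Mandatory Label in Process Explorer; both can also be read from the process token with the built-in whoami command. The script below is an added example, not part of the original post or of RunWithRestrictedRights, and starting a PowerShell window through the tool in order to run it there is an assumption about usage.

```powershell
# Added example: run once in the elevated prompt (prerequisite check) and once
# inside a shell started through the tool (integrity check).

# Privilege constants behind the two user rights named in the post.
$required = [ordered]@{
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# Well-known mandatory label SIDs and the integrity level each one denotes.
$labels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenPrivilege {
    # /nh drops the (localized) header row, so column names are supplied here.
    whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State
}

function Get-IntegrityLevel {
    # The mandatory label is the group entry whose SID starts with S-1-16-.
    $sid = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Group, Type, Sid, Attributes |
        Where-Object { $_.Sid -like 'S-1-16-*' } |
        Select-Object -First 1 -ExpandProperty Sid
    if ($sid -and $labels.ContainsKey($sid)) { $labels[$sid] } else { "Unknown ($sid)" }
}

# A right that is not assigned to the account does not appear in the token at all;
# "Disabled" only means it is assigned but not switched on at the moment.
$held = Get-TokenPrivilege
foreach ($name in $required.Keys) {
    $row = $held | Where-Object { $_.Name -eq $name }
    $status = if ($row) { "present ($($row.State))" } else { 'MISSING from token' }
    '{0,-30} {1,-36} {2}' -f $name, $required[$name], $status
}

"Integrity level of this process: $(Get-IntegrityLevel)"
```

In an elevated prompt the last line reports High; in a shell launched through the tool it should report Medium, or Low when -l is used.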