Start process as limited user from elevated script


Problem description


I have an elevated console running some bat files. Having this console running in elevated mode is mandatory for it to be able to perform some tasks like managing network shares, etc without asking for permissions. But sometimes the scripts also have to launch some applications which are not desired to run elevated. So we want our elevated bats to start some application in non-elevated mode. Is there any built-in way to do this on Windows? Processes were started with DOS command START up to the date.

By the way, the machine is a Windows 7 Ultimate Edition x64.

I know this issue is already discussed programmatically in many questions (this collects many of them), but our requirements are bat scripts running on cmd, and any standalone executable that may help in our tasks, like nircmd, 7z, etc.

Clarification: we already have a scheduled task which starts the console elevated, and elevating the console is not the issue of this answer.

Solution

The built-in Windows way: START RUNAS ... allows you to run a process as limited user. Here's an example:

runas /trustlevel:0x20000 cmd.exe

Anyway, there are some internal differences between the execution permissions on a process executed that way and another started from the UI with UAC enabled (explorer.exe via normal user interaction, I mean, execution from file browser or from start menu).

  • On the process started via runas (right) we miss some permissions disabled:
  • On the process started via runas (right) Administrators have some permissions set over the process:

The Third-Party application way: we can achieve our goal using PSExec, a standalone executable we can find on PSTools from Windows Sysinternals. Here's an example:

psexec -l -d cmd.exe

I've looked very deep into the issue and I've noticed no difference in any of the running permissions or security flags.

From the Microsoft Technet blogs:

PsExec uses the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token.

These are the best conclusions I've managed to get after many hours of research; anyone who can provide further details will be welcome.
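
An added example, not part of the original answer: a batch script for the elevated console that starts a child with the runas /trustlevel:0x20000 command shown above and compares the parent's and the child's whoami /groups output, so the token differences the answer mentions can be checked directly. The report file name is hypothetical, the child is assumed to be able to write to %TEMP%, and the "deny only" match assumes English-language whoami output.

```batch
@echo off
rem Added example, not from the original answer. Run it from the elevated console.
rem Assumptions: REPORT is a hypothetical file name; the child can write to %TEMP%.
setlocal
set "REPORT=%TEMP%\child_token_%RANDOM%.txt"
set "RC=0"
rem Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
rem S-1-16-* = integrity label (8192 = Medium, 12288 = High).
set "SIDS=S-1-5-32-544 S-1-16-"

echo === Parent token (this console) ===
whoami /groups | findstr /l "%SIDS%"

rem Start the child as the answer does, but make it dump its own token.
rem runas expects quotes embedded in the command to be written as \" .
runas /trustlevel:0x20000 "cmd.exe /c whoami /groups > \"%REPORT%\""

rem runas does not wait for the child, so poll for the report (about 10 s).
set /a TRIES=0
:wait
if exist "%REPORT%" goto show
set /a TRIES+=1
if %TRIES% geq 10 goto failed
ping -n 2 127.0.0.1 >nul
goto wait

:show
rem Give whoami a moment to finish writing before the file is read.
ping -n 2 127.0.0.1 >nul
echo === Child token (runas /trustlevel:0x20000) ===
findstr /l "%SIDS%" "%REPORT%"

rem Warn if Administrators is present in the child as anything but deny-only.
rem (The attribute text is assumed to be English: "Group used for deny only".)
findstr /l "S-1-5-32-544" "%REPORT%" | findstr /v /i /c:"deny only" >nul
if not errorlevel 1 (
  echo WARNING: the child still holds Administrators as an enabled group.
  set "RC=1"
)
del "%REPORT%" 2>nul
exit /b %RC%

:failed
echo ERROR: the child did not produce "%REPORT%".
exit /b 2
```

An exit code of 0 means Administrators was absent or deny-only in the child; the integrity label lines are printed for comparison rather than judged.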
