I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).
Is it possible to do so?
You can run a command with restricted privileges with:
runas /trustlevel:0x20000 "YourCommandHere"
You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.
If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:
runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"
Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run with restricted privileges an internal command (like copy, del, etc.) as these are provided by the command line interpreter and do not have an associated path.
Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running
runas /showtrustlevels
1. It's still a privileged program (even it's restricted) in task manager by using this command:
runas /trustlevel:0x20000 <cmd>
2. You can try the other way, which will make it unprivileged in task manager:
runas /savecred /user:%username% <cmd>
You still need to enter the password once but not every time.
3. Use explorer.exe to launch the program:
explorer.exe <cmd>
The exploere.exe won't accept arguments for cmd, you can create a temp script file and lauch it by explorer.exe if arguments are necessary.
来源:https://stackoverflow.com/questions/20218076/batch-file-drop-elevated-privileges-run-a-command-as-original-user