Force cmd.exe prompt to run NOT as admin

Question

Related to my other question, I need to be able to run the command prompt NOT as an admin. Whenever I launch a command prompt, either from the Start Menu, or by double clicking the C:\Windows\System32\cmd.exe file in File Explorer, it runs it with elevated permissions.

How can I run it so it just runs in the normal non-elevated mode? Cmd.exe isn't required to be ran as admin, and typically when you launch it, it doesn't run as admin, but for some reason it is defaulting to run as admin on this machine. This is on a Windows Server 2012 R2 server. My account I'm logged in with has admin privileges (but it's not the default built-in Administrator user account), and the only workaround I can think of is to run it as a different user that does not have admin priviledges, which would require me to first create a non-admin account on the server, which seems excessive. Is there an easier way?

Never tried this, but create a cmd shortcut on the desktop, do a properties on the shortcut, then hit advanced button on shortcut Tab, can you uncheck run as admin? — Moab, Sep 28 '15 at 19:53
Do you see anything in the Win-X menu (or right-click Start button), when running as as admin? (not in a position to test from server version at the moment.) — paradroid, Sep 28 '15 at 19:53
@duDE I tried runas and it did launch the cmd.exe as another user, but still as an admin. Titlebar was `Administrator: cmd.exe (running as Domain\Username)`. @Moah I tried that as well, but the shortcut does not have the run as admin checked. @paradroid Win+X does list both `Command Prompt` and `Command Prompt (Admin)`, but they both launch the command prompt as admin. Thanks for the suggestions though guys :) — deadlydog, Sep 28 '15 at 20:05
you can use Process Explorer from Sysinternals. Open Procexp as admin, and then go to `File` -> `Run as Limited User`. A run bar will appear, and you can enter `cmd` or whatever else you want. https://technet.microsoft.com/en-us/sysinternals/ You are correct, Runas will always elevate if the user is capable of elevation. you could create a non-elevatable user, and run as them though if you really want to use runas. Procexp is easier. But make sure that cmd.exe is not marked to always run as Admin under the Properties -> compatibility tab. — Frank Thomas, Sep 28 '15 at 20:32
"My account I'm logged in with is an admin" AFAIK there is a reg and/or gpo hack to make a server admin run everything elevated. Do you have this on? And/or do you have UAC off as @kreemoweet implied? — underscore_d, Sep 28 '15 at 23:44
Yeah, I had UAC turned off. Turning it on and rebooting fixed the problem. Interestingly, I turned UAC back off and rebooted and the problem did not return; I'm able to launch cmd not as admin like usual again now. Maybe the server just needed a reboot. — deadlydog, Sep 29 '15 at 02:27
possible duplicate of [Force a program to run \*without\* administrator privileges or UAC?](http://superuser.com/questions/171917/force-a-program-to-run-without-administrator-privileges-or-uac) — AStopher, Sep 29 '15 at 06:41

score 23 · Accepted Answer · answered Sep 28 '15 at 20:16

23

Turn UAC back on. With that enabled, no program you start will automatically run as administrator.

answered Sep 28 '15 at 20:16

kreemoweet

4,565
17
19

unless you set them to always run as admin in the Compatibility mode for All Users. the app will just refuse to launch for a non-elevatable user. – Frank Thomas Sep 28 '15 at 20:42

score 3 · Answer 2 · edited Sep 28 '15 at 21:12

3

The short term solution:

Find an icon to run the command prompt.
Shift right click -> "Run as a different user"
Then specify a non-admin user account.

The long term solution: Find 'RUNASADMIN' in your registry keys and delete any entries including cmd.exe

edited Sep 28 '15 at 21:12

Francisco Tapia

2,614
4
24
43

answered Sep 28 '15 at 20:03

BlueCollar

41
4

I searched the registry for RUNASADMIN, but it did not find anything. – deadlydog Sep 28 '15 at 20:07
Did you try the temporary solution as well? As for the long term solution, it is just a possibility; try searching for cmd.exe in your registry then and work backwards. – BlueCollar Sep 28 '15 at 21:13
Wouldn't the temporary solution require him to login to another user, a normal user (something he said he didn't want to do in his question)? – Insane Sep 28 '15 at 21:20
First thought was to use Guest credentials which wouldn't have to be another created user – BlueCollar Sep 28 '15 at 21:28
3

@Insane: Kind of silly, really: the OP wants to run `cmd.exe` as some user other than Administrator, but does not want to create any user other than Administrator? It's a nonsense requirement. – Lightness Races in Orbit Sep 29 '15 at 09:18
2

@LightnessRacesinOrbit User is not the same as role. Having administrator privileges does not automatically give those privileges to every program that you run. - That said, you shouldn't log on with admin privileges unless you actually need them - which means that you should have accounts that don't have this privilege. – Taemyr Sep 29 '15 at 10:42
@Taemyr: Hmm okay. Still all seems daft, logically. – Lightness Races in Orbit Sep 29 '15 at 10:45

score 2 · Answer 3 · answered Mar 04 '20 at 19:07

2

I know this topic is > 4 yrs old but I had the same issue and it may help others. My company used software where I would only be able to launch cmd.exe as admin. I had other software (AHK) I could not launch as admin. AHK couldn't interact with cmd.exe in admin. I solved the problem by copying cmd.exe, then renaming it and updating my scripts.

answered Mar 04 '20 at 19:07

user1146483

21
1

Does not work for me: I copied cmd.exe to cmd2.exe, but cmd2 still runs as administrator with elevated privileges. – Jean-François Larvoire Jan 25 '21 at 15:08

Force cmd.exe prompt to run NOT as admin

3 Answers3

Linked