Execute a command in restricted security context


saferun is a Swiss-army knife for privilege manipulation. The child process is executed with minimum available privileges. This is suitable for performing risky tasks, and might reduce the damage caused by running untrusted programs. This tool does NOT create a sandbox. A malicios program may still cause damage, though the impact should be greately reduced.

Priority, window visibility and integrity level can also be specified. Optionally the Administrators group can be removed from the new process by stripping it or using a linked token, where it is available or removed.

Available privileges can only be enabled or disabled. Once a privilege is removed, it can not be restored. However if a process token has ownership of the Administrators group, it can install a service to start a child process restoring any privileges that had been removed: -e -s -S. Since services run with System privileges, they can take the role of any existing process, by duplicating its token: -t PID. It is also possible to execute a process in another session: -n . Use -D to specify a window station and Desktop.

Console applications are usually run in the parent console. To detach the child, and run in a new window, use -d.

There is a hack to elevate selected programs automatically, by assigning a debugger under Image File Execution Options. In that case, specify the -G flag. Otherwise the system will attempt to execute the process indefinitely.

Users who have disabled Animate controls and elements inside windows, might experience poor performance in Office 2013-2016 applications. The workaround is to enable animations, then start an Office application, and disable animations shortly after that: -A.

Command line options

Argumentarun [arguments] [parameters]
number 4 6 8 10 13 24 or
name idle = low below_normal normal above_normal high realtime
-wShow window
number 0-11 or name hide normal max min
-iIntegrity level
untrusted low med = medium mediumui mediumplus
high system protected
-aRemove Administrators group from the token: strip noadmin
-aUse linked token for an elevated process with UAC linked limited
-eElevate the user token, this attempts to install a temporary service
-sRun as a service
-SRun as an interactive service (deprecated since Windows Vista)
-tSpecify a process ID or name to use its token
-nOverride session ID
-DSpecify window station\Desktop e.g. winsta0\default winlogon screensaver
-dDo not attach to parent console
-PSpecify startup directory
-GStart with debugging: required when injected as a debugger under
Image File Execution Options
-ATemporary enable Animate controls and elements inside windows,
to improve scrolling performance and reduce lag in Office 2013-2016
Example: Run Notepad on the login screen
saferun -e -D winlogon notepad
Example: Run Notepad with untrusted integrity

Notepad will not be able to modify any files or access the user directory. Many features are likely not to work.

saferun -i untrusted notepad

Supported Platforms

☂︎ Windows

Prerequisites and build instructions

© 2012-2023 Georgi Valkov