Microsoft is working on a new feature for Chromium-based web
browsers that will protect you from accidentally launching the
browser as an “administrator”.
You are probably familiar with the “Run as administrator” (elevated
permission) option. For those unaware, elevated
permission allows you to launch a program and its processes
with an administrator token, which enables access to sensitive
features without additional permissions.
While elevated permission is necessary for some apps, it’s
generally recommended to avoid running any browser process with
elevated rights. This is because programs or files that you
download using the browser will be executed with elevated
permission (access to Windows files) and it could be abused for
Microsoft Edge (Chromium) previously warned users when they
launched the browser with elevated permission via a bubble
dialog in the toolbar. However, this feature was removed after
excessive user complaints.
“We actually tried just warning the user (in Edge) via a bubble
dialog in the corner, but this was happening way more often
than we thought it would due to cases where the browser is
launched from an elevated program, like an installer, and we
decided to remove the warning due to excessive user
complaints,” Microsoft said.
Microsoft is now planning to automatically de-elevate Chrome,
Edge or other browsers when launched as elevated.
To do this, Microsoft will detect when the browser is running
elevated in a scenario where executables can be run
un-elevated. When detected, Microsoft wants to re-launch the
browser through explorer.exe so the browser will run under the
same user as the shell and de-elevation will take place.
“The goal of this change is to solve for a majority of users
the problems they will run into with an elevated browser since
elevation should be unnecessary,” the company said.
Once this idea is implemented, Microsoft says your browser will
not launch the downloaded programs as elevated and child
processes will also not run as elevated. This will improve the
security of the browser and fix an issue that results in empty