[efreak]

If you can get the suggestion passed on, a simple way to run a process while _dropping_ elevation would be appreciated. Basically the _opposite_ of sudo. There should be a way to _easily_ drop permissions back to the standard desktop user (or lower?), like Linux's setuidgid. There's runas, but apparently that's not sufficient[0]; instead all I'm aware of is scheduled tasks and proxying through explorer, or leaving an unelevated process open and using IPC or other methods to tell if to run something else (none of this is easy in a simple batch file).

The biggest visibility into this issue is software installers, which regularly offer to launch the freshly installed program for the user's convenience...with the same elevated permissions the installer itself uses.

[0]: according to this SO answer, runas still runs the process with high integrity: https://stackoverflow.com/questions/20218076/batch-file-drop...