Use runas to run cmd.exe shell on Windows to run command as non-admin user

I am trying to run a command as a ‘limited user’ (ie. a normal non-administrative user) on a Windows runner using Github Actions. This is needed because I’m running a program that won’t start when it is run as Administrator due to security concerns.

Looking at the Custom Shell documentation, it seems that I can provide a custom shell to run my commands in.

I’ve tried the following:

name: Run tests (v1)
shell: runas /trustlevel:0x20000 cmd.exe /D /E:ON /V:OFF /S /C “CALL “{0}””
run: python.exe test_postgres.py

That is, for my shell, I’m calling runas with a trust-level set to ‘limited user’ and then using runas to call the cmd.exe shell (with the same parameters Actions uses by default), which then calls my script.

Unfortunately, when running this, I just get Error: Process completed with exit code 1. in the output (see the Run tests (v1) section here).

Is this something which is likely to be possible? I would have thought that runas would just pass everything through to the cmd.exe shell that I’m calling?

Is there any way to get more insight into the error rather than just getting an exit code of 1?

And if not, is there any other way to run as a non-administrative user on a Windows runner? I’m really struggling to get my code to run, as it requires to be run as a non-admin.

Thanks!

This might be helpful for debugging:

The shell command is slightly different in the docs:
%ComSpec% /D /E:ON /V:OFF /S /C "CALL "{0}"".

cmd.exe vs. %ComSpec% should make no difference, but there is a trailing . for some reason - might as well be a bug in the docs.

Furthermore, runas seems to require quoting of the command it is supposed to run. I think it should be like this:

runas /trustlevel:0x20000 "cmd.exe /D /E:ON /V:OFF /S /C \"CALL \"{0}\"\"."

You should also try it without the . if it doesn’t work.