Run WPA unelevated #115
Comments
I implemented the launch-as-unelevated once but ran into problems, as that article predicts. Permissions issues are a risk, as are environment differences. That said, I think that launch-as-elevated might work in most cases, which would make it worthwhile as an option, probably as an on-by-default option even.
How did you implement it the last time?
I think my previous version was similar to (or perhaps a copy of) ShellExecuteFromExplorer.
I use Task scheduler for that. If you are elevated you can create a task, configure the new to run as limited user and start the task via
It's not hard to run WPA unelevated. However the final result is not always desirable. For instance, if you run UIforETW under a separate admin account then when you launch WPA it will be under a different user which won't have permissions to read the traces. So, changes to how WPA is launched unelevated aren't really helpful. What is needed is a way to detect whether long unelevated will work or not, and some testing to see how well it works, perhaps with an override setting (although I don't like adding more settings).
It's a security risk, as you mention in https://randomascii.wordpress.com/2011/05/27/performance-analyzer-doesnt-process-traces-while-elevated/
Launching an unelevated process from an elevated process is tricky: https://blogs.msdn.microsoft.com/oldnewthing/20131118-00/?p=2643
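
The two ideas raised in the comments (start the viewer through a Task Scheduler task that runs at limited run level, and first detect whether the elevated account is the same one that owns the desktop) can be sketched in PowerShell. This is an added example, not code from the thread or from UIforETW; the function names, the task name, and the WPA and trace paths are placeholders chosen for illustration.

```powershell
# Added example. Function names, task name and both file paths are placeholders.

function Test-ElevatedUserIsDesktopUser {
    # True when the elevated caller is the same account that owns the desktop
    # shell in this session. If UAC elevation used a separate admin account,
    # an unelevated launch would run as a different user than the one that
    # wrote the traces, which is the failure case described in the comments.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $session = (Get-Process -Id $PID).SessionId
    $shell   = Get-CimInstance Win32_Process -Filter "Name='explorer.exe' AND SessionId=$session" |
               Select-Object -First 1
    if (-not $shell) { return $false }       # no shell found: do not assume it is safe
    $owner = (Invoke-CimMethod -InputObject $shell -MethodName GetOwnerSid).Sid
    return $owner -eq $me
}

function Start-Unelevated {
    param([Parameter(Mandatory)][string]$Path, [string]$Arguments)
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $name = "LaunchUnelevated-$PID"          # hypothetical one-shot task name
    $actionArgs = @{ Execute = $Path }
    if ($Arguments) { $actionArgs.Argument = $Arguments }
    $action    = New-ScheduledTaskAction @actionArgs
    # RunLevel Limited asks Task Scheduler for the filtered (non-admin) token.
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited
    # The default settings refuse to start on battery power; relax that.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $name -Action $action -Principal $principal `
                           -Settings $settings -Force | Out-Null
    try     { Start-ScheduledTask -TaskName $name }
    finally { Unregister-ScheduledTask -TaskName $name -Confirm:$false }   # remove the task definition
}

$wpa   = 'C:\path\to\wpa.exe'                # placeholder path
$trace = 'C:\path\to\trace.etl'              # placeholder path
if (Test-ElevatedUserIsDesktopUser) {
    Start-Unelevated -Path $wpa -Arguments "`"$trace`""
} else {
    # Different account owns the desktop: keep the existing elevated launch.
    Start-Process -FilePath $wpa -ArgumentList "`"$trace`""
}
```

The SID comparison only covers the different-account case; the environment differences mentioned in the first comment still have to be checked by testing.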