Google Chrome is about to get a little safer, especially on Windows, with a new security feature that automatically de-elevates the browser when it is launched with administrator privileges.
This move is aimed at stopping high-privilege attacks through the browser and strengthening user security across all platforms.
The change, recently submitted via a Chromium code commit, builds on a similar mechanism introduced in Microsoft Edge back in 2019.
Spotted in the wild on Social Media
As spotted by Leo (@Leopeva64) on X, the update is designed to improve system security by preventing Chrome from running in elevated mode unnecessarily. In other words, you will no longer be able to run Chrome as an "admin" user on Windows machines, unless absolutely necessary.
Further, Chrome will now attempt to relaunch itself with standard user permissions when started with admin rights. If the first relaunch attempt fails, Chrome will fall back to the current behavior (running with elevated privileges), but only after ensuring it doesn't get stuck in a relaunch loop.
“Automatically de-elevate users launching chrome elevated. This CL is based on changes we’ve had in Edge, circa 2019, which attempts to automatically de-elevate the browser when it’s run with the elevated part of a split / linked token,” Stefan Smolen, working with the Microsoft Edge team and one of the key contributors to this update, wrote in a Chromium commit.
“This automatically attempts a relaunch once, and then if it still fails it falls back to the current behaviour (which tries to launch admin).”
Microsoft has also introduced a command-line switch, "--do-not-de-elevate", to stop Chrome from de-elevating again after an automatic relaunch. This prevents a potential infinite relaunch loop when the browser fails to start with standard privileges.
“Do not de-elevate the browser on launch. Used after de-elevating to prevent infinite loops,” reads a comment in the source code.
However, this de-elevation won't apply to Chrome processes launched with elevated rights in automation scenarios, ensuring compatibility with testing tools and scripts.
New Check Added
To detect when elevated privileges aren't needed, Chrome now uses a new check called UserAccountIsUnnecessarilyElevated. It identifies situations where User Account Control (UAC) is enabled, yet the browser is still running with the elevated half of a linked (split) token, and in that case prompts Chrome to relaunch with standard permissions.
Additionally, the RunDeElevatedNoWait function has been modified to accept the current working directory. This addresses issues where the default directory (typically system32) previously led to unexpected or buggy behaviour in some scenarios.
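The mechanism described above, condensed into a self-relaunching Windows script, as an added example (it is not Chromium's or Microsoft's code). It models the three pieces the article names: the "unnecessarily elevated" check (UAC on, process holding the elevated half of a split token), a single de-elevated relaunch with an explicit working directory, and a loop-guard switch modelled on `--do-not-de-elevate` so the child never tries again. The function names are illustrative, `runas.exe /trustlevel:0x20000` stands in for Chromium's own RunDeElevatedNoWait helper (which this example does not reproduce), and the script path is assumed to contain no spaces.

```powershell
<#
  Added example, not Chromium code. Run it from an elevated PowerShell on a
  UAC-enabled Windows 10/11 host: it detects the elevated half of a split token,
  relaunches itself once de-elevated, and otherwise falls back to running as-is.
#>
param([switch]$DoNotDeElevate)   # loop guard, modelled on Chrome's --do-not-de-elevate

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int len, out int ret);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-TokenElevationType {
    # TOKEN_QUERY = 0x8; TokenElevationType = 18 in TOKEN_INFORMATION_CLASS.
    # Returns 1 (Default: no split token), 2 (Full: the elevated half of a
    # linked token) or 3 (Limited: the standard-user half).
    $hToken = [IntPtr]::Zero
    $self = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [Win32.Token]::OpenProcessToken($self, 0x8, [ref]$hToken)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $type = 0; $returned = 0
        if (-not [Win32.Token]::GetTokenInformation($hToken, 18, [ref]$type, 4, [ref]$returned)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        return $type
    } finally {
        [void][Win32.Token]::CloseHandle($hToken)
    }
}

function Test-UserAccountIsUnnecessarilyElevated {
    # Illustrative name, after the check the article describes: UAC is enabled
    # and this process holds the elevated (linked) half of a split token.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -eq 1
    return ($uacOn -and (Get-TokenElevationType) -eq 2)
}

function Start-SelfDeElevated {
    # One relaunch attempt at basic-user trust level, passing the loop guard.
    # The working directory is set explicitly: a process started from an
    # elevated launcher otherwise tends to inherit system32, the problem the
    # article attributes to the old RunDeElevatedNoWait behaviour.
    # Assumption: $PSCommandPath contains no spaces (runas nests the command in quotes).
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -DoNotDeElevate"
    $p = Start-Process -FilePath runas.exe -ArgumentList "/trustlevel:0x20000 `"$cmd`"" `
                       -WorkingDirectory $PSScriptRoot -PassThru -Wait
    return ($p.ExitCode -eq 0)
}

# --- main: mirror Chrome's "relaunch once, else fall back" flow ---
if (-not $DoNotDeElevate -and (Test-UserAccountIsUnnecessarilyElevated)) {
    if (Start-SelfDeElevated) {
        Write-Host 'Relaunched de-elevated; the elevated parent exits now.'
        exit 0
    }
    Write-Host 'De-elevated relaunch failed; falling back to running elevated.'
}

# Whatever the "browser" would do next happens here, in whichever context won.
Write-Host ('Running with token elevation type {0} (1=Default, 2=Full, 3=Limited)' -f (Get-TokenElevationType))
```

Started elevated, the parent reports a successful relaunch and the child prints elevation type 3 (Limited). Started from a normal prompt, or with UAC disabled (elevation type 1), the check is false and the script simply runs as it was launched. Because the child always receives `-DoNotDeElevate`, a child that still comes up elevated (for example under a policy that forces it) cannot trigger a second relaunch, which is the same loop guard the article describes.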
With this initiative, the Chromium team warns about the security risks and compatibility issues that could arise from running with administrative rights. By defaulting to standard privileges, Chrome is looking to follow a safer, more user-friendly model, making the browser more robust in today’s increasingly complex digital landscape.