Multiple Sublime instances using different windows credentials?

4

1

As a security-minded professional I do my day-to-day work on my computer as an unprivileged account. I will start individual programs, shells, and so on with my privileged Domain Administrator account.

I almost always have my sublime editor opened in my unprivileged account with a dozen files open. Occasionally I want to open a new sublime Window with elevated privileges (Start -> Right click on Sublime -> Run as different user). Unfortunately this doesn't start a new sublime instance, it just flashes the existing unprivileged instance.

There are dozens of hits on Google about how you can use File->New Window or a shortcut to open a new instance, but this doesn't help me at all, since that method will not create a window running under a different set of privileges.

So how do I start a second instance of Sublime running with the privileges from another account?

My system is currently running Windows 8.1, and I am on build 3083 of sublime, but I suspect this won't matter too much.

Zoredache

Posted 2015-08-26T16:49:30.107

Reputation: 18 453

There's an open issue for this kind of problem: https://github.com/SublimeTextIssues/Core/issues/1200

– Thorsten Schöning – 2019-11-08T18:14:39.650

Answers

4

Technically, a way to achieve such an effect is to open a globally accessible synchronization object such as a named pipe. The second process will detect an existing object and in some way tell the first process to open the file.

And that's exactly what Sublime Text does as well. You can observe this with Process Explorer (SysInternals):

  1. Run Process Explorer as administrator
  2. Run Sublime text
  3. Select Sublime text in the process list
  4. Press Ctrl+H to show the lower pane for handles
  5. Find a handle of type Mutant with "Sublime Text 2" in its name. It may look like \Sessions\1\BaseNamedObjects\4d3560c7bb75b0aede072672a3c001bb-Sublime Text 2
  6. Right click the Mutant
  7. Select "Close Handle"
  8. Start another instance of Sublime Text

Now you know how to start a new instance of Sublime Text. Of course you want to automate this process. The required sequence flow is now known to you:

  1. Find all processes of sublime_text.exe, e.g. using EnumProcesses (MSDN)
  2. Go through their list of handles, e.g. using NtQuerySystemInformation with SystemHandleInformation
  3. Close all Mutants with "Sublime Text 2" in the name, e.g. using CloseHandle (MSDN).

You'll need to close the handle for the new process as well, since the new process will create it again.

Handle (Sysinternals) is helpful to set up a script that achieves what you need. It can find a handle (line 1) and close a handle (line 2)

Handle -p sublime_text.exe -a Sublime | find "Mutant"
Handle -c <handle> -p <pid> -y

In the following complete script, adapt the username. Copy handle.exe into the same directory and run the batch file as administrator (since handle.exe needs admin rights):

@echo off
REM Clear values left over if this is run multiple times from one command line
set "pid="
set "handle="
REM Make the working directory the directory of the batch file
cd /d "%~dp0"
REM Find the PID (token 3) and the handle value (token 6) of the Mutant
for /f "tokens=3,6" %%i in ('handle -p sublime_text.exe -a Sublime -accepteula ^| find "Mutant"') do (
    set "pid=%%i"
    set "handle=%%j"
)
if "%pid%"=="" goto sublime
REM Close the handle; %handle:~0,-1% drops the trailing colon from the token
handle -c %handle:~0,-1% -p %pid% -y > nul
:sublime
REM Start Sublime Text under the other account (adapt Username)
runas /user:Username sublime_text.exe
if errorlevel 1 pause

Thomas Weller

Posted 2015-08-26T16:49:30.107

Reputation: 4 102

I've added powershell version, I hope that's ok – arberg – 2018-02-14T13:17:01.290

3

Try execute (Windows+R) and this command

runas /user:[the-other-user] C:\path\to\sublime_text

I'm not on Windows, but it should work.

Update

Definitive working solution to OP was to make a copy of sublime_text.exe in the same directory, and run it with privileges.

Other proposed untested solutions

Joaquín O

Posted 2015-08-26T16:49:30.107

Reputation: 181

1 The problem isn't starting sublime as another account. The problem is that sublime blocks additional instances from being started. runas works perfectly fine, if I don't already have a copy of sublime running under my non-privileged account. But I almost always have at least half a dozen files open in sublime. – Zoredache – 2015-09-02T23:08:02.760

1 @Zoredache Could you install another copy of sublime text? Install in another directory, maybe even share package files.. Or maybe install ST2 and ST3 in parallel.. I'm not sure this can be done on windows, but you could give it a try.. – Joaquín O – 2015-09-02T23:53:53.133

@Zoredache I found another alternative in Sublime Unofficial Documentation. You can get a portable version of sublime.. Take a look at this: http://sublime-text-unofficial-documentation.readthedocs.org/en/latest/getting_started/install.html#how-to-install-the-portable-version-of-sublime-text

– Joaquín O – 2015-09-02T23:56:28.787

You should merge that bit about making a copy into the body of your answer. After some testing, seems to be a solution that actually works. – Zoredache – 2015-09-03T16:41:47.743

What did finally work? Two installations of st3, st2 + st3, or a portable version? PS, would be nice to take back that downvote :P – Joaquín O – 2015-09-04T00:10:09.307

1 Actually I just made a copy of the sublime_text.exe in the sublime folder and tried that first. And surprisingly that worked. I suspect all the other options you suggested would also work. – Zoredache – 2015-09-04T16:25:16.253

Just edited the answer to include the solution and other possible solutions. Please mark it solved. – Joaquín O – 2015-09-05T00:11:48.713

2

Windows doesn't provide any way to directly do what Sublime Text is doing, which means there is no universal way to override this behavior. It will depend on how the program itself implements this behavior. Unfortunately, the fact that the second session is the Admin one makes it harder to use techniques that block communication across privilege levels, because the more privileged app needs to talk to the less-privileged, and that's almost always allowed.

First of all, you can probably turn off the merging of sessions automatically. The downside of this is that files you want to have open in the current window would open in a new one. So that's obviously an inferior option, but it exists.

If Sublime simply looks for another instance of itself by name, you could create two copies of the executable, append "Admin" on the name of one, and use the Compatibility tab to mark that one as always needing to run as Admin. Add it to your Start or Taskbar, and you have an admin-only editor easily launchable. Note that it won't update when the first one does, though. Using a symlink or hardlink would work if Sublime is checking the command line, but not if it's checking the image name (image name always resolves to the first canonical path).

A slightly extreme approach that might work is to use loopback remote desktop. This only works on Server SKUs of Windows because it requires having two interactive sessions active at once (which client versions of Windows prohibit) but Sublime might stop at the Session boundary even where it normally ignores the User boundary. Just remote to localhost with the domain admin creds, and then launch Sublime (or even set it up so it automatically launches Sublime, or maybe even so it just forwards that one app back to your desktop instead of fully drawing the other desktop). This approach would work for things like a named mutex or similar that is created in a user session (instead of globally).

It's probably not a file or registry key, since the only places an unprivileged instance of Sublime could create those are generally not where a privileged version would look for them. There are exceptions, though; for example, ProgramData is world-writable. If that is how Sublime is detecting the other instance of itself, I have no workable suggestion except to use a different editor; that's just a flat-out not-multi-user-compatible behavior.

If the approaches above don't work, your only option (short of always starting Sublime as Admin, or using another editor for Admin work) is to poke the developers and ask them to behave better in multi-user scenarios. Most Windows programs are at best unaware of the concept that multiple users might want to run the program at once, but a few are totally incompatible with it. The Sublime devs could, for example, check the credentials the already-existing instances are running under before merging sessions... but if the devs didn't think of that themselves, you might have to file a bug to get them to fix it.

CBHacking

Posted 2015-08-26T16:49:30.107

Reputation: 5 045

I would be fine with disabling the session merging behavior. I could live with that. Do you know how to disable that for sublime? – Zoredache – 2015-09-02T23:39:32.083

Well, damn. I thought this would be an easily-findable setting in any multi-document editor program, but the best I can find is a few references to an open_files_in_new_window "global setting". See http://www.sublimetext.com/forum/viewtopic.php?f=4&t=3121 and http://stackoverflow.com/questions/20201758/sublime-text-with-multiple-windows-how-to-always-open-the-same-file-in-the-same. Have you tried that one (is it even available on Windows?)?

– CBHacking – 2015-09-03T01:34:12.460

1 Also, to clarify just in case anybody was wondering what is happening here: Sublime does start a second instance, very briefly. Before this second instance even displays a window, though, it checks for (and finds) a running instance, and then the new instance tells the running instance to open the file and the new instance quits. If you're watching in Task Manager / Process Explorer you might see the second instance appear for a moment, but the whole process takes barely any time so it vanishes so quickly it may seem like it never started at all. – CBHacking – 2015-09-03T01:39:52.557
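The instance check described in this thread, next to the per-credential variant suggested in the answer above, as an added PowerShell example; it is not Sublime Text's code and not code from any poster. The application name `ExampleEditor`, both function names and the second SID are assumptions made up for the illustration.

```powershell
# Added example. 'ExampleEditor' is a hypothetical application name.
# A name under Local\ lives in \Sessions\<n>\BaseNamedObjects, which every account
# in the same desktop session shares, so runas alone does not separate instances.

function Get-InstanceMutexName {
    param(
        [string]$AppName = 'ExampleEditor',
        # Defaults to the SID of the account running this process.
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        [switch]$PerUser
    )
    if ($PerUser) { return "Local\$AppName-$Sid" }
    return "Local\$AppName"
}

function Enter-SingleInstance {
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    try {
        # createdNew is set to $false when an object with this name already exists.
        $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    } catch {
        # Another account created the object and its ACL denies us access:
        # an instance exists, but it is not one this account should hand files to.
        if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
            return [pscustomobject]@{ Name = $Name; IsFirst = $false; Mutex = $null }
        }
        throw
    }
    [pscustomobject]@{ Name = $Name; IsFirst = $createdNew; Mutex = $mutex }
}

# Shared name: the second caller finds the object and would forward its files
# to the first instance, whichever account that instance runs under.
$first  = Enter-SingleInstance (Get-InstanceMutexName)
$second = Enter-SingleInstance (Get-InstanceMutexName)

# Per-user names: the constructed SID below stands in for the admin account,
# so the two callers no longer see each other's object.
$user  = Enter-SingleInstance (Get-InstanceMutexName -PerUser)
$admin = Enter-SingleInstance (Get-InstanceMutexName -PerUser -Sid 'S-1-5-21-0-0-0-500')

$all = $first, $second, $user, $admin
$all | Format-Table Name, IsFirst -AutoSize
$all | ForEach-Object { if ($_.Mutex) { $_.Mutex.Close() } }
```

With the SID in the name, closing another process's handle is no longer needed: the elevated instance simply never finds the unprivileged one.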

0

As mentioned before, simply having different paths to the Exe of Sublime works around reusing running instances and one doesn't even need to copy files, but linking the Exe using hard links or the installation directory itself using a Junction works as well.

Besides that, in a similar discussion on GitHub, the command line argument --multiinstance was mentioned and that really seems to get Sublime to ignore all currently running sessions and start a new one. So what I'm doing is simply creating a shell link containing the path to Sublime in its one and only default installation directory, add the command line argument and enable to start as admin. Looking at Process Monitor, there really is an admin-instance running and kept running. Didn't encounter any shortcomings so far.

Go and thank FichteFoll for mentioning that.

Settings for command line. Settings to execute as Administrator.

Thorsten Schöning

Posted 2015-08-26T16:49:30.107

Reputation: 523

0

Now that I understand the problem better, I would not have a single editor with files opened on both systems. Edit on one system and then transport those changes to the remote system with something like sftp. You can get a plugin for sublime to do that (assuming you have an sftp server on the remote system) or use the build system to execute a copy function to the remote system.

Todd

Posted 2015-08-26T16:49:30.107

Reputation: 209

The problem isn't starting the application with elevated privileges. I already can do that just fine. The problem is running two instances of sublime with different privileges. Attempting to start the second instance with new file results in sublime opening the file in my pre-existing un-privileged instance. – Zoredache – 2015-09-02T18:59:22.430

What is it that you would want to do with this second instance? – Todd – 2015-09-02T19:33:40.297

Edit files with administrator privileges, because I don't have access to them for security reasons on my unprivileged account. – Zoredache – 2015-09-02T20:12:44.807

If you open the file from within the sublime instance with elevated privileges the file appears in the other instance? – Todd – 2015-09-02T20:37:33.403

I have no idea what you are asking here. I can't start an instance of sublime with elevated privileges if I already have another copy running. That is the problem. I want two instances of sublime, one as my normal account, and one with a different set of credentials. Sublime refuses to start the second instance. This is almost certainly a SUBLIME problem. – Zoredache – 2015-09-02T21:37:29.610

Seems that the protected files should be separate from your unprivileged work - like on different machines. Maybe a VM. – Todd – 2015-09-02T21:53:41.387

Well they aren't on my local machine. These files happen to be on one of my Windows servers. If I startup Windows Notepad as a different user I can edit them via the network. – Zoredache – 2015-09-02T21:59:18.320