Google Chrome is about to get a little safer

This move is aimed at stopping high-privilege attacks through the browser and strengthening user security across all platforms.

Google Chrome is set to get a little safer, especially on Windows, as it is adding a new security feature to Chrome that will automatically de-elevate the browser when it is launched with administrator privileges.

This move is aimed at stopping high-privilege attacks through the browser and strengthening user security across all platforms.

The change, recently submitted via a Chromium code commit, builds on a similar mechanism introduced in Microsoft Edge back in 2019.

Spotted in the wild on Social Media

As spotted by Leo (@peva64) on X, the update is designed to improve system security by preventing Chrome from running in elevated mode unnecessarily. In other words, you will no longer be able to run Chrome as an “admin” user on Windows machines, unless absolutely necessary.

Further, Chrome will now attempt to relaunch itself with standard user permissions when started with admin rights. If the first relaunch attempt fails, Chrome will fall back to the current behavior —running with elevated privileges — but only after ensuring it doesn’t get stuck in a relaunch loop.

“Automatically de-elevate users launching chrome elevated. This CL is based on changes we’ve had in Edge, circa 2019, which attempts to automatically de-elevate the browser when it’s run with the elevated part of a split / linked token,” Stefan Smolen working with the Microsoft Edge team and one of the key contributors to this update, wrote in a Chromium commit.

“This automatically attempts a relaunch once, and then if it still fails it falls back to the current behaviour (which tries to launch admin).”

Microsoft has also introduced a command-line switch, “-do-not-de-elevate,” to stop Chrome from de-elevating after an automatic relaunch. This helps prevent potential infinite relaunch loops when the browser fails to start with standard privileges.

“Do not de-elevate the browser on launch. Used after de-elevating to prevent infinite loops,” reads a comment in the source code.

However, this de-elevation won’t apply to Chrome processes launched with elevated rights in automation scenarios, ensuring compatibility with testing tools and scripts.

New Check Added

To detect when elevated privileges aren’t needed, Chrome now uses a new check called (UserAccountIsUnnecessarilyElevated) that identifies situations where User Account Control (UAC) is enabled, yet the browser is still running with an elevated, linked token — prompting Chrome to relaunch with standard permissions.

Additionally, the RunDeElevatedNoWait function has been modified to accept the current working directory, which addresses issues where the default directory (typically system32), which previously led to unexpected or buggy behaviour in some scenarios.

With this initiative, the Chromium team warns about the security risks and compatibility issues that could arise from running with administrative rights. By defaulting to standard privileges, Chrome is looking to follow a safer, more user-friendly model, making the browser more robust in today’s increasingly complex digital landscape.