diff --git a/docs/changes.txt b/docs/changes.txt
index fefbe00..bf216eb 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -14,7 +14,7 @@ v0.1.2
 * zapret-antidpi: rst
 * github actions: remove FFI from luajit
 
-v0.1.3
+v0.1.4
 
 * winws2: set low mandatory level in process token if possible : no --wlan-filter or --nlm-filter (no windivert reinit required)
 * nfqws2: optimize debug logging to file
diff --git a/nfq2/darkmagic.c b/nfq2/darkmagic.c
index 505d493..03f4de8 100644
--- a/nfq2/darkmagic.c
+++ b/nfq2/darkmagic.c
@@ -733,13 +733,12 @@ static bool prepare_low_appdata()
 static bool b_isandbox_set = false;
 bool win_sandbox(void)
 {
-
-	if (!RemoveTokenPrivs())
-		return FALSE;
-
 	// there's no way to return privs
 	if (!b_isandbox_set)
 	{
+		if (!RemoveTokenPrivs())
+			return FALSE;
+
 		// set low mandatory label on windivert device to allow administrators with low label access the driver
 		if (logical_net_filter_present() && !SetMandatoryLabelFile("\\\\.\\" WINDIVERT_DEVICE_NAME, SECURITY_MANDATORY_LOW_RID, 0))
 			return FALSE;