Force program to run as user with UAC-virtualization


Recommended Posts

Is it possible to force an exe-file to start with User-privileges so everything it tries to do goes into the UAC-Virtualization?

Right now it prompts me for permissions before i can even start it and if i click no it will just quit.

I've created a standard user account, added exe to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Parameters\ExcludedExtensionsAdd and disabled Detect application installations and prompt for elevation in gpedit but it still keeps prompting me when i try to start it.

you can open the exe with an resource hacker tool and remove the requestedExecutionLevel Tag from the Manifest. Vista only uses the UAC-virtualization when the manifest is not included or doesn't contain the requestedExecutionLevel Tag.

Thanks for the tip, i downloaded a resource hacker and removed the requestedExecutionLevel from the manifest and the program started without uac-prompt. :)

But the installer had some kind of built in integrity-check so it detected that i had modified the file and shut down itself :(

Is there any way to make UAC ignore the requestedExecutionLevel without modifying the file you want to run?

Actually I'd like to run all programs in virtualization. Many programs(especially installers) ask for elevation even if they don't actually need it. Often they ask in advance only to get permissions to %ProgramFiles% even if i choose to install in another folder later.

I see no reason why an installer should have full access to my computer only to copy itself into a folder.

I've maybe misunderstood how uac-virtualization works but if programs can't touch system-files or other programs, won't it be like a complete sandbox?

EDIT: The program i was referring to above was World of Goo demo. But as i said, i want to virtualize as much as possible, it was just the first program i tried to install after i found out about this feature.

Edited by blehbleh
  • 1 year later...

Hi Blehbleh,

Eventually it IS possible to automatically activate UAC virtualization for any given program, no matter if it has UAC info in its manifest. I was looking for some other information about this and came on this old thread, but since I came here, I guess others may too so I will post how to do here.

So, the simplest method (and the one I use) is certainly to use the registry-based UAC shim. Let's suppose you want the command prompt to always start UAC-virtualized. You will have to add values to one of the following registry keys, the first one being system-wide, the second one per user only :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags


Then you have to create the following value : C:\Windows\System32\cmd.exe
Type : REG_SZ (i.e. a string value)
Data : RUNASINVOKER

In case this value already exists and is not empty, just append " RUNASINVOKER" at the end of the data (without the quotes, but don't forget the space).

This seems to make UAC consider that the program doesn't have UAC information into its manifest, hence start with UAC virtualization enabled. That can come useful with programs having a manifest with UAC info, but still poorly designed... and don't tell me that doesn't exist...

Here's some more detailed info about setting UAC options.

HTH smile.gif

No need for a complete sandbox here, I think the creator of this topic only wanted UACV to work with a poorly designed app, as it is supposed to work, even when this app says (and lies) "it's OK, I'm UAC-aware, no need to use that with me".

Moreover, I'm not sure a complete sandbox would do the same job i.e. accepting and sandboxing file and registry write failures. Would it not deny access, since "true writes" would fail ? Eventually I don't know, I didn't use any sandboxing tool yet.

  • 4 years later...

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

  On 18/09/2014 at 01:11, NovHak said:

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

 

I modified the previous post with the updated keys. Yeah, the thread is pretty old, but this information is useful for old programs...or new ones under devs who still insist that users should turn off UAC. :P

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • I’ve just paid £290/$390 for a 4TB Samsung 990 Pro for my PS5 Pro so it’s not too far from the going rate. Microsoft should definitely copy Sony and let users buy their own SSD in their next consoles rather than this proprietary stuff. I paid £374/$505 for the 2TB Seagate card for my Series X a few years ago so it’s not exactly over priced. 4TB of NVMe storage ain’t cheap!
    • The EU regulations force companies to respect users privacy, choice and data. Something all tech companies have abused to the hilt and would continue to do so if it wasn’t for important legislation and laws the EU brought in, which have been adopted elsewhere around the world. The EU can be a nuisance, but they actually do more good than harm. Forcing Apple, Google, Microsoft etc to make changes hasn’t negatively impacted anyone apart from their financials as they aren’t free to pillage our data like they once were, unless they explicitly provide options to obtain consent.
    • Windows 10 Enterprise IoT LTSC will continue getting updates until January 2032. I would expect support from most programs to continue until then. Firefox still supports Windows 7 (until the end of August), which will be just over 16 years since release. Windows 10 will be of a very similar age in January 2032. I'm sure some things like games will move on earlier, but I imagine a Windows 10 machine will be safe and usable for a long time to come yet, despite the pressure and fearmongering from those who stand to gain from selling you a new PC.
    • Refined dock and bug fixes land in latest Elementary OS 8 updates by David Uzondu If you're running Elementary OS 8, there's a new round of updates available, bringing some neat enhancements, particularly to its signature Dock and the underlying window manager, Gala. If you are not familiar, Elementary OS positions itself as a polished alternative to Windows and macOS. It runs its own custom desktop environment called Pantheon, with Gala handling all the window management magic, like animations and how windows behave. In the new update, the Dock gets some notable new tricks, including the return of a couple of features that old-school Plank (the Dock's foundation) users might remember. For starters, the Dock now shows multiple indicator dots beneath an app icon if you have more than one window open for that application, which is useful for quickly seeing what is running. Plus, if you are dragging something and hover over an app icon in the Dock, it will cycle through that app's open windows, making it easier to drop your item into the right place. You can also now long-press an app icon to bring up its context menu, a nice touch for those who prefer that interaction. The elementary OS team also squashed some bugs related to hide modes and memory usage, keeping things running smoothly. Gala itself recently got a massive update, addressing around 20 reported issues and introducing a brand new Gesture Controller. This means users can now swipe up in the Multitasking View to close windows, a slick and intuitive gesture. App titles are now always shown in Multitasking View, a significant improvement for touchscreen users. Users also get notified when they take a screenshot with a keyboard shortcut, and this notification lets them jump straight to the image in Files. Some other welcome Gala improvements include saving window states on sleep and shutdown, and fixing an annoying bug where menus might only show once. For gamers, a fix for Lutris Flatpak installations causing Gala to crash with GE Proton setups will be a relief, and users of the Postman app will be happy to know that window captures for it are no longer partially rendered. Shifting back to Elementary OS 8, in System Settings, choosing light or dark mode properly snoozes your schedule instead of outright disabling it. The Reduce Motion setting has been expanded to cover a wider array of animations, which is a blessing for folks prone to motion sickness. Hotcorners got some fixes too, and there is a new option to keep them active even when an application is full screen. Other notable updates include added screen reader support for notifications and the shortcut overlay, fixes for Flatpak sandbox issues that affected apps like Steam, and the latest version of GNOME Web, which brought better performance and a redesigned bookmarks sidebar. You can download all these updates by opening System Settings, heading to System, and hitting "Update All."
    • WSCC - Windows System Control Center 10.0.0.8 by Razvan Serea Windows System Control Center is a free, portable program that allows you to install, update, execute and organize the utilities from various system utility suites. WSCC can install and update the supported utilities automatically. Alternatively, WSCC can use the http protocol to download and run the programs. WSCC is portable, installation is not required. Extract the content of the downloaded zip archive to any directory on your computer. Free for personal use. The setup packages and updates are downloaded directly from their author's website! This edition of WSCC supports the following utility suites: Windows Sysinternals Suite (including support for "Sysinternals Live" service) NirSoft Utilities Mitec and more... WSCC - Windows System Control Center 10.0.0.8 changelog: Update Manager: scheduled updates will run even if WSCC is already running minor user interface improvements Download: WSCC (64-bit) | 6.9 MB (Free for personal use) Download: WSCC (32-bit) | 6.2 MB View: WSCC Homepage | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • Enthusiast
      Epaminombas went up a rank
      Enthusiast
    • Posting Machine
      Fiza Ali earned a badge
      Posting Machine
    • One Year In
      WaynesWorld earned a badge
      One Year In
    • First Post
      chriskinney317 earned a badge
      First Post
    • Week One Done
      Nullun earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      186
    2. 2
      snowy owl
      131
    3. 3
      ATLien_0
      129
    4. 4
      Xenon
      121
    5. 5
      +Edouard
      91
  • Tell a friend

    Love Neowin? Tell a friend!