Force program to run as user with UAC-virtualization

[blehbleh]

Is it possible to force an exe-file to start with User-privileges so everything it tries to do goes into the UAC-Virtualization?

Right now it prompts me for permissions before i can even start it and if i click no it will just quit.

I've created a standard user account, added exe to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Parameters\ExcludedExtensionsAdd and disabled Detect application installations and prompt for elevation in gpedit but it still keeps prompting me when i try to start it.

[MagicAndre1981]

you can open the exe with an resource hacker tool and remove the requestedExecutionLevel Tag from the Manifest. Vista only uses the UAC-virtualization when the manifest is not included or doesn't contain the requestedExecutionLevel Tag.

[blehbleh]

Thanks for the tip, i downloaded a resource hacker and removed the requestedExecutionLevel from the manifest and the program started without uac-prompt. :)

But the installer had some kind of built in integrity-check so it detected that i had modified the file and shut down itself :(

Is there any way to make UAC ignore the requestedExecutionLevel without modifying the file you want to run?

[MagicAndre1981]

no, the UAC-virtualization was designed to run old legacy applications which do not have the Manifest included.

What kind of application do you want to run? What's the name of it?

[blehbleh]

Actually I'd like to run all programs in virtualization. Many programs(especially installers) ask for elevation even if they don't actually need it. Often they ask in advance only to get permissions to %ProgramFiles% even if i choose to install in another folder later.

I see no reason why an installer should have full access to my computer only to copy itself into a folder.

I've maybe misunderstood how uac-virtualization works but if programs can't touch system-files or other programs, won't it be like a complete sandbox?

EDIT: The program i was referring to above was World of Goo demo. But as i said, i want to virtualize as much as possible, it was just the first program i tried to install after i found out about this feature.

Edited February 17, 2009 by blehbleh

[MagicAndre1981]

that's not possible. virtualization was enabled to run application with standard user rights which try to store files to folders where standard user don't have the rights to do.

[NovHak]

Hi Blehbleh,

Eventually it IS possible to automatically activate UAC virtualization for any given program, no matter if it has UAC info in its manifest. I was looking for some other information about this and came on this old thread, but since I came here, I guess others may too so I will post how to do here.

So, the simplest method (and the one I use) is certainly to use the registry-based UAC shim. Let's suppose you want the command prompt to always start UAC-virtualized. You will have to add values to one of the following registry keys, the first one being system-wide, the second one per user only :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

Then you have to create the following value : C:\Windows\System32\cmd.exe
Type : REG_SZ (i.e. a string value)
Data : RUNASINVOKER

In case this value already exists and is not empty, just append " RUNASINVOKER" at the end of the data (without the quotes, but don't forget the space).

This seems to make UAC consider that the program doesn't have UAC information into its manifest, hence start with UAC virtualization enabled. That can come useful with programs having a manifest with UAC info, but still poorly designed... and don't tell me that doesn't exist...

Here's some more detailed info about setting UAC options.

HTH

[+kjx Subscriber²]

Why don't you run the program inside a sandbox? That's essentially what you seem to want to do.

[NovHak]

No need for a complete sandbox here, I think the creator of this topic only wanted UACV to work with a poorly designed app, as it is supposed to work, even when this app says (and lies) "it's OK, I'm UAC-aware, no need to use that with me".

Moreover, I'm not sure a complete sandbox would do the same job i.e. accepting and sandboxing file and registry write failures. Would it not deny access, since "true writes" would fail ? Eventually I don't know, I didn't use any sandboxing tool yet.

[NovHak]

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

[zhangm Supervisor]

  On 18/09/2014 at 01:11, NovHak said:

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

 

I modified the previous post with the updated keys. Yeah, the thread is pretty old, but this information is useful for old programs...or new ones under devs who still insist that users should turn off UAC. :P