Force program to run as user with UAC-virtualization


Recommended Posts

Is it possible to force an exe-file to start with User-privileges so everything it tries to do goes into the UAC-Virtualization?

Right now it prompts me for permissions before i can even start it and if i click no it will just quit.

I've created a standard user account, added exe to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Parameters\ExcludedExtensionsAdd and disabled Detect application installations and prompt for elevation in gpedit but it still keeps prompting me when i try to start it.

you can open the exe with an resource hacker tool and remove the requestedExecutionLevel Tag from the Manifest. Vista only uses the UAC-virtualization when the manifest is not included or doesn't contain the requestedExecutionLevel Tag.

Thanks for the tip, i downloaded a resource hacker and removed the requestedExecutionLevel from the manifest and the program started without uac-prompt. :)

But the installer had some kind of built in integrity-check so it detected that i had modified the file and shut down itself :(

Is there any way to make UAC ignore the requestedExecutionLevel without modifying the file you want to run?

Actually I'd like to run all programs in virtualization. Many programs(especially installers) ask for elevation even if they don't actually need it. Often they ask in advance only to get permissions to %ProgramFiles% even if i choose to install in another folder later.

I see no reason why an installer should have full access to my computer only to copy itself into a folder.

I've maybe misunderstood how uac-virtualization works but if programs can't touch system-files or other programs, won't it be like a complete sandbox?

EDIT: The program i was referring to above was World of Goo demo. But as i said, i want to virtualize as much as possible, it was just the first program i tried to install after i found out about this feature.

Edited by blehbleh
  • 1 year later...

Hi Blehbleh,

Eventually it IS possible to automatically activate UAC virtualization for any given program, no matter if it has UAC info in its manifest. I was looking for some other information about this and came on this old thread, but since I came here, I guess others may too so I will post how to do here.

So, the simplest method (and the one I use) is certainly to use the registry-based UAC shim. Let's suppose you want the command prompt to always start UAC-virtualized. You will have to add values to one of the following registry keys, the first one being system-wide, the second one per user only :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags


Then you have to create the following value : C:\Windows\System32\cmd.exe
Type : REG_SZ (i.e. a string value)
Data : RUNASINVOKER

In case this value already exists and is not empty, just append " RUNASINVOKER" at the end of the data (without the quotes, but don't forget the space).

This seems to make UAC consider that the program doesn't have UAC information into its manifest, hence start with UAC virtualization enabled. That can come useful with programs having a manifest with UAC info, but still poorly designed... and don't tell me that doesn't exist...

Here's some more detailed info about setting UAC options.

HTH smile.gif

No need for a complete sandbox here, I think the creator of this topic only wanted UACV to work with a poorly designed app, as it is supposed to work, even when this app says (and lies) "it's OK, I'm UAC-aware, no need to use that with me".

Moreover, I'm not sure a complete sandbox would do the same job i.e. accepting and sandboxing file and registry write failures. Would it not deny access, since "true writes" would fail ? Eventually I don't know, I didn't use any sandboxing tool yet.

  • 4 years later...

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

  On 18/09/2014 at 01:11, NovHak said:

Whoops, sorry ! I just came back to this old thread and noticed an error in my post. The registry keys I mentioned are not the correct ones, one should modify those instead :

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

I sincerely apologise to all people who lost time because of my mistake.

 

If only I could edit my post I would, but I see no edit option. Maybe because it's too old...

 

I modified the previous post with the updated keys. Yeah, the thread is pretty old, but this information is useful for old programs...or new ones under devs who still insist that users should turn off UAC. :P

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • dBpoweramp Music Converter 2025-06-05 by Razvan Serea Audio conversion perfected, effortlessly convert between formats. dBpoweramp contains a multitude of audio tools in one: CD Ripper, Music Converter, Batch Converter, ID Tag Editor and Windows audio shell enhancements. Preloaded with essential codecs (mp3, wave, FLAC, m4a, Apple Lossless, AIFF), additional codecs can be installed from [Codec Central], as well as Utility Codecs which perform actions on audio files. After 21 days the trial will end, reverting to dBpoweramp Free edition (learn the difference between Reference and dBpoweramp Free, here). dBpoweramp is compatible with Windows 10, 8, 7, Vista, both 32 and 64 bit. dBpoweramp Music Converter features: Convert audio files with elegant simplicity. mp3, mp4, m4a (iTunes / iPod), Windows Media Audio (WMA), Ogg Vorbis, AAC, Monkeys Audio, FLAC, Apple Lossless (ALAC) to name a few! Multi CPU Encoding Support Rip digitally record audio CDs (with CD Ripper) Batch Convert large numbers of files with 1 click Windows Integration popup info tips, audio properties, columns, edit ID-Tags DSP Effects such as Volume Normalize, or Graphic EQ [Power Pack Option] Command Line Encoding: invoke the encoder from the command line DSP Effects - process the audio with Volume Normalize, or Sample / Bit Rate Conversion, with over 30 effects dBpoweramp is a fully featured mp3 Converter dBpoweramp integrates into Windows Explorer, an mp3 converter that is as simple as right clicking on the source file >> Convert To. Popup info tips, Edit ID-Tags are all provided. dBpoweramp Music Converter 2025.06.05 changelog: Darkmode added Core Converter Debug log dumps ID Tags written VST Effect Folders dialog fixed missing InitCommonControls would not show correctly FLAC/Ogg/Opus/etc - allows editing of CDTOC ID Tag CD Ripper secure ripping log where shows TOC was not showing CD Extra correctly CD Ripper was incorrectly setting data track length on main display (for certain drives) CD Ripper internally better handling of corrupt TOCs CD TOC to Tag was incorrectly adding 150 to CD Extra disc CD Ripper shows "AccurateRip Unconfigured" in rip status rather than "not in accuraterip" if unconfigured CD Ripper art paste accepts https CueSheet added as standard - log file written to same folder as cue and folder.jpg AIFF internal code merge (macos >> windows) Download: dBpoweramp Music Converter R2025.06.05 | 82.2 MB (Shareware) View: dBpowerAMP Music Converter Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Staged. It's a requirement that vehicles are strapped down to the bed. Usually wheel and/or chassis tie downs are used. That appears to just be on the winch.
    • I feel Apple's big problem is the lack of big data to train any AI LLM model. They have statistics on usage, but they don't have the written social media, messaging (they were early adopters of end-to-end encryption), they didn't scrape the Internet before the book companies and new sources were wise. So they have no choice but to use a third party LLM provider. Which ties them in knots with their own stance on security and privacy. In short, they are royally stuffed when it comes to developing an in-house AI.
    • Nothing is black and white. Democracy can suck, just as communism can. The risk is people who blindly think one is vastly superior over the other. Democracy needs a lot to make it work well, and there are many examples around the world of it. Good education, mandatory voting, accessible voting, and removing money from politics are just a few elements that need to be sorted for a functional democracy. The USA is the playbook on what not to do with democracy.
  • Recent Achievements

    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post
    • First Post
      Bkl211 earned a badge
      First Post
    • One Year In
      Mido gaber earned a badge
      One Year In
    • One Year In
      Vladimir Migunov earned a badge
      One Year In
  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      snowy owl
      255
    3. 3
      +FloatingFatMan
      252
    4. 4
      ATLien_0
      226
    5. 5
      +Edouard
      189
  • Tell a friend

    Love Neowin? Tell a friend!