windows 7 - Allow Standard user to run program requiring UAC elevation

24
2014-04
  • Thom Wiggers

    I need a standard or limited Windows 7 user to be able to run an application (Fallout Mod Manager) which requires UAC elevation. I've tried the Application Compatibility Toolkit, but that did not work as intended. Any suggestions? I am running Windows 7 Ultimate local, so policies can be applied.

    I basically want something like Unix's setuid flag.

  • Answers
  • Ian Boyd

    It's doable, but not easy to explain.

    There are only three reasons why an application would request elevation on startup:

    • the Compatibility tab has the "Run this program as an administrator" option checked
    • the application has a manifest (either embedded or external) that specifies requireAdministrator
    • there is a compatibility update from Microsoft that marked it as needing administrator

    Assuming you've already checked the compatibility tab, and the application is not set to require administrator:


    The next step is to check for an embedded resource manifest. I won't go into how you can find that out, but skip to creating a manifest for yourself.

    Create a file in the same directory as Fallout Mod Manager (I don't know what the exe is called, but I'll call it FalloutModManager.exe):

    FalloutModManager.exe
    FalloutModManager.exe.manifest

    This new manifest file you create is a simple text file, containing XML, with a manifest entry that says that we want to launch asInvoker, rather than requireAdministrator:

    FalloutModManager.exe.manifest

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
       <assemblyIdentity
            version="1.0.0.0"
            processorArchitecture="X86"
            name="client"
            type="win32" />

       <description>Poorly written Fallout Mod Manager fails on XP as standard user</description>

       <!-- Disable file and registry virtualization, and don't require elevation -->
       <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
          <security>
             <requestedPrivileges>
                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
             </requestedPrivileges>
          </security>
       </trustInfo>
    </assembly>

    Having this file next to your executable is called an "external manifest". It is also possible the executable has an embedded resource, which you would need a tool like Resource Hacker to see, or modify.
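
The answer above skips how to find out what an executable's own manifest requests. As an added example (not part of the original answer), this Python script scans a file's raw bytes for an embedded manifest and reads an external `.manifest` the same way; the function names and sample bytes are constructed for illustration, and it assumes the manifest is stored as UTF-8 text in an unpacked executable.

```python
import re
import xml.etree.ElementTree as ET

# An embedded manifest resource is plain XML text inside the PE file, so the
# <assembly>...</assembly> span can be found in the raw bytes.
# Assumption: UTF-8 text; UTF-16 manifests and packed files are not handled.
ASSEMBLY_RE = re.compile(rb"<assembly[\s>].*?</assembly>", re.DOTALL)

def requested_level(blob):
    """Return the requestedExecutionLevel 'level' declared in blob, or None."""
    for match in ASSEMBLY_RE.finditer(blob):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only looked like a manifest
        for elem in root.iter():
            # Compare local names so asm.v2 and asm.v3 namespaces both match.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return elem.get("level")
    return None

def report(exe_bytes, external_manifest=None):
    """Summarise what the embedded and the external manifest each request."""
    return {
        "embedded": requested_level(exe_bytes),
        "external": requested_level(external_manifest) if external_manifest else None,
    }

# Constructed sample: fake PE bytes carrying a requireAdministrator manifest.
SAMPLE_EXE = (b"MZ\x90\x00" + b"\x00" * 32 +
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges><requestedExecutionLevel '
    b'level="requireAdministrator" uiAccess="false"/></requestedPrivileges>'
    b'</security></trustInfo></assembly>' + b"\x00" * 16)
# Constructed sample: the external manifest above, reduced to its trustInfo.
SAMPLE_EXTERNAL = b'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>
    <requestedPrivileges><requestedExecutionLevel level="asInvoker"
      uiAccess="false"/></requestedPrivileges></security></trustInfo>
</assembly>'''

if __name__ == "__main__":
    import os, sys
    if len(sys.argv) > 1:  # argument: path to the executable to inspect
        side = sys.argv[1] + ".manifest"
        ext = open(side, "rb").read() if os.path.exists(side) else None
        print(report(open(sys.argv[1], "rb").read(), ext))
    else:
        print(report(SAMPLE_EXE, SAMPLE_EXTERNAL))
```

Run it with the path to the executable as its only argument; without an argument it reports on the constructed samples.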

  • Kai Robbin

    I found a tool to run an application which requires UAC elevation as a limited user.

    http://www.robotronic.de/runasroben.html

    But it is only free for private use. Does anyone know a freeware tool like this?


  • Related Question

    windows 7 - How can I get the UAC/elevation prompt to remember my local username?
  • dpp

    I want to be able to run as a non-admin domain account for normal work and be prompted for elevation when needed. This is fine when not in a domain as the elevation prompt remembers my user name and I just have to enter my password. In a domain environment, however, the elevation prompt does not remember the domain (the local machine) or the username from the local machine. How can I get the UAC/Elevation prompt to remember this information?


  • Related Answers
  • dpp

    Finally found the answer:

    Launch C:\Windows\System32\gpedit.msc using Run As Administrator (from the right click menu) and enable the following setting:

    Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Credential User Interface / Enumerate administrator accounts on elevation

  • Sam Morris

    For those using a Home edition of Windows which lacks the policy editor, you can create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI and add an EnumerateAdministrators of type DWORD set to 1.