windows - How to Configure own's .NET application to run under Standard User Account without administrative level with UAC enabled?

08
2014-07
  • John

    My question relates to another similar:

    How to configure app to run in elevated mode from Standard User Account?

    Generally I am curious:

    What should I do to configure my .NET the application to run under Standard User Account without needed elevated mode? (To get rid of the window: Do you want to allow the following program from an unknown publisher to make changes to this computer.)

    Thanks in advance

    • Answers
  • Frank Thomas

    If I'm understanding your query correctly, you would like your application to be able to perform privileged operations without UAC prompts.

    in order to do that, MS expects you to architect your application as two separate components, a service running in system-space, and a client application in user-space. that way the service is running in an elevated state, and is started by an high integrity process, but the client connecting to it need not do so.

    Of course, installing, registering, and starting a service requires admin, but once installed and rebooted, any user with access to the application should be able to invoke the privledged service component without additional privldges for the interactive user.


    • Related Question

    windows - Force a program to run *without* administrator privileges or UAC?
  • Andrew Russell

    Is there any way that I can force a program that normally requires administrator privileges (via UAC) to run without them? (ie: no UAC prompt and no system-wide access.)

    Added: Without modifying the executable itself.

    In spite of James's answer, I have found a few ways that it can almost be done:

    1. By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.
    2. By using Process Explorer I can launch it as a Limited User. However this seems to limit it significantly more than I would like (it runs like Protected Mode IE and so can access significantly less than what my standard un-elevated user can).

    • Related Answers
  • Mxx

    I hope I'm not too late to the party, but I was looking for a similar question and without seeing an answer here I found out that Windows' builtin RunAscommand, when run as administrator, can do that with /trustlevel switch.

    RUNAS /trustlevel:<TrustLevel> program

/showtrustlevels  displays the trust levels that can be used
                  as arguments to /trustlevel.
/trustlevel       <Level> should be one of levels enumerated
                  in /showtrustlevels.

    This worked in my case. Ironically, starting a program explicitly without elevation requires an elevated command prompt. Go figure. :) I hope it helps you.

  • Oliver Salzburg 
    Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run without admin rights (UAC)"

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

    Simple - add in context menu on app. file choice to run without administrative rights. In some cases - small amount 0.1% of programs may ask twice about UAC prompt.

    Save in <name_of_file>.reg and add it to the Windows Registry.

  • user53639

    I solved this problem today using the MS application customization toolkit.

    I followed the instructions in a tech republic article: http://www.techrepublic.com/blog/window-on-windows/selectively-disable-uac-for-your-trusted-vista-applications/635

    Basically:

    1) you get the tookit from MS here .

    2) Click Fix

    3) Choose the RunAsInvoker option

    4) Right Click the fix and choose Install

  • slhck

    I fixed this problem by going changing the permissions on the folder that contained the program.

    I added each user that will run that program and gave them "full control" priviledges. That took care of the problem and I left the "run as admin" unchecked.

    I don't have any security concerns for the users who will be running the program.

  • Aurimas

    While in his question Andrew stated that the following did not quite work:

    By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.

    I was able to modify an external .manifest file for the software I was using and change

    <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

    to

    <ms_asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false" />

    Turns out the software I was using did not really require administrator rights so I was able to run it on a Standard User account without UAC or administrator passwords. Thanks!

  • James Watt

    No, if a program requires UAC then it is trying to access something outside of its sandbox. The program will not correctly run without the elevated access.

    If you just want to get rid of the notification, you can disable UAC.

    Disable UAC on Windows Vista: Start, type "user". Click on "User Accounts". On the window that pops up, click on "User Account Control Settings" and then Turn off UAC.

    Disable UAC on Windows 7: Start, type "user". Click on "User Account Control Settings". Drag the choice bar all the way to the bottom to "Never Notify."