4
1
I need a standard or limited Windows 7 user to be able to run an application (Fallout Mod Manager) which requires UAC elevation. I've tried the Application Compatibilty Toolkit, but that did not work as intended. Any Suggestions? I am running Windows 7 Ultimate local, so policies can be applied.
I basically want something like unix' setuid flag.
Thom Wiggers
Posted 2010-02-02T14:21:35.800
Reputation: 489
3
It's doable, but not easy to explain.
There are only three reasons why an application would request for elevation on startup:
requireAdministratorAssuming you've already checked the compatibility tab, and the application is not set to require administrator:
The next step is to check for an embedded resource manifest. i won't go into how you can find that out. But skip to create a manifest for yourself.
Create a file in the same directory as Fallout Mod Manager (i don't know what the exe is called, but i'll call it FalloutModManager.exe:
FalloutModManager.exe FalloutModManager.exe.manifest
This new manifest file you create is a simple text file, containing xml, with a manifest entry that says that we want to launch asInvoker, rather than requireAdministrator:
FalloutModManager.exe.manifest
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="client"
type="win32" />
<description>Poorly written Fallout Mod Manager fails on XP as standard user</description>
<!-- Disable file and registry virtualization, and don't require elevation -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Having this file next to your executable is called an "external manifest". It is also possible the executable has an embedded resource, which you would need a tool like Resource Hacker to see, or modify.
Ian Boyd
Posted 2010-02-02T14:21:35.800
Reputation: 18 244
What if you copied Fallout3.exe into a folder outside of %Program Files%, had FOMM modify the copy, and then launch Fallout using that exe instead of the one inside %Program Files% ? – Dan Henderson – 2015-10-20T20:38:03.377
1Won't creating a manifest saying don't run a admin only work if the program is incorrectly manifested; but fail if the program is actually doing something that requires elevation? (The memory hook.) – Dan is Fiddling by Firelight – 2011-08-26T17:37:44.843
If there is an internal manifest, it will take prescidence over an external manifest. In that you you should edit the internal manfiest to specify asInvoker. If the program is doing something that requires administrator access then it will fail - but then it would also fail on Windows XP with a standard user. There are a number of workaround that Microsoft added to try to fix buggy applications that fail as standard user. But the best bet is: If you want all users to be able to modify HKLM and ProgramFiles, then grant All Users full permission to HKLM and ProgramFiles. – Ian Boyd – 2011-08-26T17:58:15.357
I'm afraid @DanNeely is right, and that this won't work. FOMM tries to insert it's own DLLs into a different exectuable (Fallout3.exe) – Thom Wiggers – 2011-08-28T10:18:12.373
i'm sure there are things FOMM can do that don't require administrative access. By marking the executable asInvoker you will no longer have to elevate in order to run the program. You might not be able to accomplish all you want - but at least now you can run the executable as a regular user. – Ian Boyd – 2011-08-28T17:53:00.220
When you can the toolkit did you click 'Change settings for all users'? – Unfundednut – 2010-02-02T14:42:19.073
I've used sdbinstall to deploy the changes, and I went through MSDN/Technet docs. asAdmin or asHighest don't work because they do trigger the promt, and asInvoker won't work because it does need the priviliges – Thom Wiggers – 2010-02-02T18:09:48.737
Have you been able to figure out why the application is requiring elevation? If it needs read/write access to certain folders, for example, you might be able to solve that by changing NTFS permissions. – nhinkle – 2010-12-05T19:55:44.450
@nhinkle memory hook (on the fallout process. (Fallout Script Extender)) – Thom Wiggers – 2010-12-06T12:42:05.830
The user can run the program, but will have to enter the credentials of an administrator account when UAC prompts for elevation. If that's not a satisfactory solution, unfortunately I don't know enough to help any further. :) – Ben Richards – 2011-08-26T17:40:36.540