Force a program to run *without* administrator privileges or UAC?

128

74

Is there any way that I can force a program that normally requires administrator privileges (via UAC) to run without them? (ie: no UAC prompt and no system-wide access.)

Added: Without modifying the executable itself.


In spite of James's answer, I have found a few ways that it can almost be done:

  1. By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.
  2. By using Process Explorer I can launch it as a Limited User. However this seems to limit it significantly more than I would like (it runs like Protected Mode IE and so can access significantly less than what my standard un-elevated user can).

Andrew Russell

Posted 2010-08-04T13:49:40.120

Reputation: 1 535

Aside from running via the Process Explorer GUI, it's possible to run with psexec.exe -l. Sometimes it's better because it requires fewer manual actions. Still, it will limit the process beyond "user" group permissions, as with Process Explorer's Run as Limited User. – LogicDaemon – 2015-03-29T09:59:46.843

If a program has no manifest and refuses to run with no admin privileges, it is most likely due to UAC Installer Detection. I posted this question and misha256 has a good solution. I tested it and I can confirm that it works. https://superuser.com/questions/857616/how-to-disable-installer-detection-feature-of-uac-in-windows-7-home-premium?lq=1 I did some research and I found that there is no reason for Installer Detection to exist. Note that if the admin privileges are due to a trustinfo entry in a manifest, obviously this will not work.

– user1258361 – 2014-12-29T00:28:51.987

1 You specify not modifying the executable, yet modifying the .exe is one of your attempted ways? – cutrightjm – 2012-04-20T04:39:26.950

3 @ekaj I only specified that after I found out that it wouldn't work ;) – Andrew Russell – 2012-04-21T15:29:41.460

Could you maybe specify the program, even if you don't use it anymore? That might help people to know what it is trying to access that requires admin privileges – cutrightjm – 2012-04-21T16:45:10.380

@ekaj Unfortunately not. However it's not especially relevant: UAC is triggered by a program asking for elevation during process creation (the usual way - as in this case - is with a manifest). Once a process is started, it cannot change its elevation status - no matter what restricted resources it tries to access. – Andrew Russell – 2012-04-22T04:59:32.370

Answers

76

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run without privilege elevation"

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

Save this text in <name_of_file>.reg and add it to the Windows Registry. (Double-clicking on it should do the trick.)

Afterwards, right-click the app you'd like to run without administrative privileges and select "Run without privilege elevation".

In some cases (a small amount, 0.1% of programs) the program may ask twice about the UAC prompt.

Vom

Posted 2010-08-04T13:49:40.120

Reputation: 792

2 Accepting this as it seems to be the most straightforward method, and I've (finally!) been able to verify it. Also has the very nice property of being trivially usable as a once-off command line (remove the outer " and then turn \" into "). – Andrew Russell – 2014-12-29T15:33:46.037

@Vom - Do you know of an easy way to get past programs that ask multiple times? Thanks! – Derek – 2015-01-06T16:25:32.200

1 I have the same issue as @Derek, the application seems to constantly keep re-asking for UAC, I don't trust it with system wide access but I need its functionality.. – Gizmo – 2015-03-11T22:19:19.087

@Gizmo: I now use either a virtual machine as a sandbox or the program Sandboxie. You should still be monitoring all file changes and enable file-versioning/backups on windows to be safe. – Derek – 2015-03-12T00:44:17.770

For some reason, the program still asks for admin rights from me, if I run it with admin account but with UAC on. – LogicDaemon – 2015-03-29T10:45:44.267

@Derek, Gizmo: This only prevents windows from trusting the file properties. If the application demands elevation in its code and won't continue until it gets it, the only way out is patching the exe (or running it in an environment where it doesn't matter). – SilverbackNet – 2015-10-30T05:52:09.910

Is /min documented anywhere? – jpmc26 – 2015-12-11T18:28:37.073

1 You can add this to the registry for only the currently signed in user by changing the keys to: HKEY_CURRENT_USER\Software\Classes\*\shell\forcerunasinvoker and HKEY_CURRENT_USER\Software\Classes\*\shell\forcerunasinvoker\command – GodEater – 2016-03-03T11:36:16.863

This didn't work for me. I added a forcerunasinvoker key to HKEY_CLASSES_ROOT\*\shell with (Default)=Run with standard privileges and then added a subkey "command" with (Default)=cmd /min /C "set __COMPAT_LAYER=RunAsInvoker && start "" "%1"". I get a command window with an error: "The filename, directory name, or volume label syntax is incorrect". – user1258361 – 2017-01-15T22:08:57.753

1 @jpmc26 I think the /min is an error. The solution works exactly the same without it. Vom must have mixed up cmd and start switches. It seems that cmd.exe doesn't complain of wrong switches. Try cmd /whatever, for example. – cdlvcdlv – 2017-07-02T11:50:49.607

1 I used to use the Application Compatibility Toolkit shim, but that was a lot of work for each executable and left junk in the registry for each file as well. This method works and I like it a lot better. – Ben Voigt – 2013-04-17T21:28:56.937

57

Save to nonadmin.bat:

cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"

Now you can drag and drop programs to this to run them without admin.

This doesn't require admin privileges as changing that registry key does. Also you won't clutter the context menu.

Based on Vom's answer


Update: Should now work with programs that have spaces in name as well.

Hjulle

Posted 2010-08-04T13:49:40.120

Reputation: 796

I tried it on some programs requiring access on my drives and it couldn't detect them or didn't work in the first place :/ (rufus https://rufus.akeo.ie/ for example)

– keinabel – 2016-04-11T19:04:15.177

7 @keinabel That's probably because they actually needed admin to work. This script is for programs which demand admin privileges without actually doing something which requires it. Raw access to drives is a typical admin-thing. – Hjulle – 2016-04-11T19:23:13.520

2 Pretty neat! Was able to install XAMPP using this method. – Krishnaraj – 2016-08-08T09:31:50.817

This doesn't seem to be working for me for any executables in the "C:\Program Files..." directory. I get a Windows cannot find 'C:\Program'. Make sure you typed the name correctly, and then try again. I've tried this command manually several times with slight variations and no luck. Any ideas? – Jake Smith – 2016-09-30T18:09:21.643

@amanuel2 I haven't tried with VirtualBox, but I was able to get this to work as long as there weren't any spaces in the path to the .exe – Jake Smith – 2016-10-03T21:32:13.353

@JakeSmith May you please tell me how you got this to work? I really need Virtualbox.exe to work without admin .. the portable version: http://www.vbox.me/ ..

– amanuel2 – 2016-10-03T21:36:17.390

Like I said, I had to make sure the exe I dragged into the icon was not saved on disk to a location with a path that had a space in it. Move the executable to another location that does not have a space in the path – Jake Smith – 2016-10-03T21:37:26.147

@JakeSmith sorry I didn't know you messaged me back. I might sound dumb but what exactly do you mean by space in the path? – amanuel2 – 2016-10-03T23:11:06.733

@amanuel2, I mean the difference between "C:\Program Files\file.exe" vs. "C:\ProgramFiles\file.exe" – Jake Smith – 2016-10-04T13:19:48.890

@JakeSmith How do i fix that? – amanuel2 – 2016-10-04T16:57:42.773

@amanuel install the program in a location that does not have spaces in the names of any folders. – Jake Smith – 2016-10-05T03:19:51.863

This worked with a Visual Studio exe which was set to run as admin by default. I was able to run the exe without the admin permission prompt in a case where admin permission was not available. – Deshan – 2016-10-23T20:32:26.877

1 I had the same issue with the location of the file being in a folder with spaces. Solved it by removing some double quotes: cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1" – ragnar – 2017-02-13T17:30:50.757

Same here, it appears drag/drop is already adding quotes by default, in other words delete the quotes on both sides of the %1 and you will be good. – Xander – 2017-03-22T16:22:11.333

It worked for me. – Pranit Kothari – 2018-03-07T05:21:41.317

35

I hope I'm not too late to the party, but I was looking for a similar question and without seeing an answer here I found out that Windows' builtin RunAs command, when run as administrator, can do that with /trustlevel switch.

RUNAS /trustlevel:<TrustLevel> program

/showtrustlevels  displays the trust levels that can be used
                  as arguments to /trustlevel.
/trustlevel       <Level> should be one of levels enumerated
                  in /showtrustlevels.

This worked in my case. Ironically, starting a program explicitly without elevation requires an elevated command prompt. Go figure. :) I hope it helps you.

Mxx

Posted 2010-08-04T13:49:40.120

Reputation: 2 659

I can confirm this does not work. I just tested it and got an error: "RUNAS ERROR: Unable to run - (program name here). The requested operation requires elevation". – user1258361 – 2014-12-28T03:21:44.160

9 @user1258361 you have to run this command from elevated prompt, just like I wrote in bold... – Mxx – 2014-12-28T04:01:35.880

It doesn't seem to require an elevated prompt on Windows 7... – SamB – 2015-09-09T01:23:58.453

4 Tested with elevated prompt, used command line runas /trustlevel:0x20000 (program), program ran as admin anyway. For reference, 0x20000 is basic user. – user1258361 – 2017-01-15T23:21:49.367

2 requires an elevated command prompt...of course it does. Otherwise you're already without admin rights and any process you start will also lack them. – I say Reinstate Monica – 2018-01-20T02:24:16.090

19

If you have a particular application that you want to always run without UAC, you can target it with the Registry (add the text to a REG file and import it into the Registry):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"

Unlike this answer, this solution requires no alternate click or change to user interaction.

Microsoft calls this process adding the RunAsInvoker "Compatibility Shim".

palswim

Posted 2010-08-04T13:49:40.120

Reputation: 2 793

The answer to a different, yet related question provided the inspiration for this answer. – palswim – 2016-09-09T20:17:26.993

1 Thank you very much! This was the only thing that worked for me! I had an application which was being called from the Windows context menu, and it was always coming up as administrator, despite it being called correctly from everywhere else. After this fix, the application started being called correctly. – user – 2017-05-06T17:55:58.340
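An added example (not part of any answer here): an inventory check over a `.reg` export that lists every place the two mechanisms from the answers above are configured, the `__COMPAT_LAYER=RUNASINVOKER` command line and the `AppCompatFlags\Layers` shim value. The function name and the sample export are constructed for illustration; a real file made with `reg export` is UTF-16 and must be decoded before it is passed in.

```python
import re

LAYERS_KEY = r"\software\microsoft\windows nt\currentversion\appcompatflags\layers"
# "name"="data" or @="data" (default value); data may hold \" and \\ escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
ENV_RE = re.compile(r'__COMPAT_LAYER\s*=\s*([^&"]+)', re.I)


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def find_runasinvoker(reg_text):
    """Return (kind, key, value_name, data) for every RunAsInvoker setting."""
    hits, key = [], ""
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = _unescape(m.group(2))
        if key.lower().endswith(LAYERS_KEY):
            # Layers data is a space-separated list, e.g. "~ RUNASINVOKER".
            if "runasinvoker" in data.lower().split():
                hits.append(("shim", key, name, data))
        else:
            env = ENV_RE.search(data)
            if env and "runasinvoker" in env.group(1).lower().split():
                hits.append(("env", key, name, data))
    return hits


# Constructed sample in .reg syntax: the two entries from the answers above
# plus two unrelated values that must not be reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"
"C:\\example\\other.exe"="~ RUNASADMIN"

[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\example"
'''

if __name__ == "__main__":
    for hit in find_runasinvoker(SAMPLE_REG):
        print(hit)
```

Entries under HKEY_CURRENT_USER can be written without admin rights, so the per-user hive is worth including in any such inventory.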

4

If it's a setup (installation) exe file that is requiring administration privilege, there's a trick to run it without elevated access:

If the file's name contains words like setup or install, Windows forcefully runs it with elevated access even if it doesn't need elevated access.

If the .exe file has a manifest in it, these heuristics for elevation do not apply.

For example if the manifest indicates that the exe does not need elevation, even including any of these words in the file name won't make it run as elevated.

Another keyword is patch as stated by Mgamerz in the comments.

This is documented on the UAC (User Account Control) docs:

Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

Installer detection only applies to:

  • 32-bit executable files.

  • Applications without a requested execution level attribute.

  • Interactive processes running as a standard user with UAC enabled.

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • The file name includes keywords such as "install," "setup," or "update."

  • ...

Read more here: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works

Shayan

Posted 2010-08-04T13:49:40.120

Reputation: 590

2 Of course, that only works when the application manifest doesn’t explicitly specify it must run elevated. – Daniel B – 2019-01-25T11:57:37.717

3 @DanielB: in fact this trick only works when there is no manifest – AntoineL – 2019-03-05T15:33:13.753

1 Upvoted. Good observation. A link to official docs would also be nice. – Denis Nikolaenko – 2019-07-22T20:25:19.123

@DenisNikolaenko Ty, added source :) – Shayan – 2019-07-22T20:45:57.533

1 Another keyword is "patch". Just for people coming by as googling. – Mgamerz – 2019-11-16T21:23:59.423

3

I solved this problem today using the MS application customization toolkit.

I followed the instructions in a tech republic article.

Basically:

1) you get the toolkit from MS here.

2) Click Fix

3) Choose the RunAsInvoker option

4) Right Click the fix and choose Install

user53639

Posted 2010-08-04T13:49:40.120

Reputation: 238

@mxx actually no. If current user is limited (or you've got UAC enabled), then the process will launch with limited privileges altogether. – LogicDaemon – 2015-03-29T09:54:11.673

1 @LogicDaemon If you actually read the article, you'll see that it explains that if you follow those steps, you'll run an app as Administrator without UAC prompt. This is opposite of what OP asked for. – Mxx – 2015-03-29T14:35:59.813

@mxx nope. Read on technet what RunAsInvoker actually does. This is indeed what topicstarter asked for, though this only works for older apps.

– LogicDaemon – 2015-03-30T11:53:01.470

As long as Explorer, a non-admin cmd, or any other standard process is the parent, RunAsInvoker will run with the same limited rights. (Explorer runs restricted by default, otherwise it would never ask you to elevate to delete a file.) It actually seems to work even with new apps. RunAsInvoker means it inherits the exact same ACL token. – SilverbackNet – 2015-10-30T05:59:53.687

ApplicationCompatibilityToolkitSetup.exe needs admin rights .. ;-) – weberjn – 2016-10-20T08:11:28.977

Your answer does exactly the opposite of the desired effect. Original question was how to force an app that asks for elevated privileges to run without elevating. Your answer still uses UAC but just disables that prompt. That's a wrong answer for this question. – Mxx – 2014-01-22T14:07:23.663

2

While in his question Andrew stated that the following did not quite work:

By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.

I was able to modify an external .manifest file for the software I was using and change

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

to

<ms_asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false" />

Turns out the software I was using did not really require administrator rights so I was able to run it on a Standard User account without UAC or administrator passwords. Thanks!

Aurimas

Posted 2010-08-04T13:49:40.120

Reputation: 104

It might be easier to edit the executable instead, as the manifest may just be included in the file. Note that the namespace prefix ms_asmv2: might also be omitted. Also, it is possible that changing the size of the embedded xml block may corrupt the binary, so "requireAdministrator" should be changed to "asInvoker" padded to the same length with spaces before uiAccess. – kdb – 2019-02-13T16:33:24.043
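An added example (not from any answer on this page): a static check that reports which of the mechanisms discussed here, the manifest's requestedExecutionLevel or the file-name installer heuristic, would make a given file ask for elevation. It assumes an ASCII/UTF-8 manifest found by scanning the raw bytes and uses only the keywords named on this page; the function names and the `fake_pe` sample builder are made up for illustration.

```python
import re
import struct

# Matches the element with or without a namespace prefix such as ms_asmv2:
LEVEL_RE = re.compile(
    rb'requestedExecutionLevel\s+level\s*=\s*["\'](\w+)["\']', re.I)
# File-name keywords named on this page; Windows checks further attributes.
INSTALLER_WORDS = ("install", "setup", "update", "patch")
IMAGE_FILE_MACHINE_I386 = 0x014C


def is_32bit_pe(data):
    """True when the PE file header's Machine field is x86."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 6:
        return False
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine == IMAGE_FILE_MACHINE_I386


def requested_level(data):
    """Level named in a manifest (embedded in an exe or a .manifest file)."""
    m = LEVEL_RE.search(data)
    return m.group(1).decode("ascii") if m else None


def elevation_trigger(file_name, exe_bytes):
    """Classify what, if anything, would make this file ask for elevation."""
    level = requested_level(exe_bytes)
    if level is not None:
        return "manifest:" + level  # a manifest level disables the heuristic
    # Installer detection: 32-bit, no requested level, keyword in the name.
    # It also needs a standard user with UAC on, which a file cannot show.
    name = file_name.lower()
    if is_32bit_pe(exe_bytes) and any(w in name for w in INSTALLER_WORDS):
        return "installer-detection"
    return "none"


def fake_pe(machine, tail=b""):
    """Constructed stand-in: DOS stub, PE signature and Machine field only."""
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + tail)


if __name__ == "__main__":
    admin = (b'<ms_asmv2:requestedExecutionLevel '
             b'level="requireAdministrator" uiAccess="false" />')
    print(elevation_trigger("tool.exe", fake_pe(0x014C, admin)))
    print(elevation_trigger("MySetup.exe", fake_pe(0x014C)))
    print(elevation_trigger("MySetup.exe", fake_pe(0x8664)))
```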

-2

I fixed this problem by changing the permissions on the folder that contained the program.

I added each user that will run that program and gave them "full control" privileges. That took care of the problem and I left the "run as admin" unchecked.

I don't have any security concerns for the users who will be running the program.

Tim D

Posted 2010-08-04T13:49:40.120

Reputation: 5

-5

No, if a program requires UAC then it is trying to access something outside of its sandbox. The program will not correctly run without the elevated access.

If you just want to get rid of the notification, you can disable UAC.

Disable UAC on Windows Vista: Start, type "user". Click on "User Accounts". On the window that pops up, click on "User Account Control Settings" and then Turn off UAC.

Disable UAC on Windows 7: Start, type "user". Click on "User Account Control Settings". Drag the choice bar all the way to the bottom to "Never Notify."

James Watt

Posted 2010-08-04T13:49:40.120

Reputation: 1 759

7 Disabling UAC is not what I am trying to achieve. Also: your description of how UAC works is correct only in a general sense. It's possible for a program to request UAC when it doesn't strictly need it. And UAC happens before a program starts - once it's running, if it steps beyond its permissions, it will simply get permission-denied errors. – Andrew Russell – 2010-08-04T14:32:26.897

Semantics aside, you can't "disable" UAC notifications for a specific program while still limiting their access. – James Watt – 2010-08-04T14:47:00.177

James: Actually - it looks like you can - I've updated my question. – Andrew Russell – 2010-08-04T16:11:29.350

Short of modifying the program code itself, I would be interested to know of a working solution if you find one. – James Watt – 2010-08-05T05:17:48.983