In this article, we show how to selectively disable UAC for a specific application without turning off User Account Control completely. We look at several ways to suppress the UAC prompt for one app using the RunAsInvoker compatibility flag. User Account Control asks the user to confirm any action that requires administrator privileges. This is a fairly effective mechanism for protecting Windows from a number of threats (viruses, trojans, worms, rootkits, etc.). Some users find the UAC pop-ups annoying and prefer to disable this security feature, although Microsoft and security experts strongly recommend not doing this.
The RunAsInvoker flag runs the application with the access token inherited from the parent process. This cancels the processing of the application manifest and the detection of installer processes. The flag doesn’t provide administrator privileges; it only bypasses the UAC prompt.
As an example, we will disable the User Account Control prompt for the registry editor (regedit.exe). Despite the fact that my account has local administrator privileges, when I run the utility, a UAC request still appears to confirm the launch.
If the program requires administrator permissions because it changes system settings or files, suppressing the UAC prompt does not elevate the user’s privileges in the application. The program still runs with the current user’s permissions, and if you do not have the authority to make these changes, the program won’t be able to make them. There is also a small number of applications that run only in “As an administrator” mode and ignore the RunAsInvoker compatibility flag.
Disabling UAC for a program using the Application Compatibility Toolkit
We need to install the Application Compatibility Toolkit, which is part of the Windows ADK. Download the latest version of the Windows ADK for Windows 10 here.
Run the adksetup.exe file and during installation (the program needs Internet access), select only the Application Compatibility Tools item. Microsoft Application Compatibility Tools is a free set of tools to fix app compatibility issues when migrating to new Windows versions.
There are two versions of Application Compatibility Administrator in the system – 32-bit and 64-bit. Run the version of Application Compatibility Administrator depending on the application bitness for which you want to disable the UAC request.
Run the Compatibility Administrator (32-bit) with administrator privileges (!). In the Custom Databases node, right click New Database and select Create New -> Application Fix.
In the following window, enter the name of the application (regedit), the vendor name (Microsoft) and the path to the executable file (C:\Windows\System32\regedit.exe).
Skip the next window (Compatibility Mode) of the configuration wizard by pressing Next. In the Compatibility Fixes window, check the option RunAsInvoker.
You can make sure that the application can run without UAC by pressing the Test Run button.
In the Matching Information dialog, you can specify which application parameters should be checked (version, checksum, size, etc.). I left the COMPANY_NAME, PRODUCT_NAME and ORIGINAL_FILENAME options checked to avoid the recreation of the compatibility patch file after the next Windows 10 update.
Tip. To protect against the spoofing of the executable by a hacker, you can request additional checks when running the file (e.g., CHECKSUM, FILE_VERSION or FILE_SIZE verification, etc.). Note that the additional checks will slow down the app startup.
Click Finish and specify the name of the file the compatibility fix package should be saved to, e.g., regedit.sdb. This file will contain instructions for starting the application with the specified compatibility options.
Now you only have to apply the compatibility fix package to the application. You can do it either from the Compatibility Administrator console (choosing Install in the menu) or from the command prompt.
To do it, run an elevated command prompt and execute the following command:
sdbinst -q c:\ps\regedit.sdb
If you have done it right, a message of successful package installation appears.
Installation of regedit complete.
After the package has been installed, the corresponding record will appear in the list of the installed Windows programs (Programs and Features).
Now try to run the application in a user session without local administrator permissions. It should start without a UAC request.
Now check the privileges of the running application. Run the Task Manager, go to the Process tab, and add the “Elevated” column. Make sure that the regedit.exe process is started by the user in unprivileged mode (Elevated = No).
In this registry editor process, the user can only edit his own registry keys and parameters. But if you try to edit/create something in the system HKLM key, an error appears: “You don’t have the requisite permissions”.
Later, this compatibility fix can be distributed to all user computers using Group Policy. This way you can disable UAC prompts for specific applications on multiple computers in an Active Directory domain.
To remove the compatibility fix, run the command:
sdbinst -u c:\ps\regedit.sdb
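To confirm which custom compatibility databases are registered on a machine before or after running sdbinst, the following PowerShell sketch lists them with the file hash of each .sdb. It is an added example, not part of the original article; the InstalledSDB key and its value names are not mentioned in the article, and the function name Get-InstalledShimDatabase is hypothetical.

```powershell
# Added example (not from the article): inventory custom shim databases
# registered by sdbinst, so unexpected ones stand out in a review.
function Get-InstalledShimDatabase {
    # Key where Windows records installed custom .sdb files (not named in the article).
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path -LiteralPath $root)) { return }

    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p      = Get-ItemProperty -LiteralPath $_.PSPath
        $path   = [string]$p.DatabasePath
        $onDisk = $path -and (Test-Path -LiteralPath $path -PathType Leaf)

        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $path
            # The install time is stored as a FILETIME value.
            InstalledUtc = if ($p.DatabaseInstallTimeStamp) {
                               [datetime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
                           }
            # Hash the database so it can be compared with the package you built and approved.
            Sha256      = if ($onDisk) {
                               (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                           } else { 'FileMissing' }
        }
    }
}

Get-InstalledShimDatabase | Sort-Object InstalledUtc | Format-List
```

Compare the reported hash with the hash of the regedit.sdb file you created; an entry you did not deploy deserves a closer look.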
Enable the RunAsInvoker App Flag via the Registry
You can enable the RUNASINVOKER compatibility flag in Windows 10/8.1/7 through the registry. The application compatibility flag can be set for a single user or for all users of the computer.
For example, for the regedit app you need to create a new registry parameter (REG_SZ) in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers:
- Value name: C:\windows\regedit.exe
- Value data: RunAsInvoker
If you want to enable application compatibility mode for all local computer users, you need to create this parameter in a different registry key:
In the domain, you can import/deploy these registry settings to users through a GPO.
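Because the flag is just a registry value, it is worth auditing where it has been set. The PowerShell sketch below is an added example, not code from the original article: it scans the per-user Layers key described above in every loaded user hive and reports each executable that carries RunAsInvoker, together with whether the file exists and its signature status. The function name Get-RunAsInvokerLayer and the -SubKey and -ExtraKey parameters are hypothetical.

```powershell
# Added example (not from the article): report RunAsInvoker entries in AppCompatFlags\Layers.
function Get-RunAsInvokerLayer {
    param(
        # Sub-path of the per-user key named in the article.
        [string]$SubKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        # Optional full provider paths of further Layers keys to scan, e.g. the machine-wide key.
        [string[]]$ExtraKey = @()
    )
    # Every loaded user hive under HKEY_USERS (HKCU is only the caller's own hive).
    $keys = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$SubKey" }

    foreach ($key in @($keys) + $ExtraKey) {
        if (-not (Test-Path -LiteralPath $key -ErrorAction SilentlyContinue)) { continue }
        $reg = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $reg) { continue }

        foreach ($exe in $reg.GetValueNames()) {
            if (-not $exe) { continue }   # skip the unnamed default value
            # Value data is a space-separated list of layer names, sometimes led by "~".
            $layers = @(([string]$reg.GetValue($exe)) -split '\s+' |
                Where-Object { $_ -and $_ -ne '~' })
            if ($layers -notcontains 'RunAsInvoker') { continue }   # case-insensitive match

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            [pscustomobject]@{
                Key        = $key
                Executable = $exe
                Layers     = $layers -join ' '
                FileExists = $exists
                # A flagged path with a missing or unsigned file is worth a closer look.
                Signature  = if ($exists) {
                                 (Get-AuthenticodeSignature -LiteralPath $exe).Status
                             } else { 'FileMissing' }
            }
        }
    }
}

Get-RunAsInvokerLayer | Format-Table -AutoSize -Wrap
```

Run it elevated to read the hives of other logged-on users; without elevation it reports only the hives the caller can open.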
Batch file to Run the Application in the RunAsInvoker Mode
There is another way to run a program without admin privileges while bypassing the UAC prompt.
Just create a .bat file with the following code:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %ApplicationPath%"
When this .bat file is run by a standard user, the specified application will start without a UAC prompt.
So, we looked at how to disable UAC for a specific program without completely disabling User Account Control. This allows you to run Windows programs under a non-admin account without a UAC prompt and without entering an administrator password.