155

Is there any way that I can force a program that normally requires administrator privileges (via UAC) to run without them? (i.e.: no UAC prompt and no system-wide access.)

Added: Without modifying the executable itself.


In spite of James's answer, I have found a few ways that it can almost be done:

  1. By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.
  2. By using Process Explorer I can launch it as a Limited User. However this seems to limit it significantly more than I would like (it runs like Protected Mode IE and so can access significantly less than what my standard un-elevated user can).
Andrew Russell
  • 2
    You specify not modifying the executable, yet modifying the .exe is one of your attempted ways? – cutrightjm Apr 20 '12 at 04:39
  • 3
    @ekaj I only specified that *after* I found out that it wouldn't work ;) – Andrew Russell Apr 21 '12 at 15:29
  • Could you maybe specify the program, even if you don't use it anymore? That might help people to know what it is trying to access that requires admin privileges – cutrightjm Apr 21 '12 at 16:45
  • @ekaj Unfortunately not. However it's not especially relevant: UAC is triggered by a program asking for elevation during process creation (the usual way - as in this case - is with a manifest). Once a process is started, it cannot change its elevation status - no matter what restricted resources it tries to access. – Andrew Russell Apr 22 '12 at 04:59
  • Aside from running via Process Explorer GUI, it's possible to run with `psexec.exe -l`. Sometimes it's better because it requires less manual actions. Still it will limit the process beyond "user" group permissions, as with process explorer's *Run as Limited User*. – LogicDaemon Mar 29 '15 at 09:59
  • If a program has no manifest and refuses to run with no admin privileges, it is most likely due to UAC Installer Detection. I posted this question and misha256 has a good solution. I tested it and I can confirm that it works. https://superuser.com/questions/857616/how-to-disable-installer-detection-feature-of-uac-in-windows-7-home-premium?lq=1 I did some research and I found that there is no reason for Installer Detection to exist. Note that if the admin privileges are due to a trustinfo entry in a manifest, obviously this will not work. – user1258361 Dec 29 '14 at 00:28

10 Answers

95
```
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run without privilege elevation"

[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""
```

Save this text in <name_of_file>.reg and add it to the Windows Registry. (Double-clicking on it should do the trick.)

Afterwards, right-click the app you'd like to run without administrative privileges and select "Run without privilege elevation".

In some cases, a small number of programs (0.1%) may show the UAC prompt twice.

Vom
  • 2
    I used to use the Application Compatibility Toolkit shim, but that was a lot of work for each executable and left junk in the registry for each file as well. This method works and I like it a lot better. – Ben Voigt Apr 17 '13 at 21:28
  • 2
    Accepting this as it seems to be the most straightforward method, and I've (*finally!*) been able to verify it. Also has the very nice property of being trivially usable as a once-off command line (remove the outer `"` and then turn `\"` into `"`). – Andrew Russell Dec 29 '14 at 15:33
  • @Vom - Do you know of an easy way to get past programs that ask multiple times? Thanks! – Derek Jan 06 '15 at 16:25
  • 1
    I have the same issue as @Derek, the application seems to constantly keep re-asking for UAC, I don't trust it with system wide access but I need its functionality.. – Gizmo Mar 11 '15 at 22:19
  • @Gizmo: I now use either a virtual machine as a sandbox or the program Sandboxie. You should still be monitoring all file changes and enable file-versioning/backups on windows to be safe. – Derek Mar 12 '15 at 00:44
  • For some reason, the program still asks for admin rights from me, if I run it with admin account but with UAC on. – LogicDaemon Mar 29 '15 at 10:45
  • @Derek, Gizmo: This only prevents windows from trusting the file properties. If the application demands elevation in its code and won't continue until it gets it, the only way out is patching the exe (or running it in an environment where it doesn't matter). – SilverbackNet Oct 30 '15 at 05:52
  • Is `/min` documented anywhere? – jpmc26 Dec 11 '15 at 18:28
  • 3
    You can add this to the registry for only the currently signed in user by changing the keys to : HKEY_CURRENT_USER\Software\Classes\*\shell\forcerunasinvoker and HKEY_CURRENT_USER\Software\Classes\*\shell\forcerunasinvoker\command – GodEater Mar 03 '16 at 11:36
  • This didn't work for me. I added a forcerunasinvoker key to HKEY_CLASSES_ROOT\*\shell with (Default)=Run with standard privileges and then added a subkey "command" with (Default)=cmd /min /C \"set __COMPAT_LAYER=RunAsInvoker && start \"\" \"%1\"\". I get a command window with an error: "The filename, directory name, or volume label syntax is incorrect". – user1258361 Jan 15 '17 at 22:08
  • 1
    @jpmc26 I think the `/min` is an error. The solution works exactly the same without it. Vom must have mixed up `cmd` and `start` switches. It seems that `cmd.exe` doesn't complain of wrong switches. Try `cmd /whatever`, for example. – cdlvcdlv Jul 02 '17 at 11:50
  • 1
    @GodEater You missed a backslash between 'Classes' and the asterisk. – Nick Betcher May 18 '20 at 23:14
  • thank you @NickBetcher, it doesn't work without that fix. GodEater's solution should honestly be added to the answer for better visibility. Also, unfortunately at least for me, the solution seems to only work for some applications. – I'm_With_Stupid Mar 31 '23 at 23:20
76

Save to nonadmin.bat:

```
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
```

Now you can drag and drop programs to this to run them without admin.

This doesn't require admin privileges as changing that registry key does. Also you won't clutter the context menu.

Based on Vom's answer


Update: Should now work with programs that have spaces in name as well.

Hjulle
  • I tried it on some programs requiring access on my drives and it couldn't detect them or didn't work in the first place :/ (rufus https://rufus.akeo.ie/ for example) – keinabel Apr 11 '16 at 19:04
  • 10
    @keinabel That's probably because they actually needed admin to work. This script is for programs which demand admin privileges without actually doing something which requires it. Raw access to drives is a typical admin-thing. – Hjulle Apr 11 '16 at 19:23
  • 3
    Pretty neat! Was able to install XAMPP using this method. – Krishnaraj Aug 08 '16 at 09:31
  • @amanuel2 I haven't tried with VirtualBox, but I was able to get this to work as long as there weren't any spaces in the path to the .exe – Jake Smith Oct 03 '16 at 21:32
  • @JakeSmith May you please tell me how you got this to work? I really need Virtualbox.exe to work without admin .. the portable version: http://www.vbox.me/ .. – amanuel2 Oct 03 '16 at 21:36
  • Like I said, I had to make sure the exe I dragged into the icon was not saved on disk to a location with a path that had a space in it. Move the executable to another location that does not have a space in the path – Jake Smith Oct 03 '16 at 21:37
  • @JakeSmith sorry I didn't know you messaged me back. I might sound dumb but what exactly do you mean by space in the path? – amanuel2 Oct 03 '16 at 23:11
  • @amanuel2, I mean the difference between "C:\Program Files\file.exe" vs. "C:\ProgramFiles\file.exe" – Jake Smith Oct 04 '16 at 13:19
  • @JakeSmith How do i fix that? – amanuel2 Oct 04 '16 at 16:57
  • @amanuel install the program in a location that does not have spaces in the names of any folders. – Jake Smith Oct 05 '16 at 03:19
  • This worked with a Visual Studio exe which was set to run as admin by default. I was able to run the exe without the admin permission prompt in a case where admin permission was not available. – Deshan Oct 23 '16 at 20:32
  • Unfortunately some applications will notice they couldn't get elevated privileges and will start but they display an error notice, something like "Please run XXXX as an administrator." then they will close. For example, PSS (for digital cameras). Bummer! :/ – Paul-Sebastian Manole Feb 19 '21 at 08:38
  • If already invoking a command from cmd (or in my case powershell) setting `$env:__COMPAT_LAYER = 'RUNASINVOKER'` really does just make it work. `&./your.exe`, `start-process your.exe`, everything – Hashbrown Jun 24 '23 at 06:37
40

I hope I'm not too late to the party, but I was looking for a similar question and without seeing an answer here I found out that Windows' builtin RunAs command, when run as administrator, can do that with the /trustlevel switch.

```
RUNAS /trustlevel:<TrustLevel> program

/showtrustlevels  displays the trust levels that can be used
                  as arguments to /trustlevel.
/trustlevel       <Level> should be one of levels enumerated
                  in /showtrustlevels.
```

This worked in my case. Ironically, starting a program explicitly without elevation requires an elevated command prompt. Go figure. :) I hope it helps you.

Mxx
  • I can confirm this does not work. I just tested it and got an error: "RUNAS ERROR: Unable to run - (program name here). The requested operation requires elevation". – user1258361 Dec 28 '14 at 03:21
  • 10
    @user1258361 you have to run this command from elevated prompt, just like I wrote in bold... – Mxx Dec 28 '14 at 04:01
  • It doesn't seem to require an elevated prompt on Windows 7... – SamB Sep 09 '15 at 01:23
  • 5
    Tested with elevated prompt, used command line runas /trustlevel:0x20000 (program), program ran as admin anyway. For reference, 0x20000 is basic user. – user1258361 Jan 15 '17 at 23:21
  • 2
    *requires an elevated command prompt*...of course it does. Otherwise you're **already** without admin rights and any process you start will also lack them. – I say Reinstate Monica Jan 20 '18 at 02:24
  • Worth noting RUNAS does not put a program in the exact same state as it would be if run as a non-admin. For example, if you start a normal cmd prompt, the window's title will be "Command Prompt - cmd.exe". And if you run as admin, the title will be "Administrator: Command Prompt". If you create it with `runas /trustlevel:0x20000 cmd.exe`, the window title is "Administrator: cmd.exe (running as GROUP\USER with restricted privileges)". The program started with RUNAS will still show as Elevated: yes in taskmgr. – Weston Feb 19 '21 at 17:39
29

If you have a particular application that you want to always run without UAC, you can target it with the Registry (add the text to a REG file and import it into the Registry):

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"
```

Unlike this answer, this solution requires no alternate click or change to user interaction.

Microsoft calls this process adding the RunAsInvoker "Compatibility Shim".

palswim
  • 1
    [The answer to a different, yet related question](http://superuser.com/a/690761/45163) provided the inspiration for this answer. – palswim Sep 09 '16 at 20:17
  • 3
    Thank you very much! This was the only thing that worked for me! I had an application which was being called from the Windows context menu, and it was always coming up as administrator, despite it being called correctly from everywhere else. After this fix, the application started being called correctly. – user May 06 '17 at 17:55
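An added example, not code from any poster on this page: it scans the text of a `.reg` export for the two override mechanisms shown in the answers above, a `RunAsInvoker` value under `AppCompatFlags\Layers` and a shell command that sets `__COMPAT_LAYER`. The function names and the sample export are constructed for illustration, and only plain string values are parsed.

```python
import re

LAYERS_SUFFIX = r"\software\microsoft\windows nt\currentversion\appcompatflags\layers"
# "name"="data" or @="data"; backslash-escaped characters are allowed inside the quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def find_runasinvoker(reg_text: str):
    """Return (kind, key, value_name, data) for each RunAsInvoker override found."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, or a non-string value (dword:, hex:)
        name = unescape(m.group(1)) if m.group(1) is not None else "@"
        data = unescape(m.group(3))
        if key.lower().endswith(LAYERS_SUFFIX):
            # Layer data is a space-separated token list, e.g. "~ RUNASINVOKER".
            if "runasinvoker" in data.lower().split():
                findings.append(("layer", key, name, data))
        elif "__compat_layer=runasinvoker" in data.lower().replace(" ", ""):
            findings.append(("command", key, name, data))
    return findings

# Constructed sample export, assembled from the two .reg snippets on this page
# plus one unrelated layer entry that must not be reported.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\example\\application.exe"="RunAsInvoker"
"C:\\example\\other.exe"="~ WINXPSP3"

[HKEY_CURRENT_USER\Software\Classes\*\shell\forcerunasinvoker\command]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""
'''

if __name__ == "__main__":
    for kind, key, name, data in find_runasinvoker(SAMPLE):
        print(f"{kind:8} {name} = {data}\n         under {key}")
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text in.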
8

If it's a setup (installation) exe file that is requiring administration privilege, there's a trick to run it without elevated access:

If the file's name contains words like setup or install, Windows forcefully runs it with elevated access even if it doesn't need elevated access.


If the .exe file has a manifest in it, these heuristics for elevation do not apply.

For example if the manifest indicates that the exe does not need elevation, even including any of these words in the file name won't make it run as elevated.

Another keyword is patch as stated by Mgamerz in the comments.

This is documented on the UAC (User Account Control) docs:

Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

Installer detection only applies to:

  • 32-bit executable files.

  • Applications without a requested execution level attribute.

  • Interactive processes running as a standard user with UAC enabled.

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • The file name includes keywords such as "install," "setup," or "update."

  • ...

Read more here: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works

Shayan
3

While in his question Andrew stated that the following did not quite work:

By modifying the executable I can remove the trustInfo entry from the manifest (or the manifest entirely, so I can use an external one), allowing the program to start without UAC. Unfortunately this modifies the executable, so it exits shortly after due to an internal checksum test.

I was able to modify an external .manifest file for the software I was using and change

```xml
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
```

to

```xml
<ms_asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false" />
```

Turns out the software I was using did not really require administrator rights so I was able to run it on a Standard User account without UAC or administrator passwords. Thanks!

Aurimas
  • It might be easier to edit the executable instead, as the manifest may just be included in the file. Note that the namespace prefix `ms_asmv2:` might also be omitted. Also, it is possible that changing the size of the embedded xml block may corrupt the binary, so "requireAdministrator" should be changed to "asInvoker" padded to the same length with spaces before uiAccess. – kdb Feb 13 '19 at 16:33
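An added example, not code from any poster here: it reports which mechanism discussed in the two answers above decides elevation for a file, the manifest's `requestedExecutionLevel` or the installer-detection file name keywords. It assumes the manifest is stored as uncompressed UTF-8 text inside the binary, checks only the file name heuristic from the quoted docs, and uses constructed sample bytes; all function names are illustrative.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Filename keywords named on this page: install/setup/update (quoted docs), patch (a comment).
INSTALLER_KEYWORDS = ("install", "setup", "update", "patch")

def is_32bit_pe(data: bytes) -> bool:
    """True when the COFF Machine field is IMAGE_FILE_MACHINE_I386 (0x014c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    return data[pe:pe + 6] == b"PE\0\0" + struct.pack("<H", 0x014C)

def requested_level(data: bytes):
    """Return the manifest's requestedExecutionLevel (any or no namespace prefix), or None."""
    m = re.search(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", data, re.DOTALL)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(0))
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None

def elevation_trigger(filename: str, data: bytes) -> str:
    """Say which mechanism from this page decides elevation for the file."""
    level = requested_level(data)
    if level:
        return f"manifest:{level}"
    if is_32bit_pe(data):   # installer detection: 32-bit, no requested level
        hit = next((k for k in INSTALLER_KEYWORDS if k in filename.lower()), None)
        if hit:
            return f"installer-detection:{hit}"
    return "none"

# Constructed samples, not taken from any real binary: a minimal PE header stub and a manifest.
def fake_pe(machine: int, payload: bytes = b"") -> bytes:
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + payload

MANIFEST = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
            b'<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">'
            b'<ms_asmv2:security><ms_asmv2:requestedPrivileges>'
            b'<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false" />'
            b'</ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>')

if __name__ == "__main__":
    for name, blob in (("tool.exe", fake_pe(0x8664, MANIFEST)), ("MySetup.exe", fake_pe(0x014C))):
        print(name, "->", elevation_trigger(name, blob))
```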
2

I solved this problem today using the MS application customization toolkit.

I followed the instructions in a tech republic article.

Basically:

1) you get the toolkit from MS here.

2) Click Fix

3) Choose the RunAsInvoker option

4) Right Click the fix and choose Install

0xC0000022L
user53639
  • Your answer does exactly the opposite of the desired effect. Original question was how to force an app that asks for elevated privileges to run without elevating. Your answer still uses UAC but just disables that prompt. That's a wrong answer for this question. – Mxx Jan 22 '14 at 14:07
  • @mxx actually no. If current user is limited (or you've got UAC enabled), then the process will launch with limited privileges altogether. – LogicDaemon Mar 29 '15 at 09:54
  • 1
    @LogicDaemon If you actually read the article, you'll see that it explains that if you follow those steps, *you'll run an app as Administrator without UAC prompt*. This is opposite of what OP asked for. – Mxx Mar 29 '15 at 14:35
  • @mxx nope. Read on [technet](https://technet.microsoft.com/en-us/library/dd638389%28v=ws.10%29.aspx) what RunAsInvoker actually does. This is indeed what topicstarter asked for, though this only works for older apps. – LogicDaemon Mar 30 '15 at 11:53
  • As long as Explorer, a non-admin cmd, or any other standard process is the parent, RunAsInvoker will run with the same limited rights. (Explorer runs restricted by default, otherwise it would never ask you to elevate to delete a file.) It actually seems to work even with new apps. RunAsInvoker means it inherits the exact same ACL token. – SilverbackNet Oct 30 '15 at 05:59
  • ApplicationCompatibilityToolkitSetup.exe needs admin rights .. ;-) – weberjn Oct 20 '16 at 08:11
0

There are two ways. You can use RunAs with a standard user name:

```
RunAs /user:StandardUser C:\Temp\Foo.exe
```

But you'll need to enter the user's password.

Or you can use PsExec from Sysinternals, where you can pass the password as an argument:

```
PsExec -u StandardUser -p secret C:\Temp\Foo.exe
```
Maxence
-3

I fixed this problem by changing the permissions on the folder that contained the program.

I added each user that will run that program and gave them "full control" privileges. That took care of the problem and I left the "run as admin" unchecked.

I don't have any security concerns for the users who will be running the program.

slhck
Tim D
-7

No, if a program requires UAC then it is trying to access something outside of its sandbox. The program will not correctly run without the elevated access.

If you just want to get rid of the notification, you can disable UAC.

Disable UAC on Windows Vista: Start, type "user". Click on "User Accounts". On the window that pops up, click on "User Account Control Settings" and then Turn off UAC.

Disable UAC on Windows 7: Start, type "user". Click on "User Account Control Settings". Drag the choice bar all the way to the bottom to "Never Notify."

James Watt
  • 8
    Disabling UAC is not what I am trying to achieve. Also: your description of how UAC works is correct only in a general sense. It's possible for a program to request UAC when it doesn't strictly need it. And UAC happens before a program starts - once it's running, if it steps beyond its permissions, it will simply get permission-denied errors. – Andrew Russell Aug 04 '10 at 14:32
  • Semantics aside, you can't "disable" UAC notifications for a specific program while still limiting their access. – James Watt Aug 04 '10 at 14:47
  • James: Actually - it looks like you can - I've updated my question. – Andrew Russell Aug 04 '10 at 16:11
  • Short of modifying the program code itself, I would be interested to know of a working solution if you find one. – James Watt Aug 05 '10 at 05:17