4

I need a standard or limited Windows 7 user to be able to run an application (Fallout Mod Manager) which requires UAC elevation. I've tried the Application Compatibilty Toolkit, but that did not work as intended. Any Suggestions? I am running Windows 7 Ultimate local, so policies can be applied.

I basically want something like unix' setuid flag.

Thom Wiggers
  • 499
  • 1
  • 7
  • 18
  • When you can the toolkit did you click 'Change settings for all users'? – Unfundednut Feb 02 '10 at 14:42
  • I've used sdbinstall to deploy the changes, and I went through MSDN/Technet docs. asAdmin or asHighest don't work because they do trigger the promt, and asInvoker won't work because it does need the priviliges – Thom Wiggers Feb 02 '10 at 18:09
  • Have you been able to figure out why the application is requiring elevation? If it needs read/write access to certain folders, for example, you might be able to solve that by changing NTFS permissions. – nhinkle Dec 05 '10 at 19:55
  • @nhinkle memory hook (on the fallout process. (Fallout Script Extender)) – Thom Wiggers Dec 06 '10 at 12:42
  • The user can run the program, but will have to enter the credentials of an administrator account when UAC prompts for elevation. If that's not a satisfactory solution, unfortunately I don't know enough to help any further. :) – Ben Richards Aug 26 '11 at 17:40

1 Answers1

3

It's doable, but not easy to explain.

There are only three reasons why an application would request for elevation on startup:

  • the Compatibilty tab has the "Run this program as an administrator"
  • the application has a manifest (either embedded or external) that specified requireAdministrator
  • there is a compatibility update from Microsoft that marked it as needed administrator

Assuming you've already checked the compatibility tab, and the application is not set to require administrator:

enter image description here

The next step is to check for an embedded resource manifest. i won't go into how you can find that out. But skip to create a manifest for yourself.

Create a file in the same directory as Fallout Mod Manager (i don't know what the exe is called, but i'll call it FalloutModManager.exe:

FalloutModManager.exe FalloutModManager.exe.manifest

This new manifest file you create is a simple text file, containing xml, with a manifest entry that says that we want to launch asInvoker, rather than requireAdministrator:

FalloutModManager.exe.manifest 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
      <assemblyIdentity 
           version="1.0.0.0"
           processorArchitecture="X86"
           name="client"
           type="win32" /> 

      <description>Poorly written Fallout Mod Manager fails on XP as standard user</description> 

      <!-- Disable file and registry virtualization, and don't require elevation -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
         <security>
            <requestedPrivileges>
               <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
            </requestedPrivileges>
         </security>
      </trustInfo>
</assembly>

Having this file next to your executable is called an "external manifest". It is also possible the executable has an embedded resource, which you would need a tool like Resource Hacker to see, or modify.

Ian Boyd
  • 21,642
  • 49
  • 139
  • 184
  • 1
    Won't creating a manifest saying don't run a admin only work if the program is incorrectly manifested; but fail if the program is actually doing something that requires elevation? (The memory hook.) – Dan Is Fiddling By Firelight Aug 26 '11 at 17:37
  • If there is an internal manifest, it will take prescidence over an external manifest. In that you you should edit the internal manfiest to specify `asInvoker`. If the program is doing something that requires administrator access then it will fail - but then it would also fail on Windows XP with a standard user. There are a number of workaround that Microsoft added to try to fix buggy applications that fail as standard user. But the best bet is: If you want all users to be able to modify `HKLM` and `ProgramFiles`, then grant **All Users** full permission to `HKLM` and `ProgramFiles`. – Ian Boyd Aug 26 '11 at 17:58
  • I'm afraid @DanNeely is right, and that this won't work. FOMM tries to insert it's own DLLs into a different exectuable (Fallout3.exe) – Thom Wiggers Aug 28 '11 at 10:18
  • i'm sure there are things FOMM can do that don't require administrative access. By marking the executable `asInvoker` you will no longer have to elevate in order to run the program. You might not be able to accomplish all you want - but at least now you can run the executable as a regular user. – Ian Boyd Aug 28 '11 at 17:53
  • What if you copied Fallout3.exe into a folder outside of %Program Files%, had FOMM modify the copy, and then launch Fallout using that exe instead of the one inside %Program Files% ? – Dan Henderson Oct 20 '15 at 20:38