type
status
date
summary
tags
category
URL
password
slug
icon
When started, some programs require permission elevation (the shield next to the app icon), but actually, they don’t need administrator privileges for their normal operation. For example, you can manually grant permissions for your users on the app folder in the ProgramFiles and/or registry keys used by the program. If the User Account Control is enabled on the computer, a UAC prompt will appear and Windows will ask the user to enter the administrator password if you try to run such a program as a standard user.
To bypass this mechanism, many admins simply disable UAC or grant admin rights by adding a user account to the local group “Administrators”. Of course, both methods are not safe. Neither of these methods is recommended for widespread use because they reduce Windows security. In this article, we will look at how to run a program that requires administrator permissions as a standard user and suppress the UAC elevation prompt.
Contents:
Configure Permissions for Non-Admin Users to Run a Program
A Windows program may ask you for administrator permissions when it starts if:
- The program needs to access a system directory or a file for which the NTFS permissions have not been granted to non-privileged users;
- If the program was compiled with a special flag that requires elevation at startup (
requireAdministrator).
In the first case, all that is required to solve the problem is to grant the RW or Full Control user permissions to the program directory or the required system directory/file. For example, a program stores its files (logs, configuration files, etc.) in its own folder in
C:\Program Files (x86)\SomeApp or some system directory. The user must have permission to write to these files for the program to work correctly. In order for this program to work normally, administrator permissions are required.To allow the program to run as a non-admin user, it is sufficient to manually grant the user (or the built-in Users group) the permission to modify/write a file/directory at the NTFS file system level
To find a list of files, folders, and registry keys that the program is accessing, use the Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon). Enable the filter by the name of the program process and find all the resources, if you try to access them, Access Denied is displayed. Grant the necessary permissions to folders/files/registry keys.
Note. Actually, it is not recommended to store the changing application data in the C:\Program Files directory. It’s better to store the app data in the user profile. But it is a question of laziness and incompetence of the app developers.
Allow Standard Users to Run a Program That Requires Admin Privileges
Earlier we described how to disable a UAC prompt for a specific program using the RunAsInvoker parameter. However, this method is not flexible enough.
Let’s look at a simpler way to force any program to run without administrator privileges (without entering the admin password) and with UAC enabled (Level 4, 3, or 2 of the UAC slider).
Let’s take the Registry Editor as an example — regedit.exe (it is located in the C:\Windows\ folder). Notice the UAC shield next to the app icon. This icon means that UAC elevation is required to run this application.
When you run
regedit.exe, you will see a User Account Control prompt asking for the administrator credentials (Do you want to allow this app to make changes to your device?). If you do not provide a password and do not confirm elevation, the app won’t start.Let’s try to bypass the UAC request for this program. Create the text file run-as-non-admin.bat containing the following code on your Desktop:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"To force the regedit.exe to run without administrator privileges and to suppress the UAC prompt, simply drag the EXE file you want to run to this BAT file on the desktop.
The Registry Editor should start without a UAC prompt and without entering an administrator password. If you open the Task Manager and add the Elevated column, you will see that there is the regedit.exe process without the elevated status (run with non-admin user permissions).
Try to edit any item under the HKEY_LOCAL_MACHINE registry hive. As you can see, a user cannot edit the item in this registry key (the user doesn’t have write permissions for the system registry keys). However, you can add or edit registry keys and parameters in your user hive (HKEY_CURRENT_USER).
In the same way, you can run any app using the BAT file. Just specify the path to the executable.
run-app-as-non-admin.bat
Set ApplicationPath="C:\Program Files\SomeApp\testapp.exe"
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %ApplicationPath%"You can also add a context menu that allows running all apps without elevation. To do it, create the RunAsUser.REG file, copy the following code into it, save, and import it into the Windows registry by double-clicking on the reg file (you will need administrator permissions to apply this change).
After that, to run any application without administrator privileges, just select “Run as user without UAC privilege elevation” from the Windows File Explorer context menu.
You can deploy this menu item to all computers in the domain by importing the registry parameters using GPO.
I’d like to remind you that using
RUNASINVOKER mode for the program won’t allow you to elevate the permissions. The RunAsInvoker suppresses the UAC prompt and tells the program that it should run with the current user’s privileges, and not ask for the elevation of privileges. If a program really needs elevated privileges to edit system settings or files, it won’t work or will ask for admin permissions again.How to Bypass UAC with the RunAsInvoker Option in CMD?
The __COMPAT_LAYER environment variable allows you to set different compatibility levels for the applications (the Compatibility tab in the properties of an EXE file). This variable allows you to specify the compatibility settings with which you want to run the program. For example, to start an app in Windows 8 compatibility mode with a 640×480 resolution, set the following:
set __COMPAT_LAYER=Win8RTM 640x480The __COMPAT_LAYER variable has some options that we are interested in. There are the following parameters:
- RunAsInvoker – run an app with the privileges of a parent process without a UAC prompt;
- RunAsHighest – run a program with the highest-level permission available to the user (the UAC prompt will appear if a user has administrator privileges);
- RunAsAdmin – run an app as administrator (the UAC prompt will always appear).
This means that the RunAsInvoker parameter doesn’t grant administrator privileges, it just suppresses the UAC prompt.
The following commands enable the RunAsInvoker mode for the current process and run the specified program without elevation:
set __COMPAT_LAYER=RUNASINVOKER
start "" "C:\Program Files\MyApp\testapp.exe"Enable the RunAsInvoker Mode in the EXE File Manifest
As mentioned above, Windows displays the UAC shield icon for programs that require elevated privileges to run. Developers set this requirement when compiling the application in the program manifest
You can edit the manifest of any EXE file and disable the requirement to run the program in elevated mode.
Use the free Resource Hacker tool to edit the program manifest. Open the program executable in Resource Hacker.
In this example, I will edit the manifest of the
Autologon.exe tool by Sysinternals, which can be used to automatically log into Windows without a password.In the tree on the left, go to the Manifest section and open the program manifest. Pay attention to the following XML section:
With the requireAdministrator option enabled, Windows always runs this program with administrator rights.
Change requireAdministrator to asInvoker and save changes to the .exe file.
Note that now the UAC shield has disappeared from the program icon, and you can run it as the current user without asking for the administrator password.
If the executable app file is signed with a digital signature (Code Signing certificate), then after modifying the exe file, it may stop working or display a warning.
In this case, you can force the program to use an external manifest file. Create a plain text file appname.exe.manifest (for example,
Autologon.exe.manifest) in the directory with the exe file and copy the manifest code from Resource Hacker into it. Replace requireAdministrator with asInvoker. Save the manifest file.To make Windows always try to use an external manifest file when starting EXE files, enable a special registry parameter:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" /v PreferExternalManifest /t REG_DWORD /d 1 /fRestart Windows and make sure that the program is using an external manifest file and is running without administrator privileges.
Create a Shortcut to Run the Program with a Saved Administrator Password
If the methods of running a program with the RunAsInvoker flag do not work for your legacy application, you can try to run such an app in a user session using saved administrator credentials. This is the least secure way to run programs without granting the user local administrator privileges, so we have deliberately left it last.
To open the program, create a new shortcut on your desktop. Specify the computer name, the local administrator name, and the full path to the target app executable.
For instance:
runas /user:wks-123\root /savecred "C:\CorpApp\myapp.exe"When you run the program for the first time, it will open a command prompt in which you will be asked to enter the administrator password.
The RunAs command, when run with the /SAVECRED option, saves the username and password to the Windows Credentials Manager.
The next time the shortcut is run, the runas tool will automatically get the saved password from Credentials Manager and use it to run the app under the specified local administrator account (you won’t be prompted for the password each time you open the shortcut).
The following command lists saved passwords in Credential Manager:
RunDll32.exe keymgr.dll,KRShowKeyMgrAn error occurs when launching such a shortcut on Windows 11:
To fix this, change the command in the shortcut properties. Replace it with:
C:\Windows\System32\runas /profile /user:WKS-123\root /savecred "cmd.exe /C C:\CorpApp\myapp.exe"Using the /savecred option is not secure, as we mentioned above. This is because a user who has the administrator password saved in their profile can use it to run any program or command with elevated permissions, or even to reset the administrator account password. Passwords stored in the Credential Manager can also be dumped in plain text by tools such as Mimikatz, so it is better to disable the use of saved passwords.
On Windows, you can disable saving the password in the Credential Manager using the Group Policy option Network access: Do not allow storage of passwords and credentials for network authentication (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options).
There are several third-party tools that allow you to work around the drawback of using a stored admin password in runas. For example, AdmiLink, RunAsRob, RunAsSpc. These apps allow you to store the encrypted administrator password and safely run the program with administrator privileges. These tools will not allow the user to run any application or command with saved credentials because they check the path and checksum of the executable file when it starts.
- Author:NetSec
- URL:https://blog.51sec.org/article/751a8ec3-0538-4a91-bdcb-141fc138adbe
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!
