Windows – Allow Standard user to run program requiring UAC elevation

elevationstandard-useruacwindows 7

I need a standard or limited Windows 7 user to be able to run an application (Fallout Mod Manager) which requires UAC elevation. I've tried the Application Compatibilty Toolkit, but that did not work as intended. Any Suggestions? I am running Windows 7 Ultimate local, so policies can be applied.

I basically want something like unix' setuid flag.

Best Answer

It's doable, but not easy to explain.

There are only three reasons why an application would request for elevation on startup:

  • the Compatibilty tab has the "Run this program as an administrator"
  • the application has a manifest (either embedded or external) that specified requireAdministrator
  • there is a compatibility update from Microsoft that marked it as needed administrator

Assuming you've already checked the compatibility tab, and the application is not set to require administrator:

enter image description here

The next step is to check for an embedded resource manifest. i won't go into how you can find that out. But skip to create a manifest for yourself.

Create a file in the same directory as Fallout Mod Manager (i don't know what the exe is called, but i'll call it FalloutModManager.exe:

FalloutModManager.exe FalloutModManager.exe.manifest

This new manifest file you create is a simple text file, containing xml, with a manifest entry that says that we want to launch asInvoker, rather than requireAdministrator:

FalloutModManager.exe.manifest 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
      <assemblyIdentity 
           version="1.0.0.0"
           processorArchitecture="X86"
           name="client"
           type="win32" /> 

      <description>Poorly written Fallout Mod Manager fails on XP as standard user</description> 

      <!-- Disable file and registry virtualization, and don't require elevation -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
         <security>
            <requestedPrivileges>
               <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
            </requestedPrivileges>
         </security>
      </trustInfo>
</assembly>

Having this file next to your executable is called an "external manifest". It is also possible the executable has an embedded resource, which you would need a tool like Resource Hacker to see, or modify.

Related Question