In this article, we will show how to selectively disable UAC for a specific application without disabling User Account Control service completely. Consider several ways to turn off UAC for one app using the RunAsInvoker compatibility flag.
The RunAsInvoker flag allows you to run the application with a marker inherited from the parent process. This cancels the processing of the application manifest, and the discovery of the installer processes. This parameter doesn’t provide administrator privileges, but only bypass UAC prompt.
As an example, we will disable the User Account Control prompt for the registry editor (regedit.exe). Despite the fact that my account has local administrator privileges, when I run the utility, a UAC request still appears to confirm the launch.
Disabling UAC for a program using the Application Compatibility Toolkit
We need to install the Application Compatibility Toolkit, which is part of the Windows ADK. Download the latest version of the Windows ADK for Windows 10 here.
Run the adksetup.exe file and during installation (the program needs Internet access), select only the Application Compatibility Tools item.
There are two versions of Application Compatibility Administrator in the system – 32-bit and 64-bit. Run the version of Application Compatibility Administrator depending on the application bitness for which you want to disable the UAC request.
Run the Compatibility Administrator (32-bit) with administrator privileges (!). In the Custom Databases node, right click New Database and select Create New-> Application Fix.
In the following window, enter the name of the application (regedit), the vendor name (Microsoft) and the path to the executable (C:\Windows\System32\regedit.exe).
Skip the next window (Compatibility Mode) of the configuration wizard by pressing Next. In the Compatibility Fixes window, check the option RunAsInvoker.
You can make sure that the application can run without UAC by pressing the Test Run button.
In the Matching Information dialog, you can specify which application parameters should be checked (version, checksum, size, etc.). I left the COMPANY_NAME, PRODUCT_NAME and ORIGINAL_FILENAME options checked so as not to recreate the compatibility patch file after the next Windows 10 update.
Click Finish and specify the name of the file the compatibility fixing package has to be saved to, e. g., regedit.sdb. This file will contain instructions for starting the application with the specified compatibility options.
Now you only have to apply the compatibility fix package to our application. You can do it either from the Compatibility Administrator console (choosing Install in the menu) or from the command prompt.
To do it, run elevated command prompt and execute the following command:
sdbinst -q c:\ps\regedit.sdb
If you have done it right, a message of successful package installation appears.
Installation of regedit complete.
After the package has been installed, the corresponding record will appeared in the list of the installed Windows programs (Programs and Features).
Try now to run the application in a user session without local administrator permissions. Now it should start without a UAC request.
Now check the privileges for running application. Run the Task Manager, go to the on the Process tab, add the “Elevated” column. Make sure that the regedit.exe process is started from the user in the unprivileged mode (Elevated = No).
In this registry editor process, the user can only edit his own registry keys and parameters. But if you try to edit/create something in the system HKLM key, an error appears: “You don’t have the requisite permissions”.
Later this compatibility fix can be distributed to all user computers using the Group Policies. Thus you can disable UAC checks for the specific applications on multiple computers in an Active Directory domain.
To remove the compatibility fix, run the command:
sdbinst –u c:\ps\regedit.sdb
Enable the RunAsInvoker App Flag via the Registry
You can enable the RUNASINVOKER compatibility flag in Windows 10/8.1/7 through the registry. The application compatibility flag can be set for a single or for all computer users.
For example, for regedit app you need to create a new registry parameter (REG_SZ) in the following registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers:
- Value name: C:\windows\regedit.exe
- Value data: RunAsInvoker
If you want to enable application compatibility mode for all local computer users, you need to create this parameter in the different registry key:
In the domain, you can import/deploy these registry settings to users through a GPO.
Batch file to Run the Application in the RunAsInvoker Mode
There is an another way to run the program without admin privileges and bypassing the UAC prompt (see the article).
Just create a .bat file with the following code:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %ApplicationPath%"
When this bat file is run under a common user, the specified application will start without a UAC prompt.
So, we looked at how to disable UAC for a specific program without completely disabling User Account Control. This will allow you to run Windows programs under non-admin without an UAC prompt and without entering an administrator password.