Posted on July 4, 2014 · Posted in Windows 7

How to Disable UAC for Specific Applications

User Account Control (UAC), introduced in Windows Vista, is a great security feature of Windows that protects a PC from a number of threats, such as viruses, trojans, worms and rootkits. When UAC is enabled, the system asks for confirmation of any action performed with administrator privileges.

Some users find the UAC pop-up windows annoying and prefer to disable this feature on their system, although Microsoft and information security experts strongly recommend against it.

Today we’ll show how to disable UAC for a specific application without disabling it completely. To do it, we’ll need Microsoft Application Compatibility Toolkit 5.6, which can be downloaded here:

Note. Microsoft Application Compatibility Toolkit is a free set of tools for fixing application compatibility issues when migrating to later Windows versions. One of the features of this toolkit is the ability to elevate the privileges of a certain app, bypassing the UAC system.

There is nothing special in the Application Compatibility Toolkit installation, so we won’t describe it.

After ApplicationCompatibilityToolkitSetup.exe (12.2 MB) has been installed, two versions (32- and 64-bit) of this tool appear in the system. If you have to disable UAC for a 32-bit app, you have to use the 32-bit version of the Application Compatibility Toolkit (and vice versa).

Let’s configure the registry editor (regedit.exe) to launch without a User Account Control prompt.

Run the Compatibility Administrator (32-bit) with administrator privileges (!). In Custom Databases, right-click New Database and select Create New -> Application Fix.

In the following window, enter the name of the application (regedit), the vendor name (Microsoft) and the path to the executable (C:\Windows\System32\regedit.exe).

Skip the next window (Compatibility Mode) of the configuration wizard by pressing Next. In the Compatibility Fixes window, check RunAsInvoker.

Note. RunAsInvoker runs the application with the same rights as the parent process (in our case, Compatibility Administrator, which has been run as administrator). The fix suppresses the elevation prompt; it does not grant rights that the parent process lacks.

If you wish, you can make sure that the application can run without UAC by pressing the Test Run button.

Click Finish and specify the name of the file the compatibility fix package is to be saved to, e.g., regedit.sdb. This file contains the instructions on how to run the app with the specified privileges.

Tip. Since we have reduced the system security by allowing the app to run with elevation without UAC, this is a potential weakness in the system. To protect against an attacker spoofing the executable, you can require additional checks when the file is run (e.g., CHECKSUM or FILE_VERSION verification). Note that the additional checks will slow down the app startup.

Now you only have to apply the compatibility fix package to our application. You can do it either from the Compatibility Administrator console (choosing Install in the menu) or from the command line. To do it, start the command line as administrator and run the following command:

sdbinst -q c:\tools\regedit.sdb

If you have done it right, a message of successful package installation appears.

Installation of regedit complete.

sdbinst -q *.sdb

After the package has been installed, the corresponding record appears in the list of the installed Windows programs (Programs and Features).

Now try to start the application normally. It should start without a UAC request.

Later this compatibility fix can be distributed to all corporate PCs using Group Policy. In this way you can disable User Account Control (UAC) checks for specific applications across the whole Active Directory domain.

To remove the compatibility fix, run the following command:

sdbinst -u c:\tools\regedit.sdb
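
To audit which compatibility databases have been installed this way (for example, after a Group Policy rollout), the following PowerShell script lists each registered package with its file hash and the executables it targets. It is an added example, not part of the original article. It assumes PowerShell 4.0 or later and the AppCompatFlags registry locations where Windows records installed packages, which the article does not mention.

```powershell
# Audit custom compatibility (shim) databases registered on this machine.
# Assumption (not from the article): sdbinst records each package under the
# AppCompatFlags keys below, using the value names Windows writes on install.
$base      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$installed = Join-Path $base 'InstalledSDB'   # one subkey per database GUID
$custom    = Join-Path $base 'Custom'         # one subkey per targeted executable

# Map each database GUID to the executables it is attached to.
$targets = @{}
if (Test-Path $custom) {
    foreach ($exeKey in Get-ChildItem $custom) {
        foreach ($valueName in $exeKey.GetValueNames()) {
            $guid = $valueName -replace '\.sdb$', ''
            if (-not $targets.ContainsKey($guid)) { $targets[$guid] = @() }
            $targets[$guid] += $exeKey.PSChildName
        }
    }
}

# Build one row per installed database.
$report = @()
if (Test-Path $installed) {
    foreach ($dbKey in Get-ChildItem $installed) {
        $props  = Get-ItemProperty -Path $dbKey.PSPath
        $path   = $props.DatabasePath
        $exists = $path -and (Test-Path -LiteralPath $path)
        $stamp  = $props.DatabaseInstallTimeStamp   # stored as a FILETIME value
        $report += [pscustomobject]@{
            Guid        = $dbKey.PSChildName
            Description = $props.DatabaseDescription
            Path        = $path
            InstalledAt = if ($stamp) { [DateTime]::FromFileTimeUtc($stamp) } else { $null }
            Sha256      = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            Targets     = ($targets[$dbKey.PSChildName] -join ', ')
        }
    }
}

# Review every entry against the packages you deployed on purpose, such as
# regedit.sdb; remove an unexpected one with "sdbinst -u" and its Path.
$report | Format-List
```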