Preventing executables from requiring UAC elevation

I’ve just found this great tip over at Stack Overflow.

In Windows Vista and later, an application can be coded to require UAC elevation.  If you try to run it as a non-administrator, you get asked for an administrator username and password, and if you don’t provide them the application doesn’t start.  That’s all very well, but some developers set this flag when it isn’t really needed (I’m looking at you, beepa) which locks out all non-administrators.

This isn’t usually a big problem on a home machine, because you probably have an administrator account even if you don’t use it for everyday activities.  In a teaching lab, however, as in many other contexts, it’s fatal; the students don’t know the administrator password (or at least I devoutly hope they don’t!) and obviously we’re not going to tell them what it is.

It turns out that this is as simple as setting an environment variable.  Set __compat_layer to RunAsInvoker, and Windows will ignore the application manifest.  You could set this globally via group policy, or write a simple wrapper program around specific applications that need it.  (Of course, if an application really does require administrator privilege it may fail in strange and unexpected ways, so take care.)

Hope this helps – and Norbert, if you’re reading this, thank you.  Knowing about this is going to come in very handy.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: