Security

Selectively disable UAC for your trusted Vista applications

Do you want to selectively disable User Account Control (UAC) for specific programs that run from Vista's Start menu? You can -- Greg Shultz shows you step by step using the Application Compatibility Toolkit.

If you've been reading the Windows Vista Report on a regular basis, you know that I've written several articles about working with Vista's User Account Control (UAC) feature:

While the first two methods essentially remove the UAC prompt altogether for all programs, the third method allows you to selectively remove the UAC prompt for specific programs. However, the third method only works at startup. I really wanted to find a way to selectively disable UAC for specific programs that run from the Start menu.

Well, I recently discovered a copy of a Microsoft Knowledge Base article titled "How To Disable The User Account Control Prompt For Certain Applications" that shows you how to selectively disable UAC for specific programs by using Version 5 of the Microsoft Application Compatibility Toolkit. (The article is no longer available on the Microsoft site.) In this edition of the Windows Vista Report, I'll show you how this method works.

Note: Native Windows Vista applications that require a UAC are immune to this technique.

The Application Compatibility Toolkit

As you may know, the Application Compatibility Toolkit 5.0 is a big program designed to provide a set of tools that admins can use to evaluate and mitigate application compatibility issues before deploying Vista or a Windows Update in the enterprise. One of its features is that this tool allows you to elevate the privileges with which an application runs, thus allowing you to bypass the UAC.

You can begin by downloading the Application Compatibility Toolkit from the Microsoft Download center. Once the download is complete, just click the Application Compatibility Toolkit.msi file, click Run on the Open File Security Warning dialog box, and follow along with the Installation wizard.

Running the Compatibility Administrator

As I mentioned earlier, the Application Compatibility Toolkit is a large program and you will only need to use a small part of the program to disable the UAC for your particular application. Essentially, you'll use the Compatibility Administrator to create a database, then create a record in that database that contains instructions on how to automatically run your application(s) with elevated privileges.

To begin, click the Start button, access All Programs, and then open the Microsoft Application Compatibility Toolkit 5.0 submenu. Then, right-click on the Compatibility Administrator shortcut and select Run As Administrator (Figure A).

Figure A

Figure A

In order for this technique to work correctly, launch the Compatibility Administrator using the Run As Administrator command.
You will encounter a UAC. Once you deal with it appropriately, the Compatibility Administrator window will appear (Figure B). The program will automatically open and select a new database template.

Figure B

Figure B

The Compatibility Administrator allows you to create a database of compatibility fixes that will allow you to run certain applications without an accompanying UAC.
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard, enter information about the application for which you want to disable the UAC prompt. For my example, I have chosen the Vista Shortcut Overlay Remover program, which displays a UAC each time you run it. I filled in the Create New Application Fix dialog box (Figure C).

Figure C

Figure C

Begin by entering information about the application that you want to run without a UAC.
To continue, click Next. When you see the Compatibility Modes page, select Windows XP (SP2), as shown in Figure D.

Figure D

Figure D

On this page, select the Microsoft Windows XP (SP2) option.
Click Next to bring up the Compatibility Fixes page. Scroll down the list until you locate the RunAsInvoker option and select it (Figure E). The RunAsInvoker option will allow the application to run with the same privileges and user rights as those of the parent process, which in this case is the Compatibility Administrator that you launched using the Run As Administrator command. Your application will run with full Administrator privileges.

Be sure to leave all the preselected options as they are. If you wish, you can click the Test Run button to see your application launch without a UAC.

Figure E

Figure E

Selecting the RunAsInvoker option will allow the application to launch without requiring the UAC prompt.

When you click Next, the Matching Information page will appear. Leave everything as it is on this page and click the Finish button.

When you return to the Compatibility Administrator window, you'll see a detailed entry about your application in the new database. Click the Fix button on the toolbar and follow same set of steps in the Create New Application Fix wizard to add other applications to your database.

Saving your database

Once you are finished adding applications, you can save your database. However, keep in mind that once you save your database, you'll be unable to edit the entries. To save your database, click the Save button on the toolbar and assign your database a name (Figure F).

Figure F

Figure F

You'll need to name the database as the first step in saving it.
When you click OK, you'll receive a prompt to save the database file onto your hard disk (Figure G). The default location is in the C:\Windows\System32 folder.

Figure G

Figure G

You can use the same name as you used for the database for the actual file.
To complete the operation, pull down the File menu and select the Install command. A dialog box with a message indicating that the database has successfully been installed will appear (Figure H). Upon installation, Vista adds an entry for the database to Programs And Features, which is the equivalent of Windows XP's Add/Remove Programs.

Figure H

Figure H

Once you save the database, you have to install it before it will function.

Now, click OK and close the Compatibility Administrator. Go to the Start menu and launch your application as usual. Your application will launch without displaying a UAC first.

Uninstalling the Application Compatibility Toolkit

Once you are happy with the way that your UAC-less application works, you can uninstall the Application Compatibility Toolkit if you wish to recover the 25+ MB it occupies on your hard disk. The database that you created will continue to function as a standalone file.

What's your take?

If you're tired of UACs appearing for your trusted applications, are you likely to use the Microsoft Application Compatibility Toolkit 5.0 to selectively disable UACs? Please drop by the discussion area and let us know.

Get Vista tips in your mailbox!

Delivered each Friday, TechRepublic's Windows Vista Report newsletter features tips, news, and scuttlebutt on Vista development, as well as a look at new features in the latest version of the Windows OS. Automatically sign up today!

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

29 comments
Tim_2014
Tim_2014

This is extremely helpful. Thank you for taking the time to publish this.

aart12
aart12

Odd. Ran through your 'tutorial' and 'tested' the app. Saved the DB... but when I run the app, it still requires UAC approval. The test ran the app without UAC, but when invoked normally, it still asks for UAC. :(

mikepeiman
mikepeiman

It's ridiculous that this is even the status quo design standard. All that work to change the way the OS interacts with me? Microsoft needs to remember first principles of design and useability, or they will be obsolete very quickly. This include Win8, which I have been using for a few months - WinOS's seem to be increasingly about containing us inside the designer's vision, rather than giving us the tools to customize for ourselves easily.

Jim Costello
Jim Costello

I tried this solution for some legacy applications that access HKLM area of registry and protected system folders at runtime. Although the 'UAC' did not appear, I checked the inegrity level of the processes the applications were running in, and it was 'medium' (standard user privileges) not 'high'(admin privileges) which is what these applications required to run correclty. The OS used virtualisation to simulate the registry accesses which works but is very misleading when your looking through the registry for something that doesn't exist... beware virtualisation!

okunsm
okunsm

Dear all, It seems that the article describes how to disable UAC prompts but not how to disable UAC for selective applications. May be I am wrong but I could not use my application having configured as described in the article with activated UAC.

dolt_20
dolt_20

Hi, How can I disable password prompting when I issue this command in my Run program? "\\user1\c$" ? user1 is my computer_name. I am using Windows 2008 server. I am setting RAC, and I think that issue should be corrected first for user equivalence. Hope someone could help me out on this.

MeghansUncle
MeghansUncle

I can't get this to work for starting the oracle enterprise manager which actually invokes cmd.exe. Any suggestions, If I run the oracle enterprise manager (through a batch file because it sets up a lot of things in an environment before it runs) without the "run as admin' option I can't update setting while in the EM. I run it with the "run as admin' option and I get the UAC warning. Doing this 'fix' thing for cmd.exe didn't work. Any suggestions?

david_henn
david_henn

Works good with gvim and openvpn. Saved each with its own db because openvpn gave me problems at first. Cool.

Yaroslav Stavnichiy
Yaroslav Stavnichiy

My understanding is that this fix (RunAsInvoker) effectively marks a program as not requiring administrator privileges. Therefore not requiring UAC prompt. As a result there will be no UAC prompt - true. But there will be no administrator privileges either. So the programs that do require such privileges will either fail or misbehave. I think this point should be stressed in the text of the article. Otherwise it leads to misunderstanding. As far as I've researched the topic so far there is no way to gain administrator privileges without UAC prompt, otherwise than through task scheduler (perhaps, not tested myself yet).

jackaz2all_2000
jackaz2all_2000

One additional thing I'd like to add is that you don't have to select an operating system to simulate when you set this up (Figure D). Running in native vista may alleviate some of the compatibility issues people are experiencing.

stanislas
stanislas

I think I will henceforth start using Microsoft Application Compatibility Toolkit 5.0 to selectively disable UACs for my trusted applications. Why will I be clicking 'Continue' all the time I run an application when I trust it? Thanks a lot for the tip!

steveschwab
steveschwab

Quickbooks Pro 2007 doesn't work. Foxit Pdf Reader does. If you discover a problem it's necessary to remove the whole database in "Programs and Features" and start over. You can't remove just an application. At least that is my experience so far.

arthg
arthg

"....keep in mind that once you save your database, you???ll be unable to edit the entries" So you just get one shot at provisioning? If that is true, personally I won't bother.

NikonGuy
NikonGuy

Looks useful, but I was unable to download the ACT. The links are there but disabled, at least for me.

rjl24
rjl24

I Tried this for WIZMO to open the tray and it still does not open the tray unless the UAC comes on. This still even after a re-boot. Please advise, Robert

Greg Shultz
Greg Shultz

This technique does not seem to work consistently in all cases... Some applications launch without a UAC but then fail to run, which might be why Microsoft pulled the original article (kb946932) from the Knowledge Base. I'll continue to investigate this to see what I can discover. In the meantime, please continue to post your experiences/results here.

DoubleJava
DoubleJava

Mark, Good and useful article. Question: I'm assuming that your method only disables the UAC prompt for the application in question for your own user account. However, I see in Figure E that one of the options is "RunAsAdmin". Could we assume that using the "RunAsAdmin" option instead of the "RunAsInvoker" option would disable the UAC prompt for the application in question for all users of the system?

rader
rader

I too had a need to work this out and run the application in question as an administrator for file copy rights issues. Also needed to run from the startup group. Here's my solution... http://meridian.ws/wordpress/?p=306 Hope it helps someone else.

Ron_007
Ron_007

If I read correctly, you have to run the ACT "as admin", and that access right gets passed on to the application, which is why you don't get the UAC prompt. I tried it with "Everything.exe" (a file search tool). The test ran, but slowly. After finishing the setup and installing the db I tried it from the shortcut. That worked, but it took literally several minutes to start the program. When I checked the log it showed hundreds of entries that said: (date/timestamp) WinXPSP2VerionLie 3 - [GetVersion] called. return 0x0a280105. Not satisfactory. But I'm willing to try it with some others before giving up on it.

Gildawie
Gildawie

What he says is true - a database cannot be edited after it is saved. But you can uninstall a database (use the Compatibility Administrator to uninstall, not the Control Panel applet), and build another if you are not happy with the results.

Gildawie
Gildawie

Bypassing UAC for - ShadowProtect - SyncBack SE Pro - WinPatrol Explorer - X-setup Pro Classic All seem to be working normally apart from missing the UAC when they start. Thanks for a very useful tip!

Colin Higgins
Colin Higgins

I tried it on Advanced Uninstaller 2006 and it failed twice. On the first run when I tested it by clicking on the desktop shortcut, my Widgets dissappeared and IE7 was whisked off to the MS App Comp website, the prog did not run. On the second try I did a test run and it failed with error code 45. Colin

martika
martika

Could this be something to do with the temp folder? From research that I have done, it seems that dissabling UAC also dissables access to the temp folder. Should work OK for programs not requiring access to this folder.

nov02
nov02

I was wrestling with a problem in which Avimark (leading veterinary practice management app) would generate an error whenever it tried to create a merge document using OpenOffice. The error: "Server execution failed, ProgID: com.sun.star.ServiceManager." So far so good with this solution. Thanks a million, Greg!

normhaga
normhaga

is to also disable writing to temp folders and it also disables endpoint mapping. If a program needs either of these functions, it will not operate and results may be unpredictable.

MeghansUncle
MeghansUncle

Works like a champ. Thanks. So is it going to expire or stay free because it's still in the evaluation stage do you think? Thanks, Vince

Gildawie
Gildawie

but the developers don't have a good track record on those lines. Question is, will it still be useful with Windows 7? Regards, Ian

Editor's Picks