  • Chris Jackson is a Principal Consultant at Microsoft and the Technical Lead for the Windows Application Experience SWAT Team. He is also known as The App Compat Guy.

    This is provided "AS IS" with no warranties, and confers no rights. Use of materials found on this page is subject to the terms specified in the Terms of Use

How to Run Applications Manifested as HighestAvailable With a Logon Script Without Elevation for Members of the Administrators Group

Updated 17-Sept-2009

My friend Aaron has been trying to post a comment with his recommendation. However, it never, never, ever shows up because apparently we either don’t buy good software for our blogging system, or else the software has a personal vendetta against him (perhaps it’s angry at him for not posting often enough himself). But his comment is worthwhile, so here it is:

Rather than use that undocumented (and unsupported) environment variable, why not just change the "regedit" invocation to "REG.EXE IMPORT"? REG.EXE doesn't demand elevation -- it's manifested "asInvoker", and can import .reg files...


Here’s a trick I used to help out a customer:

My customer was using a logon script to set some per-user registry keys when the user logged in. This worked fine for their standard users on Windows XP, and it also worked fine for their standard users on Windows 7. However, it added an extra prompt for the few folks who had exceptions to be members of the Administrators group.

You see, they were using regedit.exe to import a .reg file. And, even though they didn’t need administrator privileges to edit the parts of the registry they wanted to modify, the entire application is manifested as highestAvailable, so it would always prompt for their administrators.

So I cooked up the following .bat file to achieve the same thing without annoying their administrators:

set __COMPAT_LAYER=RunAsInvoker
start regedit.exe

And they were off to the races.

Was there another way? Perhaps. But this let them keep their existing scripts and only have to add a single line at the front, so it was the path of least resistance.
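
The two approaches discussed above, side by side, as an added example that is not the script from the original post. It assumes a hypothetical settings.reg containing only per-user (HKCU) values and sitting next to the script, and a hypothetical /compat switch to select the regedit.exe path.

```bat
@echo off
rem Added example, not the original post's script.
rem Assumption: settings.reg is a hypothetical HKCU-only file beside this script.
setlocal
set "REGFILE=%~dp0settings.reg"
if not exist "%REGFILE%" goto :missing

rem Hypothetical switch: pass /compat to keep using regedit.exe.
if /i "%~1"=="/compat" goto :compat

rem Default: reg.exe is manifested asInvoker, so it never asks for elevation.
reg.exe import "%REGFILE%"
exit /b %ERRORLEVEL%

:compat
rem The post's approach for scripts that must keep calling regedit.exe.
rem The variable is inherited by every child process started while it is set,
rem so scope it with setlocal/endlocal around the single call that needs it.
setlocal
set "__COMPAT_LAYER=RunAsInvoker"
start "" /wait regedit.exe /s "%REGFILE%"
endlocal
rem From here on, children launched by the logon script see no compat layer.
exit /b 0

:missing
echo Cannot find "%REGFILE%" 1>&2
exit /b 2
```

Either way the import runs with the user's unelevated token, so values under keys that token cannot write are not imported.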

Posted: Sunday, September 13, 2009 10:22 AM by Chris Jackson

Comments

Ganesh said:

REG - well, that's a useful tool I didn't know about :) thanks!

# September 18, 2009 2:46 AM

Nathan C. said:

How is cscript handled?  If they added the registry data with vbs or powershell, would it also run as highest?

# September 28, 2009 2:31 PM

Chris Jackson said:

cscript is always going to run in the context of the calling shell.

# September 28, 2009 11:28 PM

Amit said:

After adding my account to the Administrators group, I got a UAC prompt for mmc.exe. I fixed this via the solution provided by you.

set __COMPAT_LAYER=RunAsInvoker

start mmc.exe

But when I tried to shim mmc.exe with the compatibility fix 'RunAsInvoker', I got the message that 'the requested operation requires elevation'.

I tried to manifest mmc.exe with level 'asInvoker' as well, but in vain.

Is there any reason for mmc.exe not to work via shim or manifest? Am I missing something?

Please advise.

# November 2, 2009 3:15 PM

Chris Jackson said:

@Amit - You can't manifest it because it's already manifested. Since there is an internal manifest, then external ones are ignored. You can shim it if you want - I shimmed it with RunAsInvoker and it works fine, so I can't reproduce your issue.

# November 4, 2009 2:56 PM

Ian Boyd said:

I'd be interested in seeing the documentation on this __COMPAT_LAYER environment variable. The closest I can find is KB286705 (HOW TO: Script Compatibility Layers in Windows XP)

# November 11, 2009 10:30 AM

Chris Jackson said:

@Ian - well, it's not really documented. I took the KB article as my documentation. :-)

# November 13, 2009 3:15 PM