Tag Archives: __COMPAT_LAYER=RunAsInvoker

Run applications as restricted user in Windows 7 – RunAsInvoker

It’s irritating that in Windows 7 there is no obvious way to run an application (that is either detected as needing elevation or includes a manifest to elevate) as a restricted user. I usually disable heuristic detection of executables needing elevation in the UAC options in gpedit.msc but that doesn’t help with executables that include a manifest. Of course, some things really do need elevating to work correctly but I prefer to test them first as a restricted user.

There is a largely undocumented variable that you can use to your advantage here:

set __COMPAT_LAYER=RunAsInvoker

I simply create a .cmd file called RunAsInvoker.cmd and paste the following into it:

set __COMPAT_LAYER=RunAsInvoker
start %~dpsnx1

Click start – run (or Windows key + R) and enter:

shell:sendto

…then hit OK. This will take you to your sendto folder. Here you can either copy the cmd file or create a shortcut to it. Now you can simply right click and send to RunAsInvoker on executables to prevent them from prompting for elevation. You can also just leave a copy on your desktop and drop executables on it to kick them off with restricted rights. Try it with regedit.exe…

(You can also use it to start a command prompt that inherits the RunAsInvoker variable meaning (most) things you run from that shell don’t prompt for elevation.

I’m guessing this works for Vista too – but I really can’t be arsed to check it :)

9 Comments

Filed under Geeky stuff