Run applications as restricted user in Windows 7 – RunAsInvoker

It’s irritating that in Windows 7 there is no obvious way to run an application (that is either detected as needing elevation or includes a manifest to elevate) as a restricted user. I usually disable heuristic detection of executables needing elevation in the UAC options in gpedit.msc but that doesn’t help with executables that include a manifest. Of course, some things really do need elevating to work correctly but I prefer to test them first as a restricted user.

There is a largely undocumented variable that you can use to your advantage here:

set __COMPAT_LAYER=RunAsInvoker

I simply create a .cmd file called RunAsInvoker.cmd and paste the following into it:

set __COMPAT_LAYER=RunAsInvoker
start "" "%~dpnx1"

Click start – run (or Windows key + R) and enter:

shell:sendto

…then hit OK. This will take you to your sendto folder. Here you can either copy the cmd file or create a shortcut to it. Now you can simply right click and send to RunAsInvoker on executables to prevent them from prompting for elevation. You can also just leave a copy on your desktop and drop executables on it to kick them off with restricted rights. Try it with regedit.exe…

(You can also use it to start a command prompt that inherits the RunAsInvoker variable meaning (most) things you run from that shell don’t prompt for elevation.

I’m guessing this works for Vista too – but I really can’t be arsed to check it 🙂

Advertisements

14 Comments

Filed under Geeky stuff

14 responses to “Run applications as restricted user in Windows 7 – RunAsInvoker

  1. Finally! I’ve been searching ever since I installed Win 7 came out on how to do this, and barely could even find anyone even WANTING to do this.

    In XP land I always ran as user and “run as” separate admin when I needed. Maybe it’s because I love sudo on *nix. So I’m one of the few people who actually think UAC is a good idea (compared to always running as admin).

    On Vista/7 I’ve been extremely annoyed that when Win thinks I need admin because it’s “an installer” and when you say no to UAC it won’t let you install. Sometimes I’m in a standard user account and I don’t want the app to install or run anything as an admin, because who knows what the installer might do?

    I saw that there was some way to do this via group policy but I didn’t like that method, and I don’t want to touch that on machines run by my IT dept.

    I also saw you could set a value in HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers with RunAsInvoker but this method is far easier and better.

    Now I’m happy that I can run/install one-off apps for trial in a “sandbox” standard user account without elevating it to admin. And if it doesn’t run as a standard user… I don’t want it!

  2. Glad this was useful, Jason. Check out Aaron Margosis’ Non-Admin blog if you haven’t already, a lot of talk of this kind of thing.

    http://blogs.msdn.com/b/aaron_margosis/

  3. Mark

    Hello. I am really glad I came across your blog post here! I’ve been having trouble with a free voice chat program that my guild uses that forces me to run it with admin privileges.

    From my understanding, using your method above will force a program to run, without giving it admin privileges. This is what I’m looking for. I’ve run an installer for a free game my guild is trying out, and it seems to be running fine.

    When I run the voice chat program called Raidcall it will open up and work fine, BUT when I look at the taskbar the Raidcall icon still has the yellow and blue admin shield in the bottom right corner of the icon. Does this mean that the program forced itself into admin privileges after your method forced it to run without admin privileges? Or perhaps I am misunderstanding what your process does.

    I would appreciate any input, thank you!

    • Joe Abraham (jmaii)

      Funny you should mention RaidCall. I’ve been researching RunAsInvoker specifically to get around RaidCall’s admin requirement. The little yellow shield is telling you that the program itself is demanding that admin rights are needed, but using the method above will still run the program as the current user.

      I used a slightly different method:
      1) Create shortcut to program
      2) Go to Properties of the shortcut
      3) In the Target text box add this to the very beginning (space at the end):
      cmd.exe /C set __COMPAT_LAYER=RunAsInvoker & start “”
      4) Click Change Icon and locate/select the original icon (default will be black cmd icon after Step 3)
      5) Press OK in Properties window to save changes

      Now your shortcut will launch the program as the current user, eliminate the yellow shield, and is pinnable to the Win7 taskbar. The downside is remembering the syntax every time you make a shortcut, which is why the article’s method is great for running any program as invoker on a whim.

      Note: Specifically as a double-check for RaidCall, after saving the changes to the shortcut in Win7 the Target box should read:
      C:\Windows\System32\cmd.exe /C set __COMPAT_LAYER=RunAsInvoker & start “” “C:\Program Files (x86)\raidcall\raidcall.exe”

      • Kostas

        I am trying to do the exact same thing with raidcall. I followed your instructions and changed the shortcut accordingly. Raidcall runs and for the moment it seems to be working fine except that I am asked for the administrator password for the program startRC.exe. I press no, and then raidcall starts and it seems ok.
        But I want to get rid of the irritating admin password prompt. Any ideas?

      • Dan Ashby

        Have you tried Privilege Authority Client to permanently elevate the appropriate processes or possibly LUAbuglight to track down the issues?

  4. Kostas

    I do not know either of them, I will check them out, thank you.

  5. Stefan

    Thanks a lot! This bug (yes, I consider the default behavior a bug) has annoyed me ever since I switched to Windows 7. With this neat little environment variable set globally (via Control Panel/System) Windows now works as expected.

  6. Isabelle

    Very usefull posts and comment; many thanks from France ! 🙂

  7. Liam

    Holy SH*T!!! (excuse the language, just excited) This actually works, just great man, just great. You are the modern age hero we need. Great work, thanks for this.

  8. Pingback: Optiunea RunAsInvoker - Yogi IT Blog

  9. I have to point out my affection for your kind-heartedness giving support to those individuals that need help with in this situation. Your special commitment to getting the message all through has been exceedingly invaluable and has all the time allowed employees like me to arrive at their endeavors. Your own insightful guideline entails this much a person like me and much more to my office colleagues. With thanks; from everyone of us.

  10. Thank you for every other excellent post.I’ve a presentation next week, and I have found what I can add in my speech. Great job!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s