Run on behalf of the administrator without right. Why the usual application may need administrator rights

Run an application with administrator rights and without issuing a message when the UAC is turned on (Windows 7)

Inspired by the article setting up UAC in Windows 7. I read comments and I wanted to describe here the ability to start a trusted application with administrator rights with the UAC enabled. This technology Really good Microsoft step to the security of a computer by the user, but the user can often use unsigned applications by itself trusts, which leads to permanent issues of the UAC system and further irritation of the user. How to run applications with administrator rights and without issuing a message from UAC I will consider on the use example Far Manager.which I need to work.
So first need to go to the task scheduler
"Start - All Programs - Standard - Utilities - Task Scheduler" (Start - All Programs - Accessories - System Tools - Task Scheduler)
And "Create a task" (Create Task). In the window that appears, set the "name" (name), (for example, FAR) tasks and install the check box on the option "Execute with the highest rights" options (RUN WITH HIGHEST PRIVILEGES).
Next, go to the Actions tab (Actions) and click the "Create" button to configure the program running.
In the Program or Script (Program / Script) field, use the "Browse" button (Browse), specify the location of the file you need and press the Open button. Next, click two times the OK buttons.

Thus, we have a task with high attributes for starting on behalf of the administrator. Now you need to create a shortcut to start this task.

Create a shortcut on the desktop and in the "Location of the object" (target) field, enter Schtasks / Run / TN FAR (if the task name was from several words separated by spaces, you need the name of the task in the label to specify in " double quotes"). Click "Next" (Next), specified the name of the label (best that it coincides with the name of the program) and click the OK button. Next, you can go to the properties of this shortcut and assign it the icon from the program. Minus this method It is that in this way you can run only one copy of the program. To make two copies, you will need to register another task in the scheduler with another name, but on the same system and also make a label on it.

Tags: Windows 7, UAC, Task Scheduler, Application Run

Many programs at startup require raising rights (icon of the shield from the icon), but in fact, for their normal administrator rights, it is not required (for example, you manually provided necessary rights Users to the program catalog in ProgramFiles and registry branches that are used by the program). Accordingly, when you start such a program from under simple userIf account control is enabled on the computer, the UAC request will appear and you will need to enter the administrator password. To get around this mechanism, many simply turn off UAC or provide the user to the administrator's right on the computer by adding it to a local administrators group. Naturally, both of these methods are unsafe.

Why the usual application may need administrator rights

Administrator rights may be required by the program to modify certain files (logs, configurations, etc.) in your own folder in C: \\ Program Files (x86) \\ SomeApp). By default, users have no rights to edit this directory, respectively, for the normal operation of such a program, administrator rights are needed. To solve this problem, you need to manually on the NTFS administrator to manually assign the right to change / write for the user (or group users) to the folder with the program.

Note. In fact, the practice of storing changing application data in its own directory in C: \\ Program Files is incorrect. It is more correct to store the application data in the user profile. But this is a question of the laziness and incompetence of developers.

Running a program that requires administrator right from normal user

We have already described before, as you can, using the RunasInvoker parameter. However, this method is not flexible. You can also use with the preservation of the Admin password / Savecred (also unsafe). Consider a simpler method of forced launch of any program without administrator rights (and without administering an admin) with the UAC (4,3 or 2 level) included.

For example, take the registry editing utility - regedit.exe (It is located in the C: \\ Windows \\ System32 directory). When the REGEDIT.EXE is started, the UAC window appears and, if you do not confirm the privilege, the registry editor does not start.

Create a file on the desktop rUN-AS-NON-Admin.Bat With the following text:

cMD / MIN / C "SET __COMPAT_LAYER \u003d RUNASInVoker && start" "% 1"

Now for forced to start the application without administrator rights and suppress the UAC request, simply drag the desired exe file to this BAT file on the desktop.

After that, the registry editor should start without the appearance of the UAC request. Opening the processes manager, and add a column Elevated (With a higher level of permissions), you will see that the system has a REGEDIT.exe process with a non-sensitive status (launched with user rights).

Try editing any parameter in the HKLM branch. How do you see access to registry editing in this branch (this user has no rights to write to the registry system branches). But you can add and edit keys in your own user registry branch - HKCU.

Similarly, you can run via BAT file and a specific application, it is enough to specify the path to the executable file.

rUN-APP-AS-NON-ADMIN.BAT

Set ApplicationPath \u003d "C: \\ Program Files \\ Myapp \\ TestApp.exe"
cMD / MIN / C "set __compat_layer \u003d runasinvoker && start" "% applicationpath%"

You can also add a context menu that adds to all applications that the launch is possible without increasing rights. To do this, create the following rEG file. And import it to the registry.

Windows Registry Editor Version 5.00

@ \u003d "CMD / MIN / C \\" set __compat_layer \u003d runasinvoker && start \\ "\\" \\ "% 1 \\" \\ ""

After that, to start any application without admin rights, it is enough to choose the item "" in context menu.

Environment Variable __Compat_Layer and RunasInvoker

Environment variable __compat_layer allows you to install various levels Compatibility for applications (tab Compatibility In the EXE file properties). Using this variable, you can specify the compatibility settings with which you want to run the program. For example, to launch the application in compatibility mode with Windows 7 and the resolution of 640 × 480, set:

set __compat_layer \u003d win7rtm 640x480

Of the options of interest to us, the __compat_layer variable will highlight the following parameters:

• Runasinvoker - Starting an application with the privileges of the parent process without a UAC request.
• Runashighest. - Run an application with maximum rights available to the user (the UAC request appears if the user has administrator rights).
• Runasadmin. - Run an application with administrator rights (AUC request always appears).

Those. The RunasInvoker parameter does not provide administrator rights, and only blocks the appearance of the UAC window.

In operating room windows system With certain situations, the means must be used with elevated privileges. So necessary because of the actions leading to changes in the system level and ordinary users (not admins) it is not necessary. In the article I will tell about run on behalf of the administrator of any application on the computer.

When running programs with elevated rights, the window appears in which you want to confirm the launch. Some users disable this feature at all. This suffers from computer security. After all, the warning window of the UAC does not appear, any malware will be able to start from your computer on behalf of the administrator. "Bad" code and writing gone.

To facilitate users launching programs on behalf of the administrator, I prepared a couple of methods.

Run on behalf of the administrator using the context menu

The context menu is called right mouse button. Click on any program with the mouse and from the context menu, click on the option. This opens the command line and other program where elevated privileges are needed.

Using the CTRL + SHIFT + Enter combination when searching

When on the desktop or in the Start menu there is no any tool we appeal to the search. Any windows version Equipped with them, and in the tenth it is most convenient. Write some command, for example, CMD - command line. Selecting the result simultaneously clamp a combination Ctrl + Shift + Enter. A simple way isn't it?

Additional properties of a shortcut

Suppose you are interested in the question. The icon is already located on the desktop as quick accessBut you do not want to run the context menu all the time. You can solve this problem.

Go to the label properties (right mouse button and Properties) and go to the section "Additionally".

Open extra options. Tick \u200b\u200bthe checkbox "Run on the name of the administrator". Now, with the usual launch of the program, it will always open with elevated rights.

Additionally! In the properties on the Compatibility tab, there is the option "Run this program on behalf of the administrator." Also a useful thing.

Programs for running on behalf of the administrator

Exists the following programs: Runas, Admilink, Execas.

Runas tool

It is part of Windows, so they can be used. To run it enough to open command line And enter the following command:

Most likely, a request for entering a password will appear. Be sure to enter.

Let's create a shortcut on the desktop. Press the right mouse button on the empty area and choose the "shortcut". As a location, we prescribe the very command:

runas / User: NamePK \\ user MSCONFIG.EXE user

Let the name of the label and save.

After starting the shortcut, the command line will open where you need to enter a password from the account. When entering the correct data, the msconfig or utility you have chosen immediately.

With such a situation, you or people who have access to PCs will enter the password every time. This moment is solved by adding the / Savecred parameter to the command, then the team will be like this:

runas / Savecred / User: NamePK \\ user name msconfig.exe

If you think about security, then such labels with such an option is better not to use. It is better to enter the password every time and does not worry that some kind of fucking will use windows tools Without a password, in favor of yourself and in harm to you.

Use Execas tool

Startup on behalf of the administrator is possible by the Execas program. After startup, the window appears with the proposal to enter the account information (login and password), and the name of the program and the path. After entering the data, click "Write".

In the Execas window, our experimental rabbit appeared, close the program and discover again. Immediately the program specified in Execas will open. To add additional application You need to register execs.exe / s on the command prompt. (At the same time, it is necessary to be in the catalog with the utility, for example, C: \\ Execas).

Running Execas, add any more program. Close the tool and run again. The same window appears. But so we are not convenient, so let's turn to the creation of shortcuts:

We make two labels with such teams:

• C: \\ Execas \\ Execas.exe 1
• C: \\ Execas \\ Execas.exe 2

Numbers 1 and 2 respond to the program number in Execas.

Running shortcuts, we see that they opened on behalf of the administrator.

Using the Admilink utility

The header of the utility is a console, and after installation will be in the Windows directory.

We launch the tool and see a completely comfortable window with a Russian interface, so it will be easy to understand.

• In the first field, enter the path to the file that we want to run;
• Command line parameters in the second field is not necessary;
• The third line will be filled yourself, if it is not so, enter with: \\ Windows \\ System32
• Mode Display window. In 4 stitching there are 2 parameters:
  • Show - standard Start By visible window;
  • Hide - work software in the background;

Customize the parameters on the tab Account:

• As a domain name, we write the name of your PC, or NetBIOS and Test.lan;
• Username - You can choose by clicking on the button with three dots;
• Password from account and confirm.
• Entering all data, click "Test".

The utility will verify the performance of the information we specified. Click any key in CMD.

After a successful test, click the button "Generate Admirun launch key". If this is not done, then nothing will work.

• We go to the "LINK" tab and do the following:
• Name label - call any name;
• Catalog - indicate where the label will be located;
• Picture - choose the image for a shortcut;
• Click the button "Generate the command line".
• Now press the big button "Create a shortcut now!".

The icon will immediately appear on the desktop or directory you specified.

We try to run a label. If everything successfully and the program started on behalf of the admin, I congratulate. Otherwise, the actions are incorrectly performed at some step.

If you go to the properties of the shortcut and change the program in the "Object" field to another, then it is simply not to start. This is a small damage from maliciousness.

Task Scheduler

Run the program on behalf of the administrator, sufficiently using the tool "Task Scheduler". There is one nuance here - if you are not an admin, then they will not be able to use.

Enter just two words: task scheduler and open the result.In the window on the right choose the item "Create a task".

Name it with the appropriate name, let's say, you run the command line, then you can call CMD. Also put the donkey "Run with the highest rights".

On the Actions tab, click the button "Create".

Select an action (in our case, the program start).Click "Overview" and select the Utility running.If you run the command line, the path will be: C: \\ Windows \\ System32 \\ cmd.exe.Now click OK.

A new line appeared on the "Actions" deposit. Excellent, you can click OK.

Stage of creating a shortcut

On the desktop we make a label and specify such a command:

schtasks / Run / TN_Disting_Bad

the name_name_v_liber is the name you gave at the very beginning of the task creation process.

Hooray, we did a shortcut, but that's not all. Go to its properties.

On the "Label" tab, change the icon. Of course, you don't have to do it.

Addition to the method with task scheduler

For, you can use the Elevated Shortcut utility. You take a shortcut or executable file and drag on the Elevated Shortcut icon.

Running programs from the command line

If you open the command line on behalf of the administrator specified in the methods, then the launch of all programs from CMD will also allow you to open them with increased rights.How to transfer an account to another computer

conclusions

We looked at a bunch of ways to launch programs on behalf of the administrator. There are options where you need to enter a password is one of the secure solutions, because every time we enter the password, you can not be particularly afraid for the loss of some data. Viral programs will also not be able to run windows tools in this manner.

To install some software Requires administrator rights. In addition, the administrator himself can put a limit on the installation of various software. In the case when you need to install, but there are no permissions on it, we propose to use several simple methodsdescribed below.

On the Internet there are many different software, allowing to bypass protection and install the program under the guise of a regular user. We do not recommend using them especially on working computers, as this may carry serious consequences. We imagine safe methods Installations. Let's look at them in more detail.

Method 1: issuance of rights to the folder with the program

Most often administrator rights, software are required when actions with files in their folder will be carried out, for example, on the system section hard disk. The owner can provide complete rights to other users to certain folders, which will allow you to further install under the regular user login. This is done as follows:

Now, during the installation of the program, you will need to specify the folder to which you provided full accessAnd the whole process must go successful.

Method 2: Starting a program from a regular user account

In cases where there is no opportunity to ask the administrator to provide access rights, we recommend using the built-in in Windows solution. Using the utility via the command line, all actions are carried out. You only need to follow the instructions:

Method 3: Using a portable version of the program

Some software has a portable version that does not require installation. You will be enough to download it from the developer's official website and run. Perform it is possible very simple:

You can cross the software file to any removable information storage device and run it on different computers without administrator rights.

Today we looked at a few simple ways How to install and use various programs without administrator rights. All of them are not complicated, but require the implementation of certain actions. We recommend simply log in to the system from the administrator account, if available. Read more about this in our article by reference below.

Some applications for Windows work requires increased rights, and it is necessary to run them on behalf of the administrator. At the same time the request is displayed. User Account Control"(User Account Control or UAC), in which the system asks for your consent to launch an application.

Many users incorrectly believe that the "user accounting of user accounts" only interferes, and disconnect it. This seriously suffers from the security of the computer, because The user's consent to launch applications is no longer required, and any malicious program can be easily launched and operating. The presence of antivirus can also be 100% guaranteed by computer security.

In this article, I will tell you how to simplify the process of running selected applications on behalf of the administrator, without turning off the UAC (fully or partially) and without damage to security.

To start the application on behalf of the administrator, you can use in several ways:

As an example, we will run the command prompt (CMD) on behalf of the administrator.

Method number 1 (normal) - launch via the right mouse button (UAC request is displayed)

Press the right mouse button on the icon such application and select " Run on the name of the administrator":

Method number 2 - launch using " Ctrl + Shift + Enter"(UAC request is displayed)

Click Start, in the search string, type the desired command and click Ctrl + Shift + Enter.

Method number 3 - Install the launch from the name of the administrator in the label properties (the UAC request is displayed)

Right-click on the desired label and select " Properties".

Click the tab " Label", click" Additionally", Check the box" Run on behalf of the administrator":

Or go to the tab " Compatibility"And check the box" Execute this program on behalf of the administrator":

Method number 4 - simplify the launch for selected applications using the task scheduler (the UAC request is not displayed)

Important! This method only works for accounts included in the group. Administrators. In ordinary users, it will not work, because their ceiling are limited rights.

Go to the most interesting way. If there is an application that you constantly run, and it is obtained from a reliable manufacturer by, for example, it windows application - You can simplify the launch. Creating a label for necessary program Does not take more than 2 minutes and this will allow you to get rid of unnecessary actions in the future. Run task Scheduler (Start---> All programs ---> Standard---> Service---> Task Scheduler) and click " Create a task":

Indicate Namefor a new task and set the checkbox " Fulfill the highest":

Go to the tab Actions, click " Create", In the next window, click" Overview":

Indicate the path to the desired application and click " Open":

Enlarge Figure

Click " OK":

We close the planner and go to the creation of a shortcut.

To create a shortcut on the desktop, click the right mouse button, choose " Create" ---> "Label":

In field Property location We introduce:

Schtasks / Run / TN CMD_ADMIN

where cmd_admin. - The name of the task we created. If the name contains spaces, it must be specified in quotes.

We specify the name of the label:

Enlarge Figure

The label is created and ready to use.

To change the icon - right-click on the shortcut, select " Properties":

Click the tab " Label"and press " Change icon":

"Overview..."

Indicate the path to the program:

Enlarge Figure

Select the desired icon and close both windows with the button. OK":

Now the launch of the desired application on behalf of the administrator is performed double-click According to the created label, while the UAC request is not displayed and security remains in preservation.

Utility for automation "Fashion No. 4"

In case you need to create shortcuts for a large number of programs, it is convenient to use the utility Elevated Shortcut..

Working with the utility comes down to two simple steps:

• Installation
• Dragging an executable file (* .exe, * .bat, * .cmd) on the label of the utility:

Focus auto equipment on the running program

The specifics of the application launch from the planner is that the focus on the window does not translate and, for example, to type a command in the command line, it is necessary to add to the window. This behavior can help in the automation of routine schedule operations, but for "Method No. 4" is not always convenient.

There are several methods for "bypass". They work a little different, so choose the most suitable. The first is more convenient to launch programs, and the second to start scripts.

Add when creating a task:

Using the Start team

Program or script:

Arguments:

/ C START / D "PATE_K_PRogram" file_name.exe

/ C Start / D "C: \\ Windows \\ System32 \\" cmd.exe

Using the Nircmd utility

Program or script:

Path_K_Nircmd \\ nircmd.exe.

Arguments:

Exec Show "Path_Program \\ File Name.exe"

Exec Show "C: \\ Windows \\ System32 \\ Cmd.exe"

Run the "Run" dialog on behalf of the administrator

By analogy with the launch of the command line, you can configure the launch of the dialog box " Perform", And the commands entered into it will also be run on behalf of the administrator. The convenience of this approach is that the list of previously used commands is saved, and you can select the desired from the list.

When creating a task in the scheduler, in the window " Creating actions"Specify:

in field " Program or script":

Rundll32.

in field " Add Arguments":

Shell32.dll, # 61

Download the utility, unpack. Run the command line, enter the desired command, the syntax is not good:

<путь к утилите> <путь к нужному приложению>

The UAC request will be displayed and the application will start on the administrator.

Note: In contextual windows menu 7 is very comfortable feature Copy File Path: Hold Shift., Right click on the file, select " Copy as a way".

Running user programs on behalf of the administrator without entering the administrator password

Important! This method is unsafe, as allowing the user with limited rights to launch the code with full rights. Sunny user or malware can use it and compromise the system.

Consider another interesting task: your account windows recording enters the group of administrators, there is one more or more accountsincluded in the user group. The user needs to launch a program that requires increased rights. It usually looks like this: the user presses the right mouse over the file and selects the "Run from the administrator name", and the request is displayed to enter the administrator password:

Of course, to distribute the administrator password to users is not the best idea. To "get around" to use the Utility Admilink Alexei Kuryakin. With its help, the administrator can create a label for the user to start necessary programAt the same time, the administrator password entry takes only 1 time - when creating a shortcut. During the program startup, the user password will be transmitted in encrypted form.

This method will work if the program start is possible only on behalf of the administrator and the developer did not forget to specify this condition in the manifest. However, there is still a large number of old programs or programs, the launch of which is possible as in as usual modeAnd on behalf of the administrator (a different set of functions will be available). When trying to start such a program using Admilink - it starts in normal mode (without administrative privileges). And if you try to put the checkbox "method number 3. The original style of the author is saved.