How to Run Applications Manifested as HighestAvailable With a Logon Script Without Elevation for Members of the Administrators Group

Updated 17-Sept-2009

My friend Aaron has been trying to post a comment with his recommendation. However, it never, never, ever shows up because apparently we either don’t buy good software for our blogging system, or else the software has a personal vendetta against him (perhaps it’s angry at him for not posting often enough himself). But his comment is worthwhile, so here it is:

Rather than use that undocumented (and unsupported) environment variable, why not just change the “regedit” invocation to “REG.EXE IMPORT”? REG.EXE doesn’t demand elevation — it’s manifested “asInvoker”, and can import .reg files…

Here’s a trick I used to help out a customer:

My customer was using a logon script to set some per-user registry keys when the user logged in. This worked fine for their standard users on Windows XP, and it also worked fine for their standard users on Windows 7. However, it added an extra prompt for the few folks who had exceptions to be members of the Administrators group.

You see, they were using regedit.exe to import a .reg file. And, even though they didn’t need administrator privileges to edit the parts of the registry they wanted to modify, the entire application is manifested as highestAvailable, so it would always prompt for their administrators.

So I cooked up the following .bat file to achieve the same thing without annoying their administrators:

set __COMPAT_LAYER=RunAsInvoker
start regedit.exe

And they were off to the races.

Was there another way? Perhaps. But this let them keep their existing scripts and only have to add a single line at the front, so it was the path of least resistance.
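
Both approaches side by side in one logon script, as an added example that is not the customer's script or code from the original post. The file name user-settings.reg and the "regedit" command-line switch are assumptions made for illustration. The .reg file is assumed to contain per-user (HKCU) keys only.

```batch
@echo off
rem Added example: per-user registry import at logon without a UAC prompt.
rem SETTINGS_REG and the "regedit" switch are hypothetical names.
setlocal
set "SETTINGS_REG=%~dp0user-settings.reg"

if not exist "%SETTINGS_REG%" (
    echo Missing "%SETTINGS_REG%" 1>&2
    exit /b 1
)

rem Pass "regedit" as the first argument to keep using regedit.exe.
if /i "%~1"=="regedit" goto :use_regedit

rem Default path (Aaron's suggestion): reg.exe is manifested asInvoker,
rem so it never asks for elevation and no compatibility layer is needed.
reg.exe import "%SETTINGS_REG%"
if errorlevel 1 (
    echo reg import failed for "%SETTINGS_REG%" 1>&2
    exit /b 1
)
exit /b 0

:use_regedit
rem The post's trick: regedit.exe is manifested highestAvailable, so
rem RunAsInvoker makes it start with the caller's (unelevated) token.
set "__COMPAT_LAYER=RunAsInvoker"
start "" /wait regedit.exe /s "%SETTINGS_REG%"
set "RC=%errorlevel%"

rem Child processes inherit environment variables. Clear the layer right
rem away so nothing the script launches later silently skips elevation.
set "__COMPAT_LAYER="

rem Nothing is elevated here: keys that need administrator rights are
rem not written, and regedit /s does not report that on screen.
exit /b %RC%
```

Setting the variable once at the top of a longer script applies RunAsInvoker to every program started after it, which is why the example clears it immediately after regedit.exe returns.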

Comments (7)

  1. Ganesh says:

    REG – well, that’s a useful tool I didn’t know about 🙂 thanks!

  2. Nathan C. says:

    How is cscript handled?  If they added the registry data with vbs or powershell, would it also run as highest?

  3. cjacks says:

    cscript is always going to run in the context of the calling shell.

  4. Amit says:

    After adding my account to the Administrators group, I got a UAC prompt for mmc.exe. I had fixed this via the solution provided by you.

    set __COMPAT_LAYER=RunAsInvoker

    start mmc.exe

    But when I tried to shim the mmc.exe with compatibility fix ‘RunAsInvoker’, I got the message that ‘the requested operation requires elevation’.

    I tried to manifest the mmc.exe with level ‘asInvoker’ as well but in vain.

    Is there any reason for mmc.exe to not work via shim or manifest? Am I missing something?

    Please advise.

  5. cjacks says:

    @Amit – You can’t manifest it because it’s already manifested. Since there is an internal manifest, then external ones are ignored. You can shim it if you want – I shimmed it with RunAsInvoker and it works fine, so I can’t reproduce your issue.

  6. Ian Boyd says:

    I’d be interested in seeing the documentation on this __COMPAT_LAYER environment variable. The closest I can find is KB286705 (HOW TO: Script Compatibility Layers in Windows XP)

  7. cjacks says:

    @Ian – well, it’s not really documented. I took the KB article as my documentation. 🙂