UAC for individual .EXEs

 
 
BeeJ
      09-13-2011
How do I set the UAC to off for individual .EXE.
e.g. Opera, and others I know are OK to open.


 
Bob I
      09-13-2011
You bypass it by using the Task Scheduler to fire off the exe.

On 9/12/2011 19:41, BeeJ wrote:
> How do I set the UAC to off for individual .EXE.
> e.g. Opera, and others I know are OK to open.
>
>

 
VanguardLH
      09-13-2011
Bob I wrote:

> BeeJ wrote:
>
>> How do I set the UAC to off for individual .EXE. e.g. Opera, and
>> others I know are OK to open.

>
> You bypass it by using the Task Scheduler to fire off the exe.


What's missing from Bob's response is that you define a scheduled task
(but not a time to run it or disable the event) and then use/copy a
shortcut for the schtask.exe shortcut.

For an example, see:
http://social.technet.microsoft.com/...1-416f6134c34d

Since the schtask.exe program will elevate the program it loads;
however, changing priority (from the default of Below-Normal) is
mentioned here by editing the XML file (export, edit, import). Remember
to NOT define the task to "Run as Administrator" but instead to "Run
with highest privileges".

Obviously the elevation accomplished by using schtask.exe only works
when you use that shortcut to load the app. If the program is called as
a child process, like you clicking on a hypertext link in a message
viewed in your e-mail client then the shortcut is not used so there
won't be any elevation of the web browser.

I don't think you can edit the registry to add an "auto-elevate"
privilege mode to a hash or path rule in a software restriction policy
(SRP). Unrestricted (run), Disallowed (block), and Basic (run as normal
user) are it. If there were a privilege mode for auto-elevate then you
could define a path policy for the executable so it always got
auto-elevated even if ran as a child process (i.e., when the executable
was called and loaded by a parent process).

Alternatively, I've seen mention of using the Application Compatibility
Toolkit (ACT) to get a program elevated but, I think, that also requires
a certificate to digitally sign the application (i.e., you install a
signed app) along with a manifest defined inside the app that specifies
its privilege level. Opera already digitally signs their installer but
that doesn't mean the app's executable is signed. Right-clicking on
opera.exe shows the file is digitally signed. There are lots of
articles on how to use the ACT to modify the RunAsInvoker attribute for
an app. No point in me pointing at or duplicating all that info.

Enjoy.
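
An audit sketch for the setup described in the post above, added here as an example and not part of the original thread: it reads a task exported as XML (for instance with `schtasks /query /tn <name> /xml`) and reports whether the task runs with highest privileges, has no trigger, and points at an executable in a location a non-elevated process can usually overwrite. The sample tasks, their paths and the list of writable prefixes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: path prefixes a non-elevated process can usually write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%appdata%",
                 "%localappdata%", "%temp%", "%userprofile%")

def audit_task(xml_text):
    """Report the elevation-relevant settings of one exported task."""
    root = ET.fromstring(xml_text)
    levels = [e.text for e in root.findall("t:Principals/t:Principal/t:RunLevel", NS)]
    triggers = root.find("t:Triggers", NS)
    commands = [e.text.strip().strip('"')
                for e in root.findall("t:Actions/t:Exec/t:Command", NS) if e.text]
    # "Run with highest privileges" is stored as RunLevel=HighestAvailable.
    elevated = "HighestAvailable" in levels
    return {
        "elevated": elevated,
        # No trigger: the task only runs when started on demand (the shortcut).
        "on_demand": triggers is None or len(triggers) == 0,
        # 7 (Below Normal) is the Task Scheduler default priority.
        "priority": int(root.findtext("t:Settings/t:Priority", "7", NS)),
        "commands": commands,
        # An elevated task runs whatever file is at this path without a
        # prompt, so the target should not be replaceable by a normal user.
        "writable_targets": [c for c in commands
                             if elevated and c.lower().startswith(USER_WRITABLE)],
    }

def sample_task(command, run_level="HighestAvailable"):
    """Constructed sample in the layout of an exported task (not from the thread)."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Triggers />
  <Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Settings><Priority>7</Priority></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for cmd in (r'"C:\Program Files\Opera\opera.exe"',    # hypothetical paths
                r"C:\Users\alice\Tools\search.exe"):
        print(audit_task(sample_task(cmd)))
```
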
 
 
BeeJ
      09-13-2011
It happens that VanguardLH formulated :
> Bob I wrote:
>
>> BeeJ wrote:
>>
>>> How do I set the UAC to off for individual .EXE. e.g. Opera, and
>>> others I know are OK to open.

>>
>> You bypass it by using the Task Scheduler to fire off the exe.

>
> What's missing from Bob's response is that you define a scheduled task
> (but not a time to run it or disable the event) and then use/copy a
> shortcut for the schtask.exe shortcut.
>
> For an example, see:
> http://social.technet.microsoft.com/...1-416f6134c34d
>
> Since the schtask.exe program will elevate the program it loads;
> however, changing priority (from the default of Below-Normal) is
> mentioned here by editing the XML file (export, edit, import). Remember
> to NOT define the task to "Run as Administrator" but instead to "Run
> with highest privileges".
>
> Obviously the elevation accomplished by using schtask.exe only works
> when you use that shortcut to load the app. If the program is called as
> a child process, like you clicking on a hypertext link in a message
> viewed in your e-mail client then the shortcut is not used so there
> won't be any elevation of the web browser.
>
> I don't think you can edit the registry to add an "auto-elevate"
> privilege mode to a hash or path rule in a software restriction policy
> (SRP). Unrestricted (run), Disallowed (block), and Basic (run as normal
> user) are it. If there were a privilege mode for auto-elevate then you
> could define a path policy for the executable so it always got
> auto-elevated even if ran as a child process (i.e., when the executable
> was called and loaded by a parent process).
>
> Alternatively, I've seen mention of using the Application Compatibility
> Toolkit (ACT) to get a program elevated but, I think, that also requires
> a certificate to digitally sign the application (i.e., you install a
> signed app) along with a manifest defined inside the app that specifies
> its privilege level. Opera already digitally signs their installer but
> that doesn't mean the app's executable is signed. Right-clicking on
> opera.exe shows the file is digitally signed. There are lots of
> articles on how to use the ACT to modify the RunAsInvoker attribute for
> an app. No point in me pointing at or duplicating all that info.
>
> Enjoy.


So how does IE run elevated when a link is clicked? Must be a way to
get Opera or FireFox to do the same. Registry or?
You probably helped explain this, I just need to study the terminology.
Thanks for the insights.

I have a similar problem, but worse, with scripts. They will not run
at all. I am about to turn off UAC and try the scripts.

I ran Vista for years with UAC off and had zero problems. Seems UAC is
of little help. Any stats on what UAC catches? MS must have some data
someplace.

I run Avast and it does catch bad stuff on rare occasions. Maybe that
is good enough.


 
 
Nil
      09-13-2011
On 12 Sep 2011, BeeJ <> wrote in
alt.windows7.general:

> How do I set the UAC to off for individual .EXE.
> e.g. Opera, and others I know are OK to open.


I'm surprised you would find that necessary. I would think any recent
popular, well-written program would install itself in a manner that
would cooperate with UAC. I haven't had to jump through any such hoops
with either Vista or Windows 7, with the exception of Everything
Search, which needs the Task Scheduler trick described elsewhere in
this thread to avoid triggering UAC to request permission to run.
 
 
VanguardLH
      09-13-2011
BeeJ wrote:

> It happens that VanguardLH formulated :
>> Bob I wrote:
>>
>>> BeeJ wrote:
>>>
>>>> How do I set the UAC to off for individual .EXE. e.g. Opera, and
>>>> others I know are OK to open.
>>>
>>> You bypass it by using the Task Scheduler to fire off the exe.

>>
>> What's missing from Bob's response is that you define a scheduled task
>> (but not a time to run it or disable the event) and then use/copy a
>> shortcut for the schtask.exe shortcut.
>>
>> For an example, see:
>> http://social.technet.microsoft.com/...1-416f6134c34d
>>
>> Since the schtask.exe program will elevate the program it loads;
>> however, changing priority (from the default of Below-Normal) is
>> mentioned here by editing the XML file (export, edit, import). Remember
>> to NOT define the task to "Run as Administrator" but instead to "Run
>> with highest privileges".
>>
>> Obviously the elevation accomplished by using schtask.exe only works
>> when you use that shortcut to load the app. If the program is called as
>> a child process, like you clicking on a hypertext link in a message
>> viewed in your e-mail client then the shortcut is not used so there
>> won't be any elevation of the web browser.
>>
>> I don't think you can edit the registry to add an "auto-elevate"
>> privilege mode to a hash or path rule in a software restriction policy
>> (SRP). Unrestricted (run), Disallowed (block), and Basic (run as normal
>> user) are it. If there were a privilege mode for auto-elevate then you
>> could define a path policy for the executable so it always got
>> auto-elevated even if ran as a child process (i.e., when the executable
>> was called and loaded by a parent process).
>>
>> Alternatively, I've seen mention of using the Application Compatibility
>> Toolkit (ACT) to get a program elevated but, I think, that also requires
>> a certificate to digitally sign the application (i.e., you install a
>> signed app) along with a manifest defined inside the app that specifies
>> its privilege level. Opera already digitally signs their installer but
>> that doesn't mean the app's executable is signed. Right-clicking on
>> opera.exe shows the file is digitally signed. There are lots of
>> articles on how to use the ACT to modify the RunAsInvoker attribute for
>> an app. No point in me pointing at or duplicating all that info.
>>
>> Enjoy.

>
> So how does IE run elevated when a link is clicked? Must be a way to
> get Opera or FireFox to do the same. Registry or?
> You probably helped explain this, I just need to study the terminology.
> Thanks for the insights.


I haven't done any of this by using the ACT to set elevated privileges
for an app. You create an sdb database file that lists the compat
config for an app and apparently Windows will read that database to
decide which apps get auto-elevated.

http://www.ghacks.net/2010/07/08/get...ility-toolkit/
http://www.msigeek.com/4823/creating...-administrator
http://www.msigeek.com/4817/virtualr...on-to-fix-apps

Actually it looks like you create an sdb (shim database) file and then
use the sdbinst command to read from it and store that config info. So
it's probably stored in the registry, I don't know where, and it could
be encoded which means doing a text search won't find where that info
gets stored.

If you need to know where the sdb database info gets stored in the
registry, use an install monitor, like Zsoft Uninstaller. Take a
snapshot before registering the sdb database, register the sdb database
using the sdbinst program, and then have the install monitor check for
changes on your host which will list the registry changes (add, deletes,
and modifies). Or use a process monitor, like the one from SysInternals
(I have the old procmon utility since I don't like how they merged
procmon and memmon into their new utility), then run sdbinst and check
what registry entries it defines or touches. They might just add a GUID
definition (http://en.wikipedia.org/wiki/Globally_unique_identifier) in
the registry which defines attributes for a program of which privilege
level might be one.

http://technet.microsoft.com/en-us/l...69(WS.10).aspx
http://technet.microsoft.com/en-us/l...28(WS.10).aspx

"An application shim is a compatibility layer that fools a legacy
application in to believing it's running in an older operating system"
(http://www.zdnet.com/blog/ou/the-rea...patibility/325).
Or for whatever other attributes were defined in the shim.

I haven't bothered getting into all of this so you're asking the wrong
person if you want detailed help on how to use ACT and where the app
shims get defined or stored. It's up to you if you want to get into all
of this. Of course, you could suggest to Opera that they include an
.sdb file to provide an application shim so their users can circumvent
the UAC prompts.
 
 
Stan Brown
      09-14-2011
On 13 Sep 2011 15:08:57 GMT, Nil wrote:
>
> On 12 Sep 2011, BeeJ <> wrote in
> alt.windows7.general:
>
> > How do I set the UAC to off for individual .EXE.
> > e.g. Opera, and others I know are OK to open.

>
> I'm surprised you would find that necessary. I would think any recent
> popular, well-written program would install itself in a manner that
> would cooperate with UAC. I haven't had to jump through any such hoops
> with either Vista or Windows 7, with the exception of Everything
> Search, which needs the Task Scheduler trick described elsewhere in
> this thread to avoid triggering UAC to request permission to run.


Maybe the OP initially had UAC turned off when installing those
things, and then turned them on. I know some of the software I use
at work required manually elevating privilege under those
circumstances, though if I had UAC on when installing, the installer
requested elevated privilege (as it should) and then the actual
applications did not.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com
Shikata ga nai...
 
 
BeeJ
      09-15-2011
Stan Brown was thinking very hard :
> On 13 Sep 2011 15:08:57 GMT, Nil wrote:
>>
>> On 12 Sep 2011, BeeJ <> wrote in
>> alt.windows7.general:
>>
>>> How do I set the UAC to off for individual .EXE.
>>> e.g. Opera, and others I know are OK to open.

>>
>> I'm surprised you would find that necessary. I would think any recent
>> popular, well-written program would install itself in a manner that
>> would cooperate with UAC. I haven't had to jump through any such hoops
>> with either Vista or Windows 7, with the exception of Everything
>> Search, which needs the Task Scheduler trick described elsewhere in
>> this thread to avoid triggering UAC to request permission to run.

>
> Maybe the OP initially had UAC turned off when installing those
> things, and then turned them on. I know some of the software I use
> at work required manually elevating privilege under those
> circumstances, though if I had UAC on when installing, the installer
> requested elevated privilege (as it should) and then the actual
> applications did not.


In my case, the UAC has always been set the same.
I guess I can uninstall Opera and re-install again.


 