In this article, we will show how to selectively disable UAC for a specific application without disabling User Account Control service completely. Consider several ways to turn off UAC for one app using the RunAsInvoker compatibility flag.
The RunAsInvoker flag allows you to run the application with a marker inherited from the parent process. This cancels the processing of the application manifest, and the discovery of the installer processes. This parameter doesn’t provide administrator privileges, but only bypasses UAC prompt.
As an example, we will disable the User Account Control prompt for the registry editor (regedit.exe). Despite the fact that my account has local administrator privileges, when I run the utility, a UAC request still appears to confirm the launch.
Disabling UAC for a program using the Application Compatibility Toolkit
We need to install the Application Compatibility Toolkit, which is part of the Windows ADK. Download the latest version of the Windows ADK for Windows 10 here.
Run the adksetup.exe file and during installation (the program needs Internet access), select only the Application Compatibility Tools item.
There are two versions of Application Compatibility Administrator in the system – 32-bit and 64-bit. Run the version of Application Compatibility Administrator depending on the application bitness for which you want to disable the UAC request.
Run the Compatibility Administrator (32-bit) with administrator privileges (!). In the Custom Databases node, right click New Database and select Create New -> Application Fix.
In the following window, enter the name of the application (regedit), the vendor name (Microsoft) and the path to the executable file (C:\Windows\System32\regedit.exe).
Skip the next window (Compatibility Mode) of the configuration wizard by pressing Next. In the Compatibility Fixes window, check the option RunAsInvoker.
You can make sure that the application can run without UAC by pressing the Test Run button.
In the Matching Information dialog, you can specify which application parameters should be checked (version, checksum, size, etc.). I left the COMPANY_NAME, PRODUCT_NAME and ORIGINAL_FILENAME options checked to avoid the recreation of the compatibility patch file after the next Windows 10 update.
Click Finish and specify the name of the file the compatibility fixing package has to be saved to, e. g., regedit.sdb. This file will contain instructions for starting the application with the specified compatibility options.
Now you only have to apply the compatibility fix package to our application. You can do it either from the Compatibility Administrator console (choosing Install in the menu) or from the command prompt.
To do it, run elevated command prompt and execute the following command:
sdbinst -q c:\ps\regedit.sdb
If you have done it right, a message of successful package installation appears.
Installation of regedit complete.
After the package has been installed, the corresponding record will appear in the list of the installed Windows programs (Programs and Features).
Try now to run the application in a user session without local administrator permissions. Now it should start without a UAC request.
Now check the privileges for running application. Run the Task Manager, go to the Process tab, add the “Elevated” column. Make sure that the regedit.exe process is started from the user in the unprivileged mode (Elevated = No).
In this registry editor process, the user can only edit his own registry keys and parameters. But if you try to edit/create something in the system HKLM key, an error appears: “You don’t have the requisite permissions”.
Later this compatibility fix can be distributed to all user computers using the Group Policies. Thus you can disable UAC checks for the specific applications on multiple computers in an Active Directory domain.
To remove the compatibility fix, run the command:
sdbinst –u c:\ps\regedit.sdb
Enable the RunAsInvoker App Flag via the Registry
You can enable the RUNASINVOKER compatibility flag in Windows 10/8.1/7 through the registry. The application compatibility flag can be set for a single or for all computer users.
For example, for regedit app you need to create a new registry parameter (REG_SZ) in the following registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers:
- Value name: C:\windows\regedit.exe
- Value data: RunAsInvoker
If you want to enable application compatibility mode for all local computer users, you need to create this parameter in the different registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.
In the domain, you can import/deploy these registry settings to users through a GPO.
Batch file to Run the Application in the RunAsInvoker Mode
There is another way to run the program without admin privileges and bypassing the UAC prompt (see the article).
Just create a .bat file with the following code:
Set ApplicationPath="C:\windows\regedit.exe"
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %ApplicationPath%"
When this bat file is being run under a common user, the specified application will start without a UAC prompt.
So, we looked at how to disable UAC for a specific program without completely disabling User Account Control. This will allow you to run Windows programs under non-admin without a UAC prompt and without entering an administrator password.
39 comments
Great. Thanks
Heck yeah. Massively helpful. For some reason, certain Steam games dog-whistle the UAC prompt. I don’t want to have to tell the computer that – yes – I would like to play Phantasy Star Online 2 after saying that I would like to play it.
Many thanks!
Hi, I went through the steps, but it still prompted me with a UAC when i tried to open regedit. You’re supposed to open it like you normally would, correct?
Thanks,
Paul
Yeah, I tried it right now with a Windows 10 1709 build and using both 32 and 64 bits version of the Compatibility Administrator. Control panel shows regedit there but it keeps showing UAC.
The file on Windows 10 is in C:\Windows\regedit.exe
This doesn’t work on Windows 10?
You can try to run regedit.exe without showing UAC using this bat file:
startwithoutUAC.bat
Set AppPath=”C:\Windows\regedit.exe””
cmd /min /C “set __COMPAT_LAYER=RunAsAdmin && start “”%AppPath%”
Thanks, the way I’ve managed to make it work was using the command line below:
cmd /min /C “set __COMPAT_LAYER=RuAsAdmin && start C:\Windows\Regedit”
I have tried all this for VS Code (instead of Regedit). The bat file just opens the program regularly and not as admin. Is this something more to do for programs other than Regedit?
Eli,
I believe that this will only work for programs that trigger UAC, VS Code can run without administrator rights.
If you want VS Code to run always as admin, you have to configure the shortcut.
The prompt comes up for VS Code and any program I need to run Admin on for as far as I can tell. I didn’t want to turn UAC all together for security reasons, so thought this would allow selective turning off. Thanks for trying to assist Vandrey.
I’ve decided to switch to Linux and get away from all of Window’s problems. Don’t think I’ll ever look back 🙂
Eli,
As far as I know, there are different installs of Visual Studio Code, check on their website.
And you are free to switch to Linux whenever you want, but take a look at the news that Catalina is bringing UAC to macOS too.
It’s a great security feature from Microsoft and it won’t be a surprise if Linux gets something like that.
I am having same issue
Try: set __COMPAT_LAYER=RunAsInvoker
Let me ask you something about this. I have been trying to figure this out for a while. Close to almost 1 month hitting my head at my desk. I have a certain program we run on all workstation. Once in a while, we get an update from our vendor to update it. We download the .msi or exe file and place it in a shared folder that everyone has access too. When the user opens the file it checks that folder and see’s there’s an update. it tried to install the update but the UAC comes up. Since the users are just standard users we have to enter our username/password. I notice towards the bottom you talked about GPO in a domain and pushing this out. How does that work and do you have any documentation on how to set this up?
I need to bypass the UAC on this program. Maybe adding other software to the database too. Any kind of help would be awesome.
As far as I understand, in your case some app trying to install an update on users’ computers. Obviously, without administrator permissions, it is not installed at all.
I think it’s easier for you to install this update through installing a GPO software / SCCM / GPO startup script or something similar.
Works great for me using the ADK on Win 10 1803. Delighted to be able to stop those popups!
There has got to be a simple program out that will do this in 2 to 3 steps…this is crazy and complicated. A program you enter the file path to, boom….done. Anything? I’ve tried this using instructions above and not working in Win 10 v1903
Trying to use the program called “Everything” search program, 64 bit portable, without the UAC prompt coming up every time. I prefer it to MS search.
Got to be an easier way, I’m uninstalling the dang Windows Compatibility Manager. Too bloated and complicated for allowing this little program to run.
There is an easier way by using a batch file like this example:
set __COMPAT_LAYER=RunAsInvoker
start regedit.exe
I’m using GiMeSpace QuickMenu Version 2.0.3.18 (freeware available on Cnet). I’m running it as admin with the Windows Task Scheduler at startup. You can add programs in a menu that launches with a click/key you choose. Any program launched through it will run with admin right without UAC prompt on Windows 10 1909 x64.
You just have to run it normally to add programs in it, you can’t do it when it’s running as admin (bug?).
You may try more recent versions which are designed for very high screen resolutions. The one I tried was buggy on my system.
I suppose same thing can be done with shorcut managers or other kinds of program managers running with admin rights. It’s easy to configure them to run with admin rights at startup with the Task Scheduler.
My mistake: by “shortcut managers”, I meant Keyboard Hotkeys (Shortcuts) Managers. And it works fine with them also. You just have to configure a hotkey to run the program you want, and launch the manager on connection to user session with highest privileges through the Task Scheduler.
Here are some programs you can use: Clavier+ (UtilFr), Keyboard Shortcuts Manager (Softpedia), HotkeyP, and a bunch of others that are listed on TheWindowsClub, for instance.
Just tried getting a single application that’s been bugging me for months, on top of other apps that I use frequently, didn’t work. Spent over an hour going through this entire walk-through which I am grateful, but couldn’t get it to work at the installation of the .sdb part at command line. I didn’t see the installation complete dialog and when I tried to run the app, it says I need admin rights in order to run it when I’m the admin running admin privileges. I’m running the latest Windows 10 Pro 64bit 2004, MSDN build which I just downloaded and installed last night.
Anyways, I have the same gripe like most users, I don’t understand why MS can’t have an option that disables the UAC dialog box from appearing everytime startup launches my app, and every other app. Jumping through all these “fixes” just to find out hours later that it doesn’t work for me. Can’t believe there’s no easier way than this or the taskscheduler method, just pisses me off daily…
But thanks to the author for your time and effort in contributing this “fix” for the community, even though it didn’t work out for me. Thanks again.
Heck yeah. Massively helpful. For some reason, certain Steam games dog-whistle the UAC prompt. I don’t want to have to tell the computer that – yes – I would like to play Phantasy Star Online 2 after saying that I would like to play it.
Many thanks!
(Sorry. The layout of the comments is a bit ambiguous. I didn’t notice that the “Leave a Comment” form was at the bottom. I thought the “Reply” button *was* to leave a comment.)
Trying to use this, the applications I want to bypass UAC on runs fine in the Test Runs inside the application, but refuse to open outside of it. I have 3 applications these settings are applied to stored in one database, surely that’s not the issue. Installation of the database says it’s successful, but running the app brings up a text box titled ‘Fatal Error’ and the body contains ‘Failed to execute game’. No further details are presented.
After some poking around, apparently I can’t run the applications in question in administrator mode if I want them to run at all. A very peculiar issue, not sure why that would cause any problems.
[…] when I started Cool Edit. So my question was whether I could exclude ceregkey.exe from UAC. WindowsOSHub seemed to say that I could use the registry tweak summarized in this .reg […]
If I make this .reg, can I port it to another computer without installing the windows tool?
Thank you! For some reason my Adobe Illustrator and Premiere Pro kept asking for UAC despite of always removing the Run-As in the advanced options of each app, I’ve been looking for everywhere and got no fix until I found this.
Thank you very much!
Thanks for this. I had a licensed copy of Microsoft Money 2005 (the last version of Money that Microsoft provided) and it had the annoying launch question. Your fix worked and has made my life much pleasanter. For other Money users, please note: After I had followed through the recommended procedure, I still had to go into the Registry, find the MsMoney AppCompatFlags>Layers entry for Money and manually change the entry to “RunAsInvoker” as discussed. Only then did MsMoney work without the “Do you want to allow this App to make changes to your device?” warning. With the Registry change made, Money works as you’d typically expect.
Great guide thank you!
Thank you all for the guide. I have been searching for awhile now on how to do this. This one was flawless!
This fix worked perfectly for me too. Thanks!!
Just a word about the last resort (batch file) thing, it WILL work but you will probably (as far as I can guess) get security denials when trying to edit/add/delete certain keys or values whilst running regedit.exe, or access certain locations from within the program. It might even make some programs crash depending on the type of access they need to system resources. I assume with minimalist programs that run in a way that does not require special privileges, they most likely will run ok (might affect where you can save though!)
No joy here.
I’m doing this for dragon center. C:\Program Files (x86)\MSI\Dragon Center. It works fine from the compatibility administration. Then I create the entry at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Value name: C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe
Value data: RunAsInvoker
But when it starts with the system, or if I execute it manually, the UAC still appears
About Windows ADK:
If you want to bypass UAC for something, you shouldn’t have to install an application that requires UAC anyway. Why even bother?
It can be a useful as a troubleshooting step or for simulating lower permissions in application development
Also, the other options don’t work anyway. load of BS.
When running the test on the compatibility administrtator UAC does not prompt but…… when install and run from the executable UCM still showed. 🙁 any help will be appreciated.
This method is not valid for win10 21H2. But I found another method that still works with the latest Win10
[Use the finished product directly] https://github.com/XIU2/UACWhitelistTool
[principle or manual execution] https://zhuanlan.zhihu.com/p/113767050
PS: but it’s in Chinese, but it’s easy to use
Sweet, just what I needed for “Clover” Explorer Extension.
XMuli said (August 18, 2022): “This method is not valid for win10 21H2.”
But I tried it on my win10 21H2 and it did work (tested on application PowerChute.exe, not regedit).
I installed the ADK for Windows 10, version 1903.
The process worked perfectly until “Click Finish”
It didn’t ask for the package name, and it didn’t create a c:\ps\ folder.
I created a C:\sdb files\ folder and used
File, Save, C:\sdb files\PowerChute
which created the PowerChute.sdb file.
Then
File, Install
which returned: “The database ‘PowerChute’ was successfully installed.”
and no more UAC prompt for PowerChute.
Thanks for this fix!