Friday, May 20, 2022

How to Run Program without Admin Privileges and Bypass UAC Prompt

 


Intro:

I ran into a particular issue with a client program when it ran nightly backups. I won't name this company as it's never a good idea to interrupt your enemy while he's making a mistake. I will say that they require this application to run as admin under Windows 10. For reasons that should be obvious, I won't be giving users admin rights or anything close to it anytime soon.


Problem:

So I need a way for this backup application to run but not prompt for the admin password.  The backup application is not triggered by a user but instead called up by the main program itself. To clarify there's two programs: "main.exe" and "backup.exe". "Main.exe" is the user application. Whenever the "main.exe" is set to run a backup it calls, "backup.exe" which in this case for some dumb reason needs to run as admin. Both applications are in the same folder in the root of the C:\ drive and only "backup.exe" requires to be run as admin. Yea idk ask the devs.

I was under the impression that during coding you would force the exe to require admin permissions if that file was trying to write to either "C:\Program Files", "C:\Program Files (x86)", and or "C:\ProgramData" as users do not have edit permissions in these folders.

However in this case the program, "main.exe" and "backup.exe" reside in "C:\Appli123\" which brings me back to why did "backup.exe" ever need admin permissions in the first place? If someone has a better understanding of this please leave a comment below.


*UPDATE* - I actually found out why this is. This could most definitely be because of the way this program is cobbled together but "main.exe" calls "backup.exe" which calls a service called, "backup-service-xyz". The service is set to run under the "Local System Account". This won't work because our user is a standard non-privileged user and does not have access to do so. At this point two things could occur however one isn't built into "main.exe".

As we know so far, if you run a backup from "main.exe" it calls up "backup.exe" and fails in the GUI after only a few seconds because it must receive a return code from trying to run the service which it can't. The backup process ends here and it dumps you back to the app with an appropriate error.

If you run "backup.exe" from a non-admin command prompt it will call up the service, fail, keeps the cmd window open, then exactly 60 seconds later run the backup in the window, create the necessary backup file in "C:\Appli123\BACKUPS\. This behavior does not exist when it's called up from "main.exe".

So more than likely whoever programmed the backup routine definitely wasn't in the same planning room as the people who wrote the main application.

What the developer should have done if they couldn't code in a service call directly was to at least allow the user setting up the software to run this service as a different user. Allowing the user to enter in the correct account with admin level credentials.


Solution:

There are a few solutions to this issue (I may write about them later) however the one I will be talking about in this article is forcing Windows to look at an external manifest file when running an executable. Using "requestedExecutionLevel level="asInvoker" will in turn tell the program not to force a UAC prompt and since the "main.exe" program is not running as admin to begin with, the "backup.exe" program will run without prompting the UAC.



Here's how to set this up:

1. Find the application .exe file you are trying to run and make a backup copy of it just in case something gets changed that you don't intend.

2. Grab a copy of Resource Hacker from, "http://www.angusj.com/resourcehacker/".

3. Open the .exe file in Resource Hacker, expand the Manifest folder on the left and click on, "1 : 1033". It should have a star to the left of it as seen below.



4. In Resource Hacker copy all of the contents on the right side of the screen starting from "<assembly>" and ending with "</assembly>" and paste this into a blank "notepad.exe" file.

5. Save this Notepad file as "application-name-goes-here.exe.manifest" in the same folder as the application exe but don't close it. It should look similar to the screenshot below. The section that is going to be changed in the next step is highlighted in yellow.



6. In the Notepad file change the highlighted section above from "requireAdministrator" to "asInvoker" as seen below and save and close the file.



7. You need to add the following registry key, "PreferExternalManifest" and set it to "1" to get this to work.

You can add it manually as seen below or copy and paste the following into an elevated cmd prompt.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" /v PreferExternalManifest /t REG_DWORD /d 1 /f




8. Restart Windows and try the app again in question. It should work and not display an UAC prompt or fail.


Conclusion:

In this weird case this will fix this issue and will be immune to the developers updates to the actual "backup.exe" file if there are any. There are a lot of apps that behave in a similar way and this should work for them.



๐Ÿ‘ฝ

No comments: