October 15th, 2008

How to force Vista to NOT elevate an application

Andrew Arnott
Principal Software Engineer

User Account Control, the feature in Vista that causes installers and some applications to require "elevation" to administrator privileges to run, cuts both ways.  It’s designed to protect users from apps that try to make system-level changes by giving the user a heads-up that it’s about to happen and a chance to abort the operation.  The flip side is that since this is an inconvenience to users, software writers are motivated to write their software so that it doesn’t require admin privileges, further improving security on the system.

While there are problems with UAC, the most aggravating (for me) is that Vista insists on elevating some apps that don’t need elevation.  For example, all setup.exe programs always elevate, since most users don’t want setup programs failing halfway through.  Other programs, like regedit.exe, have manifests that say to Vista, in effect, "I can run in user mode or admin mode, but give me admin mode if it’s available".  So when a non-admin account launches regedit.exe, regedit comes up without requesting elevation.  But if an admin account launches regedit, the UAC dialog comes up.  Fair enough. 

But what if I don’t want to elevate an app that wants it?  For example, I might not want regedit.exe to have admin privileges, to help protect me from myself when I only intend to modify HKEY_CURRENT_USER, which doesn’t require admin rights.

But the more common scenario I find myself in is when I download software I do not entirely trust.  The software comes with a setup program, which I have to run in order to use the software.  I intend to install the program in a private user area rather than Program Files in order to avoid having to elevate the program or its setup program.  But Vista always insists on elevating setup.exe programs. 

There is a way to coerce Vista to not elevate a process that it otherwise would. 

REM The next command MUST be run from an elevated command window.
REM It launches regedit.exe WITHOUT elevated privileges.
runas /trustlevel:0x20000 regedit.exe

Ironically, starting a program explicitly without elevation requires an elevated command prompt.  Go figure.

So next time an untrusted program prompts for elevation that you don’t want to give, try this nifty command.
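
To check that a process started this way really runs without the administrator token, compare the token of the elevated window with the token of the child it launches. This is an added example, not part of the original post; it assumes whoami.exe and findstr.exe are on the path, and it filters on the well-known SIDs S-1-16-* (integrity label) and S-1-5-32-544 (BUILTIN\Administrators).

```batch
@echo off
REM Added example: run from an elevated command window, as the runas
REM command in the post requires.

REM 1. List the trust levels this runas build accepts.
REM    0x20000 should appear in the list.
runas /showtrustlevels

REM 2. Token of the elevated window itself, for comparison.
REM    S-1-16-12288 is the High integrity label, and the
REM    S-1-5-32-544 (Administrators) row is an enabled group here.
echo === Elevated window ===
whoami /groups | findstr /c:S-1-16- /c:S-1-5-32-544

REM 3. Start a child shell at trust level 0x20000 and print the same
REM    two rows from inside it. /k keeps the child window open so the
REM    output can be read. The pipe is inside the quotes, so it is
REM    run by the child shell, not by this one.
runas /trustlevel:0x20000 "cmd /k whoami /groups | findstr /c:S-1-16- /c:S-1-5-32-544"

REM In the child window, check which S-1-16-* label is shown
REM (S-1-16-8192 is Medium, S-1-16-12288 is High) and whether the
REM Administrators row is marked "Group used for deny only".
```

Swap `cmd /k ...` for the setup program or regedit.exe once the child shell shows the token you expect.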
