5

I have an application that Windows 2008 would always run "as administrator" (i.e. the blue/yellow shield overlay icon is always visible).

However, the "run this program as an administrator" flag is not set in the file properties.

Where does this implicit flag come from and how can I get rid of it?

Background: I do not want to run this program as an administrator, it should run in a scheduled task with an unprivileged account. Currently UAC would not allow running this program, though.

Tomalak
  • 1,605
  • 4
  • 17
  • 32
  • My understanding is that this can happen if the application is trying to access something in the system that is restricted. What is the application and what does it do? – Bart Silverstrim Apr 19 '11 at 13:29
  • @Bart: It is an auto-updater. To be clear: The program is *not* trying to access something restricted and that triggers UAC. Somehow it is marked by the OS that it should *always* run elevated. *I cannot even start it as unprivileged*, which is what I would like to change. – Tomalak Apr 19 '11 at 13:33
  • Did you write the application? Check http://www.edbott.com/weblog/2007/02/what-triggers-user-account-control-prompts/ – Bart Silverstrim Apr 19 '11 at 14:03
  • @Bart, you do not understand me. The app does not *trigger* UAC. And no, I didn't write it. – Tomalak Apr 19 '11 at 15:39
  • Autoupdaters typically write to %programfiles% or %systemroot% (if they're badly written). These actions will trigger UAC. Can you please review the link that @Bart posted and verify that none of this is happening? If you could explicitly name the app, we'd be able to check out the behavior. – MDMarra Apr 19 '11 at 15:49
  • Additionally, it might be trying to write to a HKLM registry subkey. Some of those are privileged locations in later versions of Windows. – Ben Pilbrow Apr 19 '11 at 15:53
  • @Mark. I'm not sure how else I could possibly put it. This program *does not trigger* UAC. It shows up in Explorer *with the blue-yellow shield overlay icon* even if it is not running. This means, that it will be started as elevated or not at all. This happens *before* the program could possibly do anything itself. It is what you normally get when you configure it as "always run as administrator", just that this isn't the case. Really, guys, read what I wrote, because I only seem to be repeating myself here. – Tomalak Apr 19 '11 at 16:21
  • That IS NOT how it reads. It reads like "I have this program that is always prompting and I don't want it to". – Ben Pilbrow Apr 19 '11 at 16:22
  • @Ben, you might notice that I did not even use the word "prompting" and that I quite thoroughly described what I'm facing. – Tomalak Apr 19 '11 at 16:25

1 Answers1

7

You may be tripping one of Windows several heuristics to determine if an application needs administrative privileges. If it determines an application needs administrative privileges, it will trigger a UAC prompt. It's not perfect and not always right, but it's all in an effort for backwards compatibility.

One of the most common ones is simply by file name. If the file contains install or setup (and possibly update) then it will prompt unless explicitly told not to by means of an embedded manifest file. That's nothing you'll be able to change, the developer will have to make this change.

It could be writing to a privileged location, such as somewhere off C:/Windows or C:/Program Files or even a privileged registry location (specifically somewhere off HKEY_LOCAL_MACHINE). A standard user cannot write (or even access in some cases) these locations, and as such Windows must trigger a UAC prompt for the application to function correctly.

You might check if there are any updates available from the publisher of this application. They may be able to provide you with an update that enables compatibility with Windows Server 2008. If not, maybe try contacting them and asking them if they're aware of any issues and see if they have a resolution.

This program could also be listed in the built in compatibility database as requiring elevation to function correctly. I'm not sure if you can influence this list or not, but you'd probably be best off with a more recent version from the software publisher that they have confirmed compatibility with Windows Server 2008.

It might just be that the app is old and does something weird that trips one of the heuristics. I had an application that I wrote that worked fine on Windows XP, but on Vista and later it triggered a UAC prompt. It did not read or write to any of the privileged locations I mentioned earlier. Changing no code whatsoever and simply recompiling it in Visual Studio 2010 (as opposed to Visual Studio 2005 that it was originally compiled in) fixed that problem.

Ben Pilbrow
  • 12,041
  • 5
  • 36
  • 57
  • Thanks Ben, that's the first sensible response to what I actually asked. – Tomalak Apr 19 '11 at 16:22
  • I just read your clarification in your comment. My answer is really based on my (now seemingly wrong) understanding of your problem. All these things should trigger a UAC prompt proper, not just the icon but no prompt. – Ben Pilbrow Apr 19 '11 at 16:24
  • 2
    You were right, it's the term "update" in the file name. Kudos to you, I would never have thought of that. What an annoying half-smart heuristic. Thanks for giving the right hint! – Tomalak Apr 19 '11 at 16:29
  • Yes, if it would have *triggered* the prompt (otherwise running un-elevated) I'd know what's going on. Maybe I wasn't 100% clear, but some of the comments clearly where of the "Oh, UAC, I know what he's asking" variety, and it kinda irritates me if folks seemingly don't even read the question from top to bottom. – Tomalak Apr 19 '11 at 16:33
  • PS: Whooohoo! My scheduled task runs under an unprivileged account! If I could up-vote you twice, I would. :-) I make a copy of the original `update.exe` to `u.exe` before I begin and run the `u.exe`. Et voilà, the batch file runs right to the end. Thanks again! – Tomalak Apr 19 '11 at 16:46