32

I'm having a problem with good ol' bdeadmin.exe in Vista. First, let's get the predictable responses out of the way:

"You should not require your application to be elevated."
This one does. C'est la vie.

"You need to embed a manifest file."
It is already compiled, it is many years old, the company that created it has no intention of doing it again, and it is installed from a Merge Module (MSM file).

"BDE is obsolete, you should be using dbExpress"
One and a half million lines of code. 'Nuff said.

"Drop a manifest file next to the EXE."
Tried that, did nothing. As a test, that same manifest file was able to make several other EXE files require elevation, just not the one I wanted. Something in there is preventing the external manifest from being read.

"Create a shortcut and set SLDF_RUNAS_USER."
Can't do that, it's a Control Panel applet.

The only thing that worked was setting "Run this program as an administrator" under the Compatibility tab of its Properties window. I shouldn't have to tell users to do this. Bad for business. I need to have the installer do this. The MSM file uses a static path.

Cœur
  • 37,241
  • 25
  • 195
  • 267
Patrick
  • 1,766
  • 1
  • 15
  • 27
  • The accepted answer has the registry locations to read for the values you want. – Patrick Aug 29 '14 at 13:50
  • No need to recompile (or relink) just to embed a manifest. It's a regular resource you can add like any other resource. Unless the binary is digitally signed and cannot be changed, this would be the straight forward solution. Re-packaging this into a new Merge Module should be doable as well. – IInspectable Mar 20 '16 at 17:30
  • Regarding the ~ for Win 8: I notice on my Win 7 that there it's a # (hash sign) followed by space followed by RUNASADMIN, so indeed most likely it's a ~ (tilda) on Win 8. And (who knows which new symbol) on windows 10... – Peter Vanroose Jul 30 '15 at 10:15

7 Answers7

39

You can programmatically set the "Run this program as an administrator" flag (the option you find in the Compatibility tab of an EXE's properties), by setting a simple registry key. You need to create a string value (REG_SZ) under one of these keys (if you want the setting to be per user or per machine, respectively):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

The name of the value needs to be the full path to your executable (if the path contains spaces, do not surround the path with quotes) and the data of the value must contain the string RUNASADMIN.

For sample:

reg.exe Add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files\MyApp\Test.exe" /d "PUT__VALUE__HERE"

Compatibility Modes

WIN95 Windows 95
WIN98 Windows 98
WIN4SP5 Windows NT 4.0 SP5
WIN2000 Windows 2000
WINXPSP2 Windows XP SP2
WINXPSP3 Windows XP SP3
VISTARTM Vista
VISTASP1 Vista SP1
VISTASP2 Vista SP2
WIN7RTM Windows 7
WINSRV03SP1 Windows Server 2003 SP1
WINSRV08SP1 Windows Server 2008 SP1

Privilege Level

RUNASADMIN Run program as an administrator

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\temp\compatmodel\iconsext.exe" /t REG_SZ /d "WINXPSP3 RUNASADMIN" /f

References: http://www.verboon.info/2011/03/running-an-application-as-administrator-or-in-compatibility-mode/

Kiquenet
  • 14,494
  • 35
  • 148
  • 243
Allon Guralnek
  • 15,813
  • 6
  • 60
  • 93
  • This looks promising. Now to get that into [COMMONFILESFOLDER] in an msi – Patrick Apr 30 '10 at 12:44
  • The only sticky bit is using the MSI variable in the registry value name. That is showing up blank. But you answered my question, thank you. I'm going to use %commonprogramfiles% and %commonprogramfiles(x86)% in two different values until that part is solved. – Patrick Apr 30 '10 at 13:22
  • You might want to open up a separate question for your MSI conundrum. I know from my dealings with MSI that I'm pretty clueless about it, especially since I find its documentation to be rather lackluster. When I hit a wall, I usually just throw whatever I need to do into a custom action (which is ridiculously easy to do, at least with .NET). – Allon Guralnek Apr 30 '10 at 16:58
  • 1
    I have to use data value "~ RUNASADMIN" for Windows 8.1 – Sith2021 Dec 20 '13 at 14:38
  • 1
    @harveyt: Thanks. Is that `RUNASADMIN`? Do you know if that applies to Windows 8.0 as well? Since this 'feature' is undocumented, the implementation may change at any time and without notice. Hopefully it will only change with new releases of Windows, but I could image it changing with just a simple Windows update (although unlikely). – Allon Guralnek Dec 21 '13 at 12:46
  • You may need `/reg:64` parameter on 64Bit machines if you run the command from 32Bit app. – S.M.Mousavi Nov 25 '15 at 17:35
  • Are those registry keys officially documented? – IInspectable Mar 20 '16 at 17:27
  • @IInspectable: I couldn't find any documentation from Microsoft about this. – Allon Guralnek Mar 21 '16 at 09:21
  • In that case, don't you think this is important information? In other words: Your proposed solution can stop working at any time, without prior notice. And apparently, [it just did stop working](http://stackoverflow.com/q/36116489/1889329). You should consider adding a respective disclaimer to your answer, along the lines of *"Works on my machine"*... – IInspectable Mar 28 '16 at 19:56
6

This is a long shot, but if you have the word "setup" or "install" in the name of the EXE, Windows will prompt for elevation when running it. I don't know if that'll work with a control panel applet, though.

Allon Guralnek
  • 15,813
  • 6
  • 60
  • 93
  • 1
    OMG, hats off, and shields down to you. :) – John Sep 06 '11 at 23:03
  • also "update" ...this can be found in this article [Understanding and Configuring User Account Control in Windows Vista](http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx) under *Installer Detection Technology* (there are no anchors available) – Wolf Nov 20 '14 at 12:14
1

I have found that the .manifest file method doesn't work if the .exe is under C:\Program files\... and the .exe has previously been run without the .manifest file. Windows remembers the .manifest from the first time the .exe is run. This means you can't just send the manifest when users complain that their installations don't run. The manifest file has to be placed before or during the same installation that places the .exe.

Windows rechecks the .manifest if the .exe changes (e.g. new release or different number of bytes)

Wolf
  • 9,679
  • 7
  • 62
  • 108
  • Seems interesting, I could find some more information about it here:[Find Out Why Your External Manifest is Being Ignored.](http://csi-windows.com/blog/all/27-csi-news-general/245-find-out-why-your-external-manifest-is-being-ignored) – Wolf Nov 20 '14 at 12:22
1

Use a wrap program which uses ShellExcute that uses "runas" as its "verb" to run the program you want.

Barrypp.zzx
  • 41
  • 3
0

Have you tried Microsoft's Application Compatibility Toolkit? It analyses your app and provides compatibility shims that might be able to help resolve your problem.

Aaron Klotz
  • 11,287
  • 1
  • 28
  • 22
0

Pack your app into WinRar SFX with silent mode + admin request mode.

Much simpler than messing with .MSI variables.

Benji
  • 11
  • 1
-2

I'd be surprised if this was possible. It would be an ideal way for malicious code to abuse the system. You're probably going to have tell the user the administrator must install or they must have admin rights (like all the other programs on windows do).

Jay
  • 13,803
  • 4
  • 42
  • 69
  • 9
    It doesn't appear like you took the time to understand the question. He is trying to get his application to run as an administrator with a user that has admin rights on a machine has UAC enabled. In its current state, his app doesn't prompt for elevation and runs without admin rights, and fails. He is trying to get it to prompt for elevation, not bypass Windows' security. – Allon Guralnek Apr 29 '10 at 17:49