DESKTOP

Windows 8 : Managing Application Virtualization and Run Levels (part 2) - Setting Run Levels, Optimizing Virtualization and Installation Prompting for Elevation

10/2/2013 3:26:58 AM

3. Setting Run Levels

By default, only applications running with a user’s administrator access token run in elevated mode. Sometimes you’ll want an application running with a user’s standard access token to be in elevated mode. For example, you might want to open the Command Prompt window in elevated mode so that you can perform administration tasks.

In addition to application manifests (discussed in the previous section), Windows 8 provides two different ways to set the run level for applications:

  • Run an application once as an administrator.

  • Always run an application as an administrator.

To run an application once as an administrator, press and hold or right-click the application’s shortcut or menu item, and then tap or click Run As Administrator. If you are using a standard account and prompting is enabled, you are prompted for consent before the application is started. If you are using a standard user account and prompting is disabled, the application will fail to run. If you are using an administrator account and prompting for consent is enabled, you are prompted for consent before the application is started.

Windows 8 also enables you to mark an application so that it always runs with administrator privileges. This approach is useful for resolving compatibility issues with legacy applications that require administrator privileges. It is also useful for UAC-compliant applications that normally run in standard mode but that you use to perform administration tasks. As examples, consider the following:

  • A standard application written for Windows 8 is routinely run in elevated mode and used for administration tasks. To eliminate the need to press and hold or right-click the application shortcut and choose Run As Administrator before running the application, you can mark it to always run as an administrator.

  • An application written for Windows XP or an earlier version of Windows requires administrator privileges. Because this application is configured to use standard mode by default under Windows 8, the application isn’t running properly and is generating numerous errors. To resolve the compatibility problem, you could create an application compatibility shim using the Windows Application Compatibility Toolkit (ACT) version 5.5 or later. As a temporary solution, you can mark the application to always run as an administrator.

Note

You cannot mark system applications or processes to always run with administrator privileges. Only nonsystem applications and processes can be marked to always run at this level.

Note

REAL WORLD The Windows Application Compatibility Toolkit (ACT) is a solution for administrators that requires no reprogramming of an application. ACT can help you resolve common compatibility problems. For example, some applications run only on a specific operating system or when the user is an administrator. Using ACT, you can create a shim that responds to the application inquiry about the operating system or user level with a True statement, which allows the application to run. ACT also can help you create more in-depth solutions for applications that try to write to protected areas of the operating system or use elevated privileges when they don’t need to. ACT can be downloaded from the Microsoft Download Center (http://download.microsoft.com).

You can mark a program to always run as an administrator by following these steps:

  1. On the desktop, or in File Explorer, locate the program that you want to always run as an administrator.

  2. Press and hold or right-click the program’s shortcut, and then tap or click Properties.

  3. In the Properties dialog box, tap or click the Compatibility tab, shown in Figure 1.

  4. Do one of the following:

    • To apply the setting to the currently logged-on user, select the Run This Program As An Administrator check box, and then tap or click OK.

    • To apply the setting to all users on the computer and regardless of which shortcut is used to start the application, tap or click Change Settings For All Users to display the Properties dialog box for the application’s .exe file, select the Run This Program As An Administrator check box, and then tap or click OK twice.

Access the Compatibility tab.

Figure 1. Access the Compatibility tab.

Note

If the Run This Program As An Administrator option is unavailable, it means that the application is blocked from always running at an elevated level, the application does not require administrator credentials to run, or you are not logged on as an administrator.

The program will now always run using an administrator access token. Keep in mind that if you are using a standard account and prompting is disabled, the program will fail to run.

4. Optimizing Virtualization and Installation Prompting for Elevation

With regard to applications, several areas of UAC can be customized, including:

  • Automatic installation detection and prompting

  • Virtualization of write failures

In Group Policy, you can configure these features by using settings for Computer Configuration under Windows Settings\Security Settings\Local Policies\Security Options. The security settings are as follows:

  • User Account Control: Detect Application Installations And Prompt For Elevation Determines whether Windows 8 automatically detects application installation and prompts for elevation or consent. (This setting is enabled by default in Windows 8.) If you disable this setting, users are not prompted, so they will not be able to elevate permissions by supplying administrator credentials.

  • User Account Control: Virtualize File And Registry Write Failures To Per-User Locations Determines whether file and registry virtualization is on or off. Because this setting is enabled by default, error notifications and error logging related to virtualized files and registry values are written to the virtualized location rather than the actual location to which the application was trying to write. If you disable this setting, the application will silently fail when trying to write to protected folders or protected areas of the registry.

Note

In a domain environment, you can use Active Directory–based Group Policy to apply the security configuration you want to a particular set of computers. You can also configure these settings on a per-computer basis by using local security policy. To do this, follow these steps:

  1. Open Local Security Policy. One way to do this is by pressing the Windows key, typing secpol.msc, and then pressing Enter. If you’ve enabled Show Administrative Tools as a Start setting, you’ll also see a related tile on the Start screen.

  2. In the console tree, under Security Settings, expand Local Policies, and then select Security Options.

  3. Double-tap or double-click the setting you want to work with, make any necessary changes, and then tap or click OK.

Other  
  •  Windows 8 : Installing and Maintaining Applications - Managing Desktop Apps
  •  Windows Server 2003 : Managing Software Deployment with Group Policy (part 2) - Software Deployment Approaches, Distributing Windows Installer Packages
  •  Windows Server 2003 : Managing Software Deployment with Group Policy (part 1) - Software Installation Extension
  •  Windows Server 2003 : Managing Special Folders with Group Policy (part 3) - Folder Redirection Best Practices
  •  Windows Server 2003 : Managing Special Folders with Group Policy (part 2) - Policy Removal Considerations, Folder Redirection and Offline Files
  •  Windows Server 2003 : Managing Special Folders with Group Policy (part 1) - Folder Redirection, Setting Up Folder Redirection
  •  Windows 7 : Computer Management (part 2) - Shared Folders,Services
  •  Windows 7 : Computer Management (part 1) - Task Scheduler, Event Viewer
  •  Windows Server 2012 : Active Directory Domain Services Primer - Understanding Domain Trusts
  •  Windows Server 2012 : Active Directory Domain Services Primer - Outlining AD DS Components
  •  
    Top 10
    3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
    3 Tips for Maintaining Your Cell Phone Battery (part 1) - Charge Smart
    OPEL MERIVA : Making a grand entrance
    FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
    BMW 650i COUPE : Sexy retooling of BMW's 6-series
    BMW 120d; M135i - Finely tuned
    PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
    PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
    Java Tutorials : Nested For Loop (part 2) - Program to create a Two-Dimensional Array
    Java Tutorials : Nested For Loop (part 1)
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    VIDEO TUTORIAL
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS