3. Setting Run Levels
By default, only applications running with a user’s administrator access token run
in elevated mode. Sometimes you’ll want an application running with a
user’s standard access token to be in elevated mode. For example, you
might want to open the Command Prompt window in elevated mode so that
you can perform administration tasks.
In addition to application manifests (discussed in the previous
section), Windows 8 provides two different ways to set the run level
for applications:
To run an application once as an administrator, press and hold or
right-click the application’s shortcut or menu item, and then tap or
click Run As Administrator. If you are using a standard account and
prompting is enabled, you are prompted for consent before the
application is started. If you are using a standard user account and
prompting is disabled, the application will fail to run. If you are
using an administrator account and prompting for consent is enabled,
you are prompted for consent before the application is started.
Windows 8 also enables you to mark an application so that it always
runs with administrator privileges. This approach is useful for
resolving compatibility issues with legacy applications that require
administrator privileges. It is also useful for UAC-compliant
applications that normally run in standard mode but that you use to perform administration tasks. As examples, consider the following:
- A standard application written for Windows 8 is routinely run
  in elevated mode and used for administration tasks. To eliminate the
  need to press and hold or right-click the application shortcut and
  choose Run As Administrator before running the application, you can
  mark it to always run as an administrator.
- An application written for Windows XP or an earlier version of Windows
  requires administrator privileges. Because this application is
  configured to use standard mode by default under Windows 8, the
  application isn’t running properly and is generating numerous errors.
  To resolve the compatibility problem, you could create an application
  compatibility shim using the Windows Application Compatibility Toolkit
  (ACT) version 5.5 or later. As a temporary solution, you can mark the
  application to always run as an administrator.
Note
You cannot mark system applications or processes to always run with
administrator privileges. Only nonsystem applications and processes can
be marked to always run at this level.
Note
REAL WORLD The Windows Application
Compatibility Toolkit (ACT) is a solution for administrators that
requires no reprogramming of an application. ACT can help you resolve
common compatibility problems. For example, some applications run only
on a specific operating system or when the user is an administrator.
Using ACT, you can create a shim that responds to the application
inquiry about the operating system or user level with a True statement,
which allows the application to run. ACT also can help you create more
in-depth solutions for applications that try to write to protected
areas of the operating system or use elevated privileges when they
don’t need to. ACT can be downloaded from the Microsoft Download Center
(http://download.microsoft.com).
You can mark a program to always run as an administrator by following these steps:
- On the desktop, or in File Explorer, locate the program that you want to always run as an administrator.
- Press and hold or right-click the program’s shortcut, and then tap or click Properties.
- In the Properties dialog box, tap or click the Compatibility tab, shown in Figure 1.
- Do one of the following:
  - To apply the setting to the currently logged-on user, select the Run This Program As An Administrator check box, and then tap or click OK.
  - To apply the setting to all users on the computer and regardless of
    which shortcut is used to start the application, tap or click Change
    Settings For All Users to display the Properties dialog box for the
    application’s .exe file, select the Run This Program As An
    Administrator check box, and then tap or click OK twice.
Note
If the Run This Program As An Administrator option is unavailable, it means that the application is blocked from always running at an elevated level, the application does not require administrator credentials to run, or you are not logged on as an administrator.
The program will now always run
using an administrator access token. Keep in mind that if you are using
a standard account and prompting is disabled, the program will fail to
run.
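As an added example (not from the original text), the following PowerShell lists every program that carries the always-run-as-administrator mark, for the current user and for all users, so the marks can be reviewed. It assumes the Compatibility tab records the mark as a RUNASADMIN flag under the AppCompatFlags\Layers registry key; the function name Get-RunAsAdminMark is hypothetical.

```powershell
# Added example: audit programs marked "Run This Program As An Administrator".
# Assumption: the Compatibility tab stores each mark as a string value named
# after the program's full path, containing the RUNASADMIN flag, under the
# AppCompatFlags\Layers key (HKCU = current user, HKLM = all users).
$layers = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$scopes = [ordered]@{
    'Current user' = "HKCU:\$layers"
    'All users'    = "HKLM:\$layers"
}

function Get-RunAsAdminMark {   # hypothetical helper name
    foreach ($scope in $scopes.Keys) {
        $path = $scopes[$scope]
        if (-not (Test-Path -Path $path)) { continue }   # no marks in this scope
        $key = Get-Item -Path $path
        foreach ($program in $key.GetValueNames()) {
            if (-not $program) { continue }              # skip the unnamed default value
            $flags = [string]$key.GetValue($program)
            # Flags are space separated; match the whole token only
            if (($flags -split '\s+') -contains 'RUNASADMIN') {
                [pscustomobject]@{
                    Scope      = $scope
                    Program    = $program
                    Flags      = $flags
                    FileExists = Test-Path -LiteralPath $program
                }
            }
        }
    }
}

Get-RunAsAdminMark | Sort-Object Scope, Program | Format-Table -AutoSize
```

Reviewing this list periodically shows which of the temporary compatibility marks described above are still in place.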
4. Optimizing Virtualization and Installation Prompting for Elevation
With regard to applications, several areas of UAC can be customized, including:
In Group Policy, you can configure these features by using settings
for Computer Configuration under Windows Settings\Security
Settings\Local Policies\Security Options. The security settings are as
follows:
- User Account Control: Detect Application Installations And Prompt For Elevation
  Determines whether Windows 8 automatically detects application
  installation and prompts for elevation or consent. (This setting is
  enabled by default in Windows 8.) If you disable this setting, users
  are not prompted, so they will not be able to elevate permissions by
  supplying administrator credentials.
- User Account Control: Virtualize File And Registry Write Failures To Per-User Locations
  Determines whether file and registry virtualization is on or off.
  Because this setting is enabled by default, error notifications and
  error logging related to virtualized files and registry values are
  written to the virtualized location rather than the actual location to
  which the application was trying to write. If you disable this
  setting, the application will silently fail when trying to write to
  protected folders or protected areas of the registry.
Note
In a domain environment, you can use Active Directory–based Group
Policy to apply the security configuration you want to a particular set
of computers. You can also configure these settings on a per-computer
basis by using local security policy. To do this, follow these steps:
- Open Local Security Policy. One way to do this is by pressing the Windows key, typing secpol.msc,
  and then pressing Enter. If you’ve enabled Show Administrative Tools as
  a Start setting, you’ll also see a related tile on the Start screen.
- In the console tree, under Security Settings, expand Local Policies, and then select Security Options.
- Double-tap or double-click the setting you want to work with, make any necessary changes, and then tap or click OK.
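To confirm what a computer actually ended up with after Group Policy or local security policy has been applied, the two settings can be read back from the registry. This is an added example, not part of the original text; it assumes the policies are stored as the DWORD values EnableInstallerDetection and EnableVirtualization under the Policies\System key, and the function name Get-UacAppPolicy is hypothetical.

```powershell
# Added example: report the state of the two UAC application settings.
# Assumption: each policy is a DWORD (1 = enabled, 0 = disabled) under the
# key below; a missing value is reported as "Not set".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = [ordered]@{
    EnableInstallerDetection = @{
        Policy     = 'User Account Control: Detect Application Installations And Prompt For Elevation'
        IfDisabled = 'Users are not prompted, so they cannot elevate by supplying administrator credentials.'
    }
    EnableVirtualization = @{
        Policy     = 'User Account Control: Virtualize File And Registry Write Failures To Per-User Locations'
        IfDisabled = 'Applications silently fail when writing to protected folders or registry areas.'
    }
}

function Get-UacAppPolicy {   # hypothetical helper name
    $values = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    foreach ($name in $settings.Keys) {
        $raw = $values.$name   # $null when the value does not exist
        $state = if ($null -eq $raw) { 'Not set' }
                 elseif ($raw -eq 1) { 'Enabled' }
                 else                { 'Disabled' }
        [pscustomobject]@{
            Policy        = $settings[$name].Policy
            RegistryValue = $name
            State         = $state
            # Consequence text is taken from the setting descriptions above
            Effect        = if ($state -eq 'Disabled') { $settings[$name].IfDisabled } else { '' }
        }
    }
}

Get-UacAppPolicy | Format-List
```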