Enterprise Mobility and Security Blog


We’ve had a few customers tell us that they would really like to not be prompted in application launch scenarios with some applications.  There are some valid reasons why the prompt may not be entirely helpful, and a reduction in clickage can be good when it doesn’t lessen security.


Say you log on with Group Policy Creator Owner domain security group privileges.  If that is the only elevated, or most privileged, security group you are a member of, then opening regedit.exe with your standard credentials (saying “don’t elevate” essentially) shouldn’t be a big concern, right?  After all, the security group that got UAC to give you a split token logon doesn’t give you additional privileges to do things with the registry.  But you get prompted anyway, every time you open regedit.exe with UAC enabled.


So you may want to make it so that you aren’t prompted for that application and maybe some others.  Barring turning off User Account Control, what option do you have?


Well, here it is.  You’ve got to create a little “shim” and apply it.  It’s not difficult and it does the job nicely.  Keep in mind that if you do this you will need to right-click the program and choose “Run as administrator” ever after if you want that application to run with high privileges, so this could really impair an application that must have those credentials to run properly.  So choose wisely on when to do this, and test it first before deploying to your users!


Here are the steps:


1)      Download and install the Application Compatibility Toolkit (link below).

2)      Open the Compatibility Administrator application with elevated credentials.

3)      In the left hand pane, right-click on the database under Custom Databases and select Create New → Application Fix.

4)      Enter the name and other details of the application you want to alter behavior on and then browse to it to select it.

5)      Click Next until you are in the Compatibility Fixes screen.

6)      To prevent being prompted to elevate an application (which means that it will always use the less privileged credential to run) place a checkmark next to RunAsInvoker.

7)      Click Next and then Finish.

8)      Select File and Save As.  Save the file as a filename.SDB type file in a directory where you will easily find it.

9)      Copy the <filename>.sdb file to the Vista computer you want to alter the elevation prompt behavior on.

10)   Open an elevated command prompt.

11)   Run the command (without the quotes, assuming you copied the file to the Windows directory on C:): “sdbinst c:\windows\<filename>.sdb” and then press enter.
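Steps 10 and 11 with a check that the database actually registered, as an added example that is not part of the original post. It is PowerShell for an elevated session; the function names are hypothetical, `<filename>.sdb` stays a placeholder, and the `InstalledSDB` registry location and the `-q` and `-u` switches of sdbinst are standard Windows behavior that the post itself does not mention.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Custom shim databases installed with sdbinst are registered under this key.
$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Test-Elevated {
    # True only when the current token holds the full Administrators group.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledShimDatabase {
    # One {GUID} subkey per installed custom database; none means nothing is installed.
    if (-not (Test-Path $InstalledSdbKey)) { return }
    Get-ChildItem $InstalledSdbKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
        }
    }
}

function Install-ShimDatabase {
    param([Parameter(Mandatory = $true)][string]$SdbPath)

    if (-not (Test-Elevated)) { throw 'Open an elevated prompt first (step 10).' }
    if (-not (Test-Path -LiteralPath $SdbPath)) { throw "Shim database not found: $SdbPath" }

    # Remember what was registered before, so the new entry can be picked out.
    $before = @(Get-InstalledShimDatabase | ForEach-Object { $_.Guid })

    # -q suppresses the confirmation dialog; the path is quoted in case it has spaces.
    $proc = Start-Process -FilePath 'sdbinst.exe' -ArgumentList '-q', "`"$SdbPath`"" -Wait -PassThru
    # Assumption: a non-zero exit code means the install failed.
    if ($proc.ExitCode -ne 0) { throw "sdbinst exited with code $($proc.ExitCode)" }

    # Returns only newly registered databases (empty if this one was already installed).
    Get-InstalledShimDatabase | Where-Object { $before -notcontains $_.Guid }
}
```

Call `Install-ShimDatabase -SdbPath 'C:\Windows\<filename>.sdb'` and review the returned entry; running `Get-InstalledShimDatabase` on its own inventories every custom shim database on the machine, and `sdbinst -u` with the same path removes the fix so the prompt returns.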


Microsoft Application Compatibility Toolkit 5.0



More info on the other options you have for altering application launch behavior is available at the URL below:


Application Compatibility Feature Guide



I’ve got some really interesting (at least I think so) posts coming up, folks, so stay tuned and as always let me know if you have any questions.