Discussion:
Have you ever successfully turned off User Account Control (UAC) for just a given executable?
(too old to reply)
Arlen Holder
2018-06-07 22:04:41 UTC
Permalink
How can we best turn off User Account Control (UAC) for just an executable?
https://msdn.microsoft.com/en-us/library/bb756993.aspx

The executable I want to turn UAC off for is the OpenVPN Daemon (aka
OpenVPN.exe).

The reason I want to turn it off is that I generally select a score of
config files and then right click to open them, where only one of the score
wins the battle, the rest close on their own (either because they didn't
work, or they weren't the first one to connect, so they're slower).

I don't want to turn off UAC globally if I don't have to.

Have you ever successfully turned off UAC for just a given executable?
How did you accomplish that feat?

Searching the Microsoft web site for UAC help...
https://support.microsoft.com/en-us/products/windows?os=windows-10

This suggests using the "task scheduler".
UAC message "Do you want to allow the following program from an unknown
publisher to make changes to your computer?
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/uac-message-do-you-want-to-allow-the-following/bea30ad8-9ef8-4897-aab4-841a65f7af71

This is the task scheduler reference but that link doesn't exist.
http://www.msfn.org/board/faq-uac-part2-t135472.html

Searching for how the task scheduler does this, I find it's a lousy hack.
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/disabling-uac-approval-for-specific-programs-in/745a3740-679a-42f9-9c51-59475c9cd2ff
which, in effect, runs the program every time when you boot up.
http://www.winhelponline.com/blog/run-programs-elevated-without-getting-the-uac-prompt/

Here is a task-scheduler UAC-shutoff tutorial - but it's not going to work
for this method of just doubleclicking on an openvpn config file to start
the OpenVPN Daemon (aka openvpn.exe) without the UAC control kicking in.
https://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html

I don't want to turn off UAC altogether, with or without WinAero.
https://winaero.com/blog/how-to-turn-off-and-disable-uac-in-windows-10/

I just want to turn UAC off for the one executable, openvpn.exe.

Googling more, this says you can only do it using the special MS tool:
https://superuser.com/questions/99286/selectively-disabling-uac-for-specific-programs-on-windows-7
o Microsoft Application Compatibility Toolkit:
http://www.microsoft.com/en-us/download/details.aspx?id=7352
But the comments show that's a 2-day job (in the end).

Have you ever successfully turned off UAC for just a given executable?

This suggests a third-party program called "UAC Trust Shortcut".
http://www.door2windows.com/how-to-turn-off-user-account-control-uac-for-a-specific-application/

This also suggests a third-party tool called "UAC Pass".
https://www.techgainer.com/disable-uac-prompts-specific-programs-windows/
Where UAC Pass can be found here:
https://sites.google.com/site/freeavvarea/UACPass-en

But that site also suggested "Elevated Shortcut" which is superceded.
https://winaero.com/comment.php?comment.news.152

So I'm not sure what's the most current way to eliminate the query for UAC
in the latest Windows 10 nowadays that works.

Have you successfully turned off UAC for just a given executable?
How did you accomplish that feat?
Stan Brown
2018-06-07 22:38:52 UTC
Permalink
Post by Arlen Holder
How can we best turn off User Account Control (UAC) for just an executable?
https://msdn.microsoft.com/en-us/library/bb756993.aspx
The executable I want to turn UAC off for is the OpenVPN Daemon (aka
OpenVPN.exe).
Why not just right-click the shortcut and in Properties » Shortcut »
Advanced set it to run as administrator?
--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
Arlen Holder
2018-06-07 23:15:55 UTC
Permalink
Post by Stan Brown
Post by Arlen Holder
The executable I want to turn UAC off for is the OpenVPN Daemon (aka
OpenVPN.exe).
Why not just right-click the shortcut and in Properties » Shortcut »
Advanced set it to run as administrator?
Thanks for that idea to set a shortcut to "run as administrator"!

It "might" work, but it didn't work (yet) in the first pass, or even in the
second pass (yet) ... but maybe the idea can be made to work in the end?

First pass:
- There is no shortcut to openvpn.exe (aka the OpenVPN Daemon).
- I just doubleclick on any *.ovpn file and the OpenVPN Daemon runs it.
- That single step connects me to VPN (i.e., there is no shortcut).
- Or, more often, I select a few dozen *.ovpn files & right click "Open".
- That runs as many files as I selected in the same spot until one wins.
- Hence, there is no shortcut.

BTW, I already had set "run as administrator" in two places for openvpn.exe
- Right click on "openvpn.exe" > properties > Compatibility >
- Settings > [x]Run this program as an administrator
If that's all you do, then when you doubleclick on a config file,
Windows file associations runs it in openvpn.exe but then the
window just goes away and a curlme.bat shows that you are not
connected to the VPN.
- But I can fix that by going back to that step above, also hitting:
Settings > [x]Run this program as an administrator
and where, this time, I also hit the button to change for all users:
- Change settings for all users > [x]Run this program as an administrator
- Now when I doublick on an openvpn config file, the window stays open,
and the VPN connection is made through the OpenVPN Daemon (openvpn.exe).

Second pass:
- I have a shortcut to a related program called "killgw.bat".
- It's just this batch file below renamed to "killgw.bat".
<https://www.liquidvpn.com/billing/dl.php?type=d&id=49>
- This kill-gateway batch script has a shortcut named "killgw.bat.lnk".
- I just right clicked on that shortcut & set it to run as administrator.
- But it *still* popped up the UAC query when I doubleclicked the shortcut.

I do very much appreciate the idea as I'm seeking something that everyone
would want, which is to turn off UAC for selected programs when...
a. There is no shortcut since the program runs from file associations, &
b. I don't want the program running at boot (from the task scheduler), &
c. I don't want to globally turn off UAC for everything.

I think those are reasonable requirements, and I love the idea of just
running a "shortcut" as Administrator ... but there is no shortcut ... and,
even when I ran a shortcut as administrator, the UAC query still came up.

I'm running the latest Windows 10 (version 1803).
Anyone can run the test where the killgw.bat.lnk shortcut still popped up
the UAC query - so maybe Microsoft broke something recently?

Did Microsoft recently break that "run as administrator" tweak?
Big Al
2018-06-07 23:22:58 UTC
Permalink
Post by Arlen Holder
How can we best turn off User Account Control (UAC) for just an executable?
https://msdn.microsoft.com/en-us/library/bb756993.aspx
The executable I want to turn UAC off for is the OpenVPN Daemon (aka
OpenVPN.exe).
The reason I want to turn it off is that I generally select a score of
config files and then right click to open them, where only one of the score
wins the battle, the rest close on their own (either because they didn't
work, or they weren't the first one to connect, so they're slower).
I don't want to turn off UAC globally if I don't have to.
Have you ever successfully turned off UAC for just a given executable?
How did you accomplish that feat?
Searching the Microsoft web site for UAC help...
https://support.microsoft.com/en-us/products/windows?os=windows-10
This suggests using the "task scheduler".
UAC message "Do you want to allow the following program from an unknown
publisher to make changes to your computer?
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/uac-message-do-you-want-to-allow-the-following/bea30ad8-9ef8-4897-aab4-841a65f7af71
This is the task scheduler reference but that link doesn't exist.
http://www.msfn.org/board/faq-uac-part2-t135472.html
Searching for how the task scheduler does this, I find it's a lousy hack.
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/disabling-uac-approval-for-specific-programs-in/745a3740-679a-42f9-9c51-59475c9cd2ff
which, in effect, runs the program every time when you boot up.
http://www.winhelponline.com/blog/run-programs-elevated-without-getting-the-uac-prompt/
Here is a task-scheduler UAC-shutoff tutorial - but it's not going to work
for this method of just doubleclicking on an openvpn config file to start
the OpenVPN Daemon (aka openvpn.exe) without the UAC control kicking in.
https://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html
I don't want to turn off UAC altogether, with or without WinAero.
https://winaero.com/blog/how-to-turn-off-and-disable-uac-in-windows-10/
I just want to turn UAC off for the one executable, openvpn.exe.
https://superuser.com/questions/99286/selectively-disabling-uac-for-specific-programs-on-windows-7
http://www.microsoft.com/en-us/download/details.aspx?id=7352
But the comments show that's a 2-day job (in the end).
Have you ever successfully turned off UAC for just a given executable?
This suggests a third-party program called "UAC Trust Shortcut".
http://www.door2windows.com/how-to-turn-off-user-account-control-uac-for-a-specific-application/
This also suggests a third-party tool called "UAC Pass".
https://www.techgainer.com/disable-uac-prompts-specific-programs-windows/
https://sites.google.com/site/freeavvarea/UACPass-en
But that site also suggested "Elevated Shortcut" which is superceded.
https://winaero.com/comment.php?comment.news.152
So I'm not sure what's the most current way to eliminate the query for UAC
in the latest Windows 10 nowadays that works.
Have you successfully turned off UAC for just a given executable?
How did you accomplish that feat?
Crap Cleaner does it. Not sure how but you can see it in the
scheduler. Or with autoruns.
Arlen Holder
2018-06-08 00:27:12 UTC
Permalink
Post by Big Al
Post by Arlen Holder
Have you successfully turned off UAC for just a given executable?
How did you accomplish that feat?
Crap Cleaner does it. Not sure how but you can see it in the
scheduler. Or with autoruns.
Thanks for the idea to turn off UAC queries for the openvpn.exe executable
using Ccleaner.

Are you talking about the Piriform CCleaner program?

I just looked and didn't see anything inside of it that disables UAC for
executables on Windows.
Big Al
2018-06-08 08:16:30 UTC
Permalink
Post by Arlen Holder
Post by Big Al
Post by Arlen Holder
Have you successfully turned off UAC for just a given executable?
How did you accomplish that feat?
Crap Cleaner does it. Not sure how but you can see it in the
scheduler. Or with autoruns.
Thanks for the idea to turn off UAC queries for the openvpn.exe executable
using Ccleaner.
Are you talking about the Piriform CCleaner program?
I just looked and didn't see anything inside of it that disables UAC for
executables on Windows.
Yes, but I'm talking about it doing it for itself not other programs.
When installed, it puts a scheduler task in your system that keeps UAC
from hitting you when you launch CC.
You might be able to see what it's doing?
Arlen Holder
2018-06-09 03:56:00 UTC
Permalink
Post by Big Al
Post by Arlen Holder
I just looked and didn't see anything inside of it that disables UAC for
executables on Windows.
Yes, but I'm talking about it doing it for itself not other programs.
When installed, it puts a scheduler task in your system that keeps UAC
from hitting you when you launch CC.
You might be able to see what it's doing?
Oh. Yes. I understand now.
Sorry for ditzing on your original suggestion.

I know about what CCleaner sets as I keep a log file of what *every*
program adds to the system (see my prior thread where Paul answered how to
list services, for example, to a log file from the command line).

Here is a snippet from my Ccleaner installation log file.
1. Open an Admin command prompt & start the Windows Task Scheduler.
%windir%\system32\taskschd.msc /s
2. Go to the "Task Scheduler Library"
3. Delete the hidden tasks
CCleaner Update
CCleanerSkipUAC
Opera scheduled Autoupdate 1518071176

Notice that CCleaner sets something it calls "CCleanerSkipUAC".

What it seems to do is Start a Program:
"C:\app\cleaner\ccleaner\CCleaner.exe" $(Arg0)
It's set to "Run with highest priveleges".

This seems to be how they get around the UAC prompts.
I will keep trying solutions until I have a cut-and-paste solution that
works.

Thanks for this suggestion to tailor the solution after what CCleaner does!
JJ
2018-06-08 05:58:50 UTC
Permalink
Post by Arlen Holder
How can we best turn off User Account Control (UAC) for just an executable?
https://msdn.microsoft.com/en-us/library/bb756993.aspx
The executable I want to turn UAC off for is the OpenVPN Daemon (aka
OpenVPN.exe).
The reason I want to turn it off is that I generally select a score of
config files and then right click to open them, where only one of the score
wins the battle, the rest close on their own (either because they didn't
work, or they weren't the first one to connect, so they're slower).
I don't want to turn off UAC globally if I don't have to.
Have you ever successfully turned off UAC for just a given executable?
How did you accomplish that feat?
I'd use a scheduled task which is a VBScript (e.g. OvpnLauncher.vbs), and is
configured to run elevated. The script would open and read a text file (e.g.
OvpnFile.txt) which contains the name of the *.ovpn file, then executes
OpenVPN.exe using the *.ovpn file as it commandline. Each time you need to
open a *.ovpn file without UAC prompt, put the *.ovpn file path into the
OvpnFile.txt, then use SCHTASKS to run the scheduled task.
Arlen Holder
2018-06-08 06:27:40 UTC
Permalink
Post by JJ
I'd use a scheduled task which is a VBScript (e.g. OvpnLauncher.vbs), and is
configured to run elevated. The script would open and read a text file (e.g.
OvpnFile.txt) which contains the name of the *.ovpn file, then executes
OpenVPN.exe using the *.ovpn file as it commandline. Each time you need to
open a *.ovpn file without UAC prompt, put the *.ovpn file path into the
OvpnFile.txt, then use SCHTASKS to run the scheduled task.
Thank you for that suggestion of using a scheduled task that is configured
to run elevated which simply reads a one-line text file to figure out what
*.ovpn file to open in the OpenVPN Daemon (aka openvpn.exe).

And then use SCHTASKS to run the scheduled task.

I haven't ever used the task scheduler, so I may not respond immediately,
and I don't write visual basic, so it will have to be a batch file.

I saw something like that earlier, over here, I think:
https://superuser.com/questions/547396/arguments-to-connect-using-open-vpn-windows-client

They started the GUI from the command line, not the daemon, using this:
openvpn-gui-1.0.3 --connect config.ovpn

That thread also contained a script to start the GUI.
taskkill.exe /F /IM openvpn.exe
taskkill.exe /F /IM openvpn-gui.exe
timeout 1
start /b "" "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect nas_at_home.ovpn

They showed how to specifiy a hundred ovpn files, which is what I need:
openvpn-gui.exe --connect "client.ovpn" --config_dir "C:\Users\Foo\Documents\protected_crypto_data"

Do you think a batch file will work?
J. P. Gilliver (John)
2018-06-08 17:04:19 UTC
Permalink
Post by Arlen Holder
Post by JJ
I'd use a scheduled task which is a VBScript (e.g. OvpnLauncher.vbs), and is
[]
Post by Arlen Holder
Thank you for that suggestion of using a scheduled task that is configured
to run elevated which simply reads a one-line text file to figure out what
*.ovpn file to open in the OpenVPN Daemon (aka openvpn.exe).
[]
I've been following this thread with interest, but ALL the suggestions
seem far too complex - certainly I find Task Scheduler too complex for
such a simple requirement.

Since the answer to the question posed in the title seems to be "no", or
at least "no _simple_ method", I am not surprised people just turn off
UAC altogether. Which is fine for those like most here who are competent
enough to be careful, but not for the majority of users.

I find it inconceivable - no, not inconceivable, I can easily imagine
Microsoft might not have made it possible; just depressing - that there
_isn't_ a _simple_ way to turn off the UAC prompt for a single
application. (And by simple, I mean something involving no more than
five or ten mouse clicks, or at worst adding a line - of fairly simple
format, such as the path to an executable - to a text file somewhere.
Not having to write a batch, script, or whatever.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Nunc Tutus Exitus Computarus (It is now safe to turn off your computer).
Arlen Holder
2018-06-09 02:37:49 UTC
Permalink
Post by J. P. Gilliver (John)
I find it inconceivable - no, not inconceivable, I can easily imagine
Microsoft might not have made it possible; just depressing - that there
_isn't_ a _simple_ way to turn off the UAC prompt for a single
application.
Hi J.P. Gilliver,
I agree with you.

I'm setting up a new system, so I am setting up the open-source OpenVPN
client to work *perfectly* on Windows 10, which is a dozen steps, and I'm
writing up the tutorial on how to do that so others can follow in my
footsteps.
<https://groups.google.com/forum/#!topic/microsoft.public.windowsxp.general/1PzeGP4KMTU>

If I wasn't so efficient, I'd be done long ago, since the *default*
installation method uses the OpenVPN GUI to *manually* select individual
config files.

But there are *huge* efficiency problems with using the default model.
For one, there is a severe limitation on the *number* of OpenVPN config
files you can have, and worse, it won't automatically choose the *best*
(i.e., fastest connecting) VPN out of, oh, say twenty or thirty config
files.

Plus, it doesn't have any capability whatsoever to *organize* your config
files by identity or action. All config files are equal to the OpenVPN GUI.

That's a *terrible* use model when it comes to efficiency and reliability.

So that's why I select as many config files as I want to just "open" them
in the OpenVPN Daemon (aka openvpn.exe), which takes a few more setup steps
which aren't part of the normal default OpenVPN client Windows setup:

1. You have to tell Windows to use the OpenVPN Daemon for ovpn files.
2. You have to tell Windows to open more than 15 files at once.
3. You have to tell Windows to exactly overlap each window.
4. You have to tell OpenVPN to kill the window if it loses the race.
And, for finesse...
5. You need to test your WLAN IP address outside a privacy-leaking browser
6. You need to add a VPN killswitch since OpenVPN doesn't come with one.
7. You need to add the commands to the taskbar, startmenu, & cascade menu.
And, the Windows bitch is...
8. You need to turn off the UAC query for each of those hundred configs!

I'll solve this problem.
We'll solve this problem.

We *always* solve *all* our Windows problems.
We've been solving all Windows problems for decades.

We almost never fail.
But it won't be easy.

I'm confident, in the end, it will be conspicuously clever, and elegant.
I just don't know what the solution is yet.

But, since *everyone* needs the solution, it's worth working together on.
It's just stupid to turn off UAC altogether - even thout that would work.

So that's why I asked for a solution after googling for solutions first.

It may take me a while to come up with the solution since I don't write
code like Mayayana does, and I don't have the training that Paul has, for
example.

So my methods are all trial and error - and that takes time.
I often screw up the system (which is why I had to rebuilt it last week).

I'm not afraid of trying things - but I do get burned a *lot*.
This will be no different.

I'll try *all* the reasonable suggestions.
Right now, I'm working on this tool:
o Microsoft Application Compatibility Toolkit:
http://www.microsoft.com/en-us/download/details.aspx?id=7352

But I don't know if it will be a dead end or not.
But, like you, the whole Task Scheduler idea seems too much of a hack.

But, in the end, if that's the *only* way to get the job done, then that's
what I'll find out by trial and error.

Until then, any and all suggestions are welcome because *everyone* has this
problem and nobody seems to have solved it satisfactorily yet.
JJ
2018-06-09 15:07:49 UTC
Permalink
Post by Arlen Holder
Post by JJ
I'd use a scheduled task which is a VBScript (e.g. OvpnLauncher.vbs), and is
configured to run elevated. The script would open and read a text file (e.g.
OvpnFile.txt) which contains the name of the *.ovpn file, then executes
OpenVPN.exe using the *.ovpn file as it commandline. Each time you need to
open a *.ovpn file without UAC prompt, put the *.ovpn file path into the
OvpnFile.txt, then use SCHTASKS to run the scheduled task.
Thank you for that suggestion of using a scheduled task that is configured
to run elevated which simply reads a one-line text file to figure out what
*.ovpn file to open in the OpenVPN Daemon (aka openvpn.exe).
And then use SCHTASKS to run the scheduled task.
I haven't ever used the task scheduler, so I may not respond immediately,
and I don't write visual basic, so it will have to be a batch file.
https://superuser.com/questions/547396/arguments-to-connect-using-open-vpn-windows-client
openvpn-gui-1.0.3 --connect config.ovpn
That thread also contained a script to start the GUI.
taskkill.exe /F /IM openvpn.exe
taskkill.exe /F /IM openvpn-gui.exe
timeout 1
start /b "" "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect nas_at_home.ovpn
openvpn-gui.exe --connect "client.ovpn" --config_dir "C:\Users\Foo\Documents\protected_crypto_data"
Do you think a batch file will work?
It can work. e.g.

[code]
@echo off
setlocal
ovpnfiletxt="C:\OVPN Configs\OvpnFile.txt"
for /f "delim=" %%A in ('type %ovpnfiletxt%') do set ovpnfilecfg=%%A
openvpn-gui.exe --connect "%ovpnfilecfg%"
[/code]

Make sure the *.ovpn file name in the OvpnFile.txt file is not surrounded
with quotes.

Loading...