AntonioRodrigo

Windows Server run .exe file without administrator privileges
Hi,

I use Windows Server 2008 R2.

Is it possible to run .exe files without having administrator privileges? So, f.e. I copy - paste .exe file on my desktop and I am not administrator - can I run that file? What should be set to do this?


Greetings, Frenky

motnahp00

UAC will prompt you for escalation of privileges.

You could try this:

whatever.exe /runas:Administrator your_password

OriNetworks

It just depends on what the exe is trying to do. If it is trying to access something that requires UAC confirmation, then you can enter admin login information or disable UAC (Definitely a bad thing to do)

AntonioRodrigo

ASKER

Here's my situation: I will have many users and all will be coming to my server via remote desktop. They will run just one .exe file, stored on their desktop (this .exe connects with MS SQL and is doing several other things). Nothing else is allowed for those users... they don't have admin password.


Rich Rumble

Depending on the OS, the firewall may block an outgoing attempt by your exe, otherwise as long as it's not making changes to the registry, it will run without triggering UAC. You may want to remove the ADS (alternate data streams) from the file if it prompts them that this file "may be dangerous" every time, you can use "streams.exe" from microsoft/sysinternals to remove ADS streams from files IF they're prompted every time they try to run it.
-rich

David Johnson, CD

Putting the .EXE on the desktop is bad practice, a link on the otherwise blank desktop is better.

If the program is written to follow the Microsoft programming guidelines it should not require escalation of user privileges and should run as a standard user.

If it is requesting administrative access then one must troubleshoot the reasons why. Actually one can create a compiled script that will launch the application as an administrator with the pertinent security credentials hidden from the user using security by obscurity.

If it is an in-house program then it needs to be modified to run properly. If it is from an outside vendor then go after the vendor to make a properly designed version.

Steve Knight

Have you tried it? Like everyone has said, it depends upon what it does and what you allow the user to do, and then the file system and SQL permissions come into play for the users too. If it needs more rights to run for some reason, then that can be looked at and amended.


I've created a simple 'Hello World' program in Console, C#, Visual Studio 2010. Same thing happens as with my original program - it doesn't run. For a very brief moment I see a sand hour and that's it - nothing happens when I click the .exe.

What can possibly cause this? Is there a way where I can see log of that?

I've also created a path rule in AppLocker to 'allowed' and path to my application. Again, with no result. Exe file simply doesn't run.

David Johnson, CD

path rule in AppLocker to 'allowed'

did you not believe that your use of applocker might be important???

I didn't know what else to do - so I've created a rule in AppLocker and hoping that this will solve it. What should I do? Disable AppLocker? Remove the rule?


David Johnson, CD

You added another complication that is very relevant. We have been investigating why the UAC was kicking in and it may be Applocker that is causing the problem.

I have UAC maxed out, created a console app and a forms app "Hello World", copied these files to a subdirectory in Drive C:

logged in as a standard user AND as a Guest user and was able to execute both programs without a prompt.

Ergo: I believe it is applocker that is your problem.

I've disabled app locker process (appidsvc). Before that I've deleted all the rules and enforced new rules via console. Then I disabled app locker service...

I've also disabled dep, via console. Same result... is there a way I can see log of blocked files?

I mean, is there a log which can tell me why the application is being blocked?


David Johnson, CD

Are you copying the files from another computer on the network? If so, then you have to right click and 'unblock' the executable.

Good one, ve3ofa. Yes, I am copying files from my local computer via remote desktop shared drives.

I've read: http://dosysadminsdream.wordpress.com/2012/01/18/windows-2008-unblock-executable-button/

What is said here is logical, but I don't see 'unblock' button:

User generated image

From the article, it says that once the file is unblocked, the button disappears (in fact, it was never there because I haven't pressed it, for sure). So it should be unblocked, but I still can not run it as non-administrator. I can run the same file as administrator.

I've tried to run the program from the network drive (as administrator) - it works without problem. Then I copied the program to Administrator's desktop and run it - it worked again.

When I sign in as non-administrator, the program works neither from the network drive, nor if I copy-paste it to the server's disc. So it seems that only non-admins can not run .exe files. But, where should I set the rule to allow some .exe files to be run by non-admins?
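One way to check whether copied files actually carry the Zone.Identifier alternate data stream that the 'Unblock' button and streams.exe remove. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later (for `-Stream` and `Unblock-File`), and the folder path is a placeholder.

```powershell
# Added example. Requires PowerShell 3.0+ (-Stream, -File, Unblock-File).
$folder = 'C:\Apps'    # hypothetical folder holding the copied program

# ZoneId values written into the Zone.Identifier stream by Windows
$zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
            3 = 'Internet';      4 = 'Restricted sites' }

$marked = Get-ChildItem -Path $folder -File -Recurse | ForEach-Object {
    $file = $_
    # Get-Item returns nothing (with the error silenced) when the stream is absent
    $ads = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                    -ErrorAction SilentlyContinue
    if ($ads) {
        $text = (Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier') -join "`n"
        $id   = if ($text -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }
        $zone = if ($id -ne $null) { $zones[$id] } else { 'unknown' }
        [pscustomobject]@{ File = $file.FullName; ZoneId = $id; Zone = $zone }
    }
}

if ($marked) {
    $marked | Format-Table -AutoSize
    # Preview only: drop -WhatIf once the listed files are confirmed to be the expected ones.
    $marked | ForEach-Object { Unblock-File -LiteralPath $_.File -WhatIf }
} else {
    'No files under {0} carry a Zone.Identifier stream.' -f $folder
}
```

An empty result means the files are not marked, so the missing 'Unblock' button is expected and the cause of the failed launch lies elsewhere.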


ASKER CERTIFIED SOLUTION
David Johnson, CD

Log in or create a free account to see answer.

It's a hello world program, written in C#. I wrote this program just to test what kind of programs run / don't run, and figured out that no .exe runs on my server if I am logged in as non-admin.

I've turned off UAC and DEP.

I've even tried with the firewall turned off. The .exe's on desktop don't run if I am not signed in as administrator.

David Johnson, CD

can the user run notepad or other microsoft built in software?


On the server check the applocker event log http://technet.microsoft.com/en-us/library/ee791749%28v=ws.10%29.aspx
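Reading the AppLocker event log suggested above from PowerShell, and asking the policy engine which rule applies to a given file and user. This is an added example, not part of the original thread; the file path and account name are placeholders.

```powershell
# Added example. Run on the server in an elevated PowerShell session.
Import-Module AppLocker

$exe  = 'C:\Apps\HelloWorld.exe'   # hypothetical path to the program under test
$user = 'SERVER\rdpuser1'          # hypothetical standard (non-admin) account

# AppLocker rules are only enforced while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Event IDs in the "EXE and DLL" log:
#   8002 = allowed, 8003 = would have been blocked (audit-only), 8004 = blocked
$meaning = @{ 8002 = 'Allowed'; 8003 = 'Audit: would block'; 8004 = 'Blocked' }

Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Decision'; e = { $meaning[[int]$_.Id] } },
                  @{ n = 'UserSid';  e = { $_.UserId } },
                  Message |
    Format-List

# Evaluate the effective policy for this file as that user.
# PolicyDecision is Allowed, Denied, or DeniedByDefault (no allow rule matched).
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $exe -User $user |
    Format-List FilePath, PolicyDecision, MatchingRule
```

A `DeniedByDefault` result for the standard user alongside `Allowed` for an administrator points to a missing allow rule rather than an explicit deny.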


Yes, user can run notepad or calc.

Rich Rumble

Is your AV blocking, is it ZoneAlarm or another app blocking it? You can turn on event logging of processes (http://technet.microsoft.com/en-us/library/dd277403.aspx) and see if anything registers in the event log. For a local policy just use "secpol.msc" on the run line and go to local policies and change the process creation tracking to success/failure.
-rich
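The process-tracking audit described above, enabled from the command line and then read back for one program. This is an added example, not part of the original thread; the executable name is a placeholder, and the subcategory names assume an English-language system.

```powershell
# Added example. Run from an elevated PowerShell session on the server.
# Command-line equivalent of enabling process tracking in secpol.msc.
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable

$exeName = 'HelloWorld.exe'            # hypothetical program name
$since   = (Get-Date).AddMinutes(-15)  # have the user try to start it, then run the query

# 4688 = a new process was created, 4689 = a process exited (carries the exit status)
Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688, 4689; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named <Data> fields of the event into a hashtable
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        $image = if ($evt.Id -eq 4688) { $data['NewProcessName'] } else { $data['ProcessName'] }
        New-Object PSObject -Property @{
            Time       = $evt.TimeCreated
            EventId    = $evt.Id
            User       = $data['SubjectUserName']
            Image      = $image
            ExitStatus = $data['Status']   # only present on 4689
        }
    } |
    Where-Object { $_.Image -like "*\$exeName" } |
    Sort-Object Time |
    Format-Table Time, EventId, User, Image, ExitStatus -AutoSize
```

A 4688 followed at once by a 4689 with a non-zero exit status shows the process started and then failed; no 4688 at all for the standard user means the launch was refused before a process was created.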

I don't have antivirus installed. I've also turned off firewall.


David Johnson, CD

add helloworld.exe to your applocker permitted programs and see if a user can run it.

With process monitor I was able immediately to see what was the problem. I didn't understand what 'sysinternals procmon' is, but that was the key to solve the problem. From my other post:

https://www.experts-exchange.com/questions/27738516/Windows-Server-logging-blocked-execution-of-the-exe-file.html