Improve company productivity with a Business Account.Sign Up


UAC prompting on startup program with “asInvoker” on the “requestedExecutionLevel”

Posted on 2014-04-09
Medium Priority
Last Modified: 2014-04-11
I am developing a very simple C# Windows Application (it only displays a message box saying "UACtest") that I want it to run at startup without prompting UAC.

For that I created a registry key for it under HKCU, and in the machine that I compiled it (Windows 8 64-bit using Visual Studio 2013) it runs at startup without promping UAC, as expected.

However, if I run the executable on a Windows 7 machine and do exactly the same thing, a UAC prompt is shown at startup.

Please note that the manifest of the executable has "asInvoker" on the "requestedExecutionLevel", the whole manifest is this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="" name=""/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
     <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>

Also when I directly double click the executable, it never prompts UAC neither on Windows 7 32-bit or in the Windows 8 64-bit, the UAC prompting problem is only at startup.

I also tried to compile the executable on the Windows 7 32-bit machine (to maybe bypass some compatibility issues) and a strange thing happened, in that machine now UAC is not prompted at startup as expected, however, when I make the test on another machine (Windows 7 64-bit under Virtual Box) it prompted UAC at startup.

This has now really puzzled me, can someone please tell me a way to compile it so that it never prompts UAC at startup on all versions of Windows?

The project properties I used on Visual Studio 2013 are the default ones, except: *Target framework: 2.0 *Platform target: x86

And the UAC settings on all machines where the default one: "Notify me only when applications try to make changes on my computer (default)"

Also the name of the executable does not contain words like "install" or "update" to not trigger UAC installer heuristics.
Question by:miguelanjelo
  • 2
  • 2
LVL 66

Expert Comment

ID: 39991862
I was suspecting  you can't access the HKCR (or HKLM) hives in Vista and newer versions of Windows unless you have administrative privileges. Therefore, you'll either need to be logged in as an Administrator before you run your utility, give it a manifest that says it requires Administrator level (which will prompt the user for Admin login info), or quit changing things in places that non-Administrators shouldn't be playing.

Also from

Why do I need administrator privileges? Means, what are the resources that are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.

Author Comment

ID: 39992124
But I am writing my key to HKCU to not trigger UAC. And actually it doesn't, when a client downloads my program and double-clicks it, it copies itself to the user's %appdata% folder and adds itself to HKCU, all without triggering UAC.

The problem is when my clients restarts their machines, UAC is prompted at startup asking them if they want to run my application (which can be run as a standard user as it never tries to access restricted areas like %programfiles% or HKLM, and should be run as a standard user because in its manifest it requests to be run "asInvoker".

Maybe there is some problem with the "zone identifier"? I.e. Windows thinks that the program was downloaded from a dangerous place in the internet? How could I make Windows to run my program at startup without never prompting UAC? Because it could be very annoying to my clients :(
LVL 66

Accepted Solution

btan earned 2000 total points
ID: 39993367
I was thinking if this past tool can help in troubleshooting with log generated or event viewer surface any useful log to aid isolation of issue for this symptom

This is a good article on UAC - the integrity level also impact UAC trigger, maybe we can find out the IL on the registry - rightfully as you say should not matter. I also do not see ZoneID should impact it

Windows assigns every process an IL that it places in the process’s token alongside the SIDs of the groups to which the user running the process belongs. Figure 16 lists examples of processes assigned to different ILs. Processes usually inherit the IL of their parent, but a process can also launch a process at a different IL, as AIS does when it launches an elevated process. You can view process integrity levels with the built-in Whoami utility by specifying the /all option, or with Sysinternals Process Explorer or AccessChk. Process Explorer can display process ILs with the addition of the Integrity Level column.

Every securable object has an IL that’s either explicit or implicit. Process, thread, and token objects always have an explicitly assigned IL that’s usually the same as the IL stored in the corresponding process token. Most objects have no explicit IL and so default to an IL of Medium. The only objects created with an IL other than Medium are the objects created by a process running at Low IL, which therefore have a Low IL. You can use the built-in iCacls tool (%SystemRoot%\System32\iCacls.exe) to view the ILs of files and the Sysinternals AccessChk utility to view the ILs of files, registry keys, services and processes.

Author Comment

ID: 39994949
Yes the problem was the zone identifier, I just downloaded and deleted it.
Now it startups without prompting UAC :D

Thanks a lot !!!

Featured Post

Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

A question that many companies need to answer until May 25th of 2018... Is your company ready for GDPR?
This is the conclusion of the review and tests for using two or more Password Managers so you don't need to rely on just one. This article describes the results of a lot of testing in different scenario's to reveal which ones best co-exist together.…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

605 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question