Windows 10: native way to allow standard user to run an application that asks for admin permission?

Hi! I have Windows 10 professional installed on a laptop. I used admin account to install a software on the laptop, and want to let people use it under standard account (without admin permission). However, when I login with standard account and double click the executable, I am always asked for admin user name and password, such that a standard account wouldn't able to execute it.

I made the following attempt, but didn't work: change the file folder of the installed software to give the specific standard user full control, and find the related folder in registry then give full control to the specified user.

I notice that there is third party tool like this that may make it work: http://www.robotronic.de/runasspcEn.html 
However, I am wondering: is there native way in Windows 10 to allow standard user to run this application?

Thank you!
huangs3Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
There is no native way to do this at all.

Try your above approach or Power Broker which is an extension of group policies.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeCommented:
Evergreen question…

We don't know the application, so it cannot be answered. For example: if the application requires debugging permissions, it really needs elevation, while other programs might simply be setup unclever (to say the least), like Microsoft's media creation tool, which at once requires administrative rights although you don't really need those for most of what it does. I hope this example was understandable.

So you should ask the manufacturer of the application if it can do without administrative rights and how to proceed.
0
William FulksSystems Analyst & WebmasterCommented:
Have you tried turning off UAC prompts and then running it? Could be the program checks for updates at startup and is defaulting to needing admin rights.

Without know the specific app, it's hard to give you much help here, though.
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

huangs3Author Commented:
Hi McKnife, attached screenshot shows the software I installed. It is not an English software. It is a stock trading client, which I don't think the functionality needs admin permission.
cczq.PNG
0
huangs3Author Commented:
Hi William, I changed UAC to "Never Notified", but it didn't help.
0
JohnBusiness Consultant (Owner)Commented:
No that will not help you with software installs
0
McKnifeCommented:
Your screenshot shows what (sorry, I don't speak chinese)? That is no UAC prompt, so what was the screenshot good for?
You need to ask the manufacturer anyway, he will know.
0
Peter HutchisonSenior Network Systems SpecialistCommented:
You need to find out what specific rights are required - access to filing system (NTFS permissions), OS priviledges (see Local Security Policies) or some other rights required. A tool such as Microsoft's Process Explorer or Process Monitor may be able to help what it is trying to access.

See articles:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings 
https://docs.microsoft.com/en-us/sysinternals/
0
Shaun VermaakTechnical Specialist/DeveloperCommented:
Use the Great Wall Securities Online Trading Flash Edition
0
huangs3Author Commented:
I created a short cut as solution. The command in the shortcut is like:
RUNAS /user:<machine_name>\<admin_user_name> /savecred "CMD /C START /B <executable_path_and_file>"

The use of RUNAS command and /savecred refers to the article:
https://community.spiceworks.com/how_to/86844-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator

In additional, I found that only if I use the CMD command together with the program executable, the application can start.

To use this solution I created a local admin user just for this shortcut. It is being used in one single machine, such that it cannot be used to influence other computer in network, in case anything happens.
0
McKnifeCommented:
runas /savecred has a dangerous aspect that you should not forget: it saved the admin credentials and keeps it accessible for any process the user starts, including malware. This is not limited to your executable, the user (and malware) may start any application as admin now. Don't use it if security matters.
0
huangs3Author Commented:
I found my own solution, but I feel that's not a general nice solution, even though it fits my personal situation.
The most "right" answer I feel maybe John's "no native way". The easiest solution maybe Shaun Vermaak's (using alternative flash program from the same company). McKnife/William/Peter provided some ways to look at the problem, which sound reasonable.
0
McKnifeCommented:
I hope you read my previous comment in time. You placed this question in the security section, which suggests that you try to make it a secure solution. However savecred is all but that. For confirmation, read this oldie article: http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2003-07/0069.html (still applicable).
0
huangs3Author Commented:
Thanks McKnife, I realize this cons of using RUNAS /SAVECRED, but still using it because it fits my situation. I also make a unique local account for the command, such that the account cannot be used to do anything else in network.
0
McKnifeCommented:
It is an admin account, so it can potentially harvest credentials of network accounts used on that pc pretty easily.

Don't use savecred, that is a foolish idea. Use a local admin account, if there is no other way to use your program, yes, but not savecred, but simply use UAC to switch accounts. See my article for a comfortable way: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html
0
huangs3Author Commented:
Don't worry I have firewall in local network, and I know the user well that he wouldn't know how to harvest. The PC is just near me and I know that nobody else will touch it. Once I push the application provider to update their code to avoid needing admin permission, I can remove the savecred.
0
McKnifeCommented:
Look, it's sad to see good advice rejected, so I show you one last approach, which is by far better than savecred and has the same comfort:
1 download psexec
2 activate the local administrator and set a complex password (you need the built-in admin even for savecred because of the elevation)
3 run it like this: psexec -u administrator -p complexpassword yourapp

That works the same way, but makes credentials only accessible to yourapp and not to anything.

4 now you can delete the savecred credentials by opening (on the run prompt):
rundll32.exe keymgr.dll, KRShowKeyMgr
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IT Administration

From novice to tech pro — start learning today.