Windows 10: native way to allow standard user to run an application that asks for admin permission?

huangs3
huangs3 used Ask the Experts™
on
Hi! I have Windows 10 professional installed on a laptop. I used admin account to install a software on the laptop, and want to let people use it under standard account (without admin permission). However, when I login with standard account and double click the executable, I am always asked for admin user name and password, such that a standard account wouldn't able to execute it.

I made the following attempt, but didn't work: change the file folder of the installed software to give the specific standard user full control, and find the related folder in registry then give full control to the specified user.

I notice that there is third party tool like this that may make it work: http://www.robotronic.de/runasspcEn.html 
However, I am wondering: is there native way in Windows 10 to allow standard user to run this application?

Thank you!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
There is no native way to do this at all.

Try your above approach or Power Broker which is an extension of group policies.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
Distinguished Expert 2018
Commented:
Evergreen question…

We don't know the application, so it cannot be answered. For example: if the application requires debugging permissions, it really needs elevation, while other programs might simply be setup unclever (to say the least), like Microsoft's media creation tool, which at once requires administrative rights although you don't really need those for most of what it does. I hope this example was understandable.

So you should ask the manufacturer of the application if it can do without administrative rights and how to proceed.
William FulksSystems Analyst & Webmaster
Commented:
Have you tried turning off UAC prompts and then running it? Could be the program checks for updates at startup and is defaulting to needing admin rights.

Without know the specific app, it's hard to give you much help here, though.
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

Author

Commented:
Hi McKnife, attached screenshot shows the software I installed. It is not an English software. It is a stock trading client, which I don't think the functionality needs admin permission.
cczq.PNG

Author

Commented:
Hi William, I changed UAC to "Never Notified", but it didn't help.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
No that will not help you with software installs
Distinguished Expert 2018

Commented:
Your screenshot shows what (sorry, I don't speak chinese)? That is no UAC prompt, so what was the screenshot good for?
You need to ask the manufacturer anyway, he will know.
Peter HutchisonSenior Network Systems Specialist
Commented:
You need to find out what specific rights are required - access to filing system (NTFS permissions), OS priviledges (see Local Security Policies) or some other rights required. A tool such as Microsoft's Process Explorer or Process Monitor may be able to help what it is trying to access.

See articles:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings 
https://docs.microsoft.com/en-us/sysinternals/
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Use the Great Wall Securities Online Trading Flash Edition

Author

Commented:
I created a short cut as solution. The command in the shortcut is like:
RUNAS /user:<machine_name>\<admin_user_name> /savecred "CMD /C START /B <executable_path_and_file>"

The use of RUNAS command and /savecred refers to the article:
https://community.spiceworks.com/how_to/86844-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator

In additional, I found that only if I use the CMD command together with the program executable, the application can start.

To use this solution I created a local admin user just for this shortcut. It is being used in one single machine, such that it cannot be used to influence other computer in network, in case anything happens.
Distinguished Expert 2018

Commented:
runas /savecred has a dangerous aspect that you should not forget: it saved the admin credentials and keeps it accessible for any process the user starts, including malware. This is not limited to your executable, the user (and malware) may start any application as admin now. Don't use it if security matters.

Author

Commented:
I found my own solution, but I feel that's not a general nice solution, even though it fits my personal situation.
The most "right" answer I feel maybe John's "no native way". The easiest solution maybe Shaun Vermaak's (using alternative flash program from the same company). McKnife/William/Peter provided some ways to look at the problem, which sound reasonable.
Distinguished Expert 2018

Commented:
I hope you read my previous comment in time. You placed this question in the security section, which suggests that you try to make it a secure solution. However savecred is all but that. For confirmation, read this oldie article: http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2003-07/0069.html (still applicable).

Author

Commented:
Thanks McKnife, I realize this cons of using RUNAS /SAVECRED, but still using it because it fits my situation. I also make a unique local account for the command, such that the account cannot be used to do anything else in network.
Distinguished Expert 2018

Commented:
It is an admin account, so it can potentially harvest credentials of network accounts used on that pc pretty easily.

Don't use savecred, that is a foolish idea. Use a local admin account, if there is no other way to use your program, yes, but not savecred, but simply use UAC to switch accounts. See my article for a comfortable way: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html

Author

Commented:
Don't worry I have firewall in local network, and I know the user well that he wouldn't know how to harvest. The PC is just near me and I know that nobody else will touch it. Once I push the application provider to update their code to avoid needing admin permission, I can remove the savecred.
Distinguished Expert 2018

Commented:
Look, it's sad to see good advice rejected, so I show you one last approach, which is by far better than savecred and has the same comfort:
1 download psexec
2 activate the local administrator and set a complex password (you need the built-in admin even for savecred because of the elevation)
3 run it like this: psexec -u administrator -p complexpassword yourapp

That works the same way, but makes credentials only accessible to yourapp and not to anything.

4 now you can delete the savecred credentials by opening (on the run prompt):
rundll32.exe keymgr.dll, KRShowKeyMgr

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial