Removing Application UAC Requirements with Shims
This guide shows how to create shims that let regular users run applications that normally require local admin. Shims should be a measure of last resort: in many cases simply granting users the necessary permissions on a few folders or registry keys removes the need for a shim, and LUA Buglight can identify which registry keys and files those are.
How it works
The shim forces the application to use "RunAsInvoker" when it is launched. RunAsInvoker overrides the elevation request in the application's manifest, so the application starts with the privilege level (the token) of whatever process launched it, no UAC prompt is shown, and nothing is elevated.
For example, if a regular user opens the application through explorer.exe (a non-admin process), the application opens with that user's regular permissions.
Things to keep in mind:
- Shims should be installed after the application
- Shims might need to be re-installed if an application is updated
- Not all apps play well with shims. Make sure to test the application before putting it into production
Pre-Requisites
Install the Microsoft Application Compatibility Toolkit on the test machine. It ships as a feature of the Windows Assessment and Deployment Kit (which is why the installer is adksetup.exe); the latest version can be found here.
Running the command below will only install the MACT component
adksetup.exe /features OptionId.ApplicationCompatibilityToolkit
You need to have access to the exe you are trying to shim. You can copy it from another computer if you do not want to install the entire application locally.
Creating the Shim
In the steps below we will create and install a shim that will remove the local admin requirement to run the Veeam backup console.
- Open the Compatibility Administrator
- Click on New Database
- Right Click and select Create New
- Select Application Fix
- For name enter "%ApplicationName% Shim"
- Browse for the path of the exe
- Under compatibility modes select "RunAsInvoker"
- Click next and finish on all other prompts until it takes you back to the main screen
- Click Save at the top
- For Name enter "%ApplicationName% Shim"
- For the .sdb file give it whatever name is appropriate
Installing the Shim
Now that the shim has been created, it's time to install it on the computers. This needs to be done on every computer that has the application.
Running the command below from an elevated prompt installs the shim (sdbinst writes to HKLM and to the Windows AppPatch folder, so it must run as an administrator)
sdbinst -q VeeamVBRShim.sdb
A reboot should not be required, and you can now test the application. Test the use cases you think could require elevation: because RunAsInvoker suppresses the elevation rather than granting it, any operation that genuinely needs admin rights will now fail instead of prompting, which is where the folder and registry key permissions from LUA Buglight come in.
For large deployments, logon scripts, PDQ Deploy, and Automate can be used to push out the shim.
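For scripted deployments, the following PowerShell is an added example (not part of the original guide) that installs the .sdb with sdbinst, confirms it registered by reading the AppCompatFlags registry keys rather than trusting the exit code alone, and lists every custom shim on the machine so you can audit that only approved ones are present. It assumes an elevated session; the path C:\Shims\VeeamVBRShim.sdb and the description "Veeam Shim" are placeholders for whatever you entered when saving the database.

```powershell
# Added example, not from the original guide. Assumes an elevated PowerShell
# session; the .sdb path and "Veeam Shim" description below are placeholders.
$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$CustomKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'

function Get-InstalledShim {
    # One object per installed custom database, with the executables it targets.
    Get-ChildItem $InstalledSdbKey -ErrorAction SilentlyContinue | ForEach-Object {
        $guid  = $_.PSChildName                      # "{GUID}" assigned by sdbinst
        $props = Get-ItemProperty $_.PSPath
        # Custom has one subkey per exe name; each holds a value named "{GUID}.sdb".
        $targets = Get-ChildItem $CustomKey -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValueNames() -contains "$guid.sdb" } |
            ForEach-Object { $_.PSChildName }
        [pscustomobject]@{
            Guid        = $guid
            Description = $props.DatabaseDescription  # name given in the Save dialog
            Path        = $props.DatabasePath         # copy under C:\Windows\AppPatch
            Targets     = $targets -join ', '
        }
    }
}

function Install-Shim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SdbPath,      # e.g. C:\Shims\VeeamVBRShim.sdb
        [Parameter(Mandatory)][string]$Description   # e.g. 'Veeam Shim'
    )
    if (-not (Test-Path $SdbPath)) { throw "Shim database not found: $SdbPath" }
    # Idempotent: skip if a database with this description is already registered.
    if (Get-InstalledShim | Where-Object Description -eq $Description) {
        Write-Verbose "'$Description' is already installed"; return $true
    }
    & sdbinst.exe -q $SdbPath
    if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }
    # Confirm the database actually appeared in the registry.
    [bool](Get-InstalledShim | Where-Object Description -eq $Description)
}

# Usage on each target computer (placeholder values):
# Install-Shim -SdbPath 'C:\Shims\VeeamVBRShim.sdb' -Description 'Veeam Shim' -Verbose
# Get-InstalledShim | Format-Table   # audit: only approved shims should be listed
```

To remove a shim later, sdbinst -u with the same .sdb path (or -u -g with the GUID shown by Get-InstalledShim) unregisters it.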