Removing Application UAC Requirements with Shims

This guide will show you how to create shims that allow regular users to run applications that normally require local admin. Shims should only be used as a measure of last resort. In many cases simply granting users to certain folders or reg keys eliminates the need to create a shim. You can use LUA Buglight to identify what those reg keys/files are. 

 How it works

The shim will force the application to use "RunAsInvoker" when it is launched. RunAsInvoker tells the application to open with the privilege level of whatever launched it.

For example, if a regular user opens the application through explorer.exe (a non admin process) then the application will open with regular user permissions. 

Things to keep in mind:

  • Shims should be installed after the application
  • Shims might need to be re-installed if an application is updated
  • Not all apps play well with shims. Make sure to test the application before putting it into production

Pre-Requisites

Install the Microsoft Application Compatibility Toolkit on the test machine. The latest version can be found here.

Running the command below will only install the MACT component 
adksetup.exe /features OptionId.ApplicationCompatibilityToolkit

You need to have access to the exe you are trying to shim. You can copy it from another computer if you do not want to install the entire application locally.

Creating the Shim

In the steps below we will create and install a shim that will remove the local admin requirement to run the Veeam backup console.

  1. Open the Compatibility Administrator

  2. Click on New Database
  3. Right Click and select Create New
  4. Select Application Fix

  5. For name enter "%ApplicationName% Shim"

  6. Browse for the path of the exe
  7. Under compatibility modes select "RunAsInvoker"

  8. Click next and finish on all other prompts until it takes you back to the main screen
  9. Click Save at the top
  10. For Name enter "%ApplicationName% Shim"

  11. For the .sdb file give it whatever name is appropriate

Installing the Shim

Now that the shim has been created its time to install it on the computers. This will need to be done on every computer that has the application.

Running the command below will install the shim
sdbinst -q VeeamVBRShim.sdb

A reboot should not be required and you can now test the application. It is a good idea to test use cases that you think could require elevation.

For large deployments, logon scripts, PDQDeploy, and automate can be leveraged to push out the shim.

Removal

If you need to remove the shim you can do so through Add/Remove programs in control panel

Comments

Popular posts from this blog

FSLogix Troubleshooting guide

Best Practices for Deploying User Profile Disks