UAC and App-V 5.0 Demystified

There are some methods through which we can suppress UAC prompts when virtualizing using
App-V 5.0. You can try the below methods which ever suits your need.

1. SET __COMPAT_LAYER:

Edit the sequenced shortcut and add the below command.
cmd.exe /c “SET __COMPAT_LAYER=RunAsInvoker & START Appname.exe”



Note: There is a space in between SET and __COMPAT_LAYER. If you didn't leave any space it will throw an error.

"SET' is not recognized as an internal or external command.

2. Registry Method:

Right click on the shortcut and select properties-compatibility-privilege level- run as admin-apply. This will create a registry entry in the HKCU\HKLM based upon User/Machine selection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers (or)

HKEY_Current_User\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers



Export the registry key and add it in the deployment config file and register it in the local machine.


NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

3. SHIMS:

Using Application compatibility toolkit, we can create shims to suppress the UAC prompt for an application.Install the ACT tool first and open the 32 bit compatibility administrator (since we are going to create shim for a 32 bit application).

Click on New Database - Create new- Application fix.


Select the required compatibility mode.In this example we have used RunAsInvoker.


Click Next.


Click finish to create the .sdb file.After creating open the package in the sequencer machine to add this .sdb file under scripts folder using package editor.



Save the package.Now edit the deployment config.xml file and add the script to trigger the shim database installation.




NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

4. Manifest File:( I usually go with this only at the worst case if none of the above methods helped me)

Usually developers create a manifest file which tells the executable as how to request the execution.
There are two types of manifest file. They are Internal/External manifest file.


If the application has an external manifest file then it is easy to edit it and suppress the UAC prompt.
Usually external manifest will have the same executable name ending with .manifest.

                           

We can edit the file using notepad and change the requestedExecutionLevel from "requireAdministrator"  to "asInvoker" or remove the requestedExecutionLevel tag completely.By this way we can easily suppress UAC.


If there is no external manifest file seen, then it will be an embedded one within the executable. Use Resource hacker or PEExplorer tool to open up the executable. After opening you can see the requestedExecutionLevel tag in the manifest. In the example below I used Resource hacker tool to open the shortcut exe.



Change the level to "asInvoker" or you can completely remove the  requestedExecutionLevel tag and compile it and save. After doing these steps manually,test once. Now your application should work fine without any UAC prompt.

If there is no external manifest file or embedded one, then you can create a new external manifest file with the same name as the executable ending with .manifest.
For example, if the main executable name is abc.exe, then the external manifest file name should be abc.exe.manifest and should be kept in the same folder. Edit the abc.exe.manifest file and create the <requestedExecutionLevel> with asInvoker as mentioned earlier.


NOTE: From vista or above if the .exe already has embedded manifest, then the external manifest will be ignored and embedded manifest is used. (This is opposite from XP case. on XP, external manifest is used and internal is ignored.)

5. SET__COMPAT_LAYER Environment Variable:

This is pretty old way. During monitoring with the sequencer, open up a elevated CMD and type in the below command.

setx __COMPAT_LAYER RunAsInvoker /m

setx = creates or modifies environment variables.
__COMPAT_LAYER = Variable.
RunAsInvoker = value.
/m = specifies that variable should be set for system wide(HKLM)

This creates an environmental variable in the package. In the configuration phase edit the shortcut and add c:\windows\system32\cmd.exe /c "START abc.exe" or c:\windows\system32\cmd.exe /c START "" abc.exe.

                 
      
After publishing, the shortcut will look like this. When launching, it will open up CMD which will have the environment variable loaded inside and then start the main exe. Now the shortcut will work without UAC.

                         
Thanks to Dan Gough and other App-V MVP's for providing different solutions which helped me to write up this blog.

Comments

Popular posts from this blog

MSIX - The future universal format

Exploring Advanced Installer Express free edition to convert legacy apps to UWP