Wednesday, October 20, 2010

UAC Whitelisting and the Application Compatibility Toolkit

UAC has some good and bad elements. When you are logged on as a standard user, being prompted for alternate credentials when needed is a great thing.

But the detection logic Windows uses to determine when these credentials are needed is sometimes faulty.

For example, UPS WorldShip updates itself pretty often. In Windows XP, allowing a standard user to do this was a simple matter of giving the user MODIFY permission over the UPS program folder.

In Vista and Windows 7 it's not so easy. Windows' installer-detection heuristics flag the update utility, RUNPATCH.EXE, as a file that requires elevated privileges. When it runs, the standard user is prompted for alternate credentials, even though that user already has every right the utility needs to do its job.

Other admins would do one of three things, all of which suck:

  1. Wait for UPS to make WorldShip logo compliant. Good luck on that one, see you in a few years.
  2. Allow the user to run as administrator. Do you always give up so easily?
  3. Downgrade the computer to Windows XP. Why don't you just give them an Amiga, you loser?

If these three options did not appeal to you (and they shouldn't) then you probably googled for some way to whitelist a program from UAC. At first you will see people say, "Well that defeats the purpose of UAC!" Idiots. There is a way and, as usual, Microsoft made it difficult to find.

And no, it is not by including a Side-by-Side Manifest, but you are close. Man, I wasted a lot of time on that dog.

The answer is the Application Compatibility Toolkit. If you follow the instructions I linked above, and choose "NoVirtualization" and "RunAsInvoker" as your fixes, Windows should no longer detect RUNPATCH.EXE as requiring alternate credentials.
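Here is an added example, not part of the original post, of what the shim route looks like from the admin side, plus the one prerequisite the shim does not supply. The paths (`C:\UPS\WSTD\RUNPATCH.EXE`, `C:\Shims\WorldShip.sdb`) and the group name `DOMAIN\WorldShip Users` are assumptions for illustration; the `.sdb` is the custom database you save from Compatibility Administrator after picking the NoVirtualization and RunAsInvoker fixes. Run the HKLM and sdbinst parts from an elevated prompt.

```powershell
# Added example (not from the original post): apply the RunAsInvoker layer to a
# program whose file name trips UAC installer detection, and first verify the
# thing the shim does NOT give you: real NTFS rights on the program folder.
# All paths and the group name below are assumed; adjust for your install.
$Exe       = 'C:\UPS\WSTD\RUNPATCH.EXE'          # assumed WorldShip location
$Folder    = Split-Path -Path $Exe -Parent
$UserGroup = 'DOMAIN\WorldShip Users'            # assumed group of standard users
$Sdb       = 'C:\Shims\WorldShip.sdb'            # assumed: saved from Compatibility Administrator

# 1. Same prerequisite as on XP: standard users need Modify on the folder.
#    RunAsInvoker only suppresses the prompt; it grants no extra rights, so a
#    user without Modify gets a failed update instead of a credential prompt.
function Test-FolderModify {
    param([string]$Path, [string]$Identity)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl    = Get-Acl -Path $Path
    $rules  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$rules
}
if (-not (Test-FolderModify -Path $Folder -Identity $UserGroup)) {
    Write-Warning "$UserGroup lacks Modify on $Folder; grant it before shimming, e.g.:"
    Write-Warning "icacls `"$Folder`" /grant `"${UserGroup}:(OI)(CI)M`""
}

# 2a. One-off test without any shim database: the compatibility layer can be
#     requested for a single process through the __COMPAT_LAYER variable.
function Start-AsInvoker {
    param([string]$Path)
    $env:__COMPAT_LAYER = 'RunAsInvoker'
    try { Start-Process -FilePath $Path -Wait }
    finally { Remove-Item -Path Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue }
}

# 2b. Machine-wide, the same layer can be pinned per executable under the HKLM
#     AppCompatFlags\Layers key (the same place the Compatibility tab writes).
function Set-LayerForExe {
    param([string]$Path, [string]$Layers = 'RUNASINVOKER')
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Path -Value $Layers -PropertyType String -Force | Out-Null
}

# 3. The route from the post: install (or roll back) the custom .sdb that
#    carries the NoVirtualization and RunAsInvoker fixes for RUNPATCH.EXE.
function Install-Shim { param([string]$Db) & sdbinst.exe -q $Db }
function Remove-Shim  { param([string]$Db) & sdbinst.exe -q -u $Db }

# Typical order: fix the ACL, test once with Start-AsInvoker as a standard user,
# then deploy with Install-Shim (or Set-LayerForExe if you only need the layer).
```

Why both fixes matter: RunAsInvoker tells Windows to launch the process with the caller's existing token rather than asking for an elevated one, so the prompt goes away. NoVirtualization turns off the file and registry redirection to VirtualStore that UAC otherwise applies to legacy programs, so the updater's writes land in the real program folder, which is exactly why the Modify permission from the XP approach is still required. Installer detection fires on, among other things, keywords in the executable's name such as "setup", "install" or "update", which is why a file called RUNPATCH.EXE gets caught while a differently named binary with the same behaviour would not.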
