Running applications on Windows often requires administrator privileges, especially during installation. However, there’s a lesser-known workaround using __COMPAT_LAYER=RunAsInvoker
that allows non-admin users to install or run applications without elevated permissions. This article will explain how this technique works, why it can be used successfully, the potential risks, how it can be saved in .bat
files for ease, and how system administrators can secure their systems against its misuse.
Overview: __COMPAT_LAYER=RunAsInvoker
The __COMPAT_LAYER=RunAsInvoker
environment variable is part of the Windows Compatibility Layer, which provides backward compatibility and helps applications run on different versions of Windows without modification. Setting this variable to RunAsInvoker
tells Windows to execute an application with the current user’s privileges, regardless of whether the executable usually requires elevation.
Basic Usage Example
- Open Command Prompt (no admin rights needed).
- Enter the following command:
set __COMPAT_LAYER=RunAsInvoker
Start application.exe
Replace application.exe
with the name of the program you want to run.
The application should now run as though it doesn’t require administrator privileges, allowing a standard user to bypass the User Account Control (UAC) prompt that would typically request admin credentials.
Automating with a .bat
File
To make this even easier, you can save these commands in a .bat
file, allowing you or others to simply double-click the file to run the application without needing admin rights. Here’s how:
- Open Notepad.
- Enter the following lines:
@echo off
set __COMPAT_LAYER=RunAsInvoker
Start application.exe
- Save the file with a
.bat
extension, for example,RunAppWithoutAdmin.bat
. - Now, double-clicking this
.bat
file will execute the application without requiring administrator privileges.
Using .bat
files to run applications with RunAsInvoker
can simplify the process, especially if you need to repeatedly bypass admin requirements.
How It Works
To understand why RunAsInvoker
works, we need to look into how Windows processes applications with compatibility layers.
- Compatibility Layers in Windows: Windows uses compatibility layers to adjust how programs behave based on compatibility issues observed with various applications across different Windows versions. By setting
__COMPAT_LAYER
toRunAsInvoker
, you’re telling Windows to ignore the program’s specified privilege level and simply run it with the permissions of the invoking user. - Privilege Control and UAC: Normally, applications needing higher privileges trigger a UAC prompt if the current user lacks sufficient permissions. However, when
RunAsInvoker
is applied, Windows skips the UAC prompt and runs the application without attempting to elevate it, respecting the user’s current privileges instead. - Environment Variable: The
set __COMPAT_LAYER=RunAsInvoker
command temporarily modifies the environment variable for the duration of that command prompt session, affecting only the application invoked within it. This variable is reset when the session closes.
Why This Technique Works
The reason this method works is due to Windows trusting the compatibility layer configuration provided by the user, as it assumes compatibility settings will be used responsibly. In this case, RunAsInvoker
essentially convinces Windows that the application should run without elevated privileges, even if it was coded to require them. For standard applications, this can be helpful, but it can also create a security vulnerability.
Use Cases
- Running Applications as a Standard User: This technique can be used by standard users to install or run applications without admin approval, as long as the application doesn’t depend on resources restricted to administrators (like certain system directories or registry keys).
- Testing Compatibility and Functionality: Developers and IT professionals might use this technique to test how applications behave under different privilege levels without needing admin access.
- Quick Bypass for Temporary Use: Saving the command in a
.bat
file allows users to quickly rerun applications without needing to re-enter commands in the Command Prompt.
Security Implications: How Hackers Can Exploit It
Unfortunately, the RunAsInvoker
trick can be exploited by malicious actors to circumvent restrictions set by system administrators. Here’s how:
- Bypassing Application Whitelisting: If an organization implements application whitelisting with elevation requirements, attackers might use
RunAsInvoker
to run unauthorized software under limited privileges, which could still allow harmful activity. - Running Potentially Malicious Installers: A user could inadvertently run an installer using
RunAsInvoker
that, under non-elevated rights, installs malware or spyware in a user’s profile directory (bypassing the need for admin directories). - Evading UAC Policies: By setting
RunAsInvoker
, users can bypass the UAC prompts that might otherwise prevent them from installing or running certain applications. This can lead to security vulnerabilities, especially if UAC prompts are configured to restrict certain software installations on corporate systems.
How System Administrators Can Secure Against RunAsInvoker
Since RunAsInvoker
is a legitimate feature in Windows, blocking it requires a multi-layered approach:
- Application Control Policies: Use AppLocker or Software Restriction Policies to tightly control which applications users can execute. Enforcing these policies can prevent unauthorized software from being run, even if
RunAsInvoker
is used. - Monitoring Environment Variables: Although monitoring environment variables in real-time can be challenging, endpoint detection solutions can sometimes flag suspicious use of commands. Advanced monitoring tools can alert administrators to unusual patterns or use of
__COMPAT_LAYER=RunAsInvoker
. - Restrict Command Prompt and PowerShell Access: Prevent non-admin users from running Command Prompt or PowerShell scripts unless necessary, which reduces the chance of them using the
RunAsInvoker
trick. - User Education and Policies: Inform users about the risks of running unauthorized software and the importance of UAC prompts. Users educated on best practices are less likely to misuse features like
RunAsInvoker
. - Third-Party Security Solutions: Endpoint protection platforms and behavioral analysis tools may detect and respond to suspicious activity associated with privilege elevation workarounds like
RunAsInvoker
.
Conclusion
Using set __COMPAT_LAYER=RunAsInvoker
offers a handy workaround to run applications without admin rights in environments where UAC prompts are common. While it can be helpful for running non-critical applications without requiring admin credentials, it also poses security risks when misused. By creating a .bat
file with this command, users can easily rerun applications without admin intervention. System administrators should be aware of the potential exploitation vectors and apply layered security measures to mitigate risks.
Disclaimer: This guide is for educational purposes. Use the RunAsInvoker
technique responsibly, and always comply with your organization’s security policies.