Running applications on Windows often requires administrator privileges, especially during installation. However, there’s a lesser-known workaround using __COMPAT_LAYER=RunAsInvoker that allows non-admin users to install or run applications without elevated permissions. This article will explain how this technique works, why it can be used successfully, the potential risks, how it can be saved in .bat files for ease, and how system administrators can secure their systems against its misuse.


Overview: __COMPAT_LAYER=RunAsInvoker

The __COMPAT_LAYER=RunAsInvoker environment variable is part of the Windows Compatibility Layer, which provides backward compatibility and helps applications run on different versions of Windows without modification. Setting this variable to RunAsInvoker tells Windows to execute an application with the current user’s privileges, regardless of whether the executable usually requires elevation.

Basic Usage Example

  1. Open Command Prompt (no admin rights needed).
  2. Enter the following commands:

     set __COMPAT_LAYER=RunAsInvoker
     start application.exe

Replace application.exe with the name of the program you want to run.

The application should now start without the User Account Control (UAC) prompt that would typically request admin credentials. It runs with the standard user's own privileges, as though it did not require administrator rights.

Automating with a .bat File

To make this even easier, you can save these commands in a .bat file, allowing you or others to simply double-click the file to run the application without needing admin rights. Here’s how:

  1. Open Notepad.
  2. Enter the following lines:

     @echo off
     set __COMPAT_LAYER=RunAsInvoker
     start application.exe

  3. Save the file with a .bat extension, for example, RunAppWithoutAdmin.bat.
  4. Now, double-clicking this .bat file will execute the application without requiring administrator privileges.

Using .bat files to run applications with RunAsInvoker can simplify the process, especially if you need to repeatedly bypass admin requirements.


How It Works

To understand why RunAsInvoker works, we need to look into how Windows processes applications with compatibility layers.

  1. Compatibility Layers in Windows: Windows uses compatibility layers to adjust how programs behave based on compatibility issues observed with various applications across different Windows versions. By setting __COMPAT_LAYER to RunAsInvoker, you’re telling Windows to ignore the program’s specified privilege level and simply run it with the permissions of the invoking user.
  2. Privilege Control and UAC: Normally, applications needing higher privileges trigger a UAC prompt if the current user lacks sufficient permissions. However, when RunAsInvoker is applied, Windows skips the UAC prompt and runs the application without attempting to elevate it, respecting the user’s current privileges instead.
  3. Environment Variable: The set __COMPAT_LAYER=RunAsInvoker command temporarily modifies the environment variable for the duration of that command prompt session, affecting only applications launched from that session. This variable is reset when the session closes.

Why This Technique Works

This method works because Windows trusts the compatibility layer configuration provided by the user, on the assumption that compatibility settings will be used responsibly. In this case, RunAsInvoker essentially convinces Windows that the application should run without elevated privileges, even if it was coded to require them. For standard applications, this can be helpful, but it can also create a security vulnerability.


Use Cases

  1. Running Applications as a Standard User: This technique can be used by standard users to install or run applications without admin approval, as long as the application doesn’t depend on resources restricted to administrators (like certain system directories or registry keys).
  2. Testing Compatibility and Functionality: Developers and IT professionals might use this technique to test how applications behave under different privilege levels without needing admin access.
  3. Quick Bypass for Temporary Use: Saving the command in a .bat file allows users to quickly rerun applications without needing to re-enter commands in the Command Prompt.

Security Implications: How Hackers Can Exploit It

Unfortunately, the RunAsInvoker trick can be exploited by malicious actors to circumvent restrictions set by system administrators. Here’s how:

  1. Bypassing Application Whitelisting: If an organization implements application whitelisting with elevation requirements, attackers might use RunAsInvoker to run unauthorized software under limited privileges, which could still allow harmful activity.
  2. Running Potentially Malicious Installers: A user could inadvertently run an installer using RunAsInvoker that, under non-elevated rights, installs malware or spyware in a user’s profile directory (bypassing the need for admin directories).
  3. Evading UAC Policies: By setting RunAsInvoker, users can bypass the UAC prompts that might otherwise prevent them from installing or running certain applications. This can lead to security vulnerabilities, especially if UAC prompts are configured to restrict certain software installations on corporate systems.

How System Administrators Can Secure Against RunAsInvoker

Since RunAsInvoker is a legitimate feature in Windows, blocking it requires a multi-layered approach:

  1. Application Control Policies: Use AppLocker or Software Restriction Policies to tightly control which applications users can execute. Enforcing these policies can prevent unauthorized software from being run, even if RunAsInvoker is used.
  2. Monitoring Environment Variables: Although monitoring environment variables in real-time can be challenging, endpoint detection solutions can sometimes flag suspicious use of commands. Advanced monitoring tools can alert administrators to unusual patterns or use of __COMPAT_LAYER=RunAsInvoker.
  3. Restrict Command Prompt and PowerShell Access: Prevent non-admin users from running Command Prompt or PowerShell scripts unless necessary, which reduces the chance of them using the RunAsInvoker trick.
  4. User Education and Policies: Inform users about the risks of running unauthorized software and the importance of UAC prompts. Users educated on best practices are less likely to misuse features like RunAsInvoker.
  5. Third-Party Security Solutions: Endpoint protection platforms and behavioral analysis tools may detect and respond to suspicious activity associated with privilege elevation workarounds like RunAsInvoker.
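
One way to implement the monitoring idea from item 2, as an added example that is not part of the original article: a small Python detector that flags command lines and batch files which set __COMPAT_LAYER to a value containing RunAsInvoker. The event records, the batch text, and the layer name OtherLayer are constructed sample data, and the record fields (user, command_line) are assumptions about how your logging exports process-creation events.

```python
import re

# Any syntax that writes __COMPAT_LAYER=<value>: cmd.exe `set`, quoted `set "..."`,
# or PowerShell `$env:__COMPAT_LAYER = '...'`. The value is a space-separated layer list.
ASSIGN = re.compile(r"""__COMPAT_LAYER\s*=\s*["']?(?P<value>[^"'&|\r\n]*)""", re.I)
COMMENT = re.compile(r"^\s*(?:rem\b|::)", re.I)  # batch comment lines


def find_runasinvoker(text):
    """Return [(line_number, layer_value)] for lines that set RunAsInvoker."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if COMMENT.match(line):
            continue  # a commented-out assignment has no effect
        for match in ASSIGN.finditer(line):
            value = match.group("value").strip()
            # An empty value clears the variable; only flag the RunAsInvoker token.
            if "runasinvoker" in (token.lower() for token in value.split()):
                hits.append((number, value))
    return hits


def triage(events):
    """Return process-creation events whose command line sets RunAsInvoker."""
    return [e for e in events if find_runasinvoker(e["command_line"])]


# Constructed sample data (not from the article): process-creation records as an
# EDR or audit log might export them, and the text of a user-writable batch file.
SAMPLE_EVENTS = [
    {"user": "alice", "command_line": 'cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker&& start setup.exe"'},
    {"user": "bob", "command_line": "powershell.exe -Command \"$env:__compat_layer = 'RunAsInvoker'; .\\setup.exe\""},
    {"user": "carol", "command_line": 'cmd.exe /c "set __COMPAT_LAYER=&& start app.exe"'},
    {"user": "dave", "command_line": "cmd.exe /c echo RunAsInvoker"},
]
SAMPLE_BAT = """@echo off
rem set __COMPAT_LAYER=RunAsInvoker
set "__COMPAT_LAYER=OtherLayer RunAsInvoker"
Start application.exe
"""

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("flag:", event["user"], "->", event["command_line"])
    for number, value in find_runasinvoker(SAMPLE_BAT):
        print(f"flag: batch line {number} sets __COMPAT_LAYER={value}")
```

Because set is a cmd.exe built-in, typing it at an interactive prompt creates no new process and leaves nothing in process-creation logs. Scanning .bat files in user-writable locations with find_runasinvoker covers that gap for the scripted case the article describes.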

Conclusion

Using set __COMPAT_LAYER=RunAsInvoker offers a handy workaround to run applications without admin rights in environments where UAC prompts are common. While it can be helpful for running non-critical applications without requiring admin credentials, it also poses security risks when misused. By creating a .bat file with this command, users can easily rerun applications without admin intervention. System administrators should be aware of the potential exploitation vectors and apply layered security measures to mitigate risks.

Disclaimer: This guide is for educational purposes. Use the RunAsInvoker technique responsibly, and always comply with your organization’s security policies.

Last Update: November 5, 2024
