I whitelisted a legacy app via the RunAsInvoker registry key, which works fine.
However, when the user selects the repair option offered by the app, the whitelisted app actually executes msiexec /fa installer.msi, which requires admin rights.
What would be the best option to whitelist msiexec when called from another app?
1 Answer
To force a program that requires elevation to run without elevation, use this command:
cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker && msiexec /fa installer.msi"
However, the installer might in this case not be able to do its job if it requires access to admin-only folders.
An alternative is to use the Nirsoft tool RunWithoutElevation with a command like:
RunWithoutElevation.exe msiexec /fa installer.msi
The values for __COMPAT_LAYER are:
RunAsInvoker: The application should run with the same privileges and user rights as the parent process.
RunAsHighest: The application should run with the highest Windows privileges and user rights the current user can obtain, but not necessarily require the user to be an administrator.
RunAsAdmin: The application should run only for administrators, must be launched with a full administrator access token, and will not run correctly in a standard user context.
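
An added example, not part of the original answer: a PowerShell inventory of the executables whose stored compatibility entry sets one of the three layers listed above, so an administrator can review which programs have had their elevation behaviour overridden. It assumes the RunAsInvoker whitelist from the question lives in the standard AppCompatFlags\Layers key under HKCU or HKLM; the function name Get-ElevationLayerEntry is hypothetical.

```powershell
# Added example: list per-executable compatibility layers that change elevation.
# Assumption: entries are stored in the standard AppCompatFlags\Layers key, where
# each value name is a full executable path and the data is a token list.
$layersPath      = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$elevationLayers = 'RUNASINVOKER', 'RUNASHIGHEST', 'RUNASADMIN'

function Get-ElevationLayerEntry {
    param([string[]]$Hives = @('HKCU:', 'HKLM:'))

    foreach ($hive in $Hives) {
        $key = Join-Path $hive $layersPath
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key is absent until first use

        $item = Get-Item -LiteralPath $key
        foreach ($exePath in $item.GetValueNames()) {
            if ([string]::IsNullOrEmpty($exePath)) { continue } # skip the (Default) value

            # Data is space-separated, for example "~ RUNASINVOKER"
            $data   = [string]$item.GetValue($exePath)
            $tokens = $data.ToUpperInvariant() -split '\s+' | Where-Object { $_ }
            $hits   = @($tokens | Where-Object { $elevationLayers -contains $_ })
            if ($hits.Count -eq 0) { continue }

            [pscustomobject]@{
                Hive       = $hive.TrimEnd(':')
                Executable = $exePath
                Layers     = $hits -join ','
                RawData    = $data
                # A missing target means the entry is stale and can be cleaned up
                FileExists = Test-Path -LiteralPath $exePath
            }
        }
    }
}

Get-ElevationLayerEntry | Format-Table -AutoSize

# The environment variable form affects every child of the current session
if ($env:__COMPAT_LAYER) {
    "Current session has __COMPAT_LAYER=$($env:__COMPAT_LAYER)"
}
```

HKLM entries apply to all users of the machine and HKCU entries only to the current user, so run the script in the affected user's session to see that user's entries.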