windowsbatch-filecompatibilityadministratoradmin-rights

What does '__COMPAT_LAYER' actually do?


Recently, i was trying to give my application administrator rights without system asking for "Do you want to give administrator rights?" and i found a way which is working perfectly.

Solution I Found

I created a bat file named nonadmin.bat and wrote the below code in it

cmd min C set __COMPAT_LAYER=RunAsInvoker && start "" %1

and if we drag any exe on it, it gives them administrator rights (before it was not letting me access environment variables without it but after draging the file on bat it did work).

Question

Now my question is:-

  1. What actually '__COMPAT_LAYER' means and what does it do?
  2. How do i remove such a thing so that it asks for administrator rights again?
  3. Does this reduce system security?

Solution

  • __COMPAT_LAYER, and How To Use It
    __COMPAT_LAYER is a system environment variable that allows you to set compatibility layers, which are the settings you can adjust when you right-click on an executable, select Properties, and go to the Compatibility tab.

    Imgur

    There are several options to choose from in addition to the one you know about:

    You can use multiple options by separating them with a space: set "__COMPAT_LAYER=Win98 640x480"

    Unsetting the __COMPAT_LAYER Variable
    These settings persist for as long as the variable exists. The variable stops existing when either the command prompt in which the variable was set is closed, or when the variable is manually unset with the command set __COMPAT_LAYER=.

    Since you are setting the variable via batch script, the variable is automatically unset once the executable you drag onto it completes and the script closes. It is important to note that the variable settings persist to any child processes that are spawned by the executable you select.

    The Security of Using __COMPAT_LAYER
    Setting __COMPAT_LAYER to RunAsInvoker does not actually give you administrator privileges if you do not have them; it simply prevents the UAC pop-up from appearing and then runs the program as whatever user called it. As such, it is safe to use this since you are not magically obtaining admin rights.

    You can also set the variable to RunAsHighest (only triggers UAC if you have admin rights, but also does not grant admin rights if you do not have them) or RunAsAdmin (always triggers UAC).