Run At Startup + Always Run As Administrator does not work if Admin User is different user

[MichaelPeter]

ℹ Computer information: Windows 10 1909 Build 18363.959

Following Problem: I have two users, user1 and user1admin. user1 does not have admin rights on the maschine, user1admin does.

1. I am working as user1 - my windows boots as user1

2. I start Power Toys I can check Run At Startup

3. But for Always Run as Administrator I have restart - it is greyed out.

4. I click restart and enter the credentials for user1admin.

5. PowerToys restarts now in admin mode (as user1admin process).

6. I can set AlwysRunAs Administrator to true.

7. I can drag admin windows.

8. I restart the Maschine, now PowerToys has Always run as Administrator false and doesn't run as administrator.

Now why I belive what is the error: When I check the settings.json: C:\Users\user1\AppData\Local\Microsoft\PowerToys\settings.json "is_admin":false C:\Users\user1admin\AppData\Local\Microsoft\PowerToys\settings.json "is_admin":true

Since I restarted as a differnt user (user1admin) the setting.json was just updated for user1admin. But when I boot windows I am user1. And user1 has still is_admin: false.

Now my question is can you solve this? Or is there a solution for me? I wanted to set the startup.exe to always run as user1admin but so far I did not find where the autostart is for power toys (registry?), just found this issue.: https://github.com/microsoft/PowerToys/issues/5810

I would like to set that the autostart of powertoys is always executed as admin1user. Maybe you can add a paragraph in the adminmode section.

• Windows build number: [run "winver"] Windows 10 1909 Build 18363.959
• PowerToys version: 20.0
• PowerToy module: Fancy Zones

Why is it like that: My company has a serious security concept as it should be. Our normal users have no admin privileges. If I need admin privileges I need to start the application with my admin account. Now I am a developer and if I want to debug a webpage I need to run visual studio in admin mode to allow the process to register an url. This visual studio window then cannot be moved by Fancy Zones since it runs in admin mode.

Thank you very much Greetings Michael

[enricogior]

This is actually a bug in the new Settings app that doesn't hide the option if the user account is not a member of the Administrators group. Reference https://github.com/microsoft/PowerToys/issues/2002

[MichaelPeter]

So the bug is that the setting is acutally shown? But I want the setting to be shown - otherwise I have no way of running as Administrator.

So if I understand you correctly, fixing the Setting-Editor bug would not solve my problem?

What I want to achive is that powertoys.exe is run as user1admin if user1 is logged in. Wouldn't that require a system wide setting.json?

I would also be ok with a workarround. By manually setting that the powertoys.exe is run as user1admin for example

[enricogior]

@MichaelPeter currently we don't support running PT as a different user, so running as Administrator if the user account is not a member of the Administrators groups is also not working (it's a special case of run as different user). There are a few things that are currently preventing this scenario, let's use this issue to sort them out.

[MichaelPeter]

Hello @enricogior,

thank you very for assisting me in this.

Greetings Michael

[enricogior]

Removed the Issue-Bug label, since this is currently by design and we don't have plans to change it.

[ThermoMan]

While the implementation may not be bugged I believe that the design IS bugged. Perhaps instead of running as admin the program should run as SYSTEM. It should not be a user program but run at a higher level. The UI might be able to run with lower permissions and just request actions of the portion of the program running as SYSTEM.

[NapAlot]

Why is this not run as a service or in some way we can leave it as "always" admin. Basically we have to run it at startup every time and enter creds. Which, I have found, never works. I just starts as the standard user.

[daneasley]

This is a really lousy design flaw. I shouldn't need to give my user administrative privileges just so the Control key can go back to where it doesn't cause physical pain.

[ghost]

PowerToys are so good and simple, but I am switching to another software - I am tired of giving adm privileges to it on every windows boot.

[DustbinK]

I wanted to echo that I have similar troubles with this and I would appreciate some sort of solution even if it's something to setup in the Task Scheduler. I login as a standard user for security purposes rather than using my administrator account for daily use. The main function I use in PowerToys is FancyZones which needs administrator access to work correctly. I have to open the app, okay access via admin account, then re-setup my zones as I prefer them each time. I've tried the new built-in zones features in Windows 11 on another system and they're better but don't address my use case of overlapping zones in a vertical monitor.

[Yuugen64]

I would also like to second the motion of re-thinking this design if at all possible. PowerToys really became a collection of utilities that exemplify function without forced tinkering for me, at least before this issue.

I too now run a separate account that is NOT an admin account for the purposes of security, and having to re-enter the credentials every login for my personal account is tedious. To hear that its accidental to begin with doesn't really inspire hope either; these tools are super useful and are one of the better parts of modern WIndow's IMO, but requiring me to run a USER with admin privileges is a tall ask.

If at all possible down the line, I hope any developers on this project re-consider the security trade-offs for utility, and hope that this could be fixed to allow for non-admin users to run this suite as something like a WIndow's service instead of an admin-level application. Solid work everywhere else, though!

[samsong]

I have same problem. My user account is not administrator (security reason). I have access to administrator account & can manually run as administrator.

Is there a way to start powertoys at boot as administrator if the default user is not administrator? Perhaps just make it a scheduled task manually? Couldn't this be done in the settings implementation of powertoys?

[hrdflt]

I have the same issue. I have to manually restart powertoys as administrator each time to get my fancyzones working again. I am pretty much using powertoys exclusively for this feature -- as such this is extremely annoying and pretty much a deal breaker.

Many applications can just always run in administrator mode (vpn applications come to mind) at the very least just have an option to allow this, or run it as a service as others have stated.

[winklerrr]

Same problem here! Are any workarounds available in the meantime?

[andrewgrasman]

Workaround: https://community.spiceworks.com/how_to/86844-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator

[derivativeoflog7]

Workaround: https://community.spiceworks.com/how_to/86844-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator

runas /savecred is RIDICOULUSLY unsecure. If you use it, anyone can change that shortcut to point to any other program and Windows will happily run it as admin without prompting for credentials

[derivativeoflog7]

The annoying thing about this is, I too have a separate admin account and several applications that need to run as admin to work properly. So I made a batch file that elevates via UAC and asks for authentication at every boot; whatever, no big deal. But after I authenticate, all the applications start elevated... except PoweToys that starts in user mode anyway!

[daneasley]

I swap the Control and Caps Lock keys due to a repetitive stress injury. Every time my computer restarts, I get the impression that Microsoft, by design, doesn't care whether I'm in physical pain or not. Coming from the Linux world, I'm dumbfounded that such a simple and useful accessibility tool is referred to as a "PowerToy". It's not a toy, and calling it that doesn't excuse bad design.

[derivativeoflog7]

I swap the Control and Caps Lock keys due to a repetitive stress injury. Every time my computer restarts, I get the impression that Microsoft, by design, doesn't care whether I'm in physical pain or not. Coming from the Linux world, I'm dumbfounded that such a simple and useful accessibility tool is referred to as a "PowerToy". It's not a toy, and calling it that doesn't excuse bad design.

There are other key remapping tools that don't require to be running, iirc all they do is change some keys (ha ha) in the registry because it's natively supported (eg KeyTweak)

[daneasley]

There are other key remapping tools that don't require to be running, iirc all they do is change some keys in the registry because it's natively supported (eg KeyTweak)

Thanks so much for the tip! I've manually edited the registry, and uninstalled PowerToys.

[jackharro]

I'm surprised that PowerToys runs as users and admins rather than being a service. Smells like jank city.

[ThermoMan]

Services are not typically interactive. This is 100% a UI/Interactive type application. Perhaps if a portion of it ran as a service providing root access with a UI that does not need elevated privileges - but I think it's not a monolithic app, I think it's a skin placed on top of 100 unrelated programs that probably don't even share a common architecture.

Perhaps there is a code refactor in the future that might take under advisement all the suggestions from this user community?

[derivativeoflog7]

No matter how many times I toggle the autostart & autostart as admin settings, after not a long time the app stops starting, making it basically useless!

[Andrew-J-Larson]

The annoying thing about this is, I too have a separate admin account and several applications that need to run as admin to work properly. So I made a batch file that elevates via UAC and asks for authentication at every boot; whatever, no big deal. But after I authenticate, all the applications start elevated... except PowerToys that starts in user mode anyway!

@derivativeoflog7 Disable the native setting "Run at startup" in PowerToys, and put this in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup:

PowerToysRunAsAdmin.bat (Click to show code)

```bat :::::::::::::::::::::::::::::::::::::::::::: :: Elevate.cmd - Version 5 :: Automatically check & get admin rights :: see "https://stackoverflow.com/a/12264592/1016343" for description :::::::::::::::::::::::::::::::::::::::::::: @echo off CLS ECHO. ECHO ============================= ECHO Running Admin shell ECHO ============================= :init setlocal DisableDelayedExpansion set cmdInvoke=1 set winSysFolder=System32 set "batchPath=%~dpnx0" rem this works also from cmd shell, other than %~0 for %%k in (%0) do set batchName=%%~nk set "vbsGetPrivileges=%temp%\OEgetPriv_%batchName%.vbs" setlocal EnableDelayedExpansion :checkPrivileges NET FILE 1>NUL 2>NUL if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges ) :getPrivileges if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges) ECHO. ECHO ************************************** ECHO Invoking UAC for Privilege Escalation ECHO ************************************** ECHO Set UAC = CreateObject^("Shell.Application"^) > "%vbsGetPrivileges%" ECHO args = "ELEV " >> "%vbsGetPrivileges%" ECHO For Each strArg in WScript.Arguments >> "%vbsGetPrivileges%" ECHO args = args ^& strArg ^& " " >> "%vbsGetPrivileges%" ECHO Next >> "%vbsGetPrivileges%" if '%cmdInvoke%'=='1' goto InvokeCmd ECHO UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%vbsGetPrivileges%" goto ExecElevation :InvokeCmd ECHO args = "/c """ + "!batchPath!" + """ " + args >> "%vbsGetPrivileges%" ECHO UAC.ShellExecute "%SystemRoot%\%winSysFolder%\cmd.exe", args, "", "runas", 1 >> "%vbsGetPrivileges%" :ExecElevation "%SystemRoot%\%winSysFolder%\WScript.exe" "%vbsGetPrivileges%" %* exit /B :gotPrivileges setlocal & cd /d %~dp0 if '%1'=='ELEV' (del "%vbsGetPrivileges%" 1>nul 2>nul & shift /1) :::::::::::::::::::::::::::: ::START :::::::::::::::::::::::::::: start "" /d "C:\Program Files\PowerToys\" "C:\Program Files\PowerToys\PowerToys.exe" ```

But, like you noted here:

runas /savecred is RIDICOULUSLY unsecure. If you use it, anyone can change that shortcut to point to any other program and Windows will happily run it as admin without prompting for credentials

Technically, anyone could modify that file to point to a malicious program, and then you'd be in the same situation as the "savecred" guy, since this is all that's shown in the UAC prompt:

Show image


[Andrew-J-Larson]

A safer way may be to just modify the config file at %localappdata%\Microsoft\PowerToys\settings.json, as noted here:

• https://github.com/microsoft/PowerToys/issues/20457#issuecomment-1270066497

  I changed "is_elevate", "run_elevated", and "is_admin" to true.

And just make a normal shortcut to PowerToys in the Startup folder (also requiring the native "Run at startup" option disabled in the app), which is noted to be working here:

• https://github.com/microsoft/PowerToys/issues/20457#issuecomment-1272346798

  As a standard user, the above fix worked. As admin the startup setting also worked after I placed a shortcut in the C:\Program data\Microsoft\Windows\Programs\Startup folder. I should be able to replicate this for the standard user.

I can also confirm that a proper UAC elevation prompt works on my end when modifying my settings and creating the shortcut in the Startup folder.

[derivativeoflog7]

A safer way may be to just modify the config file at %localappdata%\Microsoft\PowerToys\settings.json, as noted here:

* [Run as admin and run at startup options do not persist after restart #20457 (comment)](https://github.com/microsoft/PowerToys/issues/20457#issuecomment-1270066497)

I changed "is_elevate", "run_elevated", and "is_admin" to true.

And just make a normal shortcut to PowerToys in the Startup folder (also requiring the native "Run at startup" option disabled in the app), which is noted to be working here:

* [Run as admin and run at startup options do not persist after restart #20457 (comment)](https://github.com/microsoft/PowerToys/issues/20457#issuecomment-1272346798)

As a standard user, the above fix worked. As admin the startup setting also worked after I placed a shortcut in the C:\Program data\Microsoft\Windows\Programs\Startup folder. I should be able to replicate this for the standard user.

I can also confirm that a proper UAC elevation prompt works on my end when modifying my settings and creating the shortcut in the Startup folder.

In the end I kept using the .bat file in conjunction with gsudo to run it elevated... not safe, but I was optimist since I ran most sketchy apps inside a sandbox or VM
And for the other solution you proposed... well since writing that comment I switched to Linux as my daily driver, so I can't exactly try it here