Expert help requested for removing UAC user account control task scheduler syntax

My question is how to get removal of UAC to work for ANY VPN config file?
o openvpn.exe anyfile.ovpn == I want this to run without UAC popups

What I simply want is any command below to run without the UAC popup:
a. openvpn.exe file1.ovpn
b. openvpn.exe file2.ovpn
c. openvpn.exe file3.ovpn
etc. (where the only difference is in the configuration file name)

This is what happens if you do NOT turn off UAC popups:
1. I doubleclick on any of six thousand openvpn config files
2. The *.ovpn default file type is set to open using openvpn.exe
3. Openvpn.exe is set to [x]Run this program as an administrator
But the UAC account control form always pops up first.

All I want is for that UAC popup to go away when I connect to VPN.
o These are experiments I've made, all of which remove the UAC popup:

A. I can turn UAC off globally which, of course, is the easy way out:
Win+R UserAccountControlSettings.exe Never notify me

Then I just doubleclick on any one of six thousand openvpn files,
each of which opens in openvpn.exe, which is set to
[x]Run this program as an administrator (which is required to work)
and then I'm connected to VPN.

But in that case, UAC is completely turned off for everything.
So there must be a better way.

B. I can turn off UAC for just one command in the task scheduler:

Win+R taskschd.msc /s Create Task OpenVPN Daemon
[x]Run with highest privileges == this is what bypasses the UAC prompt
Actions New Start a program C:\app\network\openvpn\bin\openvpn.exe
Arguments = C:\app\network\openvpn\config\file_1.ovpn

But that task circumvents UAC for only that one vpn configuration file.

C. I can create a link to run that one VPN config file without UAC
C:\path\file_1.lnk
TARGET = C:\Windows\System32\schtasks.exe /run /TN "OpenVPN Daemon"

Where I can then create a new "StartVPN" command in the AppPaths key:
Win+R StartVPN
Which connects to VPN without UAC if the following key is created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\StartVPN.exe
Default = C:\path\file_1.lnk
(Note there is never an executable of that name; it's just a keyword.)

Notice all this works just fine but it only works for one VPN config file.
o My question is how to get removal of UAC to work for ANY VPN config file?

What I simply want is any command below to run without the UAC popup:
a. openvpn.exe file1.ovpn
b. openvpn.exe file2.ovpn
c. openvpn.exe file3.ovpn
etc.
--
Usenet allows people to find solutions that aren't generally on the net.

On Tue, 18 Aug 2020 19:37:33 -0000 (UTC), Arlen Holder wrote:

What I simply want is any command below to run without the UAC popup:
a. openvpn.exe file1.ovpn
b. openvpn.exe file2.ovpn
c. openvpn.exe file3.ovpn
etc. (where the only difference is in the configuration file name)

Note that the problem is only one of syntax since it's trivial to remove UAC for a command that has no arguments.

As an example of removing UAC for a command that has no arguments, consider running "regedit" on Windows (let's call the new command "regopen") without UAC.

Here's a tutorial you can test right now for running "regopen" without UAC.

Win+R taskschd.msc /s Task Scheduler Library Create Task
Name = Regedit Task
Description = Run regedit without UAC popup (let's call it "regopen")
[x]Run with highest privileges == this is what bypasses the UAC prompt
Actions New Start a program C:\Windows\regedit.exe
Arguments = blank
Start in = blank
[OK]

This then works without UAC; but it's too complicated to easily remember:
Win+R C:\Windows\System32\schtasks.exe /run /TN "Regedit Task"

To use an easily remembered command, just create a shortcut with an easy name:
Name = C:\data\sys\apppath\link\regopen.lnk
TARGET = C:\Windows\System32\schtasks.exe /run /TN "Regedit Task"
Startin = %windir%\system32

To simplify execution, point to that shortcut with the AppPaths key, e.g., "regopen"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
New Key = regopen.exe (note this is just a keyword; the exe doesn't exist!)
default = C:\data\sys\apppath\link\regopen.lnk

Now, to edit the registry with UAC popping up all the time, you can still type:
Win+R regedit
But, if you do NOT want UAC to pop up all the time, now you can type just:
Win+R regopen

Voila!
To open the registry without UAC popups, you just type "regopen".

There are two SYNTAX problems I'm trying to solve in this thread:

1. I'm trying to get the AppPaths SYNTAX to work WITHOUT requiring the shortcut.
For example, this syntax doesn't work (but I don't know why):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
New Key = regopen.exe (note this is just a keyword; the exe doesn't exist!)
default = C:\Windows\System32\schtasks.exe /run /TN "Regedit Task"

It seems to me that syntax should work; but it doesn't work. (Dunno why not.)

I also tried the comspec syntax:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
New Key = regopen.exe (note this is just a keyword; the exe doesn't exist!)
default = %comspec% /k C:\Windows\System32\schtasks.exe /run /TN "Regedit Task"

I'm also testing out some of this batch-command syntax as we speak:
https://www.autoitscript.com/forum/topic/9358-examples-of-comspec-formatting/

2. I'm trying to remove UAC for commands that have arbitrary arguments, e.g.,
While I can easily get _one_ command to work (e.g., regopen above)...
And while I can easily get a _specific_ command to work (e.g., openvpn file.ovpn)

What I can't yet figure out is how to get _any_ command option to work sans UAC!
a. openvpn.exe file1.ovpn
b. openvpn.exe file2.ovpn
c. openvpn.exe file3.ovpn
etc. (where the only difference is in the configuration file name)

It's a SYNTAX problem that I'm hoping someone on this newsgroup knows how to solve.

On Tue, 18 Aug 2020 22:11:55 -0000 (UTC), Arlen Holder wrote:

It's a SYNTAX problem that I'm hoping someone on this newsgroup knows how to solve.

As another useful example that others may benefit from, try this:
o Summary: [Note: Use any paths you like; I'm just pasting below from my logs.]

To kill your network (e.g., when installing programs), just run "killgw".
o Here is how to set up that "killgw" kill-gateway command in minutes:

1. Obtain the LiquidVPN network-kill-switch batch file:
https://www.liquidvpn.com/vpn-kill-switches/

The batch text file can be downloaded with this URL:
https://my.liquidvpn.com/dl.php?type=d&id=49
Name: LiquidVPN-Kill-Switch.bat
Size: 2747 bytes (2 KiB)
SHA256: 933B7BD76EECB04D57A1A55E972C868D0460EB21021C16ED0A BC0B02EBD532A7

2. Rename the file to killgw.bat and put into your system directory, e.g.,
c:\data\sys\batch\killgw.bat

Manually edit the default gatway from 192.168.0.1 to whatever yours is
(e.g., 192.168.1.1, or whatever).

3. Remove UAC by setting up a scheduled task, shortcut, & app paths:
Win+R taskschd.msc /s Task Scheduler Library RMB Create Task
Name = Killgw Task
Description = Kill the network gateway without UAC popups
[x]Run with highest privileges == this is what bypasses the UAC prompt
Actions New Start a program c:\data\sys\batch\killgw.bat
Arguments = blank
Start in = blank
[OK][OK][File Exit]

Test that your task now runs without those annoying UAC popups:
Win+R C:\Windows\System32\schtasks.exe /run /TN "Killgw Task"

To use an easily remembered command, just create a shortcut with a simple name:
Name = C:\data\sys\apppath\link\killgw.lnk
TARGET = C:\Windows\System32\schtasks.exe /run /TN "Killgw Task"
Startin = %windir%\system32

To simplify execution, point to that shortcut with any desired AppPaths key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
New Key = killgw.exe (note this is just a keyword; the exe doesn't exist!)
default = c:\data\sys\batch\killgw.bat

Voila!

Now, to kill the network gateway without the UAC popups, just type:
Win+R killgw

(Re-establishing the gateway is as simple as re-running the command.)

That works great; but the two syntax problems I'm having with this method a
a. How do we create a usable AppPaths WITHOUT having to also create a shortcut?
b. What is the syntax for commands that have arbitrary file name options, e.g.,
openvpn.exe file1.ovpn
openvpn.exe file2.ovpn
openvpn.exe file3.ovpn
--
Any help on those two syntax problems would be greatly appreciated.

On Wed, 19 Aug 2020 05:53:24 -0000 (UTC), Arlen Holder wrote:

Voila!
Now, to kill the network gateway without the UAC popups, just type:
Win+R killgw

Here's a tutorial for disabling "Secure Desktop" if you're interested.

I almost always solve all Windows problems and annoyances (often with your
expert help), where I have been searching deeper and deeper to find how to
turn off the UAC prompts for any given executable that can have any given
number of arguments.

Note: It's trivial to turn off the UAC prompt for any given executable:
o Win+R regedit == inokes regedit only after you accept the UAC prompt
o Win+R regopen == runs regedit without the UAC prompt

And, it's trivial to turn off the UAC prompt for a given command+option
o Win+R openvpn.exe given-a-specific-config-file.ovpn

But what I'm trying to turn off the UAC prompt is for the executable (in
this case, openvpn.exe) and _any_ of thousands of free VPN service files.

I'm not there yet, but in the quest, I did just now turn off the UAC
dimming of the screen, which Microsoft calls "Secure Desktop".

Here's a quick tutorial of how to turn off "Secure Desktop" from taking
over your screen, both dimming it and disallowing your use of the screen
while the UAC prompt is active:

1. First test UAC prompt dimming (aka "Secure Desktop") actions:
Win+R regedit
Notice that the screen dims when the UAC prompt is active.
Notice that you can't do anything else on that "secure desktop".

2. Then see if you already have the 32-bit DWORD for SecureDesktop:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System
DWORD (32-bit) Value
Value name: PromptOnSecureDesktop
Value data = 1
Base = Hexadecimal

Note: 1 means run "Secure Desktop"; 0 means don't disable the desktop.

3. My registry already had the key so I simply changed the value.

It's common to then add a "log" to that change in the "Favorites" menu:
Regedit: Favorites Add to Favorites
"20200820 modified PromptOnSecureDesktop (0 = no prompt, 1 = prompt)"

Voila!

Now test UAC prompt dimming (aka "Secure Desktop") actions:
Win+R regedit

Your UAC will still pop up, but "Secure Desktop" won't occur;
this way you can do other things (if that's what you want)
while that UAC popup is active.
--
Every time I try to solve one problem, I end up solving more than one.

UPDATE: This _almost_ works!
a. The tutorial below runs openvpn on _any_ of thousands of config files
b. Without popping up the UAC consent prompt (so that problem is solved)
c. But, unfortunately, openvpn.exe doesn't run as administrator yet

So we've solved _two_ of the three problems, where if this wasn't openvpn
(which has a special requirement to run as administrator), we'd be done.

The tutorial below is based on using the Windows Assessment & Deployment Kit
o How To Disable UAC Prompt For Specific Applications In Windows 10
https://zamarax.com/2020/02/10/how-to-disable-uac-prompt-for-specific-applications-in-windows-10/

Unfortunately, that ADK tutorial uses regedit.exe as the example
o Regedit.exe is different from openvpn.exe in two key ways:
a. Regedit.exe doesn't generally run with arbitrary arguments (openvpn.exe always does),
b. Regedit.exe doesn't require administrator execution to work (openvpn.exe always does).

Nonetheless, it "almost" worked so I'm sure only a tweak to
the instructions below are needed to get openvpn to work without
the UAC consent prompt on thousands of files using the Windows ADK.

Here is the step by step tutorial I wrote up using the Windows ADK:

1. Completely independent of UAC issues, this step is required for
openvpn to work when you doubleclick on any of thousands of freely
obtained ovpn configuration files to connect to VPN:

RMB on C:\app\network\openvpn\bin\openvpn.exe Properties Compatibility
[x]Run this program as an administrator
[Change settings for all users]
[x]Run this program as an administrator
[OK][OK]
https://hide.me/en/vpnsetup/windows10/openvpn/

Note: If you skip that "run as administrator" step, you'll connect to the VPN
server but your IP address will still be that of your ISP, which you can test using:
curl icanhazip.com

2. Set a doubleclick on any ovpn file to run in the OpenVPN Daemon (openvpn.exe):

Open up the "Default apps" section of Windows 10 settings:
Win+R ms-settings:defaultapps Choose default apps by file type .ovpn
Choose an app OpenVPN Daemon

Or manually set Windows default file associations to open *.ovpn files:
- Right click on any *.ovpn text configuration file in Windows 10
Notice it doesn't yet say "Open With "OpenVPN Daemon".
- Select "Open with" and then "Choose another app".
- Also set "[x]Always use this app to open *.ovpn files".
- Change from: *.ovpn starts with the OpenVPN GUI
- Change to: *.ovpn starts with the OpenVPN Daemon
If you don't see that as a selection, navigate to:
c:\app\network\openvpn\bin\openvpn.exe == that's the OpenVPN daemon

Now, if you doubleclick on any ovpn file, it will connect to the VPN server.
o You can test your IP address with "curl icanhazip.com".

3. The only problem is that the UAC consent prompt pops up, which is a PITA,
particularly when you select a dozen ovpn files at a time to run (where the
connection is for the first one that works - the rest will fall off).

You can easily turn off UAC consent prompst altogether, but that's too much:
Win+R UserAccountControlSettings.exe Never notify me

4. You can also easily turn off UAC for a "specific" ovpn file, e.g.,
Win+R taskschd.msc /s Create Task OpenVPN Daemon
[x]Run with highest privileges == this is what bypasses the UAC prompt
Actions New Start a program C:\app\network\openvpn\bin\openvpn.exe
Arguments = C:\app\network\openvpn\config\file_1.ovpn

But that task circumvents UAC for only that one vpn configuration file.

Note: You can create an easily remembered shortcut command to that task:
C:\data\sys\apppath\ovpn_0001.lnk
TARGET = C:\Windows\System32\schtasks.exe /run /TN "OpenVPN Daemon"

Where you can also create a new "vpn0001" command using the AppPaths key:
Win+R vpn0001
This connects to VPN without UAC if the following key is also created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vpn0001.exe
(Note ending the keyword with 'exe' is a requirement for AppPaths keys.)
Default = C:\data\sys\apppath\ovpn_0001.lnk

This works fine to connect to the VPN server and to skip UAC; but you
have to set this up for _every_ one of your thousands of ovpn files!

5. Maybe this tutorial will work on all six thousand ovpn config files?
o How To Disable UAC Prompt For Specific Applications In Windows 10
https://zamarax.com/2020/02/10/how-to-disable-uac-prompt-for-specific-applications-in-windows-10/

Download & install the Windows Windows Assessment and Deployment Kit (ADK):
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
https://go.microsoft.com/fwlink/?linkid=2120254
https://download.microsoft.com/download/8/6/c/86c218f3-4349-4aa5-beba-d05e48bbc286/adk/adksetup.exe
Name: adksetup.exe
Size: 1934336 bytes (1889 KiB)
SHA256: 64313BBB8D087328DEEECEC76F6B52648A42924E7CA64D16A2 A0D75FA8442EFA

6. While on the network, run the adksetup.exe stub and do NOT elect to download the full 1.1 GB installer:
(o)Install the Windows Assessment and Deployment Kit - Windows 10 to this computer
Install Path (default) = C:\Program Files (x86)\Windows Kits\10\
Note: I put it where it belongs, which, for me, is: C:\app\os\adk\

Note you don't want to download the entire ADK which is 1.1 GB & many cab files!
(_)Download the Windows Assessment and Deployment Kit - Windows 10 for installation on a separate computer
Download Path (default) = C:\Users\{uname}\Downloads\Windows Kits\10\ADK

7. Accept the license and decline the usage statistics and then you will have the choice of:
Select the features you want to install
[x]Application Compatibility Tools == this is the only checkbox you need for this tutorial
[_]Deployment Tools
[_]Imaging And Configuration Designer (ICD)
[_]Configuration Designer
[_]User State Migration Tool (USMT)
[_]Volume Activation Management Tool (VAMT)
[_]Windows Performance Toolkit
[_]Windows Assessment Toolkit
[_]Microsoft User Experience Virtualization (UE-V) Template
[_]Microsoft Application Virtualization (App-V) Sequencer
[_]Microsoft Application Virtualization (App-V) Auto Sequencer
[_]Media eXperience Analyzer
[_]Windows IP Over USB

Check only the Application Compatibility Tools item & press [Install][Close].

This will install (among other things) a 32-bit & 64-bit compatability mode utility:
"C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
"C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (64-bit)\Compatadmin.exe"

8. Check if the command you want it to run on is 32 bit or 64 bit:
Right click on openvpn.exe & select "Properties" "Compatibility"
Temporarily check the Compatibility Mode option of [x]Run this program in compatibility mode for:
[Windows Vista] == if this is the first entry, then your executable is 64-bit
[Windows Vista (Service Pack 1)
[Windows Vista (Service Pack 2)
[Windows 7]
[Windows 8]

Note: If Windows XP is on the list, then your executable is 32-bit,
where you will likely also see even older Windows versions listed:
[Windows 95]
[Windows 98 / Windows Me]
[Windows XP (Service Pack 2)
[Windows XP (Service Pack 3)

Doublecheck with 7zip which returns either "CPU = x64" or "CPU = x86":
C:\app\archiver\7zip\7z.exe l "C:\app\network\openvpn\bin\openvpn.exe" | findstr CPU
CPU = x64

For example, with SRWare Iron:
C:\Windows\system32C:\app\archiver\7zip\7z.exe l "C:\app\browser\iron\chrome.exe" | findstr CPU
CPU = x64
C:\Windows\system32C:\app\archiver\7zip\7z.exe l "C:\app\browser\iron\iron.exe" | findstr CPU
CPU = x86

For regedit, I seem to have two executables:
C:\app\archiver\7zip\7z.exe l "C:\Windows\regedit.exe" | findstr CPU
CPU = x64
C:\app\archiver\7zip\7z.exe l "C:\Windows\System32\regedt32.exe" | findstr CPU
CPU = x64

Does anyone know what the difference is between these two regedit executables?

9. Run the appropriate Compatadmin (64bit or 32bit) for your command:
Win+R "C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (64-bit)\Compatadmin.exe"

RMB "New Database(1) [Untitled_1]" Create New Application Fix

Up pops a "Create new Application Fix" form asking:
Name of program to be fixed: OpenVPN
Name of the vendor for this program: openvpn.net
Program file location: C:\app\network\openvpn\bin\openvpn.exe
[Next]

Up pops a "Compatibility Modes" form, with many checkboxes.
The tutorial says to check only the one checkbox: [x]RunAsInvoker
[Next]

Note: Other potential checkboxes which may be useful abound, e.g.,
[_]RunAsAdmin == you'd think this would work - but it didn't work.
[_]RunAsHighest == you'd think this would work - but it didn't work.
[_]RunAsInvoker == you'd think this would work - but it didn't work.
(I tried all three separately, and together.)

Up pops a message saying "Selected 1 of 158"...
Hit [Next] again when that summary form shows up of what you checked.

Up pops a "Matching Information" form, with many checkboxes.
I kept the defaults such as:
[x]COMPANY_NAME
[x]PRODUCT_NAME
[x]ORIGINAL_FILENAME
etc., to avoid the recreation of the compatibility patch file after each Windows 10 update.
[Finish]

Note: To protect against hackers, you can request additional checks when running the file
(e. g., CHECKSUM, FILE_VERSION or FILE_SIZE verification, etc.).

This gets you back to the "Compatibility Administrator" form with "regedit" selected:
[File][Save as][OpenVPN db]
Press [OK]

Up pops a "Save Database: "OpenVPN db"" form asking where to save the AppCompat Database file.
Name the file "openvpn"
Press the [Save] button to save the AppCompat Database file as C:\data\sys\apk\openvpn.sdb

10. Apply the compatibility fix package to the application either by the GUI or command prompt:
CompatibilityAdministrator: RMB on "OpenVPN db [C:\data\sys\apk\openvpn.sdb]"
[File][Install]
You should see a popup saying:
Compatibility Administrator (64-bit): The database 'OpenVPN db' was successfully installed.
Press [OK] to dismiss that form.

Dismiss the "Compatibility Administrator" form by pressing [File][Exit]

Or you can install via an admin command window:
Win+R cmd {ctrl+shft+enter] sdbinst -q C:\data\sys\apk\openvpn.sdb
Which should report: Installation of openvpn complete.

Note: To remove the compatibility fix, run this command:
sdbinst ¡Vu C:\data\sys\apk\openvpn.sdb

11. Check that the newly installed package has a record in Windows programs & features:
Win+R control Programs Uninstall a program OpenVPN db

12. Test that the command now works without popping up the UAC consent prompt:
Win+R C:\app\network\openvpn\bin\openvpn.exe C:\app\network\openvpn\config\file_0001.ovpn

Notice this runs WITHOUT the UAC access control prompt popping up! (woohoo!)
o Unfortunately, a "curl icanhazip.com" shows the ISP IP address - not the VPN IP address.
This is what happens when openvpn.exe is run as a user, and not as an administrator.
--
So there's a tweak, somewhere, that needs to be made additionally for this to work.

UPDATE:

Here is documented yet another supposed solution for avoiding UAC popups:
o Add context menu item: "Run as user without UAC privilege elevation".
http://woshub.com/run-program-without-admin-password-and-bypass-uac-prompt/

Windows Registry Editor Version 5.0
[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker]
@="Run as user without UAC privilege elevation"
[HKEY_CLASSES_ROOT\*\shell\forcerunasinvoker\comman d]
@="cmd /min /C \"set __COMPAT_LAYER=RUNASINVOKER && start \"\" \"%1\"\""

What's frustrating is that _all_ the "supposed" solutions work just fine
for something like "regedit.exe", but not for "openvpn.exe", which has
the special problem that it must run "route.exe" as administrator, and yet,
most of the solutions to avoid the UAC consent popups is to "invokeAsUser".

When I try these "invokeAsUser" solutions to avoid the UAC popup, they
avoid the UAC consent form perfectly; but the "route.exe" fails.

What happens is the OpenVPN Daemon "connects" to the VPN service; but since
the route fails, the IP address that "curl icanhazip" shows, is that of my
ISP and not of the public VPN service.
--
It may be that only a batch file can solve this specific problem set.

On Tue, 18 Aug 2020 18:28:24 -0700 (PDT), James Davis wrote:

3. Openvpn.exe is set to [x]Run this program as an administrator

Having this checked causes the UAC popup. Uncheck it!

Hi James Davis,

Thanks for trying to help out as, so far, the only solution that
has any hope of working is some kind of batch file solution (AFAICT).

Everything works with rededit.exe; but that's a simple case.

But what I'm trying to accomplish in this thread is a mechanism that
a. Allows the user to doubleclick on _any_ arbitrary OpenVPN config file
b. That will open up in the default of openvpn.exe as the invoking user
c. But which will modify the routing table using "route.exe" as administrator
d. WITHOUT also popping up the UAC consent prompt.

That checkbox may hold the clue as to the solution, as not only is
the openvpn.exe "[x]Run this program as an administrator" checked
for the invoking user, but it's also checked for all users.
o https://i.postimg.cc/Vk6VDRHN/uac01.jpg

That need to check that box is described in a lot of places, e.g.,
o https://hide.me/en/vpnsetup/windows10/openvpn/
Where they show this graphic:
o https://hide.me/resources/285/images/setup/en/windows10/openvpn/step4.png
But maybe I don't have to do it twice for the openvpn.exe daemon
o So I will try it by not clicking the [Change settings for all users] button.

The problem, of course, is, without administrator, the "route.exe" fails
where the openvpn.exe daemon requires that route to make the connection.
o C:\Windows\system32\route.exe ADD 220.100.37.115 MASK 255.255.255.255 192.168.0.1
o ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=5]
o Route addition via IPAPI failed [adaptive]
o Route addition fallback to route.exe
o env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\Sys tem32\Wbem
o ERROR: Windows route add command failed [adaptive]: returned error code 1

When I set the openvpn.exe "[x]Run this program as an administrator" checkbox,
then it executes the "route.exe" command without failure when I doubleclick
on an openvpn config file (which I set as the default for openvpn.exe).
o C:\Windows\system32\route.exe ADD 220.100.37.114 MASK 255.255.255.255 192.168.0.1
o ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
o Route addition via IPAPI succeeded [adaptive]
o C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.xxx.xx.xx
o ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
o Route addition via IPAPI succeeded [adaptive]
o C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.xxx.xx.xx
o ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
o Route addition via IPAPI succeeded [adaptive]

So the reason we _need_ to run openvpn.exe as an administrator is that
when I don't set that "[_]Run this program as an administrator" checkbox,
then, it _tries_ to execute the "route.exe" but fails because it needs
administrator privileges to set the route (this is how it's different
from a "regedit.exe", which all the UAC consent prompt examples use).

I might be able to play with removing the need for the route.exe to be run
as an administrator though, where I might make use of these batch scripts:
o How to Run Program without Admin Privileges and to Bypass UAC Prompt?
http://woshub.com/run-program-without-admin-password-and-bypass-uac-prompt/

That tutorial suggests this one-line batch file method, for example:
REM You drag your executable on top of this "run-as-non-admin.bat"
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"

That tutorial works for regedit, but it didn't work for me on openvpn.exe.
o However, they did suggest that it could work on an arbitrary app:
REM This is "run-as-non-admin.bat" for any arbitrary executable
Set ApplicationPath="C:\Program Files\SomeApp\testapp.exe"
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %ApplicationPath%"

In summary, all these examples work just fine for regedit.exe,
simply because they run the command as the person invoking the command,
but unfortunatly the openvpn.exe daemon _must_ run its "route.exe" command
as admin.

Once you run as admin, the UAC consent prompt pops up.
o Of course, I can globally turn off the UAC consent prompt (but that's bad)
o And, I can set up a _specific_ config file to not pop up the consent prompt

But what I'm trying to accomplish in this thread is a mechanism that
a. Allows the user to doubleclick on _any_ arbitrary OpenVPN config file
b. That will open up in the default of openvpn.exe as the invoking user
c. But which will modify the routing table using "route.exe" as administrator
d. WITHOUT also popping up the UAC consent prompt.

To your point, I'll turn off the [Change settings for all users]
and see if I can get one of the mechanisms in this thread to work.

If I turn off the user "[x]Run this program as an administrator", then I
still need a way for openvpn.exe to run "route.exe" as admin.

It's not easy or I wouldn't have asked.
--
Usenet is a wonderful way to find solutions to problems that others solved.