UPDATE: This _almost_ works!
a. The tutorial below runs openvpn on _any_ of thousands of config files
b. Without popping up the UAC consent prompt (so that problem is solved)
c. But, unfortunately, openvpn.exe doesn't run as administrator yet
So we've solved _two_ of the three problems, where if this wasn't openvpn
(which has a special requirement to run as administrator), we'd be done.
The tutorial below is based on using the Windows Assessment & Deployment Kit
o How To Disable UAC Prompt For Specific Applications In Windows 10
<https://zamarax.com/2020/02/10/how-to-disable-uac-prompt-for-specific-applications-in-windows-10/>
Unfortunately, that ADK tutorial uses regedit.exe as the example
o Regedit.exe is different from openvpn.exe in two key ways:
a. Regedit.exe doesn't generally run with arbitrary arguments (openvpn.exe always does),
b. Regedit.exe doesn't require administrator execution to work (openvpn.exe always does).
Nonetheless, it "almost" worked so I'm sure only a tweak to
the instructions below is needed to get openvpn to work without
the UAC consent prompt on thousands of files using the Windows ADK.
Here is the step by step tutorial I wrote up using the Windows ADK:
1. Completely independent of UAC issues, this step is required for
openvpn to work when you doubleclick on any of thousands of freely
obtained ovpn configuration files to connect to VPN:
RMB on C:\app\network\openvpn\bin\openvpn.exe > Properties > Compatibility >
[x]Run this program as an administrator
[Change settings for all users]
[x]Run this program as an administrator
[OK][OK]
<https://hide.me/en/vpnsetup/windows10/openvpn/>
Note: If you skip that "run as administrator" step, you'll connect to the VPN
server but your IP address will still be that of your ISP, which you can test using:
curl icanhazip.com
2. Set a doubleclick on any ovpn file to run in the OpenVPN Daemon (openvpn.exe):
Open up the "Default apps" section of Windows 10 settings:
Win+R > ms-settings:defaultapps > Choose default apps by file type > .ovpn >
Choose an app > OpenVPN Daemon
Or manually set Windows default file associations to open *.ovpn files:
- Right click on any *.ovpn text configuration file in Windows 10
Notice it doesn't yet say "Open With "OpenVPN Daemon".
- Select "Open with" and then "Choose another app".
- Also set "[x]Always use this app to open *.ovpn files".
- Change from: *.ovpn starts with the OpenVPN GUI
- Change to: *.ovpn starts with the OpenVPN Daemon
If you don't see that as a selection, navigate to:
c:\app\network\openvpn\bin\openvpn.exe <== that's the OpenVPN daemon
Now, if you doubleclick on any ovpn file, it will connect to the VPN server.
o You can test your IP address with "curl icanhazip.com".
3. The only problem is that the UAC consent prompt pops up, which is a PITA,
particularly when you select a dozen ovpn files at a time to run (where the
connection is for the first one that works - the rest will fall off).
You can easily turn off UAC consent prompts altogether, but that's too much:
Win+R > UserAccountControlSettings.exe > Never notify me
4. You can also easily turn off UAC for a "specific" ovpn file, e.g.,
Win+R > taskschd.msc /s > Create Task > OpenVPN Daemon
[x]Run with highest privileges <== this is what bypasses the UAC prompt
Actions > New > Start a program > C:\app\network\openvpn\bin\openvpn.exe
Arguments = C:\app\network\openvpn\config\file_1.ovpn
But that task circumvents UAC for only that one vpn configuration file.
Note: You can create an easily remembered shortcut command to that task:
C:\data\sys\apppath\ovpn_0001.lnk
TARGET = C:\Windows\System32\schtasks.exe /run /TN "OpenVPN Daemon"
Where you can also create a new "vpn0001" command using the AppPaths key:
Win+R > vpn0001
This connects to VPN without UAC if the following key is also created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vpn0001.exe
(Note ending the keyword with 'exe' is a requirement for AppPaths keys.)
Default = C:\data\sys\apppath\ovpn_0001.lnk
This works fine to connect to the VPN server and to skip UAC; but you
have to set this up for _every_ one of your thousands of ovpn files!
5. Maybe this tutorial will work on all six thousand ovpn config files?
o How To Disable UAC Prompt For Specific Applications In Windows 10
<https://zamarax.com/2020/02/10/how-to-disable-uac-prompt-for-specific-applications-in-windows-10/>
Download & install the Windows Assessment and Deployment Kit (ADK):
<https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install>
<https://go.microsoft.com/fwlink/?linkid=2120254>
<https://download.microsoft.com/download/8/6/c/86c218f3-4349-4aa5-beba-d05e48bbc286/adk/adksetup.exe>
Name: adksetup.exe
Size: 1934336 bytes (1889 KiB)
SHA256: 64313BBB8D087328DEEECEC76F6B52648A42924E7CA64D16A2A0D75FA8442EFA
6. While on the network, run the adksetup.exe stub and do NOT elect to download the full 1.1 GB installer:
(o)Install the Windows Assessment and Deployment Kit - Windows 10 to this computer
Install Path (default) = C:\Program Files (x86)\Windows Kits\10\
Note: I put it where it belongs, which, for me, is: C:\app\os\adk\
Note you don't want to download the entire ADK which is 1.1 GB & many cab files!
(_)Download the Windows Assessment and Deployment Kit - Windows 10 for installation on a separate computer
Download Path (default) = C:\Users\{uname}\Downloads\Windows Kits\10\ADK
7. Accept the license and decline the usage statistics and then you will have the choice of:
Select the features you want to install
[x]Application Compatibility Tools <== this is the only checkbox you need for this tutorial
[_]Deployment Tools
[_]Imaging And Configuration Designer (ICD)
[_]Configuration Designer
[_]User State Migration Tool (USMT)
[_]Volume Activation Management Tool (VAMT)
[_]Windows Performance Toolkit
[_]Windows Assessment Toolkit
[_]Microsoft User Experience Virtualization (UE-V) Template
[_]Microsoft Application Virtualization (App-V) Sequencer
[_]Microsoft Application Virtualization (App-V) Auto Sequencer
[_]Media eXperience Analyzer
[_]Windows IP Over USB
Check only the Application Compatibility Tools item & press [Install][Close].
This will install (among other things) a 32-bit & 64-bit compatibility mode utility:
"C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
"C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (64-bit)\Compatadmin.exe"
8. Check if the command you want it to run on is 32 bit or 64 bit:
Right click on openvpn.exe & select "Properties" > "Compatibility"
Temporarily check the Compatibility Mode option of [x]Run this program in compatibility mode for:
[Windows Vista] <== if this is the first entry, then your executable is 64-bit
[Windows Vista (Service Pack 1)]
[Windows Vista (Service Pack 2)]
[Windows 7]
[Windows 8]
Note: If Windows XP is on the list, then your executable is 32-bit,
where you will likely also see even older Windows versions listed:
[Windows 95]
[Windows 98 / Windows Me]
[Windows XP (Service Pack 2)]
[Windows XP (Service Pack 3)]
Doublecheck with 7zip which returns either "CPU = x64" or "CPU = x86":
C:\app\archiver\7zip\7z.exe l "C:\app\network\openvpn\bin\openvpn.exe" | findstr CPU
CPU = x64
For example, with SRWare Iron:
C:\Windows\system32>C:\app\archiver\7zip\7z.exe l "C:\app\browser\iron\chrome.exe" | findstr CPU
CPU = x64
C:\Windows\system32>C:\app\archiver\7zip\7z.exe l "C:\app\browser\iron\iron.exe" | findstr CPU
CPU = x86
For regedit, I seem to have two executables:
C:\app\archiver\7zip\7z.exe l "C:\Windows\regedit.exe" | findstr CPU
CPU = x64
C:\app\archiver\7zip\7z.exe l "C:\Windows\System32\regedt32.exe" | findstr CPU
CPU = x64
Does anyone know what the difference is between these two regedit executables?
9. Run the appropriate Compatadmin (64bit or 32bit) for your command:
Win+R > "C:\app\os\adk\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (64-bit)\Compatadmin.exe"
RMB "New Database(1) [Untitled_1]" > Create New > Application Fix
Up pops a "Create new Application Fix" form asking:
Name of program to be fixed: OpenVPN
Name of the vendor for this program: openvpn.net
Program file location: C:\app\network\openvpn\bin\openvpn.exe
[Next]
Up pops a "Compatibility Modes" form, with many checkboxes.
The tutorial says to check only the one checkbox: [x]RunAsInvoker
[Next]
Note: Other potential checkboxes which may be useful abound, e.g.,
[_]RunAsAdmin <== you'd think this would work - but it didn't work.
[_]RunAsHighest <== you'd think this would work - but it didn't work.
[_]RunAsInvoker <== you'd think this would work - but it didn't work.
(I tried all three separately, and together.)
Up pops a message saying "Selected 1 of 158"...
Hit [Next] again when that summary form shows up of what you checked.
Up pops a "Matching Information" form, with many checkboxes.
I kept the defaults such as:
[x]COMPANY_NAME
[x]PRODUCT_NAME
[x]ORIGINAL_FILENAME
etc., to avoid the recreation of the compatibility patch file after each Windows 10 update.
[Finish]
Note: To protect against hackers, you can request additional checks when running the file
(e.g., CHECKSUM, FILE_VERSION or FILE_SIZE verification, etc.).
This gets you back to the "Compatibility Administrator" form with "regedit" selected:
[File][Save as][OpenVPN db]
Press [OK]
Up pops a "Save Database: "OpenVPN db"" form asking where to save the AppCompat Database file.
Name the file "openvpn"
Press the [Save] button to save the AppCompat Database file as C:\data\sys\apk\openvpn.sdb
10. Apply the compatibility fix package to the application either by the GUI or command prompt:
CompatibilityAdministrator: RMB on "OpenVPN db [C:\data\sys\apk\openvpn.sdb]"
[File][Install]
You should see a popup saying:
Compatibility Administrator (64-bit): The database 'OpenVPN db' was successfully installed.
Press [OK] to dismiss that form.
Dismiss the "Compatibility Administrator" form by pressing [File][Exit]
Or you can install via an admin command window:
Win+R > cmd {ctrl+shift+enter} > sdbinst -q C:\data\sys\apk\openvpn.sdb
Which should report: Installation of openvpn complete.
Note: To remove the compatibility fix, run this command:
sdbinst -u C:\data\sys\apk\openvpn.sdb
11. Check that the newly installed package has a record in Windows programs & features:
Win+R > control > Programs > Uninstall a program > OpenVPN db
12. Test that the command now works without popping up the UAC consent prompt:
Win+R > C:\app\network\openvpn\bin\openvpn.exe C:\app\network\openvpn\config\file_0001.ovpn
Notice this runs WITHOUT the UAC access control prompt popping up! (woohoo!)
o Unfortunately, a "curl icanhazip.com" shows the ISP IP address - not the VPN IP address.
This is what happens when openvpn.exe is run as a user, and not as an administrator.
--
So there's a tweak, somewhere, that needs to be made additionally for this to work.
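
Added example (not part of the original post): a PowerShell inventory of what steps 1 and 10 leave behind, namely the Compatibility-tab layers and the installed shim databases with their target executables, so the changes can be reviewed, hashed and later removed with sdbinst -u. The function names are made up for this example; the registry locations are the standard AppCompatFlags keys.

```powershell
# Added example: inventory the compatibility settings this tutorial creates.
$flags = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-CompatLayer {
    # Per-executable layers set from the Compatibility tab (step 1),
    # e.g. "~ RUNASADMIN"; HKLM holds the "all users" setting.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Get-Item -Path "$hive\$flags\Layers" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive   = $hive
                Target = $name
                Layers = $key.GetValue($name)
            }
        }
    }
}

function Get-InstalledShimDatabase {
    # Databases registered by sdbinst or Compatadmin [File][Install] (step 10).
    $root = "HKLM:\$flags\InstalledSDB"
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $path = $sub.GetValue('DatabasePath')
        $present = $path -and (Test-Path -LiteralPath $path)
        [pscustomobject]@{
            Guid        = $sub.PSChildName
            Description = $sub.GetValue('DatabaseDescription')
            Path        = $path
            # Hash of the installed copy, for comparison with the .sdb you saved.
            SHA256      = if ($present) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

function Get-ShimmedExecutable {
    # Executable names mapped to installed databases ("{GUID}.sdb" value names).
    $root = "HKLM:\$flags\Custom"
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($name in $sub.GetValueNames()) {
            [pscustomobject]@{ Executable = $sub.PSChildName; Database = $name }
        }
    }
}

Get-CompatLayer | Format-Table -AutoSize
Get-InstalledShimDatabase | Format-List
Get-ShimmedExecutable | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session so HKLM\SOFTWARE is not redirected; any database or layer listed that you did not install yourself deserves a closer look.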