- Elevated shortcut: always run with privileges without making the user an administrator.
- runas with /savecred avoids asking for the password after the first use by account.
- Setting read/execute access permissions protects your settings.
- Specific alternatives: “Run as a different user” or command line commands.
When working with applications that touch sensitive areas of the system, sooner or later you need to run them with Administrator privileges. Since the era of Windows In Vista, User Account Control (UAC) protects your system, but it can also get in the way if a program requires elevated permissions every time.
If you're tired of right-clicking on the icon and choosing "Run as administrator," there's a handy alternative: create an elevated shortcut to always launch that application with privileges, without having to repeatedly approve the prompt for each account on the computer. Below, you'll see how to configure it step by step and how to use "Runas" or "Run as a different user" as recommended by Microsoft.
What is an elevated shortcut and when is it appropriate?
The usual alternative of right-clicking and “Run as administrator” works fine from privileged accounts, but From a standard account it asks you for an administrator's credentials every timeMicrosoft also documents the option of holding down Shift, right-clicking, and using "Run as a different user." This opens the Windows Security window, allowing you to enter an administrator's username and password, as indicated in their official guide.
Why might this interest you? Imagine a user with a regular account needs to open a tool that fails due to permissions. You don't want to give him administrator rightsYou don't want to be constantly entering your password either. With elevated shortcuts, that user launches that specific program elevated, period, without full access to the rest of the system.
This approach is especially useful when the app lives in locations per user (for example, %localappdata%\APP\APP.exe) and is usually started with Windows. In environments with multiple users per computer, automation saves a lot of time and prevents repetitive UAC issues.
Enable the built-in local Administrator account
Before building elevated access, it is a good idea to have the built-in local administrator account enabled, because creating access from another account (even if it is admin) can cause problemsThis was already the case in Windows 8, and this approach remains valid in supported versions of Windows.
Open a console with elevated privileges (Windows + X and choose Symbol of the system (administrator), or Terminal/PowerShell as administrator) and run the command to activate the built-in account. On Spanish systems, the account is usually called "Administrador" (Administrator), on others, "Administrator." Use the one that corresponds to your installation:
net user administrador /active:yes
O well:
net user administrator /active:yes
After activating it, set a strong password. Go to User account, go to “Manage another account”, select the built-in administrator account and create a password. Then, log out and log in with that account to continue the setup without any problems.
Find out the exact name of the team
The runas command needs to know which computer the account is from. Therefore, take note of the host name of the PCYou can quickly find it by searching for “System” in the search bar (Windows + W or the magnifying glass), and then going to the classic settings where “Computer name, domain, and workgroup settings” appears.
There you will see something like “OFFICE TEAM” or “Leandro-W8”. This identifier is key because it will be part of the /user parameter of the command that you will enter in the elevated shortcut.
Create the shortcut that always runs as administrator
Already logged into the local administrator account, go to the Desktop, Right-click on an empty space and choose New > Shortcut. In the “Enter the location of the item” field, enter runas indicating the computer, built-in account, and the full path to the .exe file in quotation marks. The option /savecred allows the system to remember credentials after the first time on each account:
runas /user:NOMBRE-DE-EQUIPO\Administrator /savecred "RUTA\AL\PROGRAMA\aplicacion.exe"
In Spanish installations, if the built-in account is called “Administrator,” it would be:
runas /user:NOMBRE-DE-EQUIPO\Administrador /savecred "RUTA\AL\PROGRAMA\aplicacion.exe"
For example, for NetBeans on a 64-bit system the line could look like this (adjust the computer name and exact path to your case): It is just an example of a real route:
runas /user:Leandro-W8\Administrator /savecred "C:\\Program Files\\NetBeans 7.3.1\\bin\\netbeans64.exe"
If your application lives in the user profile, you can use environment variables. A typical case would be %localappdata%\APP\APP.exe (as some per-user installers do). The shortcut will accept variables, so something like this works fine:
runas /user:NOMBRE-PC\Administrator /savecred "%localappdata%\\APP\\APP.exe"
Complete the wizard, give the shortcut an identifiable name (for example, “My Tool (elevated)”), and then finish the wizard if you want. We're not done yet: We're going to polish the icon and security permissions so other users can use it without touching your content.
Customize icon and adjust security permissions of the shortcut
The created shortcut will appear with a generic icon. To change it, Right click > Properties > Change IconClick "Browse" if you want to choose an .ico or executable file containing icons, select it, and accept. This makes it more easily recognizable.
Now it's time to limit access to the shortcut file so that users can run it, but do not modify or delete it accidentally. Right click on the elevated access, enter Properties > Security > Advanced Options.
Select the user account(s) that will use this access and press “Disable inheritance”. When asked what to do with current inherited permissions, choose the first option, the one that converts inherited permissions to explicit permissions on this object. This allows you to fine-tune what each user can do with the shortcut without breaking the existing setup.
With the same account selected, press “Edit” at the bottom and leave only the Reading y Reading and execution. Make sure they don't have write, modify, or full control permissions. This way, the user will be able to launch the access (and therefore the elevated program) but you will not be able to change the destination or the command line.
Apply the changes and close all windows with OK. If there are more accounts that will use it, repeat this adjustment for each one. It is a critical step to prevent access from being altered.
For convenience, you can copy this shortcut and paste it onto the Desktop of each user who will be using it. The first time each user opens it, Windows will ask for the password for the local administrator account that you activated. After entering it once, thanks to /savecred, it will no longer prompt for it on subsequent runs for that user.
Please note that if that user has parental controls or other restrictions active, the app may still be blocked by policy, even with elevated access. In that case, review the family settings or applied policies.
If you need to start a tool with other credentials without creating access, there is a quick method documented by Microsoft: Hold down the Shift key, right-click on the .exe or its shortcut and choose “Run as a different user”. In the Windows Security window, enter the administrator user name and password and accept.
Another way is the command line with runas. The syntax is similar to that used in the shortcut, allowing you to specify the target user and, if applicable, save credentials to simplify subsequent use. Microsoft maintains reference documentation for this command.
For scenarios where the app is required to automatically start with elevation for multiple users on many computers, a common option is to combine elevated access with startup policies or Create a Scheduled Task “At Logon” executed with the highest privileges. This way you avoid manual interaction at each Boot, maintaining control over which users and under what conditions the program runs. If your executable resides in % localappdata%, remember that this path changes per user and you will have to consider this variable in the task or access.
As a safety note, when using /savecred remember that the credentials are stored on the computer and are reused for that purpose. Use it only in trusted environments and with the local administrator account protected by a strong password.
With these steps you have a functional and safe elevated shortcut, which allows standard users to launch a specific program with administrator permissions without granting them full system control or asking for a password on every launch.
- Controlled elevation for a specific program without making users administrators.
- Use of runes with /savecred to remember credentials after the first run.
- Access protection by means of read-only/execute permissions for the target users.
- Alternative methods such as “Run as a different user” documented by Microsoft.
Passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that's what I'll do on this blog, show you all the most interesting things about gadgets, software, hardware, tech trends, and more. My goal is to help you navigate the digital world in a simple and entertaining way.