Remove local admin rights without killing productivity. Users request elevation, you approve in seconds. Full audit trail, automatic rules, zero friction.
End user right-clicks the ElevateGuard tray icon, browses to the application they need to run elevated, and adds a justification.
The agent captures the file hash, publisher signature, and user details, then sends the request to the cloud. Auto-approve rules are checked instantly.
Pending requests appear in your web console in real time. You see the app name, publisher, hash, user, machine, and justification. One click to approve or deny.
On approval, the agent receives the decision via MQTT in under a second and launches the process with admin privileges in the user's session. No passwords shared, no persistent admin rights.
Requests arrive in your console instantly via MQTT push. Approve or deny with one click and the agent acts within a second. No polling delays.
Create rules by SHA256 hash, publisher certificate, file path, or path prefix. Known-good apps get elevated automatically without admin intervention.
Every request, approval, denial, and execution is logged with timestamps, user identity, machine name, and file details. Complete compliance-ready history.
The agent extracts the digital publisher signature from executables so you can verify the software source before approving elevation.
Built for MSPs. Manage elevation policies across all your client companies from a single console with per-company rules and settings.
Single Windows executable runs as a SYSTEM service. Under 5MB, no dependencies, no PowerShell, no shell execution. Elevation only.
Free forever for up to 5 endpoints. No credit card required.
ElevateGuard installs a Windows service that runs as SYSTEM. When an elevation request is approved, the service launches the specified application with elevated privileges in the user's desktop session using Windows API calls (CreateProcessAsUser). The user never receives admin credentials or persistent admin rights — only the specific approved application runs elevated.
Without connectivity, new elevation requests cannot be submitted or approved. The agent will queue the request locally and submit it when connectivity returns. Previously approved auto-approve rules are cached locally, so matching applications can still be elevated offline.
No. Each approval is for a specific application identified by its SHA256 hash, file path, and publisher signature. The agent verifies the file hash before launching. If the file has been modified or replaced, the elevation will not proceed. Approvals are single-use by default.
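The launch-time check described above can be sketched as follows. This is an added example, not ElevateGuard's code: the `Approval` record, `check_before_launch` and the reason strings are hypothetical, the sample file is constructed, and publisher-signature verification is left out because it needs Windows APIs.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the file in chunks so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class Approval:
    """Hypothetical approval record: one decision bound to one path and hash."""
    def __init__(self, path, sha256):
        self.path = os.path.normcase(os.path.abspath(path))
        self.sha256 = sha256
        self.used = False  # single-use by default

def check_before_launch(approval, path):
    """Return (ok, reason). The file is re-hashed at launch, not trusted from request time."""
    if approval.used:
        return False, "approval already consumed"
    if os.path.normcase(os.path.abspath(path)) != approval.path:
        return False, "path differs from approved path"
    try:
        actual = sha256_file(path)
    except OSError:
        return False, "file unreadable"
    if actual != approval.sha256:
        return False, "hash mismatch"
    approval.used = True  # consume the approval only on success
    return True, "ok"

def demo():
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "installer.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed sample bytes v1")
        first = Approval(exe, sha256_file(exe))
        r1 = check_before_launch(first, exe)   # unchanged file
        r2 = check_before_launch(first, exe)   # same approval presented again
        second = Approval(exe, sha256_file(exe))
        with open(exe, "wb") as f:
            f.write(b"constructed sample bytes v2")  # file replaced after approval
        r3 = check_before_launch(second, exe)
        return r1, r2, r3

if __name__ == "__main__":
    print(demo())
```

A check of this shape still leaves a window between hashing and process creation unless the file is held open without write sharing until launch.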
UAC prompts can be clicked through by any local admin. Making users admins gives them permanent, unrestricted access. ElevateGuard provides just-in-time, just-enough privilege: specific apps, specific times, with approval, audit trail, and automatic rules. You maintain least-privilege while keeping users productive.
Yes. ElevateGuard is a standalone agent that works alongside any RMM tool. It doesn't conflict with existing management agents and can be deployed via your RMM's software deployment feature.