Admin level NSIS installer needs to create icons for unprivileged user - installation

I need to create an NSIS installer, which runs with administrator privileges. I request these privileges with
RequestExecutionLevel admin
So far this works. But I also need to place shortcut links on the user's desktop. I do NOT want to create the shortcuts for all users but only for the currently logged-in user. So I use
SetShellVarContext current
in the installer sections. If the current user has admin privileges, this works. If I have a normal user, Windows (7) asks for credentials for a privileged user, which is also correct. But the installer then creates the icons on the privileged user's desktop, and not on the current user's.
So, how can I tell NSIS that it should create desktop icons for the current user if she has no admin privileges?
FYI, if I omit both RequestExecutionLevel and SetShellVarContext, I am also prompted for administrative rights but the installer creates icons on the current user desktop as well as for the admin user. I think this is some kind of compatibility behavior.

You are not really supposed to do this (because of this exact issue) and you are basically asking how to create an installer that is broken by design. This is not an NSIS-specific problem and not even UAC-specific; it has existed since runas was added in Win2000! When you elevate with runas/UAC the new process is executed as that user and with their HKCU and shell folders...
If you need "RequestExecutionLevel admin" in your script then you are doing machine level things and should therefore call "SetShellVarContext all" and install the files in $ProgramFiles and write the uninstall registration under HKLM. This is true for any version of NT, not just Vista+/UAC. (Most people forget to test as non-admin on NT4 and NT5)
If creating shortcuts for all users is such a big problem then I suggest you enable the "Don't create shortcuts" checkbox on the startmenu page so the user can decide.
If you still want to force broken behavior then you need to use this plugin. (You should be able to find plenty of topics about this plugin on the NSIS forum)
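The machine-level layout this answer describes, as an added example (not code from the original posts). The product name ExampleApp, the file ExampleApp.exe and the output file name are assumptions:

```nsis
; Added example: per-machine installer. ExampleApp and its file names are assumed.
Name "ExampleApp"
OutFile "ExampleApp-setup.exe"
RequestExecutionLevel admin              ; elevation is required for everything below
InstallDir "$PROGRAMFILES\ExampleApp"

!define UNINST_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"

Page directory
Page instfiles
UninstPage uninstConfirm
UninstPage instfiles

Section "Install"
  ; Resolve $DESKTOP and $SMPROGRAMS to the all-users folders, so the result
  ; does not depend on which account supplied the elevation credentials.
  SetShellVarContext all

  SetOutPath "$INSTDIR"
  File "ExampleApp.exe"
  WriteUninstaller "$INSTDIR\uninstall.exe"

  CreateShortCut "$DESKTOP\ExampleApp.lnk" "$INSTDIR\ExampleApp.exe"
  CreateDirectory "$SMPROGRAMS\ExampleApp"
  CreateShortCut "$SMPROGRAMS\ExampleApp\ExampleApp.lnk" "$INSTDIR\ExampleApp.exe"

  ; Uninstall registration under HKLM, not the elevating user's HKCU.
  WriteRegStr HKLM "${UNINST_KEY}" "DisplayName" "ExampleApp"
  WriteRegStr HKLM "${UNINST_KEY}" "UninstallString" '"$INSTDIR\uninstall.exe"'
SectionEnd

Section "Uninstall"
  SetShellVarContext all                 ; same context, or the shortcuts are not found
  Delete "$DESKTOP\ExampleApp.lnk"
  Delete "$SMPROGRAMS\ExampleApp\ExampleApp.lnk"
  RMDir "$SMPROGRAMS\ExampleApp"
  Delete "$INSTDIR\ExampleApp.exe"
  Delete "$INSTDIR\uninstall.exe"
  RMDir "$INSTDIR"
  DeleteRegKey HKLM "${UNINST_KEY}"
SectionEnd
```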

Related

Is there any option in the Windows registry so that I can always run a program as admin without UAC and admin password

I am developing a desktop application.
How can I make it always run as admin for a non-admin user, without UAC and an admin password, by making a change in the Windows registry?
A Windows registry change would be preferred, but if there is any other option please tell me.
Any help will be appreciated.
Thanks
There is no such feature. The point of UAC is to ensure the user is aware that the program being started will have access to admin privileges. If there were a way to turn that off, then malware would do it.
The user can disable the UAC prompts via a control panel setting, but not for a particular program.
If your program always requires admin privileges to do what it needs to do, you should have an entry in its manifest. Modern versions of Visual Studio have options in the project settings for the executable for setting common items like this in the manifest automatically.

How do I have multiple windows users (non-admins) modify and save the same setting(s)?

Apologies if this is a really simple question...
We have a .NET application that is installed by an administrator, and then run by multiple staff on the same computer with their own login credentials (normal user - non-admin).
Application uses MSI installer and is installed to Program Files folder.
The application needs to have some settings about attached devices to the computer saved as preferences so when a user opens the app these settings are set and the user is not asked for preferences each time. These preferences should not be set per user, rather per computer.
However if user A changes one of these settings on the computer, then when user B logs in they should see the changed setting from user A.
Hence the settings need to be per computer, not per user.
Where in Windows 7, 8, 10 etc. can an application save data that is computer-specific, not user-specific, yet allow users without admin rights to change that data?
We have looked at system temp folder but the computers have GPO policy to regularly remove temp folder content.
Any other ideas?
It takes administrator rights to change the permissions on a registry key inside HKLM, but once that's done, anyone in the group given permission can make modifications.
Obviously don't change permissions on any of the standard keys (e.g. HKLM\Software or HKLM\Classes) but in your own application area (HKLM\Software\YouCorp\YouApp\Attached Devices) it's perfectly fine to adjust permissions the way you like.
You'll just have to include "grant write permission on HKLM\Software\YouCorp\YouApp\Attached Devices to the group Users" as one of the actions of your installer.
If you are allergic to the registry, you can do the same with a subdirectory of your application install (e.g. %ProgramFiles%\YouCorp\YouApp\Device Settings)
Given you are using a .Net application, you could store the information in the app.config file associated with the application.
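The subdirectory variant suggested in the answer above, as an added example that is not part of the original posts. It assumes an NSIS installer rather than the MSI in the question, reuses the answer's YouCorp\YouApp placeholder path, and grants write access only on the data subdirectory while the directory holding the binaries keeps its default ACL:

```nsis
; Added example: shared, user-writable settings directory.
; Paths follow the answer's YouCorp\YouApp placeholder; the section layout is assumed.
!include "LogicLib.nsh"

Name "YouApp"
OutFile "YouApp-setup.exe"
RequestExecutionLevel admin              ; changing ACLs under Program Files needs elevation
InstallDir "$PROGRAMFILES\YouCorp\YouApp"

Section "Shared device settings"
  ; Program binaries stay in $INSTDIR with the default (admin-only write) ACL.
  ; Only this data subdirectory is opened up; keep executables and DLLs out of it.
  CreateDirectory "$INSTDIR\Device Settings"

  ; *S-1-5-32-545 is the well-known SID of BUILTIN\Users (the name is localized, the SID is not).
  ; (OI)(CI) = inherit to files and subfolders, M = Modify.
  nsExec::ExecToLog 'icacls "$INSTDIR\Device Settings" /grant "*S-1-5-32-545:(OI)(CI)M"'
  Pop $0                                 ; icacls exit code, or "error"/"timeout"
  ${If} $0 != 0
    Abort "Could not grant Users write access to Device Settings (icacls returned $0)"
  ${EndIf}
SectionEnd
```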

How to make a folder UAC protected

Can someone tell me how (in Windows 7 PRO) I can create a folder so that when I try to open it, User Account Control will ask for an Administrator's password? I need to restrict a folder on the C: drive so it can only be opened by administrators, and if a normal user tries to open it, he will need the Administrator's password.
You could go to Control Panel, then you go to User Account and Family Safety. Then go to Parental Control and unable it, or get your user off the list. After that, you should be able to do it.
(AT LEAST IT WORKS FOR ME!)

Is there a way to install software that prompts for privilege escalation (UAC) programmatically?

Basically I either need to click the UAC button with my program (which I don't believe is possible) or somehow make it so I don't need to click the button to install the software. I will also need to click buttons during the install with my program but I know how to do that. I am only concerned with the UAC things.
One way or the other, the user is going to have to click that button to give you permission to proceed. That's the whole point of UAC; if there were a way to work around it, it would serve absolutely no purpose.
You can either ask for permission sooner (at the beginning of your installation) or later (at the point in the installation when the privileges are first actually required), but you have to do it one of those times.
The standard course of action is to embed a manifest in your application that indicates you require administrative privileges. The applicable line looks like this:
<requestedExecutionLevel level="requireAdministrator" />
Alternatively, you could choose to rely on UAC's "Installer Detection" functionality:
The first application compatibility technology that is part of UAC is called Installer Detection. Because most installers write binaries to the Program Files directory, they overwhelmingly need administrator privileges. Installer Detection is designed to scan the name and the resources of the EXE to determine whether an application is an installer. For example, an executable would be marked as an installer if the executable name or description contained the strings "install" or "setup". So an application named setup.exe, without an application manifest, would trigger a UAC elevation if launched by a token without administrator privileges.
Clicking buttons during your install isn't a very good idea, either. If this is an installer that you're writing, code in some "silent install" flags that you can specify when executing the installer app. If this is a third-party installer that you're using, check the documentation; chances are such flags already exist. The point of these flags is that interactive UI is not displayed at all during setup, meaning that no one has to bother clicking any buttons (which is very hard to get right).
You can install your program in the user's home directory or any other directory which is writable without administrator privilege.
If you're writing an installer wrapper, you can ask for UAC on the wrapper and the wrapper can start the real installer(s) with administrator privilege. Most installers also provide command line options for unattended installations, so you might want to check those instead of scripting button clicks.
You can't click the button on the UAC consent dialog.
Your other options depend on what you really try to achieve. So give us more details on your task: there could be better design choices than clicking installer buttons from an application.
To avoid UAC, you can install a service which will start the installation. But the user has to consent when you install the service.

Windows 7 - How to gain full admin rights when already part of administrators group?

I have a Windows 7 development machine and I am constantly encountering the "you do not have enough permissions" when running certain programs or trying to access log files. I am the only user on the machine and my account is part of the administrators group. Is this part of Microsoft's UAC "protection"? If so, is there a way to remove it so that an administrator account has full admin rights?
Usually, you can right click and select "Run as Administrator" to elevate the privilege. I believe you can also turn it off from control panel (search for "User access control" in control panel). I would not recommend it though. If you have applications to start up with that privilege, you might want to modify the shortcut to have "Run as Administrator" set so that it will challenge you as soon as it starts.
