I'm have written an msi file that offers a choice of "per-user" or "for all" installation in the UI phase, and now find that the installer fails on Vista:
if I just reuse the installer that works for XP, Vista will trigger a UAC prompt even for the "per-user" installation, making that installation pointless
if I turn off UAC in bit 3 of PID_WORDCOUNT, Vista won't invoke UAC at all anymore, so even if the user would have permission to install into the machine registry (say), the privilege raising doesn't happen, so the installation fails.
So: how can I prevent installer from invoking UAC when it isn't really needed? Alternatively, how can I programmatically request UAC even if bit 3 is set?
Unfortunately, the Windows Installer does not provide a way to create a single package that can install per-machine and per-user but only prompt for UAC on the per-machine case. The issue is that the bit that can suppress the UAC prompt is stored in the SummaryInformation stream and is not modifiable while the package is executing.
Try this reference: UAC in MSI Notes: How to Build Packages that work for both Standard User and Per-Machine?
I turned off UAC by setting the bit 3 of PID_WORDCOUNT in my MSI package. I can able to install it for "ALLUSERS" and "PER-USER", and also write in for HKLM in both the modes on VISTA machines.
Is it mandatory for you to get UAC popup for privileged user during installation?
Related
When users try to uninstall their own single user installation (for example installed using lowestprivileges none and HKCU entries) with 'Add/Remove Programs' in the Control Panel, everything works fine (that is, non-admin users can uninstall their own non-admin installation).
However the uninstaller will be elevated, when users start it from 'Apps & features' (Windows 10).
This seems to be a known Windows 10 bug:
How to prevent uninstaller elevating for Standard Windows 10 user?
Is there a way to work-around this issue when the Inno Setup uninstaller is started from 'Apps & features'?
Link this NSIS Workaround for Windows uninstaller elevation bug.
You will have to do exactly what that NSIS hack does.
Find out what is the Windows GUI user (and assume that you should uninstall as that user). Alternatively, you can store the username into some file in the installation folder.
Re-execute the installer as that user. That hack uses StdUtils NSIS plug-in with its ExecShellAsUser function. Maybe the DLL can be used from Inno Setup. If not, you can at least reuse its code.
All this is imo to much to ask in a single question. If you have specific problems, consider asking more specific questions.
Simpler alternative would be to prevent the uninstallation, when executed as different user, and show a suggestion to the user to go to Control panel instead.
For a similar question, see Uninstaller trouble with standard Windows user.
I have a msi file when I install it writes instructions to HKEY_LOCAL_MACHINE;and give UAC to user to do it or not I want to edit this behaviour I mean prompting for a UAC in a way that it will do all the installation without prompting to user for a UAC in windows 7.My question is what needs to be modify in a file.
When UAC is enabled an elevation dialog is always required to get the privileges to write to HKLM. There isn't anything you can modify to prevent this requirement for elevated privilege. You could run the MSI as administrator, or start it from an exe (but the exe will require an elevation dialog anyway), but again these are just ways to get the required elevated privileges.
So you could open the MSI file with Orca, View Summary Information, and then check the UAC compliant box, but if the install really requires elevation then the install will fail with "You do not have sufficient privileges...."
We have legacy desktop native app with custom setup. The setup is signed and must be run as administrator. Current prod setup EXE that was built and signed 5 years ago is automatically elevated and run as admin on Windows 7 or 8. The setup we rebuilt now and is also signed with different cert and has the same name as old one is not automatically elevated to admin and therefore fails.
What makes Windows to run the setup EXE automatically as admin?
Signing is not related to admin privileges, so don't worry about it in that respect.
To expand on Harry Johnson's comment (which is correct), early versions of UAC on Windows used to automatically elevate programs that looked like setup programs. I don't know the exact algorithm used, but programs with setup or install in the names or descriptions were elevated. That doesn't happen any more, and on UAC programs run by admins are not elevated unless they explicitly elevate with a manifest or a run as administrator.
Without knowing where that setup.exe comes from, if you build it. or it comes with a version of a setup tool (Visual Studio?) then it's hard to say how to fix it.
If this happens to be an MSI-based install then the MSI will ask for elevation if it's marked that way. It's not clear from the question which part of the setup requires elevation, but if it's setup.exe that actually does the install, then all of it needs elevation and it needs an elevation manifest.
I have an Inno Setup installer that needs to restart the explorer (in order to install a shell extension). During installation, I can start explorer.exe with ShellExecAsOriginalUser so that it doesn't start with admin privileges; this is important on Windows 8, because running explorer with admin privileges prevents Metro apps from running.
The trouble is that this function can't be called during uninstall, as stated in the documentation (I tried to do it anyway, but of course it fails). I don't understand why it's not possible. Any clue? Is there a workaround?
It cannot be called during uninstall because the Programs and Features control panel always starts the uninstaller with elevated permissions (when running a per-machine uninstaller, anyway); the "original user" is therefore still the admin user.
In this situation, probably the correct thing to do is to just use the latest version of Inno -- this includes Restart Manager functionality which should automatically sort Explorer out without you having to do anything.
I'm marking this as a community wiki because I'm not really looking for one complete answer. So if you feel like posting one or two things that will activate the UAC prompt instead of a comprehensive list then go ahead.
What actions in Windows will activate UAC? I'd like to avoid it as much as possible because my application doesn't need admin privileges. And I'm sure many other people want to avoid it.
Specifically, I would like to know if reading from the registry would activate it. Or writing to it?
You don't need to address the above question, just anything that will activate it is fair game.
It's really hard to Google anything about UAC because you get bombarded with articles about how to disable it. And I'd rather not have my application make the assumption UAC is disabled.
Nothing "activates" UAC.
If your application would fail to run as a standard user under Windows XP it will fail to run under Windows Vista or Windows 7 as a standard user.
What you are really asking is: what actions can a standard user not perform under Windows?
The things a standard user cannot do are pretty well known (they've been the same since Windows 2000). The main ones are:
modify anything in HKEY_LOCAL_MACHINE
modify anything in the Windows directory
modify anything in the Program Files folder
If you try to do any of those they will fail on:
Windows 2000
Windows XP
Windows Vista
Windows 7
Nobody should have been running as an administrator for day-to-day computer use. If your application did any of those bad things in Windows XP it would fail. The user would have to:
logon (or fast user switch) to an administrator
perform the administrative task
switch back to their real account
UAC is a convience mechanism, allowing you to easily temporarily switch to an administrator. Nothing you do will "trigger" it; you have to make it happen.
If you know your code needs to modify a file in C:\Program Files\My App\Data, then you should add a button on your form that will trigger the elevation.
You then need to launch an (elevated) copy of your program, do the thing, and close.
I created a launch4j installer (an exe-wrapper for java programs) and named it "MyApp.exe". It doesn't need any admin authentication. It just runs fine without any UAC prompt.
BUT: If I rename this installer to "install.exe" or "setup.exe", the UAC icon appears and I get a UAC promp when starting the installer.
Seems as if there are some "reserved words" in filenames that cause windows to start a program with elevated rights (UAC).