UAC Elevation Clarification
Posted: Wed Jun 15, 2011 4:12 pm
Hey folks,
We recently encountered numerous questions regarding UAC elevation in InstallAware. This thread was written to address some of these common questions.
Let me start off by saying that UAC elevation is a Windows Installer feature. By selecting either UAC elevation option in InstallAware, you are really passing the values down to the installer manifest which is stored in the setup.exe file.
A little bit about User Account Control (UAC) - it's a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems (and a more "relaxed" version also present in Windows 7 and Windows Server 2008 R2). It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.
Taking this into account, there are three options for UAC elevation as far as Windows Installer is concerned:
asInvoker (Never Elevate) - The application runs with the same access token as the parent process (Windows Explorer if you clicked on the installer in Windows Explorer). This option is recommended for standard user applications. Put simply, this option means do not show the UAC dialog even if the installer was run by an admin. This way, the setup is forced to run without any privileges.
highestAvailable (Elevate Administrators Only) - The application runs with the highest privileges the current user can obtain. Recommended for mixed-mode applications. Put simply, this option means show the UAC dialog only if the installer was run by an admin. If the installer wasn't run by an admin, the installer won't bother even showing the UAC dialog.
requireAdministrator (Always Elevate) - The application runs only for administrators and requires that the application be launched with the full access token of an administrator. Recommended for administrator-only applications. Put simply, this option means always show the UAC dialog, forcing non-admin users to "find" an admin that can elevate for them. This option guarantees maximum privileges for the installer.
Please note that further manipulation of the UAC elevation status is also available at runtime using the Run Program As command.
For example, you might want to run your installer with the highestAvailable UAC elevation, but run an external executable within it with de-elevated privileges. This might be, for example, because you want to limit that application's privileges. Another example would be to make sure that documents or other files from an elevated application don't end up in elevated folders, but in standard user folders.
To de-elevate a program run from an elevated setup, check the "Run under limited user account when UAC is enabled and setup is elevated (de-elevation)" checkbox in the Run Program As command dialog.
You could also run a program "as an administrator" from a non-elevated installer at runtime by using the Run Program As command and providing a user name and password for an elevated-credentials user. That being said, it's important to remember that although you can automatically de-elevate an elevated setup (in the manner explained above), you cannot do it the other way around. In other words, if a setup is not run elevated, calling Run Program As with admin credentials will cause the UAC dialog to be shown!
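An added example, not part of the original post and not InstallAware code: a small audit helper that reads the requestedExecutionLevel a setup.exe declares in its embedded manifest and maps it to the three option names described above. The function names and the sample bytes are constructed for illustration, and the raw-byte scan is a heuristic that takes the first manifest it finds rather than walking the PE resource table.

```python
import re
import xml.etree.ElementTree as ET

# Manifest value -> option label used in the post above.
LEVELS = {
    "asInvoker": "Never Elevate",
    "highestAvailable": "Elevate Administrators Only",
    "requireAdministrator": "Always Elevate",
}

def extract_manifest(blob):
    """Heuristic: return the first <assembly>...</assembly> text found in the raw bytes."""
    m = re.search(rb"<assembly\b.*?</assembly>", blob, re.DOTALL)
    return m.group(0).decode("utf-8", errors="replace") if m else None

def requested_level(blob):
    """Return (level, uiAccess) from the embedded manifest, or None if not declared."""
    text = extract_manifest(blob)
    if text is None:
        return None
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    for el in root.iter():
        # Match on the local name so asm.v2 and asm.v3 namespaces both work.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level"), el.get("uiAccess")
    return None

def describe(blob):
    """One-line summary suitable for a build or release check."""
    found = requested_level(blob)
    if found is None:
        return "no requestedExecutionLevel declared"
    level, ui_access = found
    return f"{level} ({LEVELS.get(level, 'unrecognized value')}), uiAccess={ui_access}"

# Constructed sample: fake PE bytes with a manifest embedded, not a real setup.exe.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo></assembly>"
    + b"\x00" * 32
)

if __name__ == "__main__":
    print(describe(SAMPLE))
```

To check a real build, pass the file's bytes (for example `open(path, "rb").read()`) to `describe` and compare the result with the elevation option you selected.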