
UAC Elevation Clarification

Posted: Wed Jun 15, 2011 4:12 pm
by giaviv
Hey folks,

We recently encountered numerous questions regarding UAC elevation in InstallAware. This thread was written to address some of these common questions.

Let me start off by saying that UAC elevation is a Windows Installer feature. By selecting either UAC elevation option in InstallAware, you are really passing the values down to the installer manifest which is stored in the setup.exe file.

A little bit about User Account Control (UAC) - it's a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems (and a more "relaxed" version also present in Windows 7 and Windows Server 2008 R2). It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

Taking this into account, there are three options for UAC elevation as far as Windows Installer is concerned:
asInvoker (Never Elevate) - The application runs with the same access token as the parent process (Windows Explorer if you clicked on the installer in Windows Explorer). This option is recommended for standard user applications. Put simply, this option means do not show the UAC dialog even if the installer was run by an admin. This way, the setup is forced to run without any privileges.
highestAvailable (Elevate Administrators Only) - The application runs with the highest privileges the current user can obtain. Recommended for mixed-mode applications. Put simply, this option means show the UAC dialog only if the installer was run by an admin. If the installer wasn't run by an admin, the installer won't bother even showing the UAC dialog.
requireAdministrator (Always Elevate) - The application runs only for administrators and requires that the application be launched with the full access token of an administrator. Recommended for administrator only applications. Put simply, this option means always show the UAC dialog, forcing non-admin users to "find" an admin that can elevate for them. This option guarantees maximum privileges for the installer.

Please note that further manipulation of the UAC elevation status is also available at runtime using the Run Program As command.

For example, you might want to run your installer with the highestAvailable UAC elevation, but run an external executable within it with de-elevated privileges. This might be, for example, because you want to limit that application's privileges. Another example would be to make sure that documents or other files from an elevated application don't end up in elevated folders, but in standard user folders.

To de-elevate a program run from an elevated setup, check the "Run under limited user account when UAC is enabled and setup is elevated (de-elevation)" checkbox in the Run Program As command dialog:
[Image: runprogramas.png]


You could also run a program "as an administrator" from a non-elevated installer at runtime by using the Run Program As command and providing a user name and password for an elevated-credentials user. That being said, it's important to remember that although you can automatically de-elevate an elevated setup (in the manner explained above), you cannot do it the other way around. In other words, if a setup is not run elevated, calling Run Program As with admin credentials will cause the UAC dialog to be shown!
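
An added example, not part of the original post and not InstallAware's own code: a Python check that reads the requestedExecutionLevel from the manifest embedded in a setup.exe and maps it to the three behaviours described in the post above. It assumes the manifest is stored as plain XML text in the file and scans the raw bytes instead of parsing PE resources; the function names and the sample bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Behaviour per level, as described in the post above.
LEVELS = {
    "asInvoker": "never elevate: runs with the parent's token, no UAC dialog",
    "highestAvailable": "elevate administrators only: UAC dialog only for admins",
    "requireAdministrator": "always elevate: UAC dialog for every user",
}

# Assumption: the manifest is uncompressed ASCII/UTF-8 XML inside the file,
# so a byte scan can find it without a PE resource parser.
ASSEMBLY_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)

# Constructed sample: a fake executable header followed by a manifest.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32 +
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo></assembly>" + b"\x00" * 16
)

def requested_levels(blob):
    """Return a list of (level, uiAccess) for every manifest found in blob."""
    found = []
    for match in ASSEMBLY_RE.finditer(blob):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only look like a manifest
        for elem in root.iter():
            # Drop the XML namespace prefix, e.g. '{urn:...asm.v3}requestedExecutionLevel'
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                found.append((elem.get("level", ""), elem.get("uiAccess", "false")))
    return found

def audit(blob):
    """Summarise what the first declared execution level means at launch."""
    levels = requested_levels(blob)
    if not levels:
        return "no requestedExecutionLevel found"
    level, ui_access = levels[0]
    verdict = LEVELS.get(level, "unknown level, review manually")
    flag = " [uiAccess=true]" if ui_access.lower() == "true" else ""
    return f"{level}: {verdict}{flag}"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real installer, pass the file's bytes, for example `audit(open("setup.exe", "rb").read())`.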

Re: UAC Elevation Clarification

Posted: Thu Jun 16, 2011 3:12 pm
by Steve
Aviv,
Thank you very, very much!
This is an excellent post and immediately clarifies the confusion I had around the choice of UAC elevation options within InstallAware.
I hope that this will be added verbatim to the IA Help file!

Thanks again,
-Steve

Re: UAC Elevation Clarification

Posted: Thu Jun 16, 2011 3:42 pm
by giaviv
:)

Re: UAC Elevation Clarification

Posted: Wed Aug 03, 2011 1:40 pm
by shenjige
How do you load this "Run Program As" window to tick off the "Run under limited user account when UAC is enabled and setup is elevated (de-elevation)" checkbox? I couldn't find out anywhere to load this window.

Re: UAC Elevation Clarification

Posted: Wed Aug 03, 2011 2:08 pm
by Steve
Shenjige,
You need to be in the MSICode window...
On the right hand side of the MSICode screen is the 'Drag and Drop' column of commands categories.
Locate and expand the 'All' category, then locate 'Run Program As' from the list.
Drag and Drop 'Run Program As' into the appropriate place in your code where you want the action to occur.

Re: UAC Elevation Clarification

Posted: Wed Aug 03, 2011 2:45 pm
by shenjige
Hi, Steve,

I am not sure if you really understand my problem now. Let me try to get my problem straight: my application needs to be installed on clients' computers, ideally to the default folder c:\program files\my application folder. The executable file EXE needs to write some files (say text.txt file) in the same folder where the exe file is on the target machine. The process of building the setup file is ok, after I installed the application and ran it. It said "the access to the file text.txt is denied." It seems that my installed application doesn't have full access of the target folder. I did look at the Run Program As, it seems that is for an extra external program you might need for your application. That is not my case. My question is how I can get full access of my target folder for my application. It didn't have any problem on XP, now I try to make it on win7. I couldn't get it to work. Anything you might be able to take a look?

Thanks!

Gene.

Re: UAC Elevation Clarification

Posted: Wed May 02, 2012 3:33 am
by Piet
Hi Gene

Have you solved your problem yet? I'm having exactly the same problem with writing data files and updating an ini file. I specifically want ALL users to access the same data and ini file.

Thanks
Piet

Re: UAC Elevation Clarification

Posted: Tue May 08, 2012 6:58 am
by FrancescoT
Dear Users,

Why do you not use the ProgramData folder to store your file?

Regards

Re: UAC Elevation Clarification

Posted: Wed May 09, 2012 4:42 am
by Piet
Thanks Francesco. I'm probably just stuck in XP mindset, but I would prefer the installer to choose whichever dir he wants to. I will consider your suggestion for Win 7 users.

Piet

Re: UAC Elevation Clarification

Posted: Thu May 10, 2012 9:15 am
by FrancescoT
:D

Re: UAC Elevation Clarification

Posted: Wed Jul 23, 2014 9:14 am
by jdeleon7010
Is it possible to create an installer that is run by a standard user, without prompting for an administrator password? All while UAC is enabled?

Re: UAC Elevation Clarification

Posted: Wed Jul 23, 2014 11:19 am
by FrancescoT
I suggest you have a look at the link below:

http://windows.microsoft.com/en-us/windows-vista/what-is-a-standard-user-account

Regards

Re: UAC Elevation Clarification

Posted: Wed Jul 23, 2014 2:31 pm
by jdeleon7010
I understand the difference between a standard user and an administrator. My question was directed towards InstallAware, if it has functionality to support this.

Re: UAC Elevation Clarification

Posted: Thu Jul 24, 2014 11:16 am
by FrancescoT
Dear User,

Unfortunately, there is no method to overcome it.

Regards

Re: UAC Elevation Clarification

Posted: Fri Mar 18, 2016 10:59 am
by chaoix
I would like to point out that elevating to administrator is a Windows Installer limitation, not an InstallAware-specific limitation.

If you need your installer to only work on administrator accounts, in the per-user context, set the UAC level to "highestAvailable" and change the "Requires Elevation" property on the next button on the startinstallation dialog to true.