UAC elevation/Administrator password prompting...

For all your non-technical questions.
kjullion
Posts: 7
Joined: Tue Aug 06, 2013 6:16 pm

UAC elevation/Administrator password prompting...

Postby kjullion » Tue Aug 06, 2013 6:45 pm

Hi,
Our company sells a product that is used by customers that may or may not use Group Policy (most probably don't); some customers are in big corporate environments but most are in smaller shops or indeed even single roaming users; some customers might be on WinXP, Win 7 (32 or 64-bit) or Win 8 (32 or 64-bit). The installers of our product might be folks that are Administrators within the domain all the way down to normal limited (non-Administrator) users. In other words, our app runs the full spectrum of install types. Our app doesn't use Windows Services, Administrative Tools, or any significant registry edits. The only registry edit we do currently is to the HKLM so our app appears in the Add/Remove Programs control panel applet.

Our full Setup exe might have a name like Setup_v110000.exe and our patch updates might have a name like Update_v110100.exe. We release a patch executable to some --but not all-- clients sometimes 2-3 times per month. Some clients would even like our update patches to occur silently once the user acknowledges that they would like to update to the latest release. We don't "require" any new data from the user during the installation of the update release, we only want to add or update our existing binary and flat-files. If we "add" a new files they are of the same class of files as what we installed during the full setup.

We want an installer product (we currently use Wise Installation System v9.02) that will allow for one of the following two scenarios, the 2nd would be the ideal, but the 1st would be entirely acceptable.

1) Require the Administrator to do the initial full setup install, and then allow that Administrator to say that future patch Update installations can be executed by the limited or standard user. Because our clients get frequent update releases they cannot be required ensure that an Administrator is available every time they get a new update. So our update releases should NOT do a UAC privilege elevation prompt. It can prompt with a Yes or No, but it cannot require the Administrator password.

Or,
2) Do NOT require the Administrator to do the initial full setup install; so a limited user account will do the initial and all subsequent update installs, without the need for an Administrator password.

Thanks.

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Wed Aug 07, 2013 9:32 am

Dear User,

you can easily integrate your installation needs with InstallAware ... but Unfortunately, you can't override the OS's UAC rules.

This is not an InstallAware limitation, but an OS restriction and it is not possible handle this restriction differently unless you don't alter the system settings.

In other words, if your package during installation modifies restricted system areas, the package must be elevated if UAC restrictions are enabled.

To make an example, just the simple action of storing a file under "Program Files" folder is a system modification and consequently, it is considered an attempt to break the UAC restrictions.

Obviously, same restrictions and rules affect even your application, once it has been installed.

I may suggest you to have a look at the document "Development Requirements for User Account Control (UAC)" available with the following link;
http://msdn.microsoft.com/en-us/library/aa905330.aspx

Hope this helps you.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

kjullion
Posts: 7
Joined: Tue Aug 06, 2013 6:16 pm

Re: UAC elevation/Administrator password prompting...

Postby kjullion » Wed Aug 07, 2013 12:33 pm

Hi Francesco,
Thanks for the pointers. We spent weeks making our application "Vista ready" a few years back. During the execution of our application we don't write any data to any files in the \Program Files\ tree. Obviously, during the installation and subsequent updates/patches of our application we _have to_ freshen up the programs file in that folder. In other words, I think we have done everything we can to make our application a Standard User Application.

But it sounds like you are saying that it will still require UAC privilege elevation unless we alter the System Settings. By that "alter" are you referring to something like Cacls or iCacls, whereby during our install it would ask the Administrator to open up the ACLs for future patches of our application to occur without requiring Admin privileges? Or, what other methods are available to elevate our apps privileges during the Full Setup?

Thanks.

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Thu Aug 08, 2013 6:00 am

Dear User,

exist the possibility to have a look at your current installers in order to have a more clear picture of what it could be really possible?

You can use; support@installaware.com to contact me directly.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Thu Aug 08, 2013 6:00 am

Dear User,

exist the possibility to have a look at your current installers in order to have a more clear picture of what it could be really possible?

You can use; support@installaware.com to contact me directly.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

kjullion
Posts: 7
Joined: Tue Aug 06, 2013 6:16 pm

Re: UAC elevation/Administrator password prompting...

Postby kjullion » Fri Aug 09, 2013 9:43 am

Hi Francesco,
I sent you (at the support@installaware.com alias) our current installer scripts for your analysis.

Thanks in advance for your assistance.

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Fri Aug 09, 2013 10:15 am

... just replied to you by email.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

kjullion
Posts: 7
Joined: Tue Aug 06, 2013 6:16 pm

Re: UAC elevation/Administrator password prompting...

Postby kjullion » Tue Aug 13, 2013 8:31 am

Hi Francesco,
Is there anything new to report regarding the script files that I sent to you via email?

I've been doing a lot of reading on UAC elevation in the meantime and it seems pretty clear when you read the section called "Privileges During Installation" (http://msdn.microsoft.com/en-us/magazine/cc163486.aspx#S5) that, as of Windows Installer 3.1, a standard user should be able to do an MSP patch without requiring privilege elevation as long as that MSP file
is signed by a certificate that was included in the original MSI file.


So even though our "update" installer is updating the files in our "Program Files" folder, it sounds like Windows should not prompt for Admin credentials as long as the initial, full-setup (MSI) file contains the same certificate as the update (MSP) file. Is that the correct conclusion? Again, we don't mind and fully expect that, the user will require Admin privileges during the initial, full-setup (MSI) but we do not want them to have to find an Admin for the monthly updates that they receive from us.

Thanks.

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Tue Aug 13, 2013 11:27 am

Dear Kevin,

I think as you that you posted back on the forum at the same time that I were writing my email to you.

Unfortunately, the link you provided doesn't add any additional possibility to skip UAC restrictions ... otherwise any malicious code could easily bypass UAC rules.

I continue to believe that what I suggested by email it is the only possible way to go through ... by the way, Microsoft itself does the same with their update processes.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

kjullion
Posts: 7
Joined: Tue Aug 06, 2013 6:16 pm

Re: UAC elevation/Administrator password prompting...

Postby kjullion » Tue Aug 13, 2013 11:46 am

Hi Francesco,
I agree that malicious code could bypass UAC, but according to what I understand to be the case the only way that they could do that would be if

a) their MSI package was first installed by someone with Admin creds.
and
b) their later patch (installed without Admin creds) contained the same digital certificate as that which was contained in the original MSI.

I don't know if malware authors would go through the additional expense of getting a digital certificate, and if they did wouldn't they have that certificate revoked pretty quickly once it was determined they were installing malware?

I'm a newbie when it comes to MSI/MSP/Windows Installer, so I could very well be missing some key ingredient, so forgive me if that is the case.

Best regards,
Kevin

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Wed Aug 14, 2013 10:00 am

Dear Kevin,

effectively it seems to be as you said ... but I have to admit that I never used such approach.

I believe that the only way to verify it, it is to use a certificate with the package.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC elevation/Administrator password prompting...

Postby FrancescoT » Fri Aug 16, 2013 7:01 am

Dear Kevin,

I have just verified it and currently InstallAware does not support LUA patching.
It may be added in future versions.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE


Return to “Non-Technical”

Who is online

Users browsing this forum: No registered users and 36 guests