UAC Elevation Clarification

Got a problem you cannot solve? Try here.
giaviv
Posts: 2039
Joined: Fri Dec 17, 2010 1:39 pm

UAC Elevation Clarification

Postby giaviv » Wed Jun 15, 2011 4:12 pm

Hey folks,

We recently encountered numerous questions regarding UAC elevation in InstallAware. This thread was written to address some of these common questions.

Let me start off by saying that UAC elevation is a Windows Installer feature. By selecting either UAC elevation option in InstallAware, you are really passing the values down to the installer manifest which is stored in the setup.exe file.

A little bit about User Account Control (UAC) - its a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems (and a more "relaxed" version also present in Windows 7 and Windows Server 2008 R2) . It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

Taking this into account, there are three options for UAC elevation as far as Windows Installer is concerned:
asInvoker (Never Elevate) - The application runs with the same access token as the parent process (Windows Explorer if you clicked on the installer in Windows Explorer). This option is recommended for standard user applications. Put simply, this option means do not show the UAC dialog even if the installer was run by an admin. This way, the setup is forced to run without any privileges.
highestAvailable (Elevate Administrators Only) - The application runs with the highest privileges the current user can obtain. Recommended for mixed-mode applications. Put simply, this option means show the UAC dialog only if the installer was run by an admin. If the installer wasn't run by an admin, the installer wont bother even showing the UAC dialog.
requireAdministrator (Always Elevate) - The application runs only for administrators and requires that the application be launched with the full access token of an administrator. Recommended for administrator only applications. Put simply, this option means always show the UAC dialog, forcing non-admin users to "find" an admin that can elevate for them. This option guarantees maximum privileges for the installer.

Please note that further manipulation of the UAC elevation status is also available at runtime using the Run Program As command.

For example, you might want to run your installer with the highestAvailable UAC elevation, but run an external executable within it with de-elevated privileges. This might be, for example, because you want to limit that application's privileges. Another example would be to make sure that documents or other files from an elevated application don't end up in elevated folders, but in standard user folders.

To de-elevate a program run from an elevated setup, check the "Run under limited user account when UAC is enabled and setup is elevated (de-elevation)" checkbox in the Run Program As command dialog:
runprogramas.png
runprogramas.png (28.58 KiB) Viewed 78438 times


You could also run program "as an administrator" from a non-elevated installer at runtime by using the Run Program As command and providing a user name and password for an elevated-credentials user. That being said, its important to remember that although you can automatically de-elevate an elevated setup (in the manner explained above), you cannot do it the other way around. In other words, if a setup is not run elevated, calling Run Program As with admin credentials will cause the UAC dialog to be shown!
Aviv Giladi
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Product Guides - http://www.installaware.com/publication ... guides.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

Steve
Posts: 118
Joined: Fri Jun 16, 2006 9:51 pm
Location: Canada eh

Re: UAC Elevation Clarification

Postby Steve » Thu Jun 16, 2011 3:12 pm

Aviv,
Thank you very, very much!
This is an excellent post and immediately clarifies the confusion I had around the choice of UAC elevation options within InstallAware.
I hope that this will be added verbatim to the IA Help file!

Thanks again,
-Steve

giaviv
Posts: 2039
Joined: Fri Dec 17, 2010 1:39 pm

Re: UAC Elevation Clarification

Postby giaviv » Thu Jun 16, 2011 3:42 pm

:)
Aviv Giladi
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Product Guides - http://www.installaware.com/publication ... guides.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

shenjige
Posts: 16
Joined: Wed Dec 15, 2010 7:29 pm

Re: UAC Elevation Clarification

Postby shenjige » Wed Aug 03, 2011 1:40 pm

How do you load this "Run Program As" window to tick off the "Run under limited user account when UAC is enabled and setup is elevated (de-elevation)" checkbox? I couldn't find out anywhere to load this window.

Steve
Posts: 118
Joined: Fri Jun 16, 2006 9:51 pm
Location: Canada eh

Re: UAC Elevation Clarification

Postby Steve » Wed Aug 03, 2011 2:08 pm

Shenjige,
You need to be in the MSICode window...
On the right hand side of the MSICode screen is the 'Drag and Drop' column of commands categories.
Locate and expand the 'All' category, then locate 'Run Program As' from the list.
Drag and Drop 'Run Program As' into your the appropriate place in your code where you want the action to occur.

shenjige
Posts: 16
Joined: Wed Dec 15, 2010 7:29 pm

Re: UAC Elevation Clarification

Postby shenjige » Wed Aug 03, 2011 2:45 pm

Hi, Steve,

I am not sure if you really understand my problem now. Let me try to get my problem straight: my application needs to be installed on clients' computers, ideally to the default folder c:\program files\my application folder. The executable file EXE needs to write some files (say text.txt file) in the same folder where the exe file is on the target machine. The process of building the setup file is ok, after I installed the application and ran it. It said "the assess to the file text.txt is denied." It seems that my installed application doesn't have full access of the target folder. I did look at the Run Program As, it seems that is for an extra external program you might need for your application. That is not my case. My question is how I can get full access of my target folder for my application. It didn't have any problem on XP, now I try to make it on win7. I couldn't get it to work. Anything you might be able to take a look?

Thanks!

Gene.

Piet
Posts: 13
Joined: Thu Oct 02, 2008 7:41 am
Location: Pretoria, South Africa
Contact:

Re: UAC Elevation Clarification

Postby Piet » Wed May 02, 2012 3:33 am

Hi Gene

Have you solved your problem yet? I'm having exactly the same problem with writing data files and updating an ini file. I specifically want ALL users to access the same data and ini file.

Thanks
Piet

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC Elevation Clarification

Postby FrancescoT » Tue May 08, 2012 6:58 am

Dear Users,

why do you not use ProgramData folder to store your file?

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

Piet
Posts: 13
Joined: Thu Oct 02, 2008 7:41 am
Location: Pretoria, South Africa
Contact:

Re: UAC Elevation Clarification

Postby Piet » Wed May 09, 2012 4:42 am

Thanks Fransesco. I'm probably just stuck in XP mindset, but I would prefer the installer to choose whichever dir he wants to. I will consider your suggestion for Win 7 users.

Piet

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC Elevation Clarification

Postby FrancescoT » Thu May 10, 2012 9:15 am

:D
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

jdeleon7010
Posts: 27
Joined: Thu Jul 26, 2012 2:23 pm

Re: UAC Elevation Clarification

Postby jdeleon7010 » Wed Jul 23, 2014 9:14 am

is it possible to create an installer that is ran by a standard user, without prompting for an administrator password? All while UAC is enabled?

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC Elevation Clarification

Postby FrancescoT » Wed Jul 23, 2014 11:19 am

I suggest you to have a look at the link below;

http://windows.microsoft.com/en-us/windows-vista/what-is-a-standard-user-account

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

jdeleon7010
Posts: 27
Joined: Thu Jul 26, 2012 2:23 pm

Re: UAC Elevation Clarification

Postby jdeleon7010 » Wed Jul 23, 2014 2:31 pm

I understand the difference between a standard user and an administrator. My question was directed towards Installaware, if it has functionality to support this.

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: UAC Elevation Clarification

Postby FrancescoT » Thu Jul 24, 2014 11:16 am

Dear User,

unfortunately, it doesn't exist a method to overcome it.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

chaoix
Posts: 5
Joined: Fri Mar 04, 2016 1:57 pm

Re: UAC Elevation Clarification

Postby chaoix » Fri Mar 18, 2016 10:59 am

I would like to point out that elevating to administrator is a windows installer limitation, not a Install Aware specific limitation.

If you need your installer to only work on administrator accounts, in the per-user context, set the UAC level to "highestAvailable" and change the "Requires Elevation" property on the next button on the startinstallation dialog to true.


Return to “Technical Support”

Who is online

Users browsing this forum: Google [Bot] and 26 guests