views: 3985

answers: 2

I have a CustomAction as part of an MSI.

It MUST run as a domain account that is also a member of the local Administrators account.

It can't use the NoImpersonate flag to run the custom action as NT Authority\System as it will not then get access to network resources.

On Vista/2008 with UAC enabled if NoImpersonate is off then it will run as the executing user but with the unprivileged token and not get access to local resources such as .installState. See UAC Architecture

Anyone know of a way to either

  • Force the MSI to run with the elevated token in the same way that running from an elevated command prompt does?

  • Force the CustomAction to run elevated (requireAdministrator in manifest doesn't appear to work)?

  • Work out if UAC is enabled and if it hasn't been run elevated and if so warn or cancel the installation?

+1  A: 

requireAdministrator in the manifest should work.

You can also use a bootloader .exe file which can use ShellExecute with "RUNAS" as the verb (you can use 7-zip to create the bootloader, or there are many other ways).

Peter Crabtree
I thought you could only add a manifest to a .EXE, not an MSI? I've added the manifest to the Custom Action's .EXE but it doesn't seem to work, maybe a side effect of running under msiexec?
Ryan
+11  A: 

Answering my own question for any other poor s0d looking at this.

  • You can't add a manifest to an MSI. You could add a SETUP.EXE or bootstrapper to shell the MSI and manifest that with requireAdministrator but that defeats some of the point of using an MSI.

  • Adding a manifest to a CustomAction does not work as it is run from msiexec.exe

The way I have tackled this is to set the MSIUSEREALADMINDETECTION property to 1 so the Privileged condition actually works and add a Launch Condition for Privileged that gives an error message about running via an elevated command prompt and then quits the installation.

This has the happy side effect - when an MSI is run from an elevated command prompt deferred CustomActions are run as the current user with a full Administrator token (rather than standard user token) regardless of the NoImpersonate setting.

More details - http://www.microsoft.com/downloads/details.aspx?FamilyID=2cd92e43-6cda-478a-9e3b-4f831e899433

[Edit] - I've put a script here that lets you add the MSIUSEREALADMINDETECTION property as VS doesn't have the ability to do it and Orca's a pain.

Ryan
If I had enough reputation, I would have edited "set the MSIUSEREALADMINDETECTION property" into "set the MSIUSEREALADMINDETECTION property to 1" so that the reader gets the information without having to follow the link.
Fabien
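The two-step fix from the accepted answer (set MSIUSEREALADMINDETECTION to 1 in the Property table, then add a LaunchCondition on Privileged), as an added PowerShell example. This is not the script Ryan linked and not part of the original thread; it drives the WindowsInstaller.Installer automation object, which is the same interface Orca and WiRunSQL use. It assumes Windows with Windows Installer 4.0 or later, write access to the .msi, that the .msi is not open in Orca at the same time, and that the LaunchCondition table may be absent (Visual Studio setup projects do not always emit it), in which case it is created with the column layout from the LaunchCondition table documentation. The parameter names and the default message text are this example's own.

```powershell
# Added example (not the script linked in the answer above).
# Adds MSIUSEREALADMINDETECTION=1 and a LaunchCondition on Privileged to an
# existing .msi through the WindowsInstaller.Installer automation object.
# Usage:  .\Add-PrivilegedLaunchCondition.ps1 -MsiPath .\Setup.msi
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    [string]$Message = 'Setup must be run from an elevated command prompt ' +
        '(right-click, Run as administrator). The installation will now exit.'
)

# The Installer object exposes no type information PowerShell's method binder
# can use, so every call goes through IDispatch via InvokeMember.
function Invoke-Com($Object, [string]$Name, [string]$Kind = 'InvokeMethod', [object[]]$Arguments = $null) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

# Runs one MSI SQL statement. Parameter markers (?) are bound from $Values via
# a Record, so free text such as the user-facing message is never spliced into
# the SQL string. With -Query, returns the first column of every row fetched.
function Invoke-MsiSql($Installer, $Database, [string]$Sql, [string[]]$Values = @(), [switch]$Query) {
    $view = Invoke-Com $Database 'OpenView' -Arguments @($Sql)
    if ($Values.Count -gt 0) {
        $record = Invoke-Com $Installer 'CreateRecord' -Arguments @($Values.Count)
        for ($i = 0; $i -lt $Values.Count; $i++) {
            # StringData is an indexed property; fields are 1-based.
            Invoke-Com $record 'StringData' 'SetProperty' @(($i + 1), $Values[$i]) | Out-Null
        }
        Invoke-Com $view 'Execute' -Arguments @($record) | Out-Null
    } else {
        Invoke-Com $view 'Execute' | Out-Null
    }
    $rows = @()
    if ($Query) {
        while ($true) {
            $r = Invoke-Com $view 'Fetch'
            if ($null -eq $r) { break }
            $rows += [string](Invoke-Com $r 'StringData' 'GetProperty' @(1))
        }
    }
    Invoke-Com $view 'Close' | Out-Null
    ,$rows
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# 1 = msiOpenDatabaseModeTransact: changes are written only on Commit.
$db = Invoke-Com $installer 'OpenDatabase' -Arguments @((Resolve-Path $MsiPath).Path, 1)

# Step 1: Property table. With MSIUSEREALADMINDETECTION=1 the Privileged
# property reflects the token the install actually has, instead of Windows
# Installer 4.0's assumption that any UAC user can elevate.
$existing = Invoke-MsiSql $installer $db "SELECT Value FROM Property WHERE Property = 'MSIUSEREALADMINDETECTION'" -Query
if ($existing.Count -eq 0) {
    Invoke-MsiSql $installer $db "INSERT INTO Property (Property, Value) VALUES ('MSIUSEREALADMINDETECTION', '1')" | Out-Null
} else {
    Invoke-MsiSql $installer $db "UPDATE Property SET Value = '1' WHERE Property = 'MSIUSEREALADMINDETECTION'" | Out-Null
}

# Step 2: LaunchCondition table. Windows Installer shows Description and aborts
# the install when Condition evaluates to false, i.e. when not Privileged.
$tables = Invoke-MsiSql $installer $db "SELECT Name FROM _Tables WHERE Name = 'LaunchCondition'" -Query
if ($tables.Count -eq 0) {
    # Assumed layout, taken from the LaunchCondition table documentation.
    Invoke-MsiSql $installer $db "CREATE TABLE LaunchCondition (Condition CHAR(255) NOT NULL, Description CHAR(255) NOT NULL LOCALIZABLE PRIMARY KEY Condition)" | Out-Null
}
$conds = Invoke-MsiSql $installer $db "SELECT Condition FROM LaunchCondition WHERE Condition = 'Privileged'" -Query
if ($conds.Count -eq 0) {
    Invoke-MsiSql $installer $db "INSERT INTO LaunchCondition (Condition, Description) VALUES (?, ?)" @('Privileged', $Message) | Out-Null
}

Invoke-Com $db 'Commit' | Out-Null

# Read back rather than assume: this is what Orca would show in the two tables.
$value = Invoke-MsiSql $installer $db "SELECT Value FROM Property WHERE Property = 'MSIUSEREALADMINDETECTION'" -Query
$all   = Invoke-MsiSql $installer $db "SELECT Condition FROM LaunchCondition" -Query
Write-Host "MSIUSEREALADMINDETECTION = $value"
Write-Host "LaunchCondition rows     = $($all -join ', ')"
```

To check the result, run `msiexec /i Setup.msi /l*v install.log` once from a normal command prompt (expect the message and an early exit, with the log's property dump showing PRIVILEGED absent or 0) and once from a prompt started with Run as administrator (expect the install to proceed). The condition only fires on a UAC system when the property is set; without MSIUSEREALADMINDETECTION the Privileged check passes for every user and the launch condition never triggers, which is the trap the accepted answer describes.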