none
Running a msi file as administrator on windows7

    Question

  • Hi all,

            I want to run my msi as administrator on windows7. What changes should I make in the msi? How should I make them. I dont want to write another program to run my msi like using shellexecute. I just want to change my msi so that it can run as administrator on windows7.

            Can we use orca tool for this problem? How can I use it. Plz help...

    Monday, April 12, 2010 1:16 PM

Answers

  • I agree with Yi. The point of limited user accounts is to stop them from doing things which they are not supposed to do, and modifying the global system state is one of them.

    In the admin roles which I have worked in, if anything needed to be installed then it would alwas be installed through the admin account after getting permission to install it. Yes it can be annoying, but security isn't there to not be annoying or help out developers, it is there to protect users and and make administrators lives easier. I know most of us want to find an easy way for anything, but there are some things which shouldn't be easy.

    I'll bring it up again, but you rejected my earlier solution of creating a third executable which takes the msi file as a parameter and running it through shell execute using the runas verb. This would actually prompt you for elevation even in limited user accounts but it would require you to provide the administrator account credentials too. This is the best solution that you have available right now.

    There is one other thought, if you can be sure the application never accesses protected locations, then you can rewrite the entire msi file yourself so that it never installs anything into protected locations, that would work under a limited user account.


    Visit my (not very good) blog at http://c2kblog.blogspot.com/
    Friday, April 16, 2010 9:57 AM

All replies

  • MSI files will by default run as administrator.

    «_Superman_»
    Microsoft MVP (Visual C++)
    Monday, April 12, 2010 6:45 PM
  • Unfortunately they don't. When you double click on the msi file itself it will run in the context of the current user and won't prompt even if the file has setup in the name. It is only when a setup program is used to bootstrap the msi file and have it elevated throughout does the install succeed. I have seen setup run from msi files fail myself because of UAC because it isn't elevated from the start.

    I tried giving help in this thread earlier so others can get a better idea on what this person wants.


    Visit my (not very good) blog at http://c2kblog.blogspot.com/
    Monday, April 12, 2010 10:24 PM
  • MSI files will by default run as administrator.

    «_Superman_»
    Microsoft MVP (Visual C++)

                This is not true. MSI file doesnt run as administrator on windows7 by default. We have to give previleges to it by using shellexecute with runas verb.
    Tuesday, April 13, 2010 4:58 AM
  • Hi Abhi

     

    Due to limitations in the existing Windows Installer tools, you may need to edit the Windows Installer package (.msi) files directly. The Orca database editor is a table-editing tool available in the Windows Installer SDK and it can be used to edit your .msi files.

     

    In Order to remove UAC requirement, you can open a .msi file by Orca, click View->Summary Information…, and check the “UAC Compliant”.  Remember, the UAC is start from Windows Vista /2008; there no UAC option exists in the old version orca editor. Just for your reference, the version of the Orca which I am using is 4.0.6001.0. You can download the latest Orca from the latest Windows SDK at http://www.microsoft.com/downloads/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505&displaylang=en

     

    Last but not the least, editing an MSI file can cause serious problems that may leave your system in an unstable state. Microsoft cannot guarantee that problems resulting from the incorrect use of the MSI file editor can be solved.  

     

    Cheers

    Yi Feng Li

    Wednesday, April 14, 2010 7:07 AM
  • Hi,

             I follwed your instructions. But I am installing my msi from local user's account and not from administrator account. So checking UAC compliant doesnt allow installation of my msi from local user's account. I want it to be installed from local user's account only. I s there any other option?

    - Abhi

    Thursday, April 15, 2010 5:53 AM
  • Hi Abhi,

    UAC means User Account Control. This is a security feature of Windows which stops a user with Administrative privileges from running as an Administrator normally.

     

    Please think about this scenario: You are an administrator who runs as a user normally, when you want to do something requires administrative rights, UAC will require your admin rights and make you run as administrator. It is simply because you have the privileges. Therefore “UAC Compliant” helps when you are a user with administrative privileges.

     

    If you want a normal user to get override to be an administrator, this issue is not related to UAC or “Run as Administrator” and editing MSI file attributes. I suggest you focus on the account privileges.

     

    In addition, I think those actions againstwindows security.

     

    Cheers

    Yi Feng Li

     


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Friday, April 16, 2010 3:26 AM
  • I agree with Yi. The point of limited user accounts is to stop them from doing things which they are not supposed to do, and modifying the global system state is one of them.

    In the admin roles which I have worked in, if anything needed to be installed then it would alwas be installed through the admin account after getting permission to install it. Yes it can be annoying, but security isn't there to not be annoying or help out developers, it is there to protect users and and make administrators lives easier. I know most of us want to find an easy way for anything, but there are some things which shouldn't be easy.

    I'll bring it up again, but you rejected my earlier solution of creating a third executable which takes the msi file as a parameter and running it through shell execute using the runas verb. This would actually prompt you for elevation even in limited user accounts but it would require you to provide the administrator account credentials too. This is the best solution that you have available right now.

    There is one other thought, if you can be sure the application never accesses protected locations, then you can rewrite the entire msi file yourself so that it never installs anything into protected locations, that would work under a limited user account.


    Visit my (not very good) blog at http://c2kblog.blogspot.com/
    Friday, April 16, 2010 9:57 AM
  • Instead of using the runas verb you could also mark the executable as requiring administrative privileges in its manifest and use theopen verb for ShellExecute.
    «_Superman_»
    Microsoft MVP (Visual C++)
    Friday, April 16, 2010 2:59 PM
  • I have an admin account named Administrator. Something in what you said gave me the idea (although it wasn't specific), even though the mormal account has admin privileges. It had no problem with the install of the msi file even though I had the normal UAC question at the start of the install. Thanks!
    Paul B Walker
    Friday, February 04, 2011 7:49 PM
  • That is very interesting to me. I work on an application that has a setup project in it. I always run VS As Administrator and the application obviously uses the UAC information of the user that runs the application. The only issue created by this is the fact that applications are not automatically given permission to write into the Program Files folder in Windows 7. I have refactored the application to use the ProgramData folder for the configuration settings, now I need to rewrite the setup project to use the proper folder. This seems to be similar to this issue, in that we are now going to have to modify how legacy applications act in order to ply the same apps in Windows 7.

    Unfortunately, I am not at work today, so I will have to investigate this on Monday.

    Thanks, Paul.

    Friday, February 04, 2011 8:09 PM
  • from Start --> Search programs and files:

    runas /user:domain/adminusername "msiexec /i msiname.msi"

    it will prompt for admin password


    bill
    Tuesday, May 17, 2011 1:52 PM
  • Hello

     

      Right click on Command Prompt, Run as administrator

      msiexec /i "YouMsi.msi"

     

     I have tried this on my computer it works, if you find this solved your problem can you please mark it as answer

     

    Thanks

    Sharath

     

    Sunday, July 24, 2011 11:45 PM
  • Open the command prompt as administator +

    http://technet.microsoft.com/en-us/library/cc759262(v=ws.10).aspx

    Wednesday, November 14, 2012 5:37 PM
  • For run as administrator it is /a not /i

    msiexec /a "YourMsi.msi"

    • Proposed as answer by simuzijin Friday, December 13, 2013 7:39 AM
    Friday, July 26, 2013 2:22 PM
  • Hi Paul,

    >>The only issue created by this is the fact that applications are not automatically given permission >>to write into the Program Files folder in Windows 7. I have refactored the application to use the >>ProgramData folder for the configuration settings, now I need to rewrite the setup project to use >>the proper folder.

    Can u let me know the procedure u have followed.

    Regards,

    Ram

    Friday, January 24, 2014 10:48 AM
  • Sorry for digging up this thread. But I thought just in case you use some really complicated method for doing this. All you have to do is launch cmd as an admin and execute the msi;

    Start > cmd (press "ctrl+shift+enter" to launch as admin) > navigate to the location of your msi file using the "cd" command > run your file ("qwerty.msi" etc.) from here

    Because cmd is already running as admin, the files you open from here will open/launch as an admin.

    Hope this helps!

    Tuesday, January 28, 2014 1:00 AM