How to set application EXE to Run as Administrator after msi install

    Question

  • I am having trouble with certain users' machines after installation, the application needs to be set to run as administrator (don't really know why) and they get an error that tells them that they need to run as administrator... but most don't know how or want to take the time to set the application exe to RunAsAdmin in Windows Explorer. How can I set this on my exe for them during install?

    Thanks Jon Stroh


    Thank You Jon Stroh

    April 4, 2012 13:41

All replies

  • If your executable needs admin privilege to run then it needs an elevation manifest.

    http://community.bartdesmet.net/blogs/bart/archive/2006/10/28/Windows-Vista-_2D00_-Demand-UAC-elevation-for-an-application-by-adding-a-manifest-using-mt.exe.aspx

    http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Without knowing the exact error scenario and message that your users are describing I don't know what the actual problem is, but on UAC systems all users (even admins) run as limited user unless they elevate somehow.


    Phil Wilson

    • Marked as answer by JonStroh, April 10, 2012 4:23
    April 4, 2012 19:21
    Moderator
  • Thanks for your reply Phil. I guess I should be asking WHY my application would need administrator rights. How do I go about (when debugging) finding out the reason for the elevation? It is just a database application using DevExpress components and Windows Forms and SQL Server 2008 Express, on the end users' computers.  Any ideas would be appreciated :). It is protected by Protection Plus .dll's for authentication or ownership.

    Thanks Jon Stroh


    Thank You Jon Stroh

    April 5, 2012 17:02
  • I thought that there was a tool from MS you could run while your app was running, and you'd get a report on all the places it touched that needed privileges higher than ordinary limited user, but I can't find it with a search, dang it.

    ok, found it:

    http://technet.microsoft.com/en-us/library/cc765948(v=ws.10).aspx 

    The way I look at it is that in general you need elevated privilege to update any shared part of the system (because that means you are outside your user sandbox and can impact other users on the system). So that includes folders like Program Files, Common Files and registry locations like HKLM, HKCR. 


    Phil Wilson

    • Marked as answer by JonStroh, April 10, 2012 4:22
    April 5, 2012 18:52
    Moderator
  • So I loaded and ran all the MS Compatibility tool and it shows Elevation necessary as soon as the application runs. I was wondering from your previous post if I install my application to C:\MyApp instead of C:\Program Files\MyApp or C:\Program Files (x86)\MyApp if that would stop all the reasons for the Elevation to run as Admin. OR does using SQL Server cause the elevation as well?

    Thanks Jon Stroh


    Thank You Jon Stroh

    April 7, 2012 14:37
  • Hi Jon,

    You can check this MSDN doc about how UAC works and "Will UAC affect your app?", http://msdn.microsoft.com/en-us/library/aa905330.aspx.   Hope it helps!

    How UAC Works

    This section describes the architectural and functional components of User Account Control (UAC) for application developers.

    New Technologies for Windows Vista

    The following sections detail new technologies for Windows Vista, including the ActiveX Installer Service, installer detection, standard user patching with Windows Installer 4.0, Security Center integration, User Interface Privilege Isolation, and virtualization.

    ActiveX Installer Service

    The ActiveX Installer Service enables enterprises to delegate ActiveX control installation for standard users. This service ensures that routine business tasks are not impeded by failed ActiveX control installations and updates. Windows Vista also includes Group Policy settings that enable IT professionals to define Host URLs from which standard users can install ActiveX controls. The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and some changes in Internet Explorer. The ActiveX Installer Service is an optional component, and will only be enabled on client computers where it is installed.

    Installer Detection

    Installation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by administrator users; this restriction means that standard users do not have sufficient access to install most programs. Windows Vista heuristically detects installation programs and requests administrator credentials or administrator approval in order to run with access privileges. Windows Vista also heuristically detects updater and un-installation programs. A design goal of UAC is to prevent installations from being executed without the user's knowledge and explicit consent since installations write to protected areas of the file system and registry.

    Important   When developing new installation programs, much like developing programs for Windows Vista, be sure to embed an application manifest with an appropriate requestedExecutionLevel element (see Step 6: Create and Embed an Application Manifest in downloadable Help file). When the requestedExecutionLevel is present in the embedded application manifest, it overrides Installer Detection.

    Installer Detection only applies to:

    1. 32 bit executables
    2. Applications without a requestedExecutionLevel
    3. Interactive processes running as a Standard User with UAC enabled

    Before a 32 bit process is created, the following attributes are checked to determine whether it is an installer:

    • Filename includes keywords such as "install," "setup," and "update."
    • Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
    • Keywords in the side-by-side application manifest embedded in the executable.
    • Keywords in specific StringTable entries linked in the executable.
    • Key attributes in the resource file data linked in the executable.
    • Targeted sequences of bytes within the executable.
    Note   The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.

    Ensure that you thoroughly review the entirety of this document, including "Step 6: Create and Embed an Application Manifest" in the downloadable Help File.

    Note   The User Account Control: Detect application installations and prompt for elevation setting must be enabled for installer detection to detect installation programs. This setting is enabled by default and can be configured using the Security Policy Manager snap-in (secpol.msc) or with Group Policy (gpedit.msc).

    General information and an overview of the Microsoft Windows Installer can be found at MSDN (http://go.microsoft.com/fwlink/?LinkId=30197).

    Will UAC Affect Your Application?

    Whether or not your application will be affected by UAC depends on the application's current state. In a number of cases, no changes will be necessary to comply with Microsoft Windows® Security requirements. However, some applications, including line of business (LOB) applications, may require changes to their install, function, and update processes to properly work in a Windows Vista UAC environment.

    For detailed information about "Will UAC Affect your Application?" see the Windows Help file, which can be downloaded here. To find this article in the Help file, expand Fundamentals, expand Secure Applications, expand Developing Secure Applications, and then click User Account Control (UAC).

    Good day!

    Thanks


    Michael Sun [MSFT]
    MSDN Community Support | Feedback to us

    • Marked as answer by JonStroh, April 10, 2012 4:22
    April 10, 2012 3:32
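
The checks discussed in this thread, as an added example that is not part of the original posts or of any Microsoft tool: a Python sketch that reads an EXE's embedded manifest for requestedExecutionLevel and evaluates the statically checkable Installer Detection conditions quoted above (32-bit image, no requestedExecutionLevel, installer-like filename). The function names, the sample manifest and the `fake_pe` bytes are constructed for illustration; a raw byte scan stands in for walking the PE resource directory, and the other heuristics on the list are not modeled.

```python
import re
import struct
import xml.etree.ElementTree as ET

KEYWORDS = ("install", "setup", "update")  # filename keywords quoted in the thread

# Constructed sample manifest requesting elevation (illustrative, not from the thread).
MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""

def pe_is_32bit(data: bytes) -> bool:
    """COFF Machine field 0x014C means x86 (32-bit)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return struct.unpack_from("<H", data, pe_off + 4)[0] == 0x014C

def requested_level(data: bytes):
    """Level named by requestedExecutionLevel in the embedded manifest, or None.
    Simplification: scans raw bytes instead of walking the RT_MANIFEST resource."""
    m = re.search(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", data, re.S)
    if not m:
        return None
    root = ET.fromstring(m.group(0).decode("utf-8", "replace"))
    for el in root.iter():  # match on local name; the namespace varies between toolchains
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None

def installer_detection_candidate(filename: str, data: bytes) -> bool:
    """Static conditions only: 32-bit, no requestedExecutionLevel, installer-like name."""
    if not pe_is_32bit(data) or requested_level(data) is not None:
        return False
    return any(k in filename.lower() for k in KEYWORDS)

def fake_pe(machine: int, manifest: bytes = b"") -> bytes:
    """Constructed header stub for the demo; not a loadable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + manifest

if __name__ == "__main__":
    for name, blob in [("MyAppSetup.exe", fake_pe(0x014C)),
                       ("MyAppSetup.exe", fake_pe(0x014C, MANIFEST)),
                       ("MyApp.exe", fake_pe(0x8664, MANIFEST))]:
        print(name, requested_level(blob), installer_detection_candidate(name, blob))
```

The third condition from the list (an interactive process running as a Standard User with UAC enabled) is a property of the launch, not of the file, so it is outside what this static check can decide.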