MSI: how to forward MSI rights to custom actions RRS feed

  • Question

  • Hello,

    i'm developping a Full MSI installer for an application.

    I've read that when using an install using setup.exe + .msi files, the setup.exe forwards its executions rights to all other processes it will launch.

    When using a full MSI installation (only a .msi file without any exe), the .msi file keeps its execution rights and all other custom actions will have to manage theirs on their own.

    My question is: is it possible that a custom action gets the .msi rights when executing ? 


    Maxime Bianchi

    • Moved by Ciprian Duduiala Wednesday, April 25, 2012 11:31 AM not in French (From:Visual C++)
    • Moved by Barry Wang Thursday, April 26, 2012 2:36 AM Deployment issue (From:Visual Studio Setup and Installation)
    Wednesday, April 25, 2012 7:07 AM


All replies

  • Hi Maxime,
    The installer runs custom actions with user privileges by default in order to limit the access of custom actions to the system. 
    If you want to run the custom action with elevated privileges, you need to use Deferred Execution Custom Actions and set the msidbCustomActionTypeNoImpersonate bit.
    If the msidbCustomActionTypeNoImpersonate bit is set and a managed application is being installed with administrator permission, the installer may run the custom action with elevated privileges. However, if a user attempts to install the managed application without administrator permission, the installer runs the application with user level privileges regardless of whether msidbCustomActionTypeNoImpersonate is set.
    For more details, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa368073(v=vs.85).aspx, http://msdn.microsoft.com/en-us/library/windows/desktop/aa368268(v=vs.85).aspx and http://blogs.msdn.com/b/cjacks/archive/2006/10/30/deferred-custom-actions-and-permissions-on-windows-vista-with-uac-enabled.aspx.
    If you still have any doubt and concern about this issue, please let us know. If I misunderstood you, please kindly elaborate your question.
    Best Regards.

    Bob Wu [MSFT]
    MSDN Community Support | Feedback to us

    • Marked as answer by mbi37 Thursday, April 26, 2012 12:55 PM
    Thursday, April 26, 2012 9:21 AM
  • Hi,

    Thanks for your informations. I will try this. 

    I read before some info about the msidbCustomActionTypeNoImpersonate  bits on internet, but i did'nt know how to set it and when to set it. 

    Now it is more clear. 



    Maxime Bianchi

    Thursday, April 26, 2012 12:55 PM
  • Visual Studio custom actions are already deferred.

    On UAC systems if you run an MSI:

    1. If you do a Everyone install (per-system) the custom actions run with the local system account, so they are elevated and can do whatever they need to do. The install will show an elevation dialog to elevate.

    2. If you do a Just me (per user) install the custom actions run with the credentials of the installing user but they will not be elevated.

    Phil Wilson

    Thursday, April 26, 2012 4:55 PM
  • I have the ALLUSERS config parameter set to 1 by default, but i still experience the problem
    Thursday, April 26, 2012 6:02 PM
  • You didn't say exactly what the problem was, just that you weren't sure how rights work in custom actions. What's the problem you're seeing?  There's plenty of ways to get errors in custom actions that run with the local sysetm account. They can't access the network, they can't connect to databases with Windows authentiaction unless the database allows the system account, they can't access user profile folders etc.

    Phil Wilson

    Thursday, April 26, 2012 11:17 PM
  • That's right that i did not explained fully my problem.

    fact is that my .msi is launching several external executable files which are needed to configure the final software.

    I was hoping that the .msi file would forward its execution rights so that i won't have any further UAC prompt when launching configuration executables.

    Friday, April 27, 2012 6:23 AM
  • Hi Maxime,

    According to my knowledge, you can avoid UAC prompt when you trying to install a msi, even the msi is signed and the certificate is installed. The UAC prompt because you are trying to install the msi rather than run a custom action.

    Best Regards,

    Bob Wu [MSFT]
    MSDN Community Support | Feedback to us

    Wednesday, May 2, 2012 8:51 AM