Elevated privileges in maintenance mode
I have an application running on x64 Windows 2008. Installation and uninstallation run well, because Windows asks me for allowance (UAC is enabled).
The problem I have is in maintenance mode: there, Windows didn't ask me to elevate (allow the installation), and so some custom actions failed with permission issues.
I have set the .msi package to install for all users (ALLUSERS=1). Also, the package is set to be run only with privileges: property Privileges = 1.
What do I need to set so that I am asked for allowance in maintenance mode?
Thanks in advance.
Regards,
Andreo
Answers (1)
This is expected behavior built into the Windows Installer service that ships with Windows. Since a per-machine (managed) installation required admin privileges to be installed, a successful install of such a package indicates it was approved by an administrator on the machine. Therefore, subsequent maintenance operations (except for a full uninstall) will not present a UAC prompt (MSI always runs in the LocalSystem context, and therefore can perform any modification to the system as needed; it impersonates a launching user when user privileges/context are needed).
You will need to contact Microsoft to ask for this feature request... (good luck ;-)
Workaround: install the package you are building in a per-user context. This can be done by deleting the ALLUSERS property from the Property Manager, and anything else in the package that might set the ALLUSERS property to a value of 1 or 2 (the CustomerInformation dialog's Next button behavior will also need to be changed to not set ALLUSERS).
Comments:
-
source of information : (GOOGLE) http://community.flexerasoftware.com/showthread.php?193420-UAC-in-Maintenance(Change)-Mode - jaybee96 11 years ago
-
Thank you jaybee96 for the answer.
I have a per-machine installation! The problem I have is that during maintenance mode, in an immediate phase after the deferred phase was finished, some custom actions failed with an "access denied" or "permissions denied" error.
I suppose that the LocalSystem account should have permissions to remove some files from the file system, so obviously the installation is not run under the LocalSystem account. Also, starting/stopping the services (I cannot use the regular MSI mechanism to do that) doesn't work. The same permissions error.
In regular installation/uninstallation there is no problem because UAC pops up the "allow" dialog and permits running elevated.
Any suggestion?
Thanks in advance.
Regards,
Andreo - jamsek19 11 years ago -
(Custom) actions that make changes on the system need to be placed in Deferred (between InstallInitialize and InstallFinalize); this way the System Account will execute these actions for you. Immediate actions are run in User context. - jaybee96 11 years ago
-
Thanks for answer.
Yes, I know that, but during the deferred phase I have a limited number of properties and I need to do some kind of workaround: for example, first put the properties into the registry and during the deferred phase read their values from there instead of from memory.
This is not just what I want to do: more code, more possibilities for failures. Also, the installation will be slower. - jamsek19 11 years ago -
If you want to reuse PUBLIC properties, you can use the SecureCustomProperties property. Just add your properties there and you are able to reuse them later (after InstallFinalize), e.g. ProductCode, which is needed for the uninstall action (Major Upgrade) - jaybee96 11 years ago
-
Hi again.
Actually, that's my first implementation, where I got that permission denied stuff.
Currently I solved the issue by moving the problematic action to the deferred phase with elevated permissions. This is not 100% OK because a password from one property is seen in a log file.
Anyway, currently it works!
Thanks for information.
Best regards,
Andreo - jamsek19 11 years ago -
Use the Hidden Property trick to avoid seeing this in the log:
http://msdn.microsoft.com/nl-nl/library/windows/desktop/aa370308(v=vs.85).aspx - jaybee96 11 years ago -
I know that trick.
But in my case it doesn't work: I have a deferred custom action which is declared to run a command declared in a property table. As one of the arguments for the command I also have to quote a property which represents a password.
During installation the whole command is recorded in a log file: all properties are expanded, even though my password property is also quoted in the MsiHiddenProperty property. Also, I run the custom action as a deferred action (because of elevation rights) and these kinds of actions are specially recorded in a log file.
Using this trick works in all other cases: the values of "hidden" properties are represented by dots.
Best regards,
Andreo - jamsek19 11 years ago
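An added example, not part of the thread or of any vendor tooling: a Python check over rows exported from an .msi CustomAction table that flags actions expanding a property listed in MsiHiddenProperties without the HideTarget bit (0x2000), the documented attribute that keeps a custom action's Target out of the log, and type 51 actions that feed a deferred action whose name is not itself hidden. The action and property names in ROWS are constructed, and requiring HideTarget on the type 51 action as well is this check's own policy.

```python
import re

# Documented msidbCustomActionType* bit values
IN_SCRIPT = 0x0400       # deferred: runs from the installation script
NO_IMPERSONATE = 0x0800  # deferred action runs as LocalSystem
HIDE_TARGET = 0x2000     # keep the Target column out of the log
SET_PROPERTY = 51        # base type 51: Source = property to set, Target = value
PROP_REF = re.compile(r"\[([A-Za-z_][A-Za-z0-9_.]*)\]")


def audit(rows, hidden_properties):
    """rows: (Action, Type, Source, Target) tuples from the CustomAction table.
    hidden_properties: the MsiHiddenProperties value (semicolon-separated).
    Returns a sorted list of (action, finding) pairs."""
    hidden = {p for p in hidden_properties.split(";") if p}
    deferred = {action for action, ca_type, _, _ in rows if ca_type & IN_SCRIPT}
    findings = []
    for action, ca_type, source, target in rows:
        secrets = hidden & set(PROP_REF.findall(target or ""))
        if not secrets:
            continue
        if not ca_type & HIDE_TARGET:
            names = ", ".join(sorted(secrets))
            findings.append((action, "Target expands " + names + " without HideTarget"))
        # A type 51 action that sets the property named after a deferred action
        # is passing CustomActionData; that property name must be hidden too.
        if (ca_type & 0x3F) == SET_PROPERTY and source in deferred and source not in hidden:
            findings.append((action, source + " not in MsiHiddenProperties"))
    return sorted(findings)


DEFERRED = IN_SCRIPT | NO_IMPERSONATE
# Constructed sample rows (hypothetical names), shaped like the case in the thread:
# a deferred type 50 action whose command line quotes a password property.
ROWS = [
    ("RunTool", 50 | DEFERRED, "TOOLPATH", '--user svc --password "[SVC_PASSWORD]"'),
    ("SetStopSvcData", 51, "StopSvc", "[INSTALLDIR];[SVC_PASSWORD]"),
    ("StopSvc", 1 | DEFERRED, "HelperDll", "StopService"),
    ("RunToolHidden", 50 | DEFERRED | HIDE_TARGET, "TOOLPATH", '--password "[SVC_PASSWORD]"'),
]

if __name__ == "__main__":
    for action, finding in audit(ROWS, "SVC_PASSWORD"):
        print(action + ": " + finding)
```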