Rights elevation with UAC - nsis

I've just developed a .NET program which has the ability to patch itself.
I've noticed that the patching process only runs if I choose "run as administrator".
It seems I need to "create and embed an Application Manifest", according to this:
https://msdn.microsoft.com/en-us/library/bb756929.aspx
So my question:
Is it normal for applications like mine (which can patch themselves) to require Admin rights, and is this the route I should be going?
Thanks

If your application does not normally require elevation then I don't recommend that you request it in your manifest because it will be very annoying for your users. Firefox uses an NT service to get around the UAC dialog but I can't really recommend that either unless your updates are very frequent.
I would suggest that you write a little updater application that does the patching. It can request elevation in its manifest and this way the user only has to elevate when there is something to patch. If you don't want another .exe in your bundle, you can execute yourself again with the runas verb when you need to patch.
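
The re-launch with the runas verb suggested in the answer above, sketched in C# as an added example (not code from the original posts). The `--apply-patch` switch, the `ApplyPatch` placeholder and the `updateAvailable` flag are hypothetical; the process stays unelevated until an update actually has to be written.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

static class SelfElevatingUpdater
{
    const int ErrorCancelled = 1223;            // ERROR_CANCELLED: user declined the UAC prompt
    const string PatchSwitch = "--apply-patch"; // hypothetical command-line switch

    static bool IsElevated()
    {
        using (var id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Start a second copy of this executable through ShellExecute with the "runas" verb.
    static bool RunPatchElevated()
    {
        var psi = new ProcessStartInfo
        {
            FileName = Process.GetCurrentProcess().MainModule.FileName,
            Arguments = PatchSwitch,
            Verb = "runas",
            UseShellExecute = true // the verb is only honoured when ShellExecute is used
        };
        try
        {
            using (var child = Process.Start(psi))
            {
                child.WaitForExit();
                return child.ExitCode == 0;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ErrorCancelled)
        {
            return false; // no elevation granted: keep running the current version
        }
    }

    // Placeholder for the real patch step (assumption, not from the page).
    static int ApplyPatch() { Console.WriteLine("Applying patch..."); return 0; }

    static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == PatchSwitch)
            return IsElevated() ? ApplyPatch() : 5; // 5 = ERROR_ACCESS_DENIED
        bool updateAvailable = true; // placeholder for the application's own update check
        if (updateAvailable && !RunPatchElevated())
            Console.WriteLine("Update skipped: elevation was declined or the patch failed.");
        return 0;
    }
}
```

Because the elevated copy runs the same image from disk, this pattern relies on the install directory not being writable by standard users.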

Edited the NSIS script to include this line:
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
This gave the User account full access to the application folder within Program Files, meaning my patcher could write to it without any problems.
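
An added example, not part of the original post: the GrantOnFile line above gives BUILTIN\Users (S-1-5-32-545) write access to a folder under Program Files, so any standard user on the machine can replace binaries that other accounts, including administrators, later run. This C# check lists allow ACEs with write-type rights held by low-privileged groups on an install directory; the class and method names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class InstallDirAclAudit
{
    // Rights that allow adding, replacing or re-permissioning files, plus the
    // GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
    // appear unmapped in inherit-only ACEs.
    const FileSystemRights WriteLike =
        FileSystemRights.WriteData | FileSystemRights.AppendData |
        FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles |
        FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership |
        (FileSystemRights)0x50000000;

    static readonly WellKnownSidType[] LowPrivileged =
    {
        WellKnownSidType.BuiltinUsersSid,      // S-1-5-32-545, the SID granted above
        WellKnownSidType.AuthenticatedUserSid, // S-1-5-11
        WellKnownSidType.WorldSid              // S-1-1-0 (Everyone)
    };

    public static List<string> FindUserWritableAces(string directory)
    {
        var sids = new HashSet<SecurityIdentifier>();
        foreach (var type in LowPrivileged) sids.Add(new SecurityIdentifier(type, null));

        var findings = new List<string>();
        DirectorySecurity acl = new DirectoryInfo(directory).GetAccessControl();
        foreach (FileSystemAccessRule ace in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)ace.IdentityReference;
            if (ace.AccessControlType == AccessControlType.Allow &&
                sids.Contains(sid) && (ace.FileSystemRights & WriteLike) != 0)
                findings.Add(sid.Value + " -> " + ace.FileSystemRights + (ace.IsInherited ? " (inherited)" : " (explicit)"));
        }
        return findings;
    }

    static int Main(string[] args)
    {
        string dir = args.Length > 0 ? args[0] : AppDomain.CurrentDomain.BaseDirectory;
        List<string> findings = FindUserWritableAces(dir);
        foreach (string f in findings) Console.WriteLine("WRITABLE BY NON-ADMINS: " + f);
        return findings.Count == 0 ? 0 : 1;
    }
}
```

A non-zero exit code means at least one such ACE was found, which makes the check usable as a post-install test in a build pipeline.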

Related

How do I get my application to run with administrator rights automatically?

I've made a console application that is supposed to update some registry entries so that I can access 32 bit COM components from a 64 bit application. If I have admin rights, it works great, but I can't seem to get the application run with admin rights out of the box.
This is what I've done.
Create a Windows Console Application.
Add my code.
Right click on my project and select Properties.
Navigate to Configuration Properties > Linker > Manifest File > UAC Execution Level and set to requireAdministrator (/level='requireAdministrator').
It took a lot to figure this out because all of the info on the web is for Visual Studio 2010 or earlier, which required manually creating an XML manifest file and conflicts with the auto-generated one that this creates.
However, this doesn't seem to be enough to get it to run as an admin. It is a real PITA that this information isn't made easily findable. Is there some other step that I am missing? Something like a signing process?
Turns out it is how this mini application is run.
From my main programme, using ShellExecute() or ShellExecuteEx() with the "runas" verb will allow running of this executable with administrator privileges without popping up a UAC dialog.
Running this from the command line however, will result in this mini app being executed in the user's security context, which is what I was doing.

Custom Action exe with elevated privilege for InstallShield Limited edition

I am using the Limited edition and in my installer I have a custom action where I open a cmd.exe and pass a batch file for executing.
The cmd is executing but it's not in the elevated permission. I need to execute this in elevated permission since my batch file has operations which need admin privilege.
I tried many options and the attached screenshots describe what I have done.
Let me know if this is possible with Limited Edition. I am installing on a Windows 10 machine.
The whole "elevated privilege" thing has changed a lot during the last years.
If I were you, I'd put the schema to version 500 (the last one).
You might want to double-check that your batch file is correctly found, as properties in system context can be unavailable. (Use /k so the cmd prompt will not close and you'll be able to see the result of your batch file.)
Also, if UAC is disabled on the client machine, the user won't have the right to elevate your installer, so setting the Require Administrative privilege won't change anything.
In order to be sure, you might want to use an install condition validating the Privileged property.

Unable to update my App programmatically in Win8 - mfc

I am trying to update my App from the sysMenu.
By clicking on Update App.. in the SysMenu, updates start automatically.
It's working fine with XP and Win 7,
but when I try to do the same thing in Win 8, it's not working.
It gives an alert message that "You do not have sufficient rights to run this App",
even if I am logged in as an Administrator user.
Hint: If I manually run that Updates.exe with run as Administrator then it also works.
I have attached the screenshot. I don't know why this happens with Win 8 only.
Edit
I have also referred to these articles.
https://learn.microsoft.com/en-us/previous-versions/bb756929(v=msdn.10)
http://www.developerfusion.com/code/7987/making-a-net-app-run-on-vista-with-administrator-priviledges/
I am definitely sure that there is something wrong with your manifest file. Please embed the manifest with
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
with your Updates.exe.
Even though you have tried it, please try it one more time.
The error dialog seen in the snapshot looks like it's from your app. So there may be some check in your app which is showing this dialog.
You didn't mention if this is your app or not. I assume it's your app, which you have built using the given manifest setting.
You can use Process Explorer to check if it is running with elevated user permissions or not (check when this dialog comes up). It may be some build issue: you are setting this UAC setting for a different project/build, and attempting to run a different executable.
The other thing might be specific user rights in Local Security Policy (I don't know which policy may allow/prevent updates). Or maybe the thread security rights of the thread which is attempting to launch updates.

Inno Setup silent install UAC

I am trying to construct a silent install using Inno Setup. I am using the /SILENT and /VERYSILENT command parameters, and everything works fine, except for the UAC window popping up at the start.
How do I get around this issue?
I have found a few posts loosely mentioning using SignTool, but other sources have said that this will simply change the UAC box to blue with the publisher parameter filled in.
Can anyone help here? The scenario is an installer which will be distributed over the internet to update existing software on a machine silently without any user interaction.
To run a setup elevated without the UAC prompt, you need to run it from something that is already elevated. It would defeat the entire point of UAC if programs could elevate without the user controlling access.
Signing the executable does just show the publisher.
The basic idea is to first install a service that runs under the Local System account, and this service will launch your update installers so that updates can bypass UAC, and don't force the end user to run as admin. If you don't want to develop one on your own, there are 3rd party solutions like this:
http://www.autoupdateplus.com/
When your users first install your application, an "updater service" gets installed, and all subsequent updates can be silent.
(We used to use AutoUpdate+, but later decided to roll our own which just downloads the full installer file of our application and runs it silently. This wasn't possible with AutoUpdate+, we had to create update packages with the changed files, which turned out to be too much hassle, with too much room for error.)
I have found one solution for it: if I temporarily do the following before installing my EXE and then revert it post-installation, I hope my purpose gets solved.
[Registry]
Root: "HKLM"; Subkey: "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; ValueType: dword; ValueName: "ConsentPromptBehaviorAdmin"; ValueData: "0x00000000"
You can install it as User Software. Then you have no problems with UAC because it is not system-wide software. ProgramData must be stored in User Folders and Registry settings must be done under CurrentUser.
Not sure if you like to do that.
But anyway. You do not have to take care of UAC. Companies will have a deployment server with elevated rights so silent deployment will not force a UAC message there.
The UAC message is the normal behavior.

Windows installer security/credential question

Folks,
I've got a strange issue at the moment with a Visual Studio 2010 built MSI...
When I run the msi, it performs a few tasks, then executes a tool we built - this tool then carries out some more advanced work we couldn't do within a custom task.
The issue here is that when the msi starts my custom built tool, it doesn't execute it with the same credentials as I start the MSI with (i.e. my administrative login).
Is there a parameter I can pass to an MSI to enforce this? Or perhaps I can pass the credentials to the process when I start it?
My process is started using Process process = Process.Start(procInfo) nothing fancy. I've also noted the ability to pass in a parameterised username/password/domain, but this will vary depending on the user who is installing - can this be extracted from the installer somehow?
Any help (or questions) welcomed.
Dave
EDIT: for clarity... I'm running the MSI under my domain account, and I want my custom process to run under that 'context'. At present, it starts (regardless of whether I start as administrator or not) under the SYSTEM account (rather than mydomain\me). I'm using Windows Server DataCenter edition if that helps...
I should also add, I think this is a policy issue, but I've no idea what to check/where to check...
By default Windows Installer runs custom actions as the current user. If the MSI is elevated, custom actions will run as the elevated user.
Please note that if you are running the MSI as an Administrator, it doesn't mean your custom actions will have full Administrator privileges. On Vista or higher any user can gain Administrator privileges through elevation.
So if your custom actions need Administrator privileges, make sure they use the msidbCustomActionTypeNoImpersonate flag so they run under the local system account.
If this is not the problem and you just need access to the current user data, can you please give me more details?
