The situation is thus: We create an installer with Inno Setup. The software will be installed by an admin (e.g. when the computer is set up before it is given to the user), but we want normal users to be able to uninstall / update the installation (without admin rights). Adjusting permissions on installed files and running icacls.exe after the installation to grant rights for all users to access the uninstaller executable have gotten me almost to the goal.
The only thing missing is that if the administrator installs the program, it is not visible in Control Panel -> Uninstall a Program - list of other users. The (nonadmin) user has to know where to find the uninst000.exe and run it.
How can I make an Inno Setup install script so that any user (with or without admin rights) can uninstall the program via the Control Panel?
You can use PrivilegesRequired=none.
It's similar to PrivilegesRequired=lowest, except that it will try to write the non-user areas. This among other means that it will write the uninstall key to HKLM.
Note that none value is not officially documented anymore:
https://github.com/jrsoftware/issrc/commit/c42c98eca8dd1eb0fc615e113935b475815a8f98
Another option is that you create the uninstall key in HKLM yourself. Use {uninstallexe} constant to resolve a path to the installer.
Though this will only add the uninstaller key to HKLM. But the uninstaller will still require administrator privileges, as long as the installer was run with administrator privileges. This is built-into the uninstaller and is not configurable in anyway.
This makes sense, as otherwise the uninstaller cannot remove its uninstaller key from HKLM.
Anyway, if you really need to hack it, you can remove a flag from uninsxxx.dat that indicates the installer was run with administrator privileges.
Related
I want to install Miniconda3 on Windows 10 computers used in a school with a developed network thinking and hierarchy of what admin and users can do. I also want to add a short number of special python libraries that fit my teaching needs for the students. The problem I face is that the admin privilege makes it possible for me to install Miniconda3 for all users, but then it is actually not enough to install further libraries for all users using conda. But I can very well install further libraries for myself as single users and special environment. Can someone describe what kind of privilege (more than admin) is needed to install further libraries to all users on Windows 10 machine? How can I describe the privileges needed to this installation for IT-people?
All installation as admin should be done with PowerShell in mode "run as admin" that you can choose by right click on the PowerShell Icon
and make the choice at start.
Then conda environments can be created and various python-library files can be installed.
In order to make the conda-environment accessible and useful for each individual user you have to adjust the security settings for the folder
ProgramData/Minconda3 where all libraries are stored. The details here
depends on the local security arrangements.
Note ProgramData is usually a hidden folder and you need change a setting to see it.
The problem was solved by the IT responsible at the school.
Here is also today some instruction by Anaconda and I take for granted that these instructions also hold for minconda.
https://docs.anaconda.com/anaconda/install/multi-user/
I need to access a network share during the install process, and I also need to edit some registry keys. And finally, I'd like to add some shortcuts to a program that is over the network share.
To edit registry keys, I run the installer with elevated privileges. However, if I do that, I won't be able to see the network share as it is usually created without admin privileges.
There is a way to kill the installer and restart it with admin privileges, and this is fine for copying necessary files, but in order to create shortcuts that point to the network share, I would then need to downgrade my privileges again, in the middle of the Inno Setup step where it copies file, a step which I can't do anything in the middle of.
Any other options for a workaround? The only one that I found was this, which requires a registry edit (fine) and a restart (not as fine).
You can create the shortcut using some command and run it from [Run] section with runasoriginaluser flag.
See How do I create a shortcut via command-line in Windows?
Or do not kill the unelevated installer. Run it only to copy the files. And continue with the unelevated installer.
Also note that you can create a shortcut pointing to a nonexisting file.
My setup project performs a UAC check because it uses regserver. This is OK (and in fact necessary); however it makes all of the installed files be owned by Administrator , and not by the user that originally ran the installer.
This means that the user that ran the installer cannot edit any of the configuration files that are part of my installation.
I don't want to set permission on the files to be writable by Everyone; they just need to be writable by the user that ran the installation.
Does Inno Setup have any way of assigning ownership of certain files (or all of the files) to the user that ran the self-installing executable?
I am not using the line PrivilegesRequired=admin although it seems makes no difference whether or not that line is active. (Presumably because regserver implies this).
I have in hands a third party msi installer that requires to be executed by an administrator. Im trying to change that so it could be installed by a regular user.
I managed to open it with installshield and changed some obvious settings like:
"Require Administrative privileges"
But in your perspective is that even possible? I´m having a hard time changing settings and configurations and until now i´m not having any success.
Im working with InstallShield 2013 Professional and if it is possible, in wich settings do you think i should be focusing?
For instance, running as regular user im now having a 1925 error.
"You do not have sufficient privileges to complete this installation for all users of the machine"
And i feel if i correct the error, others will appear.
Thank you guys!
It's highly unlikely you can do this because it depends on too many things in the MSI package that can change the system. Any files going to restricted locations (program files, common files etc) or changes to HKLM registry keys will require elevation. MSI installs don't violate security - they don't allow a limited user to change areas of the system that are restricted.
If the environment has group policy/Active Directory you can arrange for the MSI to be deployed from a central location via Group Policy, that's the way people get around this. Otherwise on UAC systems the MSI may offer an elevation prompt that allows admin credentials to be entered.
Otherwise the vendor needs to create an install that can be used by limited users.
Well, Yes i need administrative privileges to write to locations that are shared by multiple users. In the filesystem, this means folders like \WINDOWS or \Program Files. In the registry, this means all of the hives which aren't per-user. That´s ok, i don´t need any of this.
Therefore, i thought it could be possible to change the filesystem to something like [userprofile] and rewrite the program to only use the HKEY_CURRENT_USER.
But i suspect it could be more to it than only this.
I am stuck at some UAC issue (I guess).
My question is: What does this UAC Shield Icon on some applications mean? And how would I get this icon to my Inno Setup setup.exe?
Inno Setup installers require Admin Privileges by default (if not customized by installer creator). UAC popup will be triggered if user did not change UAC settings in Windows.
http://www.jrsoftware.org/ishelp/index.php?topic=setup_privilegesrequired
[Setup]: PrivilegesRequired
Valid values:
none, poweruser, admin, or lowest
Default value:
admin
Description:
The effect of this directive depends on which version of Windows the user is running:
As others have said, Inno Setup requires administrator privileges by default, and will trigger the UAC prompt. You can change that with PrivilegesRequired. The problem with this is that it doesn't show the shield icon on the executable.
The best way to do it is to use the Microsoft's Manifest Tool and change the manifest embedded in the executable. It is usually included in Microsoft SDKs, which are free to download from Microsoft. Once you install it, the Manifest Tool is usually located in C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin\mt.exe. Note that some SDKs don't include it. I also found it in https://github.com/eladkarako/mt, if you don't want to install the SDK.
To extract the manifest from the executable, execute this in the command line: "path to mt.exe" -inputresource:"path_filename.exe";#1 -out:"path_filename.exe.manifest"
Now change asInvoker to requireAdministrator in path_filename.exe.manifest (manifest files are actually XMLs, so you can edit them with a text editor)
To put the manifest into the executable: "path to mt.exe" -manifest "path_filename.exe.manifest" -outputresource:"path_filename.exe";1
There you go! The executable now has the shield icon no matter what!
There's another method, which is far less useful. You can change the executable to run as administrator in the registry (same as right clicking it --> Properties --> Compatibility --> checking Run as Administrator on). To do this, create a string value that has the name set as the path+filename of the executable, and contains the data/text RUNASADMIN; the value has to be created in:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers if you want to change it for the current user
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers if you want to change it for all users (this usually requires you to have administrator privileges)
The problem with it is that it doesn't carry over if you move the executable (you have to do it all over again) or give it to someone else (they have to do it, or have to run some tool to do it). This is not useful.