Mark MSI so it has to be run as elevated Administrator account

Ryan picture Ryan · Nov 20, 2008 · Viewed 18.5k times · Source

I have a CustomAction as part of an MSI.

It MUST run as a domain account that is also a member of the local Administrators account.

It can't use the NoImpersonate flag to run the custom action as NT Authority\System as it will not then get access to network resources.

On Vista/2008 with UAC enabled if NoImpersonate is off then it will run as the executing user but with the unprivileged token and not get access to local resources such as .installState. See UAC Architecture

Anyone know of a way to either

  • Force the MSI to run with the elevated token in the same way that running from an elevated command prompt does?

  • Force the CustomAction to run elevated (requireAdministrator in manifest doesn't appear to work)?

  • Work out if UAC is enabled and if it hasn't been ran elevated and if so warn or cancel the installation?

Answer

Ryan picture Ryan · Nov 22, 2008

Answering my own question for any other poor s0d looking at this.

  • You can't add a manifest to an MSI. You could add a SETUP.EXE or bootstrapper to shell the MSI and manifest that with requireAdministrator but that defeats some of the point of using an MSI.

  • Adding a manifest to a CustomAction does not work as it is ran from msiexec.exe

The way I have tackled this is to set the MSIUSEREALADMINDETECTION property to 1 so the Privileged condition actually works and add a Launch Condition for Privileged that gives an error message about running via an elevated command prompt and then quits the installation.

This has the happy side effect - when an msi is ran from an elevated command prompt deferred CustomActions are ran as the current user with a full Administrator token (rather than standard user token) regardless of the NoImpersonate setting.

More details - http://www.microsoft.com/downloads/details.aspx?FamilyID=2cd92e43-6cda-478a-9e3b-4f831e899433

[Edit] - I've put script here that lets you add the MSIUSEREALADMINDETECTION property as VS doesn't have ability to do it and Orca's a pain.