NSIS: Installing an Application to always Run as Administrator

installation uac nsis
MoonKnight picture MoonKnight · Jan 11, 2012 · Viewed 16.3k times · Source

I have a NSIS script that is working well for a large application. I have read many threads all over the web, but cannot get a clear answer to the following: is it possible to install an application using NSIS which, when launched (regardless of the type of user) automatically is run as administrator? If this is possible how can it be achieved?

Note: I am already imposing that the NSIS package must be run as admin using

RequestExecutionLevel admin

I have tried writing the UAC requirement to the applications registry entry using this method but I could not get the RUNASADMIN command to compile as it is not in the required format for NSIS.

Answer

Anders picture Anders · Jan 11, 2012

To ensure that the installer is running as administrator usually I recommend this little example:

Outfile RequireAdmin.exe
RequestExecutionLevel admin ;Require admin rights on NT6+ (When UAC is turned on)

!include LogicLib.nsh

Function .onInit
UserInfo::GetAccountType
pop $0
${If} $0 != "admin" ;Require admin rights on NT4+
    MessageBox mb_iconstop "Administrator rights required!"
    SetErrorLevel 740 ;ERROR_ELEVATION_REQUIRED
    Quit
${EndIf}
FunctionEnd

Page InstFile

Section
SectionEnd

The installed application should perform similar steps if it always needs to run as admin, for a Win32 app that would be:

If by "automatically is run as administrator" you mean bypass the UAC elevation, then no that is not really possible, the whole point of UAC is to allow the user to confirm/deny privileged operations! Some applications get around this by installing a NT service that performs whatever operation they require on behalf of the application. I would not recommend this because it fills the users machine up with services and could weaken the security of the system if the service is not coded correctly.

If you did not write the application you are installing then your options are a bit more limited. If the application does not have a manifest at all you could use a external (myapp.exe.manifest) manifest.

Setting the RUNASADMIN string under the AppCompatFlags key is not really something the installer should be doing, those compatibility options are supposed to be controlled by the user, not applications.

The forum thread you linked to also tell you about two ways to set the SLDF_RUNAS_USER flag on a shortcut, this will not ensure that the application is started as admin in all situations, only when the application is started from the shortcut but it might be your only option if you cannot change the application itself...

Related questions

How to prevent "This program might not have installed correctly" messages on Vista

I have a product setup executable that copies some files to the user's hard drive. It's not a typical installer in the normal sense (it doesn't add anything to the Start Menu or Program Files folders). Each time the setup …

Read More
VS2010 Setup Project - Run As Administrator

I have a VS2010 solution with 2 projects in it - a .NET 4 program, and an installer for it. The Installer is just a simple Setup Project with a prerequisite - .NET Framework 4. The problem is that I need the installer …

Read More
How to allow to allow admins to edit my app's config files without UAC elevation?

My company produces a cross-platform server application which loads its configuration from user-editable configuration files. On Windows, config file ACLs are locked down by our Setup program to allow reading by all users but restrict editing to Administrators and Local …

Read More