Vista Forums - View Single Post

permalink · 07-05-2007

On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote:
> > More information requests for help....
>
> > (From a different/previous post reply...) You say...
>
> > "Signing will not negatively affect your MSI file use downlevel from
> > Vista.
> > However it won't suddenly allow you to by-pass UAC prompts. Your
> > application will have to be elevated in order to silently run the
> > installation without prompts -- either that or have a service perform
> > the
> > installation for you. "
>
> > What do you mean by 'your application will have to be elevated in
> > order to silently run the installation without prompts'? Do you mean
> > there is a way to elevate the .msi so it can be run silently?
>
> Elevated means that the program is running with adminpower- which
> means it was either started by an administrator interactively, or it was
> started by the system outside of anyuseraccount(invisible), for
> example, from a service or a scheduled task.
>
> The important point here is that non-admins cannot install random
> machine-wide programs.
>
> An actual administrator will have to in some fashion choose to install
> your program, since it needs to do muck about with system files and
> settings. Standard users just can't do it.
>
> Now, there are many ways an admin can install your program. This doesn't
> necessarily mean that an admin will have to physically go to each
> computer to perform the installation.
>
> They can use group policy if in a domain environment to push the program
> down to people.
>
> http://www.windowsnetworking.com/art...45a873dd-660d-...
>
> Or, they can use alternative deployment methods to get the app there.
> (It can be as simple as making a program or script that connects to all
> the computers, creates a scheduled task that runs as system and launches
> an msi file in silent mode located on a network share somewhere).
>
> > Also, you follow that up with 'either that or have a service perform
> > the installation for you'. How can this be accomplished, with a
> > service? Is there any documentation out there to explain this?
>
> Basically, you create a service program that starts msiexec against your
> msi, with the correct flags to run in quiet mode (since a service runs
> outside of anyuseraccount, no UI is visible to any users).
>
> > The reason I ask these questions it because we currently have an
> > install that is basically writing 'stuff' all over the place with
> > regards to the registry. It also defaults to an installation location
> > under Program Files, which most end users leave unchanged, but is now
> > considered sacred in VISTA so if they are not an Admin (this occurs
> > with UAC disabled in my testing as well) they receive a message
> > indicating the install cannot continue.
>
> Which is how it was in every previous version of Windows NT.
>
> It worked for you before because you made your users administrators (akapowerusers).
>
>
>
> > Our mechanism of updating our client piece is that our application
> > looks to an .ini for various information. If the information
> > indicates an update is available, our .msi is installed silently.
> > This probably will not work any longer in VISTA so I will have to
> > search for an alternative here as well.
>
> You need to separate out your update logic into its own program that
> will run privileged outside of any specificuseraccount, and so will be
> invisible - it cannot show UI.
>
> You could either rewrite your update program as a service, or you could
> just use it as-is and register it as a scheduled task that runs under a
> system account.
>
> Your initial setup program would register the update service or
> scheduled task programmatically.
>
> Alternatively, you might look into turning your updates into MSP's
> (windows installer patches). If you follow the correct procedures, MSP's
> can be launched and installed inside of a standarduseraccount.
>
> http://msdn2.microsoft.com/en-us/library/Aa372388.aspx
>
> > I've inherited these various installs since starting my new job last
> > December. They basically have to be reworked. Its difficult because
> > there is some third party stuff in there that writes to HKLM, etc.,
> > which is tough to deal with in locked down environments where
> > installing users are not Admin's. The workaround in earlier OSs to
> > VISTA was to indicate thatPowerUsers would be an acceptable means of
> > installation. In Vista, this concept seems to no longer apply really.
>
> You're right,powerusers aren't supported anymore because there really
> is no such thing as apoweruserfrom a security perspective.Power
> users = administrators.
>
> > If anyone out there knows of where I can turn for possible consulting
> > services with regard to installation and security, please let me
> > know. It seems as though you really need someone close to or part of
> > Microsoft to guide you through.
>
> > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
>
> Hope this information helps.
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text -
>
> - Show quoted text -

Earlier in our thread, you mentioned:

"However, the Power Users group still exists in Vista, but like the
document says, they are not ACL'ed access to system resources, so you
have to run the special file first to grant them extra access."

What 'special file' do you mean? I guess I need to know what exactly
do I have to do to mimic the Power Users group of XP.
I don't know if I mentioned this before, but I'm getting the no access
to Program Files messages with UAC Disabled. If I install with my
Power User with UAC enabled, I simply have to apply credentials
currently.

Any more info in setting up Power Users as in XP on VISTA would be
GREATLY APPRECIATED!

Thanks for the help/great information so far!!

07-05-2007	#8 (permalink)
Superfreak3 n/a posts	Re: VISTA and Power Users? On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote: > > More information requests for help.... > > > (From a different/previous post reply...) You say... > > > "Signing will not negatively affect your MSI file use downlevel from > > Vista. > > However it won't suddenly allow you to by-pass UAC prompts. Your > > application will have to be elevated in order to silently run the > > installation without prompts -- either that or have a service perform > > the > > installation for you. " > > > What do you mean by 'your application will have to be elevated in > > order to silently run the installation without prompts'? Do you mean > > there is a way to elevate the .msi so it can be run silently? > > Elevated means that the program is running with adminpower- which > means it was either started by an administrator interactively, or it was > started by the system outside of anyuseraccount(invisible), for > example, from a service or a scheduled task. > > The important point here is that non-admins cannot install random > machine-wide programs. > > An actual administrator will have to in some fashion choose to install > your program, since it needs to do muck about with system files and > settings. Standard users just can't do it. > > Now, there are many ways an admin can install your program. This doesn't > necessarily mean that an admin will have to physically go to each > computer to perform the installation. > > They can use group policy if in a domain environment to push the program > down to people. > > http://www.windowsnetworking.com/art...45a873dd-660d-... > > Or, they can use alternative deployment methods to get the app there. > (It can be as simple as making a program or script that connects to all > the computers, creates a scheduled task that runs as system and launches > an msi file in silent mode located on a network share somewhere). > > > Also, you follow that up with 'either that or have a service perform > > the installation for you'. How can this be accomplished, with a > > service? Is there any documentation out there to explain this? > > Basically, you create a service program that starts msiexec against your > msi, with the correct flags to run in quiet mode (since a service runs > outside of anyuseraccount, no UI is visible to any users). > > > The reason I ask these questions it because we currently have an > > install that is basically writing 'stuff' all over the place with > > regards to the registry. It also defaults to an installation location > > under Program Files, which most end users leave unchanged, but is now > > considered sacred in VISTA so if they are not an Admin (this occurs > > with UAC disabled in my testing as well) they receive a message > > indicating the install cannot continue. > > Which is how it was in every previous version of Windows NT. > > It worked for you before because you made your users administrators (akapowerusers). > > > > > Our mechanism of updating our client piece is that our application > > looks to an .ini for various information. If the information > > indicates an update is available, our .msi is installed silently. > > This probably will not work any longer in VISTA so I will have to > > search for an alternative here as well. > > You need to separate out your update logic into its own program that > will run privileged outside of any specificuseraccount, and so will be > invisible - it cannot show UI. > > You could either rewrite your update program as a service, or you could > just use it as-is and register it as a scheduled task that runs under a > system account. > > Your initial setup program would register the update service or > scheduled task programmatically. > > Alternatively, you might look into turning your updates into MSP's > (windows installer patches). If you follow the correct procedures, MSP's > can be launched and installed inside of a standarduseraccount. > > http://msdn2.microsoft.com/en-us/library/Aa372388.aspx > > > I've inherited these various installs since starting my new job last > > December. They basically have to be reworked. Its difficult because > > there is some third party stuff in there that writes to HKLM, etc., > > which is tough to deal with in locked down environments where > > installing users are not Admin's. The workaround in earlier OSs to > > VISTA was to indicate thatPowerUsers would be an acceptable means of > > installation. In Vista, this concept seems to no longer apply really. > > You're right,powerusers aren't supported anymore because there really > is no such thing as apoweruserfrom a security perspective.Power > users = administrators. > > > If anyone out there knows of where I can turn for possible consulting > > services with regard to installation and security, please let me > > know. It seems as though you really need someone close to or part of > > Microsoft to guide you through. > > > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!! > > Hope this information helps. > > -- > -JB > Microsoft MVP - Windows Shell/User > Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text - > > - Show quoted text - Earlier in our thread, you mentioned: "However, the Power Users group still exists in Vista, but like the document says, they are not ACL'ed access to system resources, so you have to run the special file first to grant them extra access." What 'special file' do you mean? I guess I need to know what exactly do I have to do to mimic the Power Users group of XP. I don't know if I mentioned this before, but I'm getting the no access to Program Files messages with UAC Disabled. If I install with my Power User with UAC enabled, I simply have to apply credentials currently. Any more info in setting up Power Users as in XP on VISTA would be GREATLY APPRECIATED! Thanks for the help/great information so far!!
My System Specs