> More information requests for help....
> (From a different/previous post reply...) You say...
> "Signing will not negatively affect your MSI file use downlevel from
> However it won't suddenly allow you to by-pass UAC prompts. Your
> application will have to be elevated in order to silently run the
> installation without prompts -- either that or have a service perform
> installation for you. "
> What do you mean by 'your application will have to be elevated in
> order to silently run the installation without prompts'? Do you mean
> there is a way to elevate the .msi so it can be run silently?
Elevated means that the program is running with admin power - which
means it was either started by an administrator interactively, or it was
started by the system outside of any user account (invisible), for
example, from a service or a scheduled task.
The important point here is that non-admins cannot install random
An actual administrator will have to in some fashion choose to install
your program, since it needs to muck about with system files and
settings. Standard users just can't do it.
Now, there are many ways an admin can install your program. This doesn't
necessarily mean that an admin will have to physically go to each
computer to perform the installation.
They can use group policy if in a domain environment to push the program
down to people.
http://www.windowsnetworking.com/art...eployment.html
http://technet2.microsoft.com/window....mspx?mfr=true
Or, they can use alternative deployment methods to get the app there.
(It can be as simple as making a program or script that connects to all
the computers, creates a scheduled task that runs as system and launches
an msi file in silent mode located on a network share somewhere).
> Also, you follow that up with 'either that or have a service perform
> the installation for you'. How can this be accomplished, with a
> service? Is there any documentation out there to explain this?
Basically, you create a service program that starts msiexec against your
msi, with the correct flags to run in quiet mode (since a service runs
outside of any user account, no UI is visible to any users).
> The reason I ask these questions it because we currently have an
> install that is basically writing 'stuff' all over the place with
> regards to the registry. It also defaults to an installation location
> under Program Files, which most end users leave unchanged, but is now
> considered sacred in VISTA so if they are not an Admin (this occurs
> with UAC disabled in my testing as well) they receive a message
> indicating the install cannot continue.
Which is how it was in every previous version of Windows NT.
It worked for you before because you made your users administrators (aka
> Our mechanism of updating our client piece is that our application
> looks to an .ini for various information. If the information
> indicates an update is available, our .msi is installed silently.
> This probably will not work any longer in VISTA so I will have to
> search for an alternative here as well.
You need to separate out your update logic into its own program that
will run privileged outside of any specific user account, and so will be
invisible - it cannot show UI.
You could either rewrite your update program as a service, or you could
just use it as-is and register it as a scheduled task that runs under a
Your initial setup program would register the update service or
scheduled task programmatically.
Alternatively, you might look into turning your updates into MSPs
(Windows Installer patches). If you follow the correct procedures, MSPs
can be launched and installed inside of a standard user account.
http://msdn2.microsoft.com/en-us/library/Aa372388.aspx
> I've inherited these various installs since starting my new job last
> December. They basically have to be reworked. It's difficult because
> there is some third party stuff in there that writes to HKLM, etc.,
> which is tough to deal with in locked down environments where
> installing users are not Admins. The workaround in earlier OSs to
> VISTA was to indicate that Power Users would be an acceptable means of
> installation. In Vista, this concept seems to no longer apply really.
You're right, power users aren't supported anymore because there really
is no such thing as a power user from a security perspective. Power
users = administrators.
> If anyone out there knows of where I can turn for possible consulting
> services with regard to installation and security, please let me
> know. It seems as though you really need someone close to or part of
> Microsoft to guide you through.
> THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
Hope this information helps.
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/
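
An added example, not part of the original post: one way to build the scheduled-task updater described in the reply, with a signature check before the silent msiexec run because the package is installed as SYSTEM. The Contoso task name, paths and the thumbprint placeholder are hypothetical, and the script assumes PowerShell is installed and the execution policy allows it to run.

```powershell
# Added example. Contoso names, paths and the thumbprint placeholder are hypothetical.
param(
    [switch]$Register,   # pass once, from the elevated initial setup
    [string]$MsiPath = 'C:\ProgramData\Contoso\Updates\client.msi',
    [string]$ExpectedThumbprint = '<PUBLISHER-CERT-THUMBPRINT>'
)

$TaskName   = 'ContosoClientUpdate'
$ScriptPath = $MyInvocation.MyCommand.Path   # assumed to contain no spaces
$LogDir     = 'C:\ProgramData\Contoso\Logs'

if ($Register) {
    # Register a daily task that runs this script as SYSTEM: no user session, no UI.
    schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST 03:00 /RU SYSTEM /RL HIGHEST `
        /TR "powershell.exe -NoProfile -NonInteractive -File $ScriptPath"
    exit $LASTEXITCODE
}

# From here on the script is running as SYSTEM, started by the task.
if (-not (Test-Path -LiteralPath $MsiPath)) { exit 0 }   # no update staged

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

# The package is about to run with full privileges, so accept it only if its
# Authenticode signature is valid and comes from the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    $line = "$(Get-Date -Format s) rejected $MsiPath (signature status: $($sig.Status))"
    Add-Content -Path (Join-Path $LogDir 'update.log') -Value $line
    exit 1
}

# /qn = no UI, /norestart = never reboot on its own, /l*v = verbose log.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogDir\msi-install.log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
exit $proc.ExitCode   # 0 = success, 3010 = success but a restart is required
```

The script itself and the Updates folder should be writable by administrators only, since anything a standard user could change there would be run or installed as SYSTEM.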