nickp
Posts: 8
Joined: Tue Jan 10, 2006 12:08 pm

MSI elevated privileges

Hi there,

My understanding is that an MSI script is run at elevated privileges in order to get it to install on a limited account. One thing I am unsure of though is whether a custom action such as an EXE run at the end of the installation process is also run at the same privilege level?

My problem is that I am having to use a separate EXE in order to perform some post file copy installation operations but some operations are failing on a limited account. Is there any way to increase the privileges for the action or have I just run into a wall?!

Cheers in advance

:?:
Ionut
Posts: 605
Joined: Tue Nov 22, 2005 11:29 am

Hi,
> My understanding is that an MSI script is run at elevated privileges in order to get it to install on a limited account.

This is not quite true. The UI Sequence of an MSI package runs with the privileges of the installing user. When the Execute Sequence is processed, Windows Installer runs a service (on WinNT based systems). However, this service updates the target system based on the privileges of the installing user unless the package is managed (and it is installed by a non-admin). "Managed" means that elevated (system) privileges are used to install the package.

Elevated privileges are allowed for:
- an Administrator that is performing a per-machine install
- packages that have been advertised by an Administrator using the "/jm" or "/ju" command line options of "msiexec"
- an Administrator can set the "AlwaysInstallElevated" policy for the machine and/or the user. This means that the user has elevated privileges during the installation process. This policy should be avoided because it is a security hole.
- an Administrator can advertise an application by publishing the MSI package using Group Policy.

The following Microsoft KB article might provide additional information:
http://support.microsoft.com/default.as ... us;q259459


By default, Custom Actions are also executed with the privileges of the user installing the package. However, if the package is managed (see the cases described above) a Deferred Custom Action can run in system context (with elevated privileges) by setting a special bit in the "Type" field of the "CustomAction" table inside the MSI database. In AI, you can set this bit by selecting the "Deferred with no impersonation" radio button in the Custom Actions page.

> My problem is that I am having to use a separate EXE in order to perform some post file copy installation operations but some operations are failing on a limited account. Is there any way to increase the privileges for the action?

If the EXE is run as a "Deferred with no impersonation" Custom Action and the package is managed (see the cases described above), then the CA will run in system context.

Hope this helps.

Regards,
Ionut
Denis Toma
Advanced Installer Team
http://www.advancedinstaller.com/
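
The "special bit" in the `Type` field described in the reply above can be read straight out of a package's `CustomAction` table. The following is an added example, not part of the original post or of Advanced Installer: it decodes `Type` values using the `msidbCustomActionType*` bit constants from the Windows Installer SDK and lists which actions would run in system context. The sample rows, action names and the `elevated_install` parameter are constructed for illustration.

```python
# Added example: decode the "Type" column of an MSI CustomAction table.
# Bit values are the msidbCustomActionType* constants from the Windows Installer SDK.
IN_SCRIPT = 0x0400       # deferred: runs from the execute script
NO_IMPERSONATE = 0x0800  # deferred only: do not impersonate the installing user
ROLLBACK = 0x0100        # with IN_SCRIPT: rollback action
COMMIT = 0x0200          # with IN_SCRIPT: commit action
KINDS = {1: "DLL", 2: "EXE", 5: "JScript", 6: "VBScript"}

# Constructed sample rows (Action, Type); the names are hypothetical.
ROWS = [
    ("CheckPrereqs", 0x0001),           # immediate DLL
    ("RunPostCopyToolAsUser", 0x0412),  # deferred EXE, impersonates the user
    ("RunPostCopyTool", 0x0C02),        # deferred EXE, no impersonation
    ("CleanupOnRollback", 0x0D01),      # rollback DLL, no impersonation
]


def decode(type_value):
    """Split a CustomAction Type value into the fields that decide its privileges."""
    deferred = bool(type_value & IN_SCRIPT)
    if not deferred:
        scheduling = "immediate"
    elif type_value & ROLLBACK:
        scheduling = "rollback"
    elif type_value & COMMIT:
        scheduling = "commit"
    else:
        scheduling = "deferred"
    return {
        "kind": KINDS.get(type_value & 0x07, "other"),
        "scheduling": scheduling,
        # The no-impersonation bit only has this meaning for in-script actions.
        "impersonates": not (deferred and type_value & NO_IMPERSONATE),
    }


def system_context_actions(rows, elevated_install):
    """Names of actions that would run in system context.

    elevated_install (assumption of this example): True when the package is
    installed in one of the elevated cases listed in the reply above.
    """
    if not elevated_install:
        return []
    return [name for name, t in rows if not decode(t)["impersonates"]]


if __name__ == "__main__":
    for name, t in ROWS:
        print(name, hex(t), decode(t))
```

Anything this returns for an elevated install executes as SYSTEM, so the binaries and scripts behind those actions deserve the same review as a service.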
nickp
Posts: 8
Joined: Tue Jan 10, 2006 12:08 pm

Excellent reply

That's a really informative, excellent reply. Thank you, that has really cleared up a few things in my head :-) Cheers!
