Impersonating the Right Token in Vista

In The NoImpersonate Bit Mistake, Robert Flaming of the Windows Installer team discusses how some custom actions may fail because they impersonate the non-privileged client token and won’t be able to perform some actions. Such a scenario is described in Custom Actions under UAC on Vista. For administrative users on Vista, a client token would typically be the filtered token and wouldn’t have all rights granted that the non-filtered token, or full token, would have. If the client installation was elevated from the start, whether because of a manifest with the requestedExecutionLevel/@level attribute set to either requireAdministrator or highestAvailable; or because the filename without a manifest (like setup.exe) causes an automatic prompt for elevation for backward compatibility.

When a limited user – or “Standard User” in Vista: one who is not part of the Administrators group, or otherwise any other user who would receive both a filtered and full token – requires an elevation of privileges, they receive an Over the Shoulder prompt for someone with administrative credentials. This runs the process, in this example, using the full token of the administrative user. For this reason, Robert explains to use a second, elevated process to advertise the product, then install the product as the standard user account. Not installing in this manner would only be a problem for Over the Shoulder prompts because the privileged token would be the administrative user’s token (for example, a parent) so all user directories and registry hives would be loaded for the administrative user. If an administrative user were to install a product with impersonating custom actions – assuming those custom actions wouldn’t fail – the token still identifies that user so there would be no confusion about which user’s directories and registry hives to load.

Both articles written by Robert Flaming in this post are part of a great series about how Windows Installer works with UAC on Vista. Any installation developer should really give this series a read to understand the restrictions with UAC and how to install their product successfully with UAC enabled on Vista.