Installing and Deploying Applications on Vista


Welcome to the User Account Control (UAC) Blog.  We’ll be using this forum to talk about interesting, important, or whimsical aspects of UAC and Vista.


It seems only fitting that we start out the posts with a discussion of installation.  What is the very first thing you’re going to do on your new Vista machine?  Well…install your favorite piece of software, of course.  This is where most of the world will be meeting the Consent Dialog for the first time.  Have you seen it yet? 


Here’s a preview of an early version of the Consent Dialog –


For those of you who don’t know what this is – it’s the new dialog in Windows Vista that tells you when you’re going to do something that requires Administrator privileges and thus needs your approval.  We’ll delve into this more in later posts.  For now, just imagine that you’ll be running everything in Vista as what we call a Standard User and when you want to install something or change a system setting you need to approve it.


So there we were, installing that piece of software you love and the Consent Dialog comes up.  Why did it happen? 


When you install a piece of software, more often than not, you need to copy files from the CD to the Program Files directory.  The Program Files directory is a protected location that Standard Users can’t write to, and because we know that most installs write there, we ask you for permission to run the install with your Administrator privileges.


We’ll get more into the technical details about how we identify applications that are installers and how enterprises can do installations in future posts.


Cheers, Chris


Comments (17)

  1. Vishnu says:

    Is there a sample manifest or program available that can be used to try out UAC functionality?

  2. T Edge says:

    I thought these dialogs were going to ask us for an admin password? Wouldn’t that be advisable?

  3. megame says:

    Dialogs do ask for Admin password when you are not running as administrator.

    The great thing is that you can run as administrator but your apps do not!

    This takes out the requirement to re-enter the admin password time after time after time, and also – home users (some) don’t want passwords (it just further complicates working with a computer, which is pretty complicated already to some).

  4. Andy C says:

    I actually prefer the Permit/Deny choice rather than passwords. It’s all too easy to spoof a password dialog, but spoofing the current UI isn’t going to get you anywhere.

  5. UAC says:

    The behavior of the elevation prompt is configurable via Group Policy and local computer policy (secpol.msc). Available options include: no prompt (this is NOT recommended), prompt for consent, prompt for password, and prompt for password on the secure desktop. We’ll go over this in more detail in a post soon.

  6. Note: LUA (Least User Access) has been

    renamed UAC (User Access Control) which is a much better name…

  7. Callie Jordan says:

    I am greatly pleased to see that this idea of running with least privilege is actually  happening. I’ve been following Aaron Margosis’ posts for a while, and actually running as LUA for everyday usages. Of course, there have been problems…

    I teach (very) beginner computer classes — your mom — and, as much as I wish I could do something to help them be more secure, it’s just toooooo complicated to explain. These guys have trouble with the difference between a file and a folder.

    It’s not going to be that much "easier" in Vista, but at least it’s right out there where they’ll have to learn to deal with it.

    Just like the decision to make Automatic Updates the default was better for the rest of the world, even if the techie types complain about things being shoved down their throats.

  8. dganesh says:

    Setup: Feb CTP 5308 + VS2005

    I have an app that I want to package as an administrator only program (It has to install a Service programmatically and getting full access to the SCM requires Administrative elevation).

  9. dganesh says:

    I wrote a small program to just test the elevation. Here is the code:

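    #include <windows.h>
    #include <stdio.h>

    int main(void)
    {
        /* Request full SCM access; this fails unless the process is running elevated. */
        SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

        if (NULL == schSCManager) {
            /* GetLastError() returns a DWORD, so print it as unsigned long. */
            printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) failed (%lu)\n", GetLastError());
        } else {
            printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) succeeded\n");
            CloseServiceHandle(schSCManager);
        }
        return 0;
    }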

  10. dganesh says:

    Then I created an OpenSCManager.rc file that has:

    #define MANIFEST_RESOURCE_ID 1

    MANIFEST_RESOURCE_ID RT_MANIFEST "OpenSCManager.exe.manifest"

    The manifest file I created has:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft.com:asm.v1" manifestVersion="1.0">
     <assemblyIdentity version="1.0.0.0"
                       processorArchitecture="X86"
                       name="OpenSCManager"
                       type="win32"/>
     <description>IAII – Intel Architecture Instruction Inspector</description>
     <!-- Identify the application security requirements. -->
     <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3">
       <security>
         <requestedPrivileges>
           <requestedExecutionLevel
             level="requireAdministrator"
             uiAccess="false"/>
         </requestedPrivileges>
       </security>
     </trustInfo>
    </assembly>

  11. dganesh says:

    After I build, I can use a Hex Editor to verify that the XML is built into the exe, although I don’t know if that is the PE portion of the binary.

    But when I run this app, it just fails without bringing up the elevation prompt for Admin privileges. I made sure it passes if I right click and select "Run as Administrator".

    Can you please tell me what I am doing wrong?  I would prefer to stick with the manifest option among the other options listed.

    Thanks in advance!

  12. Nick says:

    I think the problem with your manifest is this

    urn:schemas-microsoft.com should be urn:schemas-microsoft-com?
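
A quick way to catch the namespace typo raised in comment 12 before shipping a binary is to lint the manifest file itself. The script below is an added example, not code from the post or from any commenter; the rule of flagging any namespace that does not begin with `urn:schemas-microsoft-com:asm.v`, the helper names, and the sample manifest (constructed, modelled on the one in comment 10) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS_PREFIX = "urn:schemas-microsoft-com:asm.v"   # hyphen before "com", not a dot
LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
CHECKED = {"assembly", "trustInfo", "security", "requestedPrivileges",
           "requestedExecutionLevel"}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def lint_manifest(xml_text):
    """Return (requested_level, problems) for a manifest given as a string."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    level, problems = None, []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if local not in CHECKED:
            continue
        if not ns.startswith(NS_PREFIX):
            problems.append(f"<{local}> is in unexpected namespace '{ns}'")
        elif local == "requestedExecutionLevel":
            level = el.get("level")
            if level not in LEVELS:
                problems.append(f"unknown level '{level}'")
    if level is None:
        problems.append("no requestedExecutionLevel in a recognised namespace")
    return level, problems

# Constructed sample modelled on the manifest posted in comment 10.
BAD = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft.com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="OpenSCManager" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
GOOD = BAD.replace("schemas-microsoft.com", "schemas-microsoft-com")

if __name__ == "__main__":
    for name, text in (("as posted", BAD), ("corrected", GOOD)):
        print(name, lint_manifest(text))
```

Because XML namespaces are compared as exact strings, a single wrong character puts every element in a different namespace, which is why the lint reports each checked element rather than one line.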

  13. Prem Kumar says:

    Our application provides an option to create customized installers on their own using a web-app. All the options for creating an installer, including the installer name, are customizable.

    We use MSI for the installer creation and after the MSI is created we package the whole folder into a self-extractable exe (same name as the installer name). My question is should we embed a manifest for that exe. If yes, then as I said before the installer name is customizable, following is our manifest that we are planning to include.

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

     <assemblyIdentity

       processorArchitecture="x86"

       version="7.1.0.0"

       type="win32"

       name="pkgr.exe"/>

    My questions are

    1) Is name=""/> mandatory?

    2) If the answer is yes, it is going to create a few issues for us

    a. We have to package mt.exe with our product to create the manifest at runtime so that the name tag includes the user-selected name.

    b. And mt.exe requires the .NET framework to be installed on those machines which need to use mt.exe

    3) If name is not mandatory then it is going to create the same issues, except there is no need to replace the name tag at runtime.

  14. Jessica says:

    I have been having problems being able to view videos from the internet since I began using Windows Vista Beta 1. I had Macromedia Flash Player 9 installed and it wasn’t playing them. I tried to install Macromedia Flash Player 8 and I received an error message that read:

    1.Failed to install ISKernel files.

    Make sure you have appropriate priviledges on this machine.

    How can I correct the problem I am having?

  15. Jason Atlas says:

    We are having an issue with our installation, where we are trying to install our application, which has some third party dependencies with it that require a reboot during installation.  The question is this – how do we configure our installer to persist application installation after a reboot of Vista?

    jason

  16. Bob says:

    I have the same problem. I installed Macromedia Dreamweaver.

    After rebooting I tried to open Macromedia Dreamweaver and I get this message:

    "1.Failed to install ISKernel files.

    Make sure you have appropriate priviledges on this machine."

    And then Macromedia Dreamweaver doesn’t even start.

    I’m using Windows Vista Home Premium.

    Maybe somebody can help. Send me an email to nucleusambiens@gmx.de please

    Thanks

  17. Shirley says:

    I am trying to remove a program from my new laptop that has Windows Vista, and it keeps referring me to the system administrator.  I am the system administrator on my computer. How do I do it? It is driving me nuts.