Running with elevated privileges
I've read related threads to my problem and pored over the help files but I'm still confused as to the exact way to make my installation work with users that have "limited" access.
Specifically, I have an install that needs to create a registry entry in HKLM. I've tried selecting all Permissions for the registry entry while in the Components section using the domain - [%USERDOMAIN] and user - [LogonUser]. I've also created a property called ISALWAYSINSTALLELEVATED and set it to 1. When I run the install I get a 1406 error.
My app is fairly straightforward: it dumps everything into a single folder, creates a couple of shortcuts, a registry entry, and ODBC. Because it's a commercial product I need to have this installable by anyone with any privileges and can't rely on an admin user setting the proper policies on the machine before hand.
Also, would I also need elevated privileges for installing ODBC and self-registering DLLs?
Any suggestions would be greatly appreciated!
Well the concept is simple and straightforward....
Locations and registries to which a limited user does not have access, one should not expect MSI the same as this would be breach of Windows security. So a limited user has to get elivated privileges from the Administrator for a setup that make changes into this forbidden area. For configuring these privileges refer following article:
However if this article has already been followed, I would request for the complete 1406 error messages you get on installing this setup.
So it sounds like you're saying there's no way to have a limited user do an install without having certain things setup on their machine ahead of time.
I was under the impression from speaking to someone in tech support that you could "temporarily" elevate a limited user's privileges to get the install done.
You CAN temporary elevate user privilege...(the RunAs Service)
However you need Administrator's password.
Moreover, as neo already said, due to windows security, you CAN'T elevate user's privileges with installer.
If it could be possible someone could write a MSI setup that once run by a User, elevates temporarily user's privileges, changes the local machine policies in hklm and then closes itself.
As you can imagine this would be a security flaw, so Users will never be able to gain Administrator's access unless explicitily wanted (like the runas service, or the "execute installations with elevated privileges" policy...or an exploit :P)
Exactly: allowing an arbitrary process to gain elevated privileges would be a recipe for disaster; please see the MSI Help Library page "How do I install a package with elevated privileges as a non-admin?" for a summary of techniques...