Required Execution Level



Jennifer
06-20-2006, 03:48 PM
Is the "Require Administrative Privileges" property in the Summary Information Stream the same as the "Required Execution Level" property in the release view?? If not what are the differences? If so then why do they not provide the same selections?

DebbieL
06-21-2006, 08:20 AM
The Required Execution Level setting in the Releases view indicates how the Windows Vista application manifest (which InstallShield embeds into the setup launcher if you include one in the release) should be configured. The manifest controls how Windows Vista systems should run the Setup.exe file, any setup prerequisites, and the .msi file on Windows Vista systems.

The Require Administrative Privileges setting in the Summary Information Stream part of the General Information view applies to just the .msi file. It specifies whether administrative privileges are required in order to run the .msi file on Windows Vista. When you configure this setting, InstallShield sets the fourth bit (0x08) of the Summary Information Stream's Word Count property.

Does that help clarify the difference?

Debbie Landers
Macrovision Corporation

Christopher Painter
06-21-2006, 08:47 AM
I gathered that much from reading the context sensitive help in InstallShield. But as someone who hasn't played with Vista/MSI4.0 a whole lot, the real question is what does it `really` mean. That is, in terms of real world use cases and design patterns.

Jennifer
06-21-2006, 10:42 AM
Debbie, if I set Require Administrative Privileges to yes and Required Execution Level to Administrator then how is this different from setting an install condition of Privileged?

Christopher Painter
06-21-2006, 10:48 AM
From what I see if you just set the LaunchCondition to Privileged and you ran the install as an Administrator you would get an error message saying that you don't have privileges.

Set the other flags and the setup.exe's manifest will instruct UAC to run with administrator privileges.

I believe you still want to author both since pre MSI 4.0 won't know what any of this is.

Jennifer
06-21-2006, 10:52 AM
So basically "Privileged" does not apply on Windows Vista and the other two do not apply on platforms that do not run installer 4.0 ?

Christopher Painter
06-21-2006, 10:58 AM
Frankly I'm not 100% sure. I need to start looking over the updated MSI 4.0 documentation that came with IS12 (the What's New topic has links for Using Windows Installer with UAC and Guidelines for Packages).

Jennifer
06-21-2006, 11:13 AM
Oh, I think that setting Privileged and Require Administrative Privileges are the same except setting Require Administrative Privileges is only valid on Windows Installer 4.0.
Required Execution Level tells Vista what privileges the installation package should run with. I guess the installer service no longer has the ability to run itself and installations with elevated privileges on Vista.
Debbie can you clarify?

MichaelU
06-21-2006, 11:18 AM
In my experience, here's what the two settings mean at runtime. If you launch from setup.exe Vista will first evaluate the directions in the manifest. If you don't have a setup.exe, or if setup.exe runs as a limited user (either lowest privileges, or highest available on a limited account), then the client-side MSI process (UI sequence, as it were) will be launched as a limited user. If you have a setup.exe running with administrative privileges then the client-side MSI process will be running with administrative privileges. Microsoft recommends against that as it doesn't follow the principle of least privilege.

Now assuming your client-side MSI process is running as a limited user, the Summary Info stream bit comes into play. If you say the MSI requires administrative privileges (our default in 12 and also for preexisting MSI packages), then when it launches the server-side MSI process (Execute sequence), MSI will prompt for administrative privileges just like any other UAC prompt (or elevate for free if advertised), and the server-side process will run as though you're an administrator. If you say the MSI does not, there will be no prompt, and MSI will run as though it has limited privileges. This will generally lead to failures unless the MSI has been advertised, or, for example, INSTALLDIR is set to a place your limited user account can write (not [ProgramFilesFolder]...).

So to bring it back to recommendations and patterns (does this help?):
If you want a fully limited-user UAC compliant install, you want setup.exe to be set to limited user (or not be used), the MSI to be authored such that it doesn't need to write to anything a limited-user account cannot, and to tell MSI that it doesn't need administrator privileges. If you want to follow the ideas of UAC, but still tend to do machine-wide installs, you'll do the same for setup.exe's level, but your MSI will require administrative privileges, either via prompt or advertisement. If you (presumably for legacy reasons) require administrative privileges early on - particularly for actions in the UI sequence, you will probably want to require administrative execution level on the setup.exe, and then it won't generally matter what you set the MSI to require, at least until someone does an administrative install.
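
Added example, not part of the original thread and not InstallShield or Microsoft code: a small model of the runtime behaviour described in the post above, useful for reviewing which privilege level each installer phase ends up with for a given setup.exe manifest and Word Count value. It assumes Microsoft's documented meaning of Word Count bit 3 (value 8 means elevated privileges are not required); the function names, sample manifest and result labels are constructed for illustration, and the advertised case with that bit set is reported as undetermined because the thread leaves it open.

```python
import xml.etree.ElementTree as ET

WORDCOUNT_NO_ELEVATION = 0x08  # bit 3 of the Word Count summary property

# Constructed sample of a manifest as embedded in a setup launcher.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""

def manifest_level(manifest_xml):
    """Return requestedExecutionLevel/@level, or None if there is no setup.exe manifest."""
    if not manifest_xml:
        return None
    for elem in ET.fromstring(manifest_xml).iter():
        # Compare the local name only, so any trustInfo namespace version matches.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None

def predict(manifest_xml, word_count, user_is_admin, advertised=False):
    """Hypothetical model of the thread's description; not measured on Windows."""
    level = manifest_level(manifest_xml)
    # Client side (UI sequence) is elevated only when setup.exe itself is elevated.
    ui_elevated = level == "requireAdministrator" or (
        level == "highestAvailable" and user_is_admin)
    needs_admin = not (word_count & WORDCOUNT_NO_ELEVATION)
    if ui_elevated:
        # Per the thread, the MSI setting generally stops mattering here.
        execute, prompt = "elevated", "at setup.exe launch"
    elif needs_admin:
        execute = "elevated"
        prompt = "none (advertised)" if advertised else "at execute sequence"
    else:
        # No prompt; outcome for an advertised package is left open in the thread.
        execute, prompt = ("undetermined" if advertised else "limited"), "none"
    return {"ui_sequence": "elevated" if ui_elevated else "limited",
            "execute_sequence": execute, "uac_prompt": prompt}

if __name__ == "__main__":
    for wc in (0x02, 0x0A):  # constructed Word Count values: bit 3 clear, bit 3 set
        print(hex(wc), predict(SAMPLE_MANIFEST, wc, user_is_admin=True))
```

Passing `None` as the manifest models a launch without setup.exe, such as a bare `msiexec /i` or a repair started from the control panel.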

Christopher Painter
06-21-2006, 11:37 AM
MichaelU-

Great post. Needs to be a sticky or KB article. :)

Regarding your comment of MsiExec /i foo.msi will run the client side with reduced privs.... how will msiexec /jm behave?

The question is two parts:

1) Does the administrator have to use UAC to elevate his privs to execute the advertisement command ( I suspect yes )

2) When the user runs the msiexec /i will the advertisement still be respected? Or does the bit in the summary information stream have to be null'd? I assume it would for all the previous packages built for MSI 3.0 to work.

I do Basic MSI's with InstallScript custom actions. Now that Windows XP and Vista come preloaded with MSI and InstallScript doesn't need a runtime bootstrapper, I don't want to have a setup.exe at all.

MichaelU
06-21-2006, 01:08 PM
Thanks; I appreciate the positive feedback! :cool:

As for your question, this is all pure Microsoft behavior territory, and I haven't actually tested it...but here's what I expect.

1. Yes the administrator will have to authenticate/authorize the msiexec process to run with administrator privileges in order to advertise the package. This sounds like a standard administrative-privileges-required UAC scenario.

2. I could see this one going either way. Neither way will the limited user be prompted, but MSI may interpret the bit as saying this package never needs administrator privileges, so (per the spirit of LUA/UAC) don't acquire them. However I could just as easily see the advertisement overriding that saying the package is blessed (say to install to [ProgramFilesFolder]) so elevate deferred actions that run in the system context.

Some quick links:
Is your MSI Package ready for Vista? (http://blogs.msdn.com/robmen/archive/2006/02/22/537106.aspx) (which I see you've already read) seems to suggest that per-action elevation may still occur in the second scenario, but I could be reading way more into that than Rob meant.

Using Windows Installer with UAC (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/using_windows_installer_with_uac.asp) gives Microsoft's definitions for a lot of scenarios, but doesn't seem to describe Bit 3 of the Word Count Summary at all; nor does the Word Count Summary discuss advertisement.

Authoring Packages without the UAC Dialog Box (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/authoring_packages_without_the_uac_dialog_box.asp) also seems to dodge issues of advertisement, but comes closer to specifying behavior.

Christopher Painter
06-21-2006, 02:57 PM
Thanks, I'm mostly just curious at this point. I don't do repackaging anymore so I don't advertise packages or push them with the SMS client as SYSTEM. Our customer ( US Govt ) is also unlikely to adopt Vista for quite some time so I'm probably safe for now.

Christopher Painter
06-21-2006, 09:20 PM
BTW, there is an MSDN Webcast on Vista/MSI 4.0 covering this and other topics on Friday.

MSDN Architecture Webcast: Designing Software Installations for Windows Vista Using Windows Installer 4.0 (Level 200)

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032299358&EventCategory=4&culture=en-US&CountryCode=US

Prakash.m.n
09-01-2006, 07:20 AM
Hi,

This issue is in Basic MSI project.
I am facing a problem while registering a service during repair.
Though I have set the required execution level as "Administrator" and set the summary stream Require Administrative Privileges to "Yes".
This works fine when I do a repair from the image but fails from Control Panel Add/Remove Programs. I understood that msiexec executes the msi package from Control Panel so msiexec is not getting elevated from Control Panel.

Can you please help me out in this regard.

Thanks in advance
Prakash .M.N

MichaelU
09-01-2006, 10:39 AM
Launching from the control panel is equivalent to not launching from the setup.exe, so the setup.exe manifest isn't part of that picture. In this scenario the UI sequence runs as a limited user, as do execute sequence actions that impersonate. The bit in the Summary Info Stream will only ensure that the execute sequence deferred actions set to not impersonate (as well as most standard actions) execute with elevated privileges; it doesn't impact anything else.

Prakash.m.n
09-05-2006, 09:20 AM
Hi,

I am using a deferred action for unregistering the service.
Is this causing the problem ?
How to set the bit in the summary info stream ?
Not clear much about the solution.

Thanks and regards
Prakash.M.N

Prakash.m.n
10-19-2006, 01:35 AM
Hi,

The issue has been solved now. I made the custom action to run in Deferred Execution in System context. Now everything works fine!!!!

Thanks and regards
Prakash.M.N

dcutting
09-28-2007, 02:47 PM
Does anyone know how to get pure InstallScript (not InstallScript MSI) projects to run with elevated privileges?

Any help would be greatly appreciated.

Doug