PDA

View Full Version : Force .msi file to request elevated privileges (administrator) on run



clawdtm
01-23-2015, 07:13 AM
Greetings to you, fine people of the Flexera forum,

I come to you in the most troublesome of moments with my BasicMSI project(s). I am aware of (some of) the methods to work around the issue depicted in the thread title, but allow me to clarify why they're not viable options:

* setup.exe with "required execution level" = "Administrator"
this would be the most direct and simple way to deal with the issue, but it's not doable because the installations will be posted on a website for download, and due to security reasons, no .exe files will be uploaded.

* no tweaks to the registry (so no "run as administrator" added to the .msi's contextual menu)
the clients do not allow manual work on their registry (for security reasons, obviously).
also, the reflex will most often be to double-click it, and not [right-click + "run as administrator"]

* the "Require Administrative Privileges" on the General Information\Summary Information Stream panel only come into effect when the install execute starts (evidently). And it doesn't even require the admin login, instead stopping the installation with an [i-forgot-what-the-message-said-but-it's-someting-about-"you-are-not-allowed-because-elevated-privileges-are-required"] message.
That's a big no-no, because there are a lot of dialogs with input data that will result in a lot of wasted time.

* therefore, the only viable solution/workaround that has occured to me so far is running the msi file from an elevated CLI.
... which they would rather avoid.


Basically, what the clients want is:
* .msi file
* when double-clicking it, credentials popup - regardless of the UAC status.

Any thoughts?

I bid you farewell, gentlemen and gentleladies,
Daniel.

MichaelU
01-23-2015, 09:14 AM
This is not how Microsoft designed things to work, so your requirements are putting you in a bad place. At this point I would expect most people to understand that you need administrative privileges to install most software.

It's theoretically possible that you could detect this case inside the UI sequence of your package, and use a custom action to have it relaunch itself elevated, and then exit the outer non-elevated one. But this would be an unusual experience.