Innovative Application Packaging Cloud

Innovative Application Packaging Cloud
Automated Packaging Self-Service (APS) is an innovative cloud solution that provides smart application packaging, testing and documentation.

Thursday, October 20, 2011

Controlling UAC and Restart Manager in Windows 7/Windows Vista in windows installer

Controlling UAC in windows installer

  • When an administrator user logs on to a Windows Vista computer, two access tokens are created: a filtered standard user access token, and a full administrator access token. Instead of launching the desktop (Explorer.exe)  with the administrator’s access token, the standard user access token is used. All child processes inherit from this  initial launch of the desktop (the explorer.exe process), which helps limit Windows  attack surface. By default, all users, including administrators, log on to a Windows Vista/7 computer as standard users.
  • Certain Custom actions in MSI  that write to protected files on the destination computer need elevated rights.
  • While the UAC is enabled and such installer is run, the user is prompted in 2 ways:
  1. The user with administrator account is prompted to confirm whether they should continue to run.
  2. The user with standard account is prompted to enter a password for an administrator account in order to continue the installation.
Method 1

However, if you're using WPS 8 and above version - You can elevate the rights temporarily by editing the UAC
Compatibility Settings on the Windows Installer Options (Target System) tab.

Method 2
  1. The UAC prompts up due to security reasons.so by using windows installer tools figure the files/folder/registries requiring security permission for proper execution.
  2. Apply Secdit by creating a security template which contains the needed permission on the folder/file system/registry whatever and apply it with a custom action which calls secedit.
Controlling Restart Manager in windows installer

  1. Files-In-Use functionality is among the countless services that Windows Installer exposes for setup authors to leverage for their application install/maintenance. This functionality lets setup authors display the processes that hold on to files that would be updated by this install. The user would want to shut those processes before continuing with the install to ensure that the install wouldn’t require a reboot. The current Files-In-Use  mechanism involves enumerating the HKEY_PERFORMANCE_DATA key using registry API for information on processes and the PE images that they have held in-use. This works well in scenarios where the process holding the file in use has a visible window that the user can shut down.
  2. Usage of the new Restart Manager API’s will allow Windows Installer to display processes such as: system services, tray applications or applications that have no visible window that require shutting down to avoid a reboot. Additionally, Restart Manager provides additional functionality above-and-beyond enhanced files in use detection, including:
  • Shutting down of all or selected processes.
  • Automatic restart of processes that were shutdown to install the in-use files.
  •  Ability to join a currently running Restart Manager session to consolidate shutdown/reboot across multiple installations.
  • Appilications that had been shut down, have the opportunity to be restarted to a state that they were before being shut down.

Controlling Windows Installer’s interaction with Restart Manager

Windows Installer provides the following properties and policy to let setup authors and IT admins fine tune their setup’s behavior:


MSIRESTARTMANAGERCONTROL: This property specifies whether the Windows Installer package uses the Restart Manager or FilesInUse Dialog functionality.

MSIRMSHUTDOWN: This property determines how applications or services that are affected by an update should be shut down while a reboot is being mitigated.

MSIDISABLERMRESTART: This property determines whether applications or services that are affected by an update are restarted when a reboot is being mitigated by Windows Installer's interaction with Restart Manager

DisableAutomaticApplicationShutdown: This policy specifies whether Windows Installer uses the Restart Manager or FilesInUse Dialog functionality.

In order to control the restart manager is by editing the Settings on the Windows Installer Options (Target System) tab.




No comments: