Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Mailbag: How to set the NoImpersonate flag for a custom action in Visual Studio 2005

Mailbag: How to set the NoImpersonate flag for a custom action in Visual Studio 2005

  • Comments 69


I have built an installer using the Visual Studio 2005 setup project wizard.  It installs correctly on Windows XP but fails on Windows Vista.  I investigated and found that the failure on Windows Vista is caused by a custom action that fails with an access denied error.  However, I am running the setup with elevated privileges in Windows Vista.  How can I fix my setup so it will work correctly on Windows Vista?


As Robert Flaming described in this blog post, it is necessary to set the NoImpersonate flag for custom actions that modify the system in Windows Vista.  This was an uninforced architectural intent that is now enforced in Windows Vista.

Unfortunately, there is not a way to directly set this flag for a custom action in the UI for the setup project in the Visual Studio IDE.  In Visual Studio 2005, you can use a post-build step that modifies the MSI to set this bit using a strategy previously described in this blog post.

You can use the following steps to set the NoImpersonate bit in a Visual Studio 2005 setup project:

  1. Download the sample script and extract the contents to the directory that contains the Visual Studio project you are working on
  2. Open the project in Visual Studio 2005
  3. Press F4 to display the Properties window
  4. Click on the name of your setup/deployment project in the Solution Explorer
  5. Click on the PostBuildEvent item in the Properties window to cause a button labeled "..." to appear
  6. Click on the "..." button to display the Post-build Event Command Line dialog
  7. Add the following command line in the Post-build event command line text box:
    cscript.exe "$(ProjectDir)CustomAction_NoImpersonate.js" "$(BuiltOuputPath)"
  8. Build your project in Visual Studio 2005

<update date="1/22/2007"> Updated command line in step 7.  The variable I had specified previously was incorrect.  It actually needs to be spelled wrong using "ouput" instead of "output" in the $(BuiltOuputPath) variable </update>

<update date="3/18/2009"> Fixed broken link to the sample script. </update>


  • Hi Aaron,

    Can I confirm something? I have built a .Net extension for some software called ArcGIS. I built an installer and everything worked fine on XP systems. Someone tried to install it on a Windows 7 system and got the error message. So I am looking at your blog as a solution. What I want to know is if I implement the above does that mean the installer will only work on Vista/Window 7 OS or will it still work on XP systems too?


  • Hi Duncan Hornby - Changing the NoImpersonate flag will not cause any problems on Windows XP.  If that setting is what is causing the problem on Windows 7, then making the change listed in this blog post should allow the MSI to install on any OS.  Please note that you should try to confirm that this really is the root cause of the install failure before trying to make this type of change though.  You can do that by looking at the verbose MSI log file from a failing installation and searching for the string "return value 3".

  • Hi Aaron

    When I build the MSI installer project it shows following error.

    Error 1 'PreBuildEvent' failed with error code '1' 'Unspecified error'.

    Cause of error : Can not find script file "E:\del\AdobeVS2005\AdobeSerivce\DeletePDF\CustomAction_NoImpersonate.js".

    I am running 2 projects at the time of installation.

    Thanks in advance

    Santosh Patil.

  • Hi Santosh - You're going to want to run this script as a post-build step, not a pre-build step.  The script updates the MSI that is produced by the build process, so running it as a pre-build step will not work because the MSI won't be built yet.  I'd suggest making sure that you're following the exact steps listed in this blog post so that it will run the script as a post-build step.  Also, the error message lists the full path where it expects to find the script, so I'd suggest double-checking that the script is saved at that exact path on your computer.

  • Just to confirm that having read the thread all the way through I included the js file into my deployment folder and it all worked first time.  Many thanks all for this thread.  Its a serious time-saver!  A

  • Hello Aaron,

    How do I check if the noimpersonate is set correctly in the MSI. I followed your steps and rebuilt the solution and the build succeeded. Now when the client installs the msi, will they see this .js file copied down anywhere in their system?

  • Hi Naga - No, the .js file will not be copied to the user's system.  It is only used at build time to make some modifications to the .msi file.  To verify the changes in the .msi, you would need to look in the .msi file after running the .js file on it.  Specifically, the settings for the Type column of the CustomAction table will be changed.  You can use the Orca tool in the Windows SDK (msdn.microsoft.com/.../aa370557.aspx) to view the tables in a .msi file.

  • Thanks for your quick reply Aaron. Unfortunatly, this solution is not resolving the issue I have. My msi still errors out with 2869. This error very recentand all was well until occur some Microsoft security patches for XP SP3 was installed( We are yet to determine which security patch as a number of them have been installed.)

  • Hi Naga - If you've updated your MSI and it is still failing, it is possible that the issue described in this blog post is not the root cause of the failure.  Also, the issue related to teh NoImpersonate flag only affects Windows Vista and higher, and should not be an issue on Windows XP.

    I'd suggest looking in the verbose MSI log to see if there is any useful error information to help narrow down the root cause further.  You can use steps like the ones listed at blogs.msdn.com/.../help-me-help-you-if-you-have-setup-bugs.aspx to gather a verbose MSI log file from your installer.

Page 5 of 5 (69 items) 12345
Leave a Comment
  • Please add 3 and 7 and type the answer here:
  • Post