Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

UAC prompt from unidentified publisher appears when uninstalling MSIs on Windows Vista and Windows Server 2008


We ran into an issue while testing the final build before we released the Windows Media Center SDK for Windows Vista that I wanted to describe here because it affects all MSI-based setups on Windows Vista and Windows Server 2008.

In preparation for shipping, we digitally signed the MSI for the Windows Media Center SDK.  When an MSI is digitally signed and you try to install it, Windows Vista lists the publisher's information in the User Account Control (UAC) elevation prompt that appears during installation.  In the case of the Windows Media Center SDK setup, the UAC prompt includes the following information:

Windows Media Center SDK
Microsoft Corporation

However, when a user attempts to uninstall the Windows Media Center SDK, the UAC prompt includes the following somewhat scary text:

An unidentified program wants to access your computer

Don't run the program unless you know where it's from or you've used it before.

Unidentified publisher

After some further investigation and discussions with the Windows Installer team, we determined that this behavior happens for all MSI-based setup packages on Windows Vista and Windows Server 2008 during uninstall.  This issue was also previously mentioned on the Windows Vista compatibility team blog.

This happens because, when installing an MSI, Windows Installer caches a copy of the MSI in the %windir%\Installer folder, and that cached copy is what is used during uninstall.  The cached MSI differs from the original MSI because Windows Installer removes unnecessary information in order to save disk space.  Once the original MSI is changed, the digital signature is invalidated.  UAC for Windows Vista and Windows Server 2008 always shows a prompt stating that an unidentified program wants to access your computer when you try to install or uninstall an MSI that does not have a valid digital signature.  For more information about how digital signatures work in Windows Installer, check out this blog post by Heath Stewart.
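To see this on a given machine, the following added example (not code from the original post or from the Windows Installer team) lists each installed MSI product, the cached package under %windir%\Installer that will be used for its uninstall, and the Authenticode status of that cached file. It assumes PowerShell 3.0 or later and the WindowsInstaller.Installer automation object; the helper name Get-MsiProductInfo is hypothetical.

```powershell
# Added example (not from the original post): audit the signature status of the
# cached MSI packages that Windows Installer uses for uninstall.
$installer = New-Object -ComObject WindowsInstaller.Installer
$type      = $installer.GetType()
$getProp   = [System.Reflection.BindingFlags]::GetProperty

function Get-MsiProductInfo {
    # Helper name is hypothetical; wraps the Installer.ProductInfo property.
    param([string]$ProductCode, [string]$Attribute)
    try {
        $type.InvokeMember('ProductInfo', $getProp, $null, $installer, @($ProductCode, $Attribute))
    } catch {
        $null   # attribute unavailable for this product in the current context
    }
}

# Product codes (GUIDs) of every product visible to the current user.
$products = $type.InvokeMember('Products', $getProp, $null, $installer, $null)

$report = foreach ($code in $products) {
    $cached = Get-MsiProductInfo $code 'LocalPackage'
    if (-not $cached -or -not (Test-Path -LiteralPath $cached)) { continue }

    # Status is a SignatureStatus value such as Valid, NotSigned or HashMismatch.
    $sig = Get-AuthenticodeSignature -FilePath $cached
    [pscustomobject]@{
        Product   = Get-MsiProductInfo $code 'InstalledProductName'
        CachedMsi = $cached
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # empty when no signer is present
    }
}

# Per-product detail, then a count of cached packages per signature status.
$report | Sort-Object Status, Product | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

To confirm the cause for a specific product, run Get-AuthenticodeSignature against the original signed MSI as well and compare its Status with the one reported for the cached copy.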

There is currently nothing you can do to avoid this unidentified publisher message when uninstalling an MSI on Windows Vista or Windows Server 2008.  The Windows Installer team is preparing to publish a knowledge base article describing this scenario, but I wanted to let folks know in the meantime in case you run into this issue and try to resolve it.

<update date="12/4/2006"> Added a link to a blog post written by Heath Stewart about digital signatures in Windows Installer. </update>

<update date="6/15/2008"> Added information to indicate that this issue affects Windows Server 2008 in addition to Windows Vista. </update>

 

  • If you are a developer for SharePoint your best friend has been Virtual PC or VMWare. It’s time

  • And no, this is not a joke! If you are like me, you are always looking for THE solution

  • Are there any updates on when this will be fixed?  The MS KB doesn't really give any details on this.  http://support.microsoft.com/kb/929467/en-us

  • Hi Dczyz - I don't have any specific information about when the Windows Installer team will be addressing this issue.  From what I've been able to find, it is something that they've heard a lot of reports of both from other Microsoft teams and from customers and partners, and they are evaluating how best to handle this scenario in a future version of Windows.  I'm sorry I don't have anything more specific to pass on.

  • Hi Aaron, I am facing this same problem on Windows 2008 Server.

    Does this problem exist for Win 2008 server also?

  • Hi Ray3k - Yes, this issue affects Windows Server 2008 in addition to Windows Vista.  I'll update the text of the main blog post to reflect this.

  • Thanks Aaron. Is there a Microsoft KB article documenting this problem for Windows 2008 Server which will help me in addressing this issue?

  • Hi Ray3k - The knowledge base article that I know of for this issue is located at http://support.microsoft.com/kb/929467.  That article does not list Windows Server 2008 as an affected OS, but the same issue affects Windows Server 2008.  There isn't really anything you can do to address this scenario aside from just disregarding the unsigned MSI message and continuing with the uninstall of the product in question.

  • Here are two ideas (for Microsoft) to fix this:

    1) allow developers to compile and distribute their own, signed uninstallers.

    2) when code-signing an msi, sign it in two phases: first, just those components required for the uninstall, and second the whole thing. when the other elements are stripped out, the first phase signature should still apply to the subset.

  • Hi Chaiguy1337 - Windows Installer creates its own cached copy of the MSI when it performs an install.  If you allow Windows Installer to create a default entry in Add/Remove Programs for your MSI, it will use this cached copy.  However, you can use the ARPSYSTEMCOMPONENT property in your MSI and then author some additional registry values that will allow you to redirect Add/Remove Programs to use a different program for uninstall.  You can sign and distribute that uninstall program with your MSI and that should avoid this issue.  There are some trade-offs you need to make when choosing to use this method.  I encourage you to take a look at the blog posts that Heath Stewart has written about this topic at http://blogs.msdn.com/heaths/archive/tags/ARPSYSTEMCOMPONENT/default.aspx before deciding to go this route.
