Welcome to MSDN Blogs Sign in | Join | Help

Installing and Deploying Applications on Vista

Welcome to the User Account Control (UAC) Blog.  We'll be using this forum to talk about interesting, important, or whimsical aspects of UAC and Vista.

It seems only fitting that we start out the posts with a discussion of installation.  What is the very first thing you're going to do on your new Vista machine?  Well...install your favorite piece of software, of course.  This is where most of the world will be meeting the Consent Dialog for the first time.  Have you seen it yet? 

Here's a preview of an early version of the Consent Dialog -

For those of you who don't know what this is – it's the new dialog in Windows Vista that tells you when you’re going to do something that requires Administrator privileges and thus needs your approval.  We’ll delve into this more in later posts.  For now, just imagine that you'll be running everything in Vista as what we call a Standard User and when you want to install something or change a system setting you need to approve it.

So there we were, installing that piece of software you love and the Consent Dialog comes up.  Why did it happen? 

When you install a piece of software, more often than not, you need to copy files from the CD to the Program Files directory.  The Program Files directory is a protected location that Standard Users can't write to, and because we know that most installs write there, we ask you for permission to run the install with your Administrator privileges.

We'll get more into the technical details about how we identify applications that are installers and how enterprises can do installations in future posts.

Cheers, Chris

Published Tuesday, December 20, 2005 11:32 AM by User Account Control Team

Comments

# re: Installing and Deploying Applications on Vista

Thursday, December 29, 2005 10:20 AM by Vishnu
Is there a sample manifest or program available that can be used to try out UAC functionality?

# re: Installing and Deploying Applications on Vista

Sunday, January 15, 2006 12:55 AM by T Edge
I thought these dialogs were going to ask us for an admin password? Wouldn't that be advisable?

# re: Installing and Deploying Applications on Vista

Monday, January 16, 2006 6:54 AM by megame
Dialogs do ask for Admin password when you are not running as administrator.

The great thing is that you can run as administrator but you app's do not!

This takes-out requirement to re-enter admin password time after time after time, and also - home users (some) don't want passwords (it just further complicates working with computer, which is pretty complicated already to some).

# re: Installing and Deploying Applications on Vista

Tuesday, January 17, 2006 4:41 AM by Andy C
I actually prefer the Permit/Deny choice rather than passwords. It's all too easy to spoof a password dialog, but spoofing the current UI isn't going to get you anywhere.

# re: Installing and Deploying Applications on Vista

Wednesday, January 18, 2006 5:54 PM by User Account Control Team
The behavior of the elevation prompt is configurable via Group Policy and local computer policy (secpol.msc). Available options include: no prompt (this is NOT recommended), prompt for consent, prompt for password, and prompt for password on the secure desktop. We'll go over this in more detail in a post soon.

# Vista LUA (or now UAC)

Monday, January 30, 2006 7:10 AM by Dinis Cruz @ Owasp .Net Project

Note: LUA (Least User Access) has been
renamed UAC (User Access Control) which is a much better name...

# re: Installing and Deploying Applications on Vista

Friday, February 17, 2006 10:21 PM by Callie Jordan
I am greatly pleased to see that this idea of running with least privilege is actually  happening. I've been following Aaron Margosis' posts for a while, and actually running as LUA for everyday usages. Of course, there have been problems...

I teach (very) beginner computer classes --- your mom -- and, as much as I wish I could do something to help them be more secure, it's just toooooo complicated to explain. These guys have trouble with the difference between a file and a folder.

It's not going to be that much "easier" in Vista, but at least it's right out there where they'll have to learn to deal with it.

Just like the decision to make Automatic Updates the default was better for the rest of the world, even if the techie types complain about things being shoved down their throats.

# Problem with elevation request through manifest

Wednesday, March 01, 2006 7:58 PM by dganesh
Setup: Feb CTP 5308 + VS2005

I have an app that I want to package as an administator only program (It has to install a Service programmatically and getting full access to the SCM requires Administrative elevation).

# Problem with elevation request through manifest (contd)

Wednesday, March 01, 2006 7:58 PM by dganesh
I wrote a small program to just test the elevation. Here is the code:

int main(void)
{
SC_HANDLE schSCManager;

schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

if (NULL == schSCManager)
printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) failed (%d)\n", GetLastError());
else
printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) succeeded\n");

return 0;
}

# Problem with elevation request through manifest (contd)

Wednesday, March 01, 2006 7:59 PM by dganesh

Then I created an OpenSCManager.rc file that has:

#define MANIFEST_RESOURCE_ID 1
MANIFEST_RESOURCE_ID RT_MANIFEST "OpenSCManager.exe.manifest"



The manifest file I created has:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft.com:asm.v1" manifestVersion="1.0">
 <assemblyIdentity version="1.0.0.0"
                   processorArchitecture="X86"
                   name="OpenSCManager"
                   type="win32"/>
 <description>IAII - Intel Architecture Instruction Inspector</description>
 <!-- Identify the application security requirements. -->
 <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3">
   <security>
     <requestedPrivileges>
       <requestedExecutionLevel
         level="requireAdministrator"
         uiAccess="false"/>
     </requestedPrivileges>
   </security>
 </trustInfo>
</assembly>

# Problem with elevation request through manifest (ended)

Wednesday, March 01, 2006 7:59 PM by dganesh
After I build, I can use a Hex Editor to verify that the XML is built into the exe, although I don't know if that is the PE portion of the binary.

But when I run this app, it just fails without bringing up the elevation prompt for Admin privileges. I made sure it passes if I right click and select "Run as Administrator".

Can you please tell me what I am doing wrong?  I would prefer to stick with the manifest option among the other options listed.

Thanks in advance!

# re: Installing and Deploying Applications on Vista

Tuesday, May 30, 2006 1:47 PM by Nick
I think the problem with your manifest is this
urn:schemas-microsoft.com should be urn:schemas-microsoft-com?

# re: Installing and Deploying Applications on Vista

Monday, July 17, 2006 3:02 AM by Prem Kumar
Our application provides option to create customized installers on there own using web-app. All the option of creating an installer including the installer name is customizable.

We use MSI for the installer creation and after the MSI is created we package the whole folder into a self- extractable exe (same name has of installer name). My question is should we embed a manifest for that exe. If yes, then as I said before the installer name is customizable, following is our manifest that we are planning to include.

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <assemblyIdentity
   processorArchitecture="x86"
   version="7.1.0.0"
   type="win32"
   name="pkgr.exe"/>

My questions are

1) Is name=""/> is mandatory?

2) If answer yes, it is going to create few issues to us

a. We have to package mt.exe with our product to create manifest at runtime so that the name tag included the user selected name.
b. And mt.exe requires .NET framework to be installed in those machines which needs to use mt.exe

3) If name is not mandatory then it is going to create same issues for except no need to replace the name tag at runtime.

# re: Installing and Deploying Applications on Vista

Tuesday, November 07, 2006 4:44 AM by Jessica

I have been having problems being able to view videos from the internet since I began using Windows Vista Beta 1. I had Macromedia Flash Player 9 installed and it wasn't playing them. I tried to install Macromedia Flash Player 8 and I received an error message that read:

1.Failed to install ISKernel files.

Make sure you have appropriate priviledges on this machine.

How can I correct the problem I am having?

# re: Installing and Deploying Applications on Vista

Tuesday, February 20, 2007 9:46 AM by Jason Atlas

We are having an issue with our installation, where we are trying to install our application, which has some third party dependencies with it that require a reboot during installation.  The question is this - how do we configure our installer to persist application installation after a reboot of Vista?

jason

# re: Installing and Deploying Applications on Vista

Sunday, February 25, 2007 1:15 PM by Bob

I have the same problem. I installed Macromedia Dreamweaver.

After rebooting i tried to open Macromedia Dreamweaver and i get this message:

"1.Failed to install ISKernel files.

Make sure you have appropriate priviledges on this machine."

And then Macromedia Dreamweaver doesnt even start.

Im using Windows Vista Home Premium.

Maybe somebody can help. Send me an email to nucleusambiens@gmx.de please

Thanks

# re: removing a program that you have installed from disc

Monday, March 19, 2007 9:26 AM by Shirley

I am trying to remove a program from my new laptop that has windows vista, and it keeps referring me to system administrator.  I am the system administrator on my computer, how do I do it, it is driving me nuts

Anonymous comments are disabled
 
Page view tracker