[wix-users] A package that can be run elevated or not elevated

Rob Mensching rob at firegiant.com
Thu Aug 20 14:55:31 PDT 2015 

This comment:

    "After that a user should be able to install versions of the package without requiring admin privileges."

With this comment:

   "you can install multiple versions of the same package, and they are independent."

Basically means you want to bypass all the security provided by elevation, which is done like so:

    "having custom actions copy it the files to the appropriate Program Files location ... because the permissions were set on the folder "

Ultimately, the truth is here:

   "But this went against every rule of Windows Installer"

If you want no elevation, install per-user. To install per-user install to a per-user location. When you install to per-user location you get no security there (aka: do *not* install software that will prompt for elevation).

What you've described otherwise fits the profile of malware.

I feel like I should take a shower now. <smile/>


PS: With patches you can sign everything to try to maintain a chain of trust (it's a huge pain to maintain). However, the independence of your packages means there is no chain to trust.

_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/


-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Griesshammer, Christoph (GE Healthcare)
Sent: Thursday, August 20, 2015 2:22 PM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] A package that can be run elevated or not elevated

I've done a good amount of research on trying to figure out whether I can make a package that can be run both elevated or not elevated. From everything I keep reading, I see that one of the big drivers in requiring elevation is that most packages require an install to 'Program Files'.

My package does not have an upgrade, by which I mean, you can install multiple versions of the same package, and they are independent.

The goal of my package is to require an admin install, only the first time. After that a user should be able to install versions of the package without requiring admin privileges.

To do this, we have the user run as an admin the first time, so that we can set permissions to full for users as well, on the folder where future installations will also install to. Then the user should be able to make changes to the location, without being an admin.

The legacy package I am replacing, dealt with this by delivering the files to a temp location, and then having custom actions copy it the files to the appropriate Program Files location. When you ran it the first time, you had to have admin privileges, but after that you were fine to run as just a normal user, because the permissions were set on the folder. But this went against every rule of Windows Installer, and made everything a headache (especially for me, now). It was done in InstallShield.

My question is, can I make a package that can run elevated, but also run not elevated, granted that any action that would normally require admin privileges is allowed to run without admin privileges because it has been granted the right?

Christoph Griesshammer
GE Healthcare IT
Software Engineer

T: 978-395-5770
E: christoph.griesshammer at ge.com<mailto:christoph.griesshammer at ge.com>
http://www.gehealthcare.com<http://www.gehealthcare.com/>

116 Huntington Ave
Boston, MA, USA
02116-5744

GE Imagination at Work


____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

More information about the wix-users mailing list