[wix-users] How to execute a custom action with user privileges (non elevated)

Paul Mumford paul.mumford at gmail.com
Mon Nov 27 14:47:47 PST 2017


What worked for me was to have a service account on the target machine
which was only allowed to deal with the application and use impersonation
programmatically. Requires the tiny bit of extra effort of making the account
I guess but it did indeed solve the problem.

On 27 November 2017 at 20:56, Roland K via wix-users <
wix-users at lists.wixtoolset.org> wrote:

> Yes, I know. But in my case it makes a huge difference, if I get the
> elevated or non elevated user token and if the InstallScope of your msi is
> set to "perMachine", it seems you always get the elevated user token with
> Impersonate="yes".
>
> My current working solution is doing a second impersonation manually inside
> the custom actions by duplicating the right, non elevated user token of the
> bootstrapper.
>
> Joel Budreau via wix-users <wix-users at lists.wixtoolset.org> wrote on
> Mon, 27 Nov 2017, 21:04:
>
> > You can execute a custom action and set Impersonate="yes". This will make
> > the custom action execute with the user's credentials (not the SYSTEM
> > account).
> >
> > - Joel
> >
> > > On Nov 16, 2017, at 1:51 AM, Roland Kieslinger via wix-users
> > > <wix-users at lists.wixtoolset.org> wrote:
> > >
> > > Hello!
> > >
> > > Is it possible to execute a custom action with user privileges (non
> > > elevated)?
> > >
> > > If a user with local admin rights logs on to Windows, 2 tokens are
> > > generated. One token without admin rights (filtered token) and one token
> > > with admin rights. If he maps a network drive, this usually happens using
> > > the filtered token, unless he does it explicitly with admin rights, for
> > > example by starting cmd elevated and using "net use...". But if he does
> > > the mapping with the filtered token, I have no chance to access the
> > > network drive in my setup, because I always get the token with admin
> > > rights there.
> > >
> > > I thought I get the filtered token, when I'm executing a custom action
> > > in the immediate phase, but it seems that's not the case.
> > >
> > >
> > >
> > > ____________________________________________________________________
> > > WiX Toolset Users Mailing List provided by FireGiant
> > > http://www.firegiant.com/
>
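
As an added example (not code from anyone in this thread), the PowerShell diagnostic below reports which half of the split token described in the original question the current process or impersonating thread holds, and which network drive letters are visible to it. The `TokenProbe` class name and the output property names are assumptions of this example; the Win32 call is `GetTokenInformation` with the `TokenElevationType` information class.

```powershell
# Added diagnostic, not from the thread. Run it once from a normal prompt and
# once from an elevated prompt (or from the custom action's context) and compare.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenProbe {   // hypothetical helper name
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // TOKEN_INFORMATION_CLASS.TokenElevationType
    const int TokenElevationType = 18;

    public static int GetElevationType(IntPtr token) {
        int value, returned;
        if (!GetTokenInformation(token, TokenElevationType, out value,
                                 sizeof(int), out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }
}
'@
Add-Type -TypeDefinition $src

# TOKEN_ELEVATION_TYPE values from winnt.h
$names = @{
    1 = 'Default (no linked token)'
    2 = 'Full (elevated half of a split token)'
    3 = 'Limited (filtered half of a split token)'
}

# GetCurrent() returns the thread token when the thread is impersonating,
# otherwise the process token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
try {
    $type = [TokenProbe]::GetElevationType($identity.Token)
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        User          = $identity.Name
        ElevationType = $names[$type]
        AdminEnabled  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        # Drive letters mapped to network shares that this token can see
        NetworkDrives = ([System.IO.DriveInfo]::GetDrives() |
            Where-Object DriveType -eq 'Network' |
            ForEach-Object Name) -join ', '
    }
}
finally { $identity.Dispose() }
```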

