[wix-users] Custom Action with elevated privilege

Hoover, Jacob Jacob.Hoover at greenheck.com
Fri Dec 14 08:51:23 PST 2018 

Again, my stance would be to change the config.exe to write to Program Data instead of Program Files if it's a per machine configuration, and update the application to look in the new location.

If that isn't an option, then you could write a BA that gathers the settings and property drives the MSI to have custom actions that write out the INI settings.

One final option with less impact to you but still has the security concerns of modifying machine state.  Author a burn bundle and use a ApprovedExeForElevation element to invoke config.exe.  

https://stackoverflow.com/questions/27451028/how-do-i-use-burns-new-ability-to-ability-to-launch-an-elevated-process-after-i

http://wixtoolset.org/development/wips/3249-allow-ba-to-run-elevated-aync-process-through-engine/

https://github.com/wixtoolset/issues/issues/3249/



-----Original Message-----
From: Wenzheng Jia [mailto:WJia at liaison.com] 
Sent: Friday, December 14, 2018 10:38 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Hoover, Jacob <Jacob.Hoover at greenheck.com>
Cc: Christopher Painter <chrpai at iswix.com>
Subject: RE: Custom Action with elevated privilege

The config.exe basically is a configuration tool that retrieves the settings for a customer and writes them to an ini file. The issue I'm having right now is that after the config.exe is invoked, the user can go through all the config settings. It's at the time of writing the config file to the installation folder, that's where the issue is. It requires a higher level of privilege to be able to write the ini file to the installation folder.

We currently have an NSIS script to do so. That installer is working as expected. We are trying to move to the WiX ToolSet but running into this issue. Grantly, I'm still new to the toolset and still trying to figuring things out as I convert them.

Wenzheng

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Christopher Painter via wix-users
Sent: Friday, December 14, 2018 10:01 AM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Christopher Painter <chrpai at iswix.com>
Subject: Re: [wix-users] Custom Action with elevated privilege

I believe we are in 100% agreement.  I don't know what his config.exe is doing so it's impossible for me to say what the proper solution is.

________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Friday, December 14, 2018 9:53 AM
To: Christopher Painter; WiX Toolset Users Mailing List
Subject: RE: Custom Action with elevated privilege


First run is fine, but it shouldn't require elevation to configure the application. There are well defined locations where an application can store configs (either per user or per machine) which don't require elevation.



The issue with "but I just want to write this 1 file" is there is nothing preventing it from changing anything else.  And typically the installer developer and the app developer are different people, so while the 1 file may be true today it may not be tomorrow. Hence why if it has to be in a restricted location, it should be written/updated by a CA in the installer.



From: Christopher Painter [mailto:chrpai at iswix.com]
Sent: Friday, December 14, 2018 9:48 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Subject: Re: Custom Action with elevated privilege



Handling config in an MSI can be a pain.  Running an EXE after the install can be a good compromise.  Usually when I do it  I make it optional and I have the make program call it on first run if configuration hasn't occurred.  I usually put the configuration data in a registry key or folder that doesn't require elevation.   This usually works well.



I typically only handle configuration in the installer when it's needed to execute sql scripts or setup a windows service or application with a certain account.  Otherwise I tend to push it to application first run.



________________________________

From: wix-users <wix-users-bounces at lists.wixtoolset.org<mailto:wix-users-bounces at lists.wixtoolset.org>> on behalf of Hoover, Jacob via wix-users <wix-users at lists.wixtoolset.org<mailto:wix-users at lists.wixtoolset.org>>
Sent: Friday, December 14, 2018 9:15 AM
To: WiX Toolset Users Mailing List
Cc: Hoover, Jacob
Subject: Re: [wix-users] Custom Action with elevated privilege



Why not write a proper CA that can be ran during the installation sequence? What is its need for modifying machine state after the installation is complete?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Wenzheng Jia via wix-users
Sent: Thursday, December 13, 2018 9:15 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org<mailto:wix-users at lists.wixtoolset.org>>
Cc: Wenzheng Jia <WJia at liaison.com<mailto:WJia at liaison.com>>
Subject: Re: [wix-users] Custom Action with elevated privilege

I changed the manifest of the configuration executable. Now the event doesn't trigger the configuration executable's UI to show up at all. Any thoughts?

Wenzheng

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org<mailto:wix-users-bounces at lists.wixtoolset.org>> On Behalf Of Rob Mensching via wix-users
Sent: Thursday, December 13, 2018 4:01 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org<mailto:wix-users at lists.wixtoolset.org>>
Cc: Rob Mensching <rob at firegiant.com<mailto:rob at firegiant.com>>
Subject: Re: [wix-users] Custom Action with elevated privilege

Manifest the executable to require elevation

_____________________________________________________________
 Short replies here. Complete answers over there: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.firegiant.com_&d=DwICAg&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=avZa-T5fw-SOKT3TquIRo1WmRnXgOTWNtV5hFWlvt4Y&s=fig_YK_LGEbx77zlghw1Vgh7yLkHiCkil4caTdKkgo0&e=

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org<mailto:wix-users-bounces at lists.wixtoolset.org>> On Behalf Of Wenzheng Jia via wix-users
Sent: Thursday, December 13, 2018 1:56 PM
To: wix-users at lists.wixtoolset.org<mailto:wix-users at lists.wixtoolset.org>
Cc: Wenzheng Jia <WJia at liaison.com<mailto:WJia at liaison.com>>
Subject: [wix-users] Custom Action with elevated privilege

I'm creating an installer to launch an executable after the installation. The executable will only be launched when a checkbox is selected on the ExitDialog. I hooked up the CustomAction to the Finish button of the ExitDialog box. I'm able to launch the executable. But the executable doesn't have the elevated privilege. It failed to save the output file to the installation folder due to lack of privilege. Is there any way that I can accomplish this?

<Property Id="WIXUI_EXITDIALOGOPTIONALCHECKBOXTEXT" Value="Run Wizard to configure the Connector config file" />

<Publish Dialog="ExitDialog" Control="Finish" Event="DoAction" Value="LaunchFile" Order="999">(NOT Installed) AND (WIXUI_EXITDIALOGOPTIONALCHECKBOX = 1)</Publish>


<CustomAction Id='LaunchFile' Directory='APPLICATIONFOLDER' ExeCommand='[APPLICATIONFOLDER]Config.exe' Impersonate='no' Return="asyncNoWait" />

Wenzheng Jia
Senior Software Engineer

Liaison Technologies
3157 Royal Drive | Suite 200 | Alpharetta, GA 30022
T: +1 888.806.0309 x525
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.liaisonhealthcare.com&d=DwICAg&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=avZa-T5fw-SOKT3TquIRo1WmRnXgOTWNtV5hFWlvt4Y&s=kKXHAPnLhNVfz78aKLK0T8ObJcLe5UxuZYlWuvA_Eg4&e=
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.liaisonhealthcare.com_&d=DwICAg&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=avZa-T5fw-SOKT3TquIRo1WmRnXgOTWNtV5hFWlvt4Y&s=J0tBdN8mP8E_tHcSGJHeix-C1nudBqnt_WzIkpICt78&e=>Connect with us!<http://liaison.com/about-liaison/communities>


____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant https://urldefense.proofpoint.com/v2/url?u=http-3A__www.firegiant.com_&d=DwICAg&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=avZa-T5fw-SOKT3TquIRo1WmRnXgOTWNtV5hFWlvt4Y&s=fig_YK_LGEbx77zlghw1Vgh7yLkHiCkil4caTdKkgo0&e=

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant https://urldefense.proofpoint.com/v2/url?u=http-3A__www.firegiant.com_&d=DwIF-g&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=aUStesA1Ad3NxOp8Vb7d1nKUDl4GOX8fN-xwbFb5Ndw&s=WHb4koSWv4sZsTm6ULD8emyBzmF_naDhJAbdOAAAgL0&e=
NOTE: This email was received from an external source. Please use caution when opening links or attachments in the message.

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant https://urldefense.proofpoint.com/v2/url?u=http-3A__www.firegiant.com_&d=DwIF-g&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=aUStesA1Ad3NxOp8Vb7d1nKUDl4GOX8fN-xwbFb5Ndw&s=WHb4koSWv4sZsTm6ULD8emyBzmF_naDhJAbdOAAAgL0&e=

NOTE: This email was received from an external source. Please use caution when opening links or attachments in the message.

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant https://urldefense.proofpoint.com/v2/url?u=http-3A__www.firegiant.com_&d=DwIF-g&c=PSLapdneSrIm6YCSwp9NIGuZt5KBqytXkQWJ6tZG4UQ&r=1Rm10nvLj379JDc0olGT1Q&m=aUStesA1Ad3NxOp8Vb7d1nKUDl4GOX8fN-xwbFb5Ndw&s=WHb4koSWv4sZsTm6ULD8emyBzmF_naDhJAbdOAAAgL0&e=
NOTE: This email was received from an external source. Please use caution when opening links or attachments in the message.

More information about the wix-users mailing list