[wix-users] EXT: Re: Running elevated functions from non-elevated UI

Vanniekerk, Tyrel (GE Healthcare) tyrel.vanniekerk at ge.com
Fri Feb 25 08:26:45 PST 2022


I agree that it would be nice to only need elevated permissions from the MSI part of the install, but in our case just about every installer we have requires one or more calls that need elevated permissions.  I have tried to get them to work without elevated permissions, but sadly that's not possible.

IIS is really bad and LDAP seems to be a pain as well.  I don't make any changes to the system during the UI, so it would be nice to not require elevated permissions.

I guess the point is that this is a real world situation that people encounter, so having a built-in solution would be nice.  I keep thinking if I could just run an exe when I need it, get it to elevate, and then have it handle all the calls that require an elevated process that would be nice.  That way the UI runs non-elevated.  Problem is still that I have yet to find a reliable way to securely communicate between the two processes.  Running the exe every time would not be acceptable (Having to enter credentials more than once would be silly), so that leaves me using a custom non-official version of WiX, something I would rather not do.  And then when the nice folks get WiX 4 released, I am back to square 1.

-----Original Message-----
From: Bryan Dam <bryand at recastsoftware.com> 
Sent: Thursday, February 24, 2022 12:49 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Nir Bar <nir.bar at panel-sw.com>
Cc: Vanniekerk, Tyrel (GE Healthcare) <tyrel.vanniekerk at ge.com>
Subject: RE: [wix-users] EXT: Re: Running elevated functions from non-elevated UI

> Just about every installer seems to require at least one function call 
> that fails if not elevated
The actual installation itself: yes.  The pre-installation parts: not usually.

Generally speaking, you should only need elevated access to make changes to the system.  If you need to change the system then that should be done during the elevated installation process.  If you need to do something non-standard then you write a deferred custom action.  This is by design as it helps enforce the delineation between the non-elevated UI portion of the installer and the elevated "we're making system changes up in here" portion.

The exceptions are when you want to query something in the non-elevated UI portion that requires admin rights.  That's fairly rare but it does happen.  In my case we are a plugin to a Microsoft product and for reasons unknown to us they removed the read permission from the local Users group.  Just to read a reg value we need to elevate.  It's dumb, we shouldn't have to, but sometimes that's life.
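
The split described in the message above, as an added WiX v3 authoring sketch that is not from any poster in this thread: an immediate action hands data to a deferred, non-impersonated custom action through CustomActionData. The DLL name, entry point, action ids and the SITE_NAME / SITE_PORT properties are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Fragment>
    <!-- Hypothetical custom action DLL; file name and entry point are assumptions. -->
    <Binary Id="SetupActions" SourceFile="SetupActions.CA.dll" />

    <!-- Immediate action: runs in the sequence with the installing user's rights.
         It sets a property named after the deferred action; Windows Installer
         delivers that value to the deferred action as CustomActionData. -->
    <CustomAction Id="SetConfigureSiteData"
                  Property="ConfigureSite"
                  Value="SiteName=[SITE_NAME];Port=[SITE_PORT]" />

    <!-- Deferred + Impersonate="no": runs from the elevated execute script
         without impersonating the user, so it can change the system.
         It cannot read session properties, only CustomActionData, and that
         data originates from the non-elevated side, so the entry point must
         validate it (name characters, port range) before acting on it. -->
    <CustomAction Id="ConfigureSite"
                  BinaryKey="SetupActions"
                  DllEntry="ConfigureSite"
                  Execute="deferred"
                  Impersonate="no"
                  Return="check" />

    <InstallExecuteSequence>
      <!-- The data action must be scheduled before the deferred action it feeds. -->
      <Custom Action="SetConfigureSiteData" Before="ConfigureSite">NOT Installed</Custom>
      <!-- Deferred actions are only valid between InstallInitialize and InstallFinalize. -->
      <Custom Action="ConfigureSite" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>
  </Fragment>
</Wix>
```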

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Vanniekerk, Tyrel (GE Healthcare) via wix-users
Sent: Thursday, February 24, 2022 1:16 PM
To: Nir Bar <nir.bar at panel-sw.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Vanniekerk, Tyrel (GE Healthcare) <tyrel.vanniekerk at ge.com>
Subject: Re: [wix-users] EXT: Re: Running elevated functions from non-elevated UI

After some manual project file updates I got all the references changed to use the NuGet package and lo and behold, it works.  Nice.  I tried it on a test installer and it escalated nicely and the UI came up.  So hopefully it's all good.  I will try it on our main product soon (We are preparing to release an update, so can't change it right now).

The original question does remain though.  I have thought about it quite a bit, but still can't figure out a good answer.  Just about every installer seems to require at least one function call that fails if not elevated.  I am sure I can't be the only one with this problem.  How are other people handling this issue?

Running a separate exe that will escalate seems to be the only solution that would work, but communicating with that process in a secure way without having to make changes to the system (like adding something to the registry to use a cert or something like that) seems to be difficult or impossible.

There has to be a solution, that's all I am saying.  We used InstallShield before and with that it was also just an option to run elevated.  It seems that if the concern is some malware or something the issue would exist for the exe as well.  It just bugs me that it seems there is no answer to this other than bypassing built in WiX Toolset functionality.

From: Nir Bar <nir.bar at panel-sw.com>
Sent: Wednesday, February 23, 2022 1:29 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Vanniekerk, Tyrel (GE Healthcare) <tyrel.vanniekerk at ge.com>
Subject: Re: [wix-users] EXT: Re: Running elevated functions from non-elevated UI

You can use my custom WiX build https://www.nuget.org/packages/PanelSW.Custom.WiX/
Bundle/@RunAsAdmin="yes" attribute creates a bootstrapper that requires elevation when launched


--
Nir Bar
WiX Expert


---- On Tue, 22 Feb 2022 20:11:45 +0200 Vanniekerk, Tyrel (GE Healthcare) via wix-users <wix-users at lists.wixtoolset.org> wrote ----

It would be nice. In the end, just allowing the installer to run elevated (or elevate when it starts) would solve the issue. There are just too many calls, regular checks and looking up a list of certificates or if a web site is running in IIS etc. that require elevated permissions.

Using named pipes, remoting, web API etc. all have issues. They would likely be blocked or disabled and they open up various security concerns. You could write to a file and have the exe check the file and write to another file, but that also has issues.

One could create your own setup.exe that escalates, then calls the WiX setup.exe, but that also would fail when you run modify mode for instance. I have noticed that some OS'es (not sure which) will elevate when you click modify, but most will not. So for us that means you have to get the setup.exe on your ISO, run that as administrator and then click modify instead of running through the Windows UI.

All these workarounds because of a requirement.

My thought is that there is no bullet proof way to run an elevated exe and communicate with it that would not get blocked at some companies.

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Sean Hall via wix-users
Sent: Tuesday, February 22, 2022 11:50 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Sean Hall <r.sean.hall at gmail.com>
Subject: EXT: Re: [wix-users] Running elevated functions from non-elevated UI

https://github.com/wixtoolset/issues/issues/6358

On Tue, Feb 22, 2022 at 11:35 AM Vanniekerk, Tyrel (GE Healthcare) via wix-users <wix-users at lists.wixtoolset.org> wrote:

> Hi,
>
> I have some time to look at this again, so I am trying to revisit the 
> elevated permissions issue in the installer UI. Our current solution 
> is that we give an error if the installer is not running with elevated 
> permissions and if they run it "As Administrator", then everything works.
> It would be easier if one could just get the installer to elevate, but 
> that's not an option.
>
> Assuming then that an installer with a custom bootstrapper UI is 
> running in the prescribed WiX toolset mode, what suggestions do you 
> have to run some check that requires elevated permissions? There are 
> cases where we might have to check more than one thing per install and 
> I would prefer not to have to call another exe that will escalate, do 
> the check and return a result somehow, just to have to call it again and 
> escalate again when the user goes back to the previous page or we need to check something else.
>
> I was thinking I would create an exe that I can start if I need to 
> escalate and communicate with that exe to make multiple calls for 
> various checks. Just not sure what would be a good way to talk between 
> the installer UI and the exe. Remoting is an option or web API or 
> something like that.
>
> Any ideas? Every solution I have thought of seems rather clunky.
>
> Thanks,
> Tyrel
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
>
