Condividi tramite


UAC in MSI Notes: Read the Friendly Manual

This is the sixteenth in a series of notes about UAC in MSI. Per the earlier caveat, these are just my notes and not an official position from the Windows Installer team. The previous entries

  1. Introduce...
    1. ...the UAC in MSI Notes series
    2. ...my view of the root problem
    3. ...the conflicting per-user definition
    4. ...it'll be just like Managed Installs
    5. ...the jagged edge to user
    6. ...my relief providing framework
  2. Architecture Insights
    1. The "Saw Tooth" Diagram
    2. Credential Prompt and Permissions
  3. Common Package Mistakes
    1. The AdminUser Mistake
    2. Modify System with InstallUISequence Custom Action
    3. Modify System with InstallExecuteSequence Custom Action Outside of Script
    4. The NoImpersonate Bit Mistake
  4. More Architectural Insights
    1. My "Four Square" Diagram
    2. Challenges for a Beautiful Custom Action
    3. O Whitepaper, Where Art Thou?

This entry will talk about the next step to understanding the broader architecture in play for understanding UAC in MSI: please take the time to read the SDK.

Read the Fine Manual (RTFM), an old acronym

If you are already deeply involved in this topic, I don't have to tell you the following. For most Windows Installer experts, a large part of providing their expertise to others Windows Installer is being a human index to the Windows Installer portion of the Platform Software Development Kit. While there are more rude versions of RTFM, Read The Fine Manual is tried and true advice from many generations of computing. You'd be surprised how just understanding the manual makes you an expert.

Inevitably I run into those who, like me honestly, have only partially consumed the manual. These Windows Installer journeyman

  • get stuck in translating the intent behind a topic
  • synthesizing the full insight needed to understand
  • find the topics are insufficiently rich or verbose
  • point out to the rich mix of mixing documentation

To these journeyman I am sympathetic. I've personally tried to help by opening hundreds of documentation bugs in the six months I was focused on documentation for Windows Installer 4.0. Some of those bugs came back "By Design" or "Won't Fix" so I've learned there are constraints to the SDK document format.

 

The SDK is focused on explaining "What?". "How?" and "Why?" questions are not the domain of the SDK. Some of the "How?" and "Why?" around the Windows Installer can be inferred from the "What?" BUT not all things. Other technologies in the Windows motivate shelves and shelves of technical books. Other technologies in Windows motivate whitepapers and rich tool environments on top of the base "What?" that comes from the platform SDK. Windows Installer does have a small market but for these secondary sources but it's still small on a relative basis.

Still, if you aspire to go beyond the journeyman to attain architectural mastery, you're going to need to have the "What?" on hand as you work outward toward the "How?" and "Why?".

Quick Introduction to Topics in the SDK

So the journeyman say "I'm under some pressure so could help me pick out the important items?". Absolutely. Here you go:

Let's start on the What's New in Windows Installer Version 4.0? page.

Using Windows Installer with UAC

Our professional SDK writers introduction to what UAC in MSI means.  Chock full of goodness.  Tight writing.  (Wish I could write like that. ;^)

User Account Control Patching

An update to the 3.1 feature that enabled home users get patch even if they were Standard Users in the precursor to UAC called Least Privileged User.  A full forensic account of UAC in MSI would report this as proof MSI could help deliver the UAC scenarios.

User Account Control glossary entry

Functional definition of UAC in the MSI SDK.  Also provides a bridge to the UAC portion of the SDK.

Per-User and Per-Machine

Stuff you need to understand to see the difference between Install per-user and per-machine.  Compare this with the way UAC defines per-user and the gaps and seams will start to appear for you too.

Biggest explanation comes for the topic Using Windows Installer with UAC and it's sub topics.

Guidelines for Packages

This topic was generated from one of the first bugs I opened against the SDK to respond to the top customer issues.  The dialog I remember around this time was: sure, these topics are all already covered in other topics in the SDK but customers are having a really hard time putting these all together.  As you read this, contrast this with what I've tried to say in the blog series and you may get a sense of the difference between going from "What?" to "How?" in the format to the SDK that is distinct from going to the "Why?" to "How?" I'm trying to built out via the blog.

Authoring Packages Without the UAC Dialog Box

Again another "how" topic that was based off a bug that said: sure, these topics are all already covered in other topics in the SDK but customers are having a really hard time putting these all together.

Installing a Package with Elevated Privileges for a Non-Admin

To me, this reads like a family tree in the thinking behind how users and elevation are managed in the Windows Installer.  Were I our SDK writer, this topic would have been the hardest topic for me to write.  This is a synthesis topic that covers a number of generations of the Windows Installer and the Windows platform.  Hurts my head to think about all these generations simultaneously.

Advertising a Per-User Application to be Installed with Elevated Privileges

This topic hasn't changed for Vista but Vista makes this increasingly important.  As a Windows Installer user (before I got my current role), I've always considered this topic cryptic.  I still see it as cryptic but I now have a path I could walk someone through the context if I had to.  I walked a UAC PM through the context behind this once to which he said: "that would be a great whitepaper.  Can you write that down?".  It's on the list.

 

Outside of the Windows Installer portion of the SDK, the User Account Control team is still building their docs. Today, this contains...

Getting Started with User Account Control on Windows Vista

Pretty intro to the user experience from Vista Beta 1.  This is much friendlier writing that later writing because UAC was optional in Beta1.  Ideas are still relevant but lots of context has changed.

Getting Started with User Account Control on Windows Vista

Post Beta 2 draft of the above.  Subtitled: discover how to get started with User Account Control.

Understanding and Configuring User Account Control in Windows Vista

Index page that provides a jumping off point.  In that this was authored post Beta2, it's much more relevant.

Windows Vista Application Development Requirements for User Account Control Compatibility

Downloadable word doc that you can place next to your development environment as a desktop reference.

Developer Best Practices and Guidelines for Applications in a Least-Privileged Environment

Bible for working with UAC between Beta 1 and Beta 2.  This is the doc I used to understand UAC.

Lots to read. Some believe understanding the manual will tell you everything you need to know. Honestly, the manual isn't enough for me but maybe simply RTFM it'll work for you.

Comments