次の方法で共有


Installing and Deploying Applications on Vista

Welcome to the User Account Control (UAC) Blog.  We'll be using this forum to talk about interesting, important, or whimsical aspects of UAC and Vista.

It seems only fitting that we start out the posts with a discussion of installation.  What is the very first thing you're going to do on your new Vista machine?  Well...install your favorite piece of software, of course.  This is where most of the world will be meeting the Consent Dialog for the first time.  Have you seen it yet? 

Here's a preview of an early version of the Consent Dialog -

For those of you who don't know what this is – it's the new dialog in Windows Vista that tells you when you’re going to do something that requires Administrator privileges and thus needs your approval.  We’ll delve into this more in later posts.  For now, just imagine that you'll be running everything in Vista as what we call a Standard User and when you want to install something or change a system setting you need to approve it.

So there we were, installing that piece of software you love and the Consent Dialog comes up.  Why did it happen? 

When you install a piece of software, more often than not, you need to copy files from the CD to the Program Files directory.  The Program Files directory is a protected location that Standard Users can't write to, and because we know that most installs write there, we ask you for permission to run the install with your Administrator privileges.

We'll get more into the technical details about how we identify applications that are installers and how enterprises can do installations in future posts.

Cheers, Chris

Comments

  • Anonymous
    December 29, 2005
    Is there a sample manifest or program available that can be used to try out UAC functionality?

  • Anonymous
    January 14, 2006
    I thought these dialogs were going to ask us for an admin password? Wouldn't that be advisable?

  • Anonymous
    January 15, 2006
    Dialogs do ask for Admin password when you are not running as administrator.

    The great thing is that you can run as administrator but you app's do not!

    This takes-out requirement to re-enter admin password time after time after time, and also - home users (some) don't want passwords (it just further complicates working with computer, which is pretty complicated already to some).

  • Anonymous
    January 16, 2006
    I actually prefer the Permit/Deny choice rather than passwords. It's all too easy to spoof a password dialog, but spoofing the current UI isn't going to get you anywhere.

  • Anonymous
    January 18, 2006
    The behavior of the elevation prompt is configurable via Group Policy and local computer policy (secpol.msc). Available options include: no prompt (this is NOT recommended), prompt for consent, prompt for password, and prompt for password on the secure desktop. We'll go over this in more detail in a post soon.

  • Anonymous
    January 29, 2006

    Note: LUA (Least User Access) has been
    renamed UAC (User Access Control) which is a much better name...

  • Anonymous
    February 17, 2006
    I am greatly pleased to see that this idea of running with least privilege is actually  happening. I've been following Aaron Margosis' posts for a while, and actually running as LUA for everyday usages. Of course, there have been problems...

    I teach (very) beginner computer classes --- your mom -- and, as much as I wish I could do something to help them be more secure, it's just toooooo complicated to explain. These guys have trouble with the difference between a file and a folder.

    It's not going to be that much "easier" in Vista, but at least it's right out there where they'll have to learn to deal with it.

    Just like the decision to make Automatic Updates the default was better for the rest of the world, even if the techie types complain about things being shoved down their throats.

  • Anonymous
    March 01, 2006
    Setup: Feb CTP 5308 + VS2005

    I have an app that I want to package as an administator only program (It has to install a Service programmatically and getting full access to the SCM requires Administrative elevation).

  • Anonymous
    March 01, 2006
    I wrote a small program to just test the elevation. Here is the code:

    int main(void)
    {
    SC_HANDLE schSCManager;

    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

    if (NULL == schSCManager)
    printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) failed (%d)n", GetLastError());
    else
    printf("OpenSCManager (SC_MANAGER_ALL_ACCESS) succeededn");

    return 0;
    }

  • Anonymous
    March 01, 2006

    Then I created an OpenSCManager.rc file that has:

    #define MANIFEST_RESOURCE_ID 1
    MANIFEST_RESOURCE_ID RT_MANIFEST "OpenSCManager.exe.manifest"



    The manifest file I created has:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft.com:asm.v1" manifestVersion="1.0">
     <assemblyIdentity version="1.0.0.0"
                       processorArchitecture="X86"
                       name="OpenSCManager"
                       type="win32"/>
     <description>IAII - Intel Architecture Instruction Inspector</description>
     <!-- Identify the application security requirements. -->
     <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3">
       <security>
         <requestedPrivileges>
           <requestedExecutionLevel
             level="requireAdministrator"
             uiAccess="false"/>
         </requestedPrivileges>
       </security>
     </trustInfo>
    </assembly>

  • Anonymous
    March 01, 2006
    After I build, I can use a Hex Editor to verify that the XML is built into the exe, although I don't know if that is the PE portion of the binary.

    But when I run this app, it just fails without bringing up the elevation prompt for Admin privileges. I made sure it passes if I right click and select "Run as Administrator".

    Can you please tell me what I am doing wrong?  I would prefer to stick with the manifest option among the other options listed.

    Thanks in advance!

  • Anonymous
    May 30, 2006
    I think the problem with your manifest is this
    urn:schemas-microsoft.com should be urn:schemas-microsoft-com?

  • Anonymous
    July 16, 2006
    Our application provides option to create customized installers on there own using web-app. All the option of creating an installer including the installer name is customizable.

    We use MSI for the installer creation and after the MSI is created we package the whole folder into a self- extractable exe (same name has of installer name). My question is should we embed a manifest for that exe. If yes, then as I said before the installer name is customizable, following is our manifest that we are planning to include.

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
     <assemblyIdentity
       processorArchitecture="x86"
       version="7.1.0.0"
       type="win32"
       name="pkgr.exe"/>

    My questions are

    1) Is name=""/> is mandatory?

    2) If answer yes, it is going to create few issues to us

    a. We have to package mt.exe with our product to create manifest at runtime so that the name tag included the user selected name.
    b. And mt.exe requires .NET framework to be installed in those machines which needs to use mt.exe

    3) If name is not mandatory then it is going to create same issues for except no need to replace the name tag at runtime.

  • Anonymous
    November 06, 2006
    The comment has been removed

  • Anonymous
    February 20, 2007
    We are having an issue with our installation, where we are trying to install our application, which has some third party dependencies with it that require a reboot during installation.  The question is this - how do we configure our installer to persist application installation after a reboot of Vista? jason

  • Anonymous
    February 25, 2007
    I have the same problem. I installed Macromedia Dreamweaver. After rebooting i tried to open Macromedia Dreamweaver and i get this message: "1.Failed to install ISKernel files. Make sure you have appropriate priviledges on this machine." And then Macromedia Dreamweaver doesnt even start. Im using Windows Vista Home Premium. Maybe somebody can help. Send me an email to nucleusambiens@gmx.de please Thanks

  • Anonymous
    March 19, 2007
    The comment has been removed