UAC in MSI Notes: How do I get the shield on the advertised shortcut?
This is the nineteenth in a series of notes about UAC in MSI. Per the earlier caveat, these are just my notes and not an official position from the Windows Installer team. The previous entries:
- Introduce...
- Architecture Insights
- Common Package Mistakes
- More Architectural Insights
- Conversations with Customers
This entry continues a section focused on questions and answers that often come up in the UAC in MSI dialogs. For this topic, the question is: how do I add the shield to my advertised shortcut?
My application is advertised. How do I get the shield on the advertised shortcut?
If you are a developer of an Administrator-Only Application, you will need to manifest your application itself to get the credential prompt appropriate to the users’ rights. If your install supports advertised shortcuts, you will also need to manifest your icon. Here's a quick walkthrough of what you need to add a shield to your shortcut.
Base Generation of an Icon EXE for your Advertised Shortcut
Here's how one generates the icon-only EXE for an advertised shortcut:
- Generate the base icon.rc file
//
// base resource script.
//
#include "resource.h"
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON1 ICON "icon.ico"
- Generate the resource.h file
// Used by icon.rc
//
#define IDI_ICON1 101
- Build the icon.res file
c:\icon>rc icon.rc
- Build the icon.exe file
c:\icon>link icon.res /noentry /machine:x86 /dll /out:icon.exe
- And now you have your initial icon.exe
c:\icon>dir /o:d
1,078 icon.ico
421 icon.rc
71 resource.h
1,912 icon.RES
2,560 icon.exe
- that you have been referencing with the Shortcut table Icon_ column
| Shortcut | Directory_ | Name | Component_ | Target | Arguments | Description | Hotkey | Icon_ | IconIndex | ShowCmd | WkDir |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AdministratorTool | AdminToolsDirectory | Admin.exe | AdminTools | AdminTools | | | | icon.exe | | | |
- foreign key to the Icon table
| Name | Data |
|---|---|
| icon.exe | [Binary Data] |
- Generate an icon.exe.manifest file
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0"
                    processorArchitecture="X86"
                    name="Icon"
                    type="win32"/>
  <description>Description of your application</description>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="requireAdministrator"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
- Augment the icon.rc file
//
// Tweaked resource script.
//
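// winuser.h defines RT_MANIFEST (resource type 24) for rc.exe; without it the
// name is compiled as a string-named resource type instead of a manifest.
#include <winuser.h>
#include "resource.h"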
/////////////////////////////////////////////////////////////////////////////
//
// Add Shield - per https://msdn.microsoft.com/library/en-us/dnlong/html/AccProtVista.asp
//
#define MANIFEST_RESOURCE_ID 1
MANIFEST_RESOURCE_ID RT_MANIFEST "icon.exe.manifest"
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON1 ICON "icon.ico"
- Rebuild the icon.res file
c:\icon>rc icon.rc
- Rebuild the icon.exe file
c:\icon>link icon.res /noentry /machine:x86 /dll /out:icon.exe
- And now you have your manifested icon.exe
c:\icon>dir /o:d
1,078 icon.ico
71 resource.h
421 icon.rc
600 icon.rc
657 icon.exe.manifest
1,916 icon.RES
3,072 icon.exe
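A quick way to confirm that the rebuilt icon.exe carries the manifest with the intended execution level. This is an added example, not part of the original notes; the function names are hypothetical and the sample inputs are constructed stand-ins rather than real PE files. It scans the file's bytes for the embedded XML instead of walking the PE resource directory, so it does not confirm the resource type or ID.

```python
import re
import xml.etree.ElementTree as ET

# trustInfo is seen under either of these namespaces in application manifests.
TRUST_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")

def extract_manifest(pe_bytes):
    """Return the first embedded <assembly>...</assembly> document as text, or None.
    Heuristic byte scan: it does not say which resource type or ID holds the XML."""
    m = re.search(rb"<assembly\b.*?</assembly>", pe_bytes, re.DOTALL)
    return m.group(0).decode("utf-8", "replace") if m else None

def requested_level(manifest_xml):
    """Return (level, uiAccess) from requestedExecutionLevel, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for ns in TRUST_NS:
        el = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if el is not None:
            return el.get("level"), el.get("uiAccess")
    return None

def check_icon_exe(pe_bytes):
    """Classify a built icon EXE by what its embedded manifest requests."""
    xml = extract_manifest(pe_bytes)
    if xml is None:
        return "no-manifest"
    try:
        found = requested_level(xml)
    except ET.ParseError:
        return "invalid-manifest"
    return found[0] if found else "no-trustinfo"

# Constructed sample inputs: an "MZ" stub with and without the page's manifest.
MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Icon" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""
SAMPLE_BASE = b"MZ" + b"\x00" * 64
SAMPLE_MANIFESTED = SAMPLE_BASE + MANIFEST + b"\x00" * 16

if __name__ == "__main__":
    print("base icon.exe:      ", check_icon_exe(SAMPLE_BASE))
    print("manifested icon.exe:", check_icon_exe(SAMPLE_MANIFESTED))
```

To check a real build, pass the file contents, for example `check_icon_exe(open("icon.exe", "rb").read())`.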
Why the second manifest anyway?
The way the Windows Installer enables advertised shortcuts is by pointing the shortcut icon to a cached EXE and putting a Darwin Descriptor in the target path. Dividing a package this way enables the CreateShortcuts action in the AdvtExecuteSequence table to populate the advertised shortcut. When the user clicks on the shortcut, the Windows shell decodes the Darwin Descriptor into parameters that are passed to the Windows Installer.
Windows Installer will evaluate whether the thing pointed at is present locally and install it if it's not. Due to the caching of credentials in Windows Installer 4.0's support for User Account Control, the Windows Installer will not prompt for credentials. The good news is that even with the dual manifesting, one will get just one credential prompt at the launch of the target EXE.
Comments
- Anonymous
November 28, 2006
Is it really necessary to have a separate (elevated) exe containing the icon? Is there any reason you can't use an icon that's already in the (elevated) EXE that you're creating a shortcut for? I'm trying to do this from a VS2005 deployment project - is it possible to do this using that tool?