Ironically enough, the point of the UAC *is* to disrupt your process and 
*force* you to think about what you are doing. If you just play dumb and click 
OK or if you just disable UAC, then you have made a choice and taken deliberate 
action to lower the security level offered by UAC.

This is a change in behavior for most of us, but as Pally said, it doesn't make 
it wrong. You'll still need to play by the UAC rules when you are 
designing/authoring an installer for consumption by other parties, regardless 
of whether you agree with the UAC design or not.

Edwin G. Castro
Software Developer - Staff
Electronic Banking Services
Fiserv
Office: 503-746-0643
Fax: 503-617-0291
www.fiserv.com

-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: Thursday, June 10, 2010 9:03 AM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

I don't necessarily agree with the UAC design. For me it disrupts my thought 
process and workflow. After I click/double-click some action I am thinking 
about the task to be completed.  Then some dialog pops up wanting me to stop 
and decide if I was the initiator.  Or worse, if I want to allow some access 
whose consequences I really do not understand.
I could play dumb and just click OK. But any dialog could be an indicator of 
something wrong.  So I stop, think, then click OK.  Now my workflow has been 
completely disrupted. And I'm trying to remember what I intended to do.  Of 
course, it could just be me...

It is more secure when used properly.  But it annoys me enough to just turn it 
off. This is why -my- test of the installation worked just fine but QA found a 
problem...my fault for not restoring the default.

And yes, we will be signing the MSI so that the error message is a little less 
scary.

Thanks again!


Kurt Jensen
Senior Software Engineer
Ophir-Spiricon
Ph: 435-755-5429
Cell: 435-764-2122
www.ophir-spiricon.com
kurt.jen...@ophir-spiricon.com

The True Measure of Laser Performance(tm)

-----Original Message-----
From: Pally Sandher [mailto:pally.sand...@iesve.com]
Sent: Thursday, June 10, 2010 9:33 AM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

It's not a matter of putting up with #3, that's basic functionality of UAC & 
Windows Installer on UAC systems. It won't elevate until it's good & ready to 
do something which needs elevation. If it did always run msiexec permanently 
elevated there would be legions of people complaining about how insecure it is. 
FYI this isn't a new thing, it's been around since the release of Vista in 
January 2007. Just because you're used to the laziness that Windows XP/2000/NT4 
allowed doesn't mean it was ever right or good or proper that you're now being 
forced to adhere to the guidelines instead of Microsoft simply asking you 
nicely to.

BTW signing your MSI will make the UAC prompt look more friendly/less 
scary/more professional to your users. Last time we purchased a code signing 
certificate it cost us less than $200 for a 3 year certificate from Comodo 
(through author.tucows.com) but that was in early 2008 so prices/offers may 
have changed since then.

Palbinder Sandher
Software Deployment & IT Administrator
T: +44 (0) 141 945 8500
F: +44 (0) 141 945 8501

http://www.iesve.com
**Design, Simulate + Innovate with the <Virtual Environment>** Integrated 
Environmental Solutions Limited. Registered in Scotland No.
SC151456
Registered Office - Helix Building, West Of Scotland Science Park, Glasgow G20 
0SP Email Disclaimer


-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: 10 June 2010 16:11
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

OK.  Duh.  Forgot to add Impersonate="no" to the #1 custom action... Now it's 
good.


Brain is a little scrambled trying to come up to speed on Code Composer and 
finish this stuff for Windows 7.  Two wildly divergent tasks...

Thanks for all your help!!!


-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: Thursday, June 10, 2010 7:06 AM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

Thanks.  I got confused and thought Impersonate="no" was the default.
Good coding practice is to be explicit about key parameters, default value or 
not.  That took care of #2 & #4.

I guess we all will now have to put up with #3.

#1 is the real failure and continues to fail.  This looks like a serious error 
in the WiX handling of custom actions.  I understand only a little.  I know 
that custom actions, and any dependent assemblies, are placed in a temporary 
directory with the name "<custom action dll file name>=#".  Apparently this 
mechanism is failing under UAC in Windows 7. I would guess that the directory 
creation and file copy are not being elevated. This will fail if "Program 
Files" is read only to the current user. This confuses me because the user is 
required to be an administrator because we are installing drivers.

Also, there is a current bug where the directory is not removed after the 
custom action is done.

Kurt

-----Original Message-----
From: Blair [mailto:os...@live.com]
Sent: Wednesday, June 09, 2010 6:06 PM
To: 'General discussion for Windows Installer XML toolset.'
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

A couple of observations:

Add Impersonate="no" to your CustomAction declarations. That attribute defaults 
to "yes". You are impersonating the installing user instead of running those 
CAs as SYSTEM.

Normally custom actions are run from the Binary table instead of the File 
table, unless you also need them outside of your installation. DTF CAs require 
write access to the directory that the DLL is run from. For CAs run from the 
Binary table, Windows Installer places them in a location appropriate for the 
impersonation-level the CA will run at. For File table CAs, you have to ensure 
that. If a deferred CA is impersonating the installing user, it will lose 
elevation if that wasn't supplied before invoking MSI.
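
The two points above (in-script custom actions impersonate by default, and DLL custom actions run from the File table need a writable directory) can be checked mechanically. This is an added example, not part of the original message or of WiX: the `audit` function, its finding labels, the `InstallCA` Binary Id and the shortened file names are hypothetical, and both samples are constructed from the authoring quoted later in this thread.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://schemas.microsoft.com/wix/2006/wi"}  # WiX v3 namespace
IN_SCRIPT = {"deferred", "commit", "rollback"}

# Constructed samples: BEFORE mirrors the authoring posted in the thread
# (paths shortened); AFTER applies the advice given in the replies.
BEFORE = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"><Fragment>
  <CustomAction Id="CAInstall" FileKey="CustomAction.Install.WiX"
                DllEntry="CAInstall" Execute="commit" />
  <CustomAction Id="InstallII" Directory="PYROCAMDIRECTORY"
                ExeCommand="[PYROCAMDIRECTORY]InstallII.exe"
                Execute="deferred" Return="ignore" />
</Fragment></Wix>"""

AFTER = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"><Fragment>
  <Binary Id="InstallCA" SourceFile="CustomAction.Install.WiX.CA.dll" />
  <CustomAction Id="CAInstall" BinaryKey="InstallCA"
                DllEntry="CAInstall" Execute="commit" Impersonate="no" />
  <CustomAction Id="InstallII" Directory="PYROCAMDIRECTORY"
                ExeCommand="[PYROCAMDIRECTORY]InstallII.exe"
                Execute="deferred" Impersonate="no" Return="ignore" />
</Fragment></Wix>"""


def audit(wxs_text):
    """Return (action id, finding) pairs for in-script custom actions."""
    findings = []
    for ca in ET.fromstring(wxs_text).iterfind(".//w:CustomAction", NS):
        ca_id = ca.get("Id")
        if ca.get("Execute") not in IN_SCRIPT:
            continue  # only in-script actions can run without impersonation
        # Impersonate defaults to "yes": the action runs as the installing
        # user and is elevated only if msiexec was launched elevated.
        if ca.get("Impersonate", "yes") != "no":
            findings.append((ca_id, "impersonates-user"))
        # A DLL action run from the File table executes from the install
        # directory, which the DTF self-extractor must be able to write to.
        if ca.get("DllEntry") and ca.get("FileKey"):
            findings.append((ca_id, "dll-from-file-table"))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```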

-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: Wednesday, June 09, 2010 12:30 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

1)
    <DirectoryRef Id="APPLICATIONDIRECTORY">
      <Component Id="CustomAction.Install.WiX"
                 Guid="{5B6CBC69-4EA2-4648-A080-8D2027BAB081}">
        <File Id="$(var.CustomAction.Install.WiX.TargetName)"
              Source="$(var.CustomAction.Install.WiX.TargetDir)$(var.CustomAction.Install.WiX.TargetName).CA.dll" />
      </Component>
    </DirectoryRef>

    <CustomAction Id="CAInstall"
                  FileKey="$(var.CustomAction.Install.WiX.TargetName)"
                  DllEntry="CAInstall"
                  Execute="commit" />
    <CustomAction Id="CAUninstall"
                  FileKey="$(var.CustomAction.Install.WiX.TargetName)"
                  DllEntry="CAUninstall"
                  Execute="deferred" />

    <InstallExecuteSequence>
      <!-- Run CAInstall after InstallFiles only if the product was not installed (i.e. do not run on uninstall) -->
      <Custom Action="CAInstall" Before="InstallFinalize">NOT Installed</Custom>
      <!-- Run CAInstall after InstallFiles only if the product was installed (i.e. only run on uninstall) -->
      <Custom Action="CAUninstall" Before="RemoveFiles">Installed</Custom>
    </InstallExecuteSequence>

2)

    <DirectoryRef Id="PYROCAMDIRECTORY">
      <Component Id="PyrocamIII"
                 Guid="21324FF8-D573-4811-A7E8-DB9A58274EAD">
        <File Source="$(var.SolutionDir)..\..\Installations\Source\Pyrocam III Device Driver 1.1.0.0\InstallII.exe" />
      </Component>
    </DirectoryRef>

    <CustomAction Id="InstallII"
                  Directory="PYROCAMDIRECTORY"
                  ExeCommand="[PYROCAMDIRECTORY]InstallII.exe"
                  Execute="deferred"
                  Return="ignore" />
    <InstallExecuteSequence>
      <Custom Action="InstallII" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>

    <InstallExecuteSequence>
      <Custom Action="ReenumPyrocam" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>

3,4) As I said, very annoying and looks unprofessional. The thought is that 
there is something wrong with my installation which is why Windows
7 has to ask permission. This is a cause for concern and phone calls.
As a result, my supervisor and salesmen want no messages and no requests for 
permission.

5) "You can do all this in a plain MSI you just need to do it properly."
I would if I could.  Please explain.

Kurt

-----Original Message-----
From: Pally Sandher [mailto:pally.sand...@iesve.com]
Sent: Wednesday, June 09, 2010 11:40 AM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

1 - Post the Custom Action WiX code. Could be a number of things.

2 - See 1.

3 - That's expected behaviour. Windows Installer won't request elevation until 
it needs to which is when the InstallExecuteSequence starts (hence anything 
needing elevation should be in the InstallExecuteSequence between 
InstallInitialize & InstallFinalize). It's never "always elevated" unless you 
launch your msi from an elevated process e.g.
command prompt started with "Run as Administrator" or a bootstrapper which 
requests elevation through a manifest. If you run your MSI with basic or no UI 
you'll see the UAC prompt immediately since there's no InstallUISequence being 
run.

4 - see 1 & 2.

Sounds to me like your vdproj is either scheduling stuff correctly or (more 
likely) is taking the easy way out & running everything always fully elevated 
due to a manifest in its setup.exe. You can do all this in a plain MSI you just 
need to do it properly.

Palbinder Sandher
Software Deployment & IT Administrator
T: +44 (0) 141 945 8500
F: +44 (0) 141 945 8501

http://www.iesve.com


-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: 09 June 2010 17:54
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] MSI vs Windows 7 UAC

P.S.  I have incorporated the tools in 2-4, without any of these problems, in 
our current installation using Visual Studio vdproj.
Surely there is some setting I am missing but have not found yet.


-----Original Message-----
From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com]
Sent: Wednesday, June 09, 2010 10:23 AM
To: wix-users@lists.sourceforge.net
Subject: [WiX-users] MSI vs Windows 7 UAC

First I need some guidance.  I have several problems which all appear related 
to dealing with UAC on Windows 7. But they may each require separate solutions. 
Should I post these separately?



1) On a Windows 7 computer with the default UAC setting, my installation 
appears to be failing because SFXCA fails to extract my custom action to a 
temporary directory.  The relevant messages I get in the log are:



  SFXCA: Extracting custom action to temporary directory: C:\Program Files\Spiricon\BeamGage Standard\CustomAction.Install.WiX.CA.dll-9\
  SFXCA: Failed to extract to temporary directory. Cabinet error code 11.
  CustomAction CAInstall returned actual error code 1603



This message is followed immediately by Rollback messages.



2) We use a program, written many years ago, that calls CM_Reenumerate_DevNode 
in order to simulate Find New Hardware.
Originally I thought that this program was causing the install to fail but I 
removed it and found the failure described above. When I tried to just run it, 
UAC said it needed elevated privileges.  When I ran it as administrator it 
appeared to execute without error.  But, I keep an error message in the log as 
if it was not being run at elevated privileges.  I thought deferred custom 
actions, and Impersonate="no", were executed with elevated privileges.  Any 
ideas how I can debug this?



3) When I click through the installation dialogs, I always get a UAC dialog 
before the actual install starts. I always thought MSI was elevated and would 
"just run".  My MSI is not (yet) signed.  Would this help?



4) I am using a third tool to install third-party drivers.  I run this tool 
three times.  And three times I get a UAC dialog.  This is not only annoying, 
it looks very unprofessional. This tool is run in a custom action.  Again, I 
thought deferred custom actions were executed with elevated privileges.



Please note that I am using WiX v3.0.



TIA!



Kurt Jensen





------------------------------------------------------------------------
------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day 
Giveaway. ONE MASSIVE PRIZE to the lucky parental unit.  See the prize list and 
enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
