Ironically enough, the point of the UAC *is* to disrupt your process and *force* you to think about what you are doing. If you just play dumb and click OK or if you just disable UAC, then you have made a choice and taken deliberate action to lower the security level offered by UAC.
This is a change in behavior for most of us, but as Pally said, it doesn't make it wrong. You'll still need to play by the UAC rules when you are designing/authoring an installer for consumption by other parties, regardless of whether you agree with the UAC design or not. Edwin G. Castro Software Developer - Staff Electronic Banking Services Fiserv Office: 503-746-0643 Fax: 503-617-0291 www.fiserv.com Please consider the environment before printing this e-mail -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: Thursday, June 10, 2010 9:03 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC I don't necessarily agree with the UAC design. For me it disrupts my thought process and workflow. After I click/double-click some action I am thinking about the task to be completed. Then some dialog pops up wanting me to stop and decide if I was the initiator. Or worse, if I want to allow some access whose consequences I really do not understand. I could play dumb and just click OK. But any dialog could be an indicator of something wrong. So I stop, think, then click OK. Now my workflow has been completely disrupted. And I'm trying to remember what I intended to do. Of course, it could just be me... It is more secure when used properly. But it annoys me enough to just turn it off. This is why -my- test of the installation worked just fine but QA found a problem...my fault for not restoring the default. And yes, we will be signing the MSI so that the error message is a little less scary. Thanks again! Kurt Jensen Senior Software Engineer Ophir-Spiricon Ph: 435-755-5429 Cell: 435-764-2122 www.ophir-spiricon.com kurt.jen...@ophir-spiricon.com The True Measure of Laser Performance(tm) -----Original Message----- From: Pally Sandher [mailto:pally.sand...@iesve.com] Sent: Thursday, June 10, 2010 9:33 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC It's not a matter of putting up with #3, that's basic functionality of UAC & Windows Installer on UAC systems. It won't elevate until it's good & ready to do something which needs elevation. If it did always run msiexec permanently elevated there would be legions of people complaining about how insecure it is. FYI this isn't a new thing, it's been around since the release of Vista in January 2007. Just because you're used to the laziness that Windows XP/2000/NT4 allowed doesn't mean it was ever right or good or proper that you're now being forced to adhere to the guidelines instead of Microsoft simply asking you nicely to. BTW signing your MSI will make the UAC prompt look more friendly/less scary/more professional to your users. Last time we purchased a code signing certificate it cost us less than $200 for a 3 year certificate from Comodo (through author.tucows.com) but that was in early 2008 so prices/offers may have changed since then. Palbinder Sandher Software Deployment & IT Administrator T: +44 (0) 141 945 8500 F: +44 (0) 141 945 8501 http://www.iesve.com **Design, Simulate + Innovate with the <Virtual Environment>** Integrated Environmental Solutions Limited. Registered in Scotland No. SC151456 Registered Office - Helix Building, West Of Scotland Science Park, Glasgow G20 0SP Email Disclaimer -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: 10 June 2010 16:11 To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC OK. Duh. Forgot to add Impersonate="no" to the #1 custom action... Now it's good. Brain is a little scrambled trying to come up to speed on Code Composer and finish this stuff for Windows 7. Two wildly divergent tasks... Thanks for all your help!!! -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: Thursday, June 10, 2010 7:06 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC Thanks. I got confused and thought Impersonate="no" was the default. Good coding practice is to be explicit about key parameters, default value or not. That took care of #2 & #4. I guess we all will now have to put up with #3. #1 is the real failure and continues to fail. This looks like a serious error in the WiX handling of custom actions. I understand only a little. I know that custom actions, and any dependent assemblies, are placed in a temporary directory with the name "<custom action dll file name>=#". Apparently this mechanism is failing under UAC in Windows 7. I would guess that the directory creation and file copy are not being elevated. This will fail if "Program Files" is read only to the current user. This confuses me because the user is required to be an administrator because we are installing drivers. Also, there is a current bug where the directory is not removed after the custom action is done. Kurt -----Original Message----- From: Blair [mailto:os...@live.com] Sent: Wednesday, June 09, 2010 6:06 PM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] MSI vs Windows 7 UAC A couple of observations: Add Impersonate="no" to your CustomAction declarations. That attribute defaults to "yes". You are impersonating the installing user instead of running those CAs as SYSTEM. Normally custom actions are run from the Binary table instead of the File table, unless you also need them outside of your installation. DTF CAs require write access to the directory that the DLL is run from. For CAs run from the Binary table, Windows Installer places them in a location appropriate for the impersonation-level the CA will run at. For File table CAs, you have to ensure that. If a deferred CA is impersonating the installing user, it will lose elevation if that wasn't supplied before invoking MSI. -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: Wednesday, June 09, 2010 12:30 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC 1) <DirectoryRef Id="APPLICATIONDIRECTORY"> <Component Id="CustomAction.Install.WiX" Guid="{5B6CBC69-4EA2-4648-A080-8D2027BAB081}"> <File Id="$(var.CustomAction.Install.WiX.TargetName)" Source="$(var.CustomAction.Install.WiX.TargetDir)$(var.CustomAction.Inst all.WiX.TargetName).CA.dll" /> </Component> </DirectoryRef> <CustomAction Id="CAInstall" FileKey="$(var.CustomAction.Install.WiX.TargetName)" DllEntry="CAInstall" Execute="commit" /> <CustomAction Id="CAUninstall" FileKey="$(var.CustomAction.Install.WiX.TargetName)" DllEntry="CAUninstall" Execute="deferred" /> <InstallExecuteSequence> <!-- Run CAInstall after InstallFiles only if the product was not installed (i.e. do not run on uninstall) --> <Custom Action="CAInstall" Before="InstallFinalize">NOT Installed</Custom> <!-- Run CAInstall after InstallFiles only if the product was installed (i.e. only run on uninstall) --> <Custom Action="CAUninstall" Before="RemoveFiles">Installed</Custom> </InstallExecuteSequence> 2) <DirectoryRef Id="PYROCAMDIRECTORY"> <Component Id="PyrocamIII" Guid="21324FF8-D573-4811-A7E8-DB9A58274EAD"> <File Source="$(var.SolutionDir)..\..\Installations\Source\Pyrocam III Device Driver 1.1.0.0\InstallII.exe" /> </Component> </DirectoryRef> <CustomAction Id="InstallII" Directory="PYROCAMDIRECTORY" ExeCommand="[PYROCAMDIRECTORY]InstallII.exe" Execute="deferred" Return="ignore" /> <InstallExecuteSequence> <Custom Action="InstallII" After="InstallFiles">NOT Installed</Custom> </InstallExecuteSequence> <InstallExecuteSequence> <Custom Action="ReenumPyrocam" After="InstallFiles">NOT Installed</Custom> </InstallExecuteSequence> 3,4) As I said, very annoying and looks unprofessional. The thought is that there is something wrong with my installation which is why Windows 7 has to ask permission. This is a cause for concern and phone calls. As a result, my supervisor and salesmen want no messages and no requests for permission. 5) "You can do all this in a plain MSI you just need to do it properly." I would if I could. Please explain. Kurt -----Original Message----- From: Pally Sandher [mailto:pally.sand...@iesve.com] Sent: Wednesday, June 09, 2010 11:40 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC 1 - Post the Custom Action WiX code. Could be a number of things. 2 - See 1. 3 - That's expected behaviour. Windows Installer won't request elevation until it needs to which is when the InstallExecuteSequence starts (hence anything needing elevation should be in the InstallExecuteSequence between InstallInitialize & InstallFinalize). It's never "always elevated" unless you launch your msi from an elevated process e.g. command prompt started with "Run as Administrator" or a bootstrapper which requests elevation through a manifest. If you run your MSI with basic or no UI you'll see the UAC prompt immediately since there's no InstallUISequence being run. 4 - see 1 & 2. Sounds to me like your vdproj is either scheduling stuff correctly or (more likely) is taking the easy way out & running everything always fully elevated due to a manifest in its setup.exe. You can do all this in a plain MSI you just need to do it properly. Palbinder Sandher Software Deployment & IT Administrator T: +44 (0) 141 945 8500 F: +44 (0) 141 945 8501 http://www.iesve.com **Design, Simulate + Innovate with the <Virtual Environment>** Integrated Environmental Solutions Limited. Registered in Scotland No. SC151456 Registered Office - Helix Building, West Of Scotland Science Park, Glasgow G20 0SP Email Disclaimer -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: 09 June 2010 17:54 To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] MSI vs Windows 7 UAC P.S. I have incorporated the tools in 2-4, without any of these problems, in our current installation using Visual Studio vdproj. Surely there is some setting I am missing but have not found yet. -----Original Message----- From: Kurt Jensen [mailto:kurt.jen...@ophir-spiricon.com] Sent: Wednesday, June 09, 2010 10:23 AM To: wix-users@lists.sourceforge.net Subject: [WiX-users] MSI vs Windows 7 UAC First I need some guidance. I have several problems which all appear related to dealing with UAC on Windows 7. But they may each require separate solutions. Should I post these separately? 1) On a Windows 7 computer with the default UAC setting, my installation appears to be failing because SFXCA fails to extract my custom action to a temporary directory. The relevant messages I get in the log are: SFXCA: Extracting custom action to temporary directory: C:\Program Files\Spiricon\BeamGage Standard\CustomAction.Install.WiX.CA.dll-9\ SFXCA: Failed to extract to temporary directory. Cabinet error code 11. CustomAction CAInstall returned actual error code 1603 This message is followed immediately by Rollback messages. 2) We use a program, written many years ago, that calls CM_Reenumerate_DevNode in order to simulate Find New Hardware. Originally I thought that this program was causing the install to fail but I removed it and found the failure described above. When I tried to just run it, UAC said it needed elevated privileges. When I ran it as administrator it appeared to execute without error. But, I keep an error message in the log as if it was not being run at elevated privileges. I thought deferred custom actions, and Impersonate="no", were executed with elevated privileges. Any ideas how I can debug this? 3) When I click through the installation dialogs, I always get a UAC dialog before the actual install starts. I always thought MSI was elevated and would "just run". My MSI is not (yet) signed. Would this help? 4) I am using a third tool to install third part drivers. I run this tool three times. And three times I get a UAC dialog. This is not only annoying, it looks very unprofessional. This tool is run in a custom action. Again, I thought deferred custom actions were executed with elevated privileges. Please note that I am using WiX v3.0. TIA! Kurt Jensen Senior Software Engineer Ophir-Spiricon Ph: 435-755-5429 Cell: 435-764-2122 www.ophir-spiricon.com <http://www.ophir-spiricon.com/> kurt.jen...@ophir-spiricon.com <mailto:kenneth.fer...@ophir-spiricon.com> The True Measure of Laser Performance(tm) ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.clearswift.com ********************************************************************** ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ---- -- ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ ------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
