
Run program after InstallFiles sequence with same elevated permissions as installer


  • Run program after InstallFiles sequence with same elevated permissions as installer

    I need my software to run a file that is also run under the permissions/elevated privileges as the user that installs the software.

    So, for example, if a non-admin installed the software, they are asked for administrative credentials. This is typically the local Administrator account or a domain account that is a member of the local Administrators group (i.e. Domain Admins).

    The problem is when I run an executable under Custom Actions (Immediate/Async no wait/InstallExecuteSequence/After InstallFiles), the program runs but not under the same credentials. It runs under the current username logged into Windows, which can be a non-admin.

    How do I run the program under the same credentials that started the installation?

  • #2
    To get around using the installation credentials, I changed the external exe to "requireAdministrator" in its manifest.

    BUT...the external exe WILL NOT RUN if its manifest is set to "requireAdministrator". It runs fine if its manifest is set to "asInvoker" or "highestAvailable", but that doesn't prompt for credentials.

    Is there a special Custom Action to run a program from within the .msifact file so it can run with "requireAdministrator" in the external exe's manifest?


    • #3
      1. Create a Custom Action to run this executable.
      2. Set CA to be scheduled as deferred and clear the "impersonate" option. Deferred Custom Actions must be timed between InstallInitialize and InstallFinalize.

        If scheduled as Deferred, the CA will be executed before the files in the MSI package are written to the disk (in script). This is for actions "as admin" before the deployment.
        If scheduled as Deferred - Commit, the CA will be run after the installation of the software is complete.


      • #4
        Thanks, that clears it up! The help file didn't provide much insight into this.


        • #5
          Question - I have the CA Deferred, Impersonate is unchecked, and the Timing is "After InstallFiles". When the program is run, it is running under username SYSTEM, *not* the username that I enter to start the installation of the .msi file.


          • #6
            I suspect that Windows Installer does not give you this kind of granularity. Either you run a CA with the user account - without elevation - or with the elevated token obtained once acquired by the service.
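
The behaviour discussed in this thread is recorded in the Type column of the MSI's CustomAction table. The following is an added example, not part of the thread and not code from any poster or from the installer tool: it decodes that column to show which identity each custom action runs under and lists the ones that run as LocalSystem. It assumes an elevated per-machine install; the action names and sample rows are constructed.

```python
# Added example. Flag values are the msidbCustomActionType* constants from
# the Windows Installer SDK (msidefs.h). The sample rows are constructed.
CONTINUE = 0x0040        # ignore the action's exit code
ASYNC = 0x0080           # run asynchronously
ROLLBACK = 0x0100        # with IN_SCRIPT: rollback action
COMMIT = 0x0200          # with IN_SCRIPT: commit action
IN_SCRIPT = 0x0400       # deferred execution
NO_IMPERSONATE = 0x0800  # with IN_SCRIPT: no user impersonation

WAIT_MODES = {0: "sync", CONTINUE: "sync, ignore exit code",
              ASYNC: "async, wait at sequence end",
              ASYNC | CONTINUE: "async, no wait"}


def describe(ca_type):
    """Decode a CustomAction.Type value into (scheduling, identity, wait)."""
    wait = WAIT_MODES[ca_type & (ASYNC | CONTINUE)]
    if not ca_type & IN_SCRIPT:
        # Immediate actions run in the client process; NO_IMPERSONATE
        # only has meaning for in-script (deferred) actions.
        return "immediate", "launching user", wait
    if ca_type & COMMIT:
        scheduling = "deferred commit"
    elif ca_type & ROLLBACK:
        scheduling = "deferred rollback"
    else:
        scheduling = "deferred"
    identity = "LocalSystem" if ca_type & NO_IMPERSONATE else "launching user"
    return scheduling, identity, wait


def system_actions(rows):
    """Names of custom actions that run as LocalSystem (review these first)."""
    return [name for name, ca_type in rows
            if describe(ca_type)[1] == "LocalSystem"]


# Constructed CustomAction rows: (Action, Type). Base type 0x12 = EXE
# installed with the product (File table key in Source).
SAMPLE_ROWS = [
    ("RunToolImmediate", 0x12 | ASYNC | CONTINUE),           # as in post #1
    ("RunToolDeferred", 0x12 | IN_SCRIPT | NO_IMPERSONATE),  # as in #3 and #5
    ("RunToolCommit", 0x12 | IN_SCRIPT | COMMIT | NO_IMPERSONATE),
    ("RunToolAsUser", 0x12 | IN_SCRIPT),
]

if __name__ == "__main__":
    for name, ca_type in SAMPLE_ROWS:
        print(f"{name:18} {ca_type:#06x} {describe(ca_type)}")
```

Any executable that `system_actions` reports is launched with full SYSTEM rights, so it is worth checking that the file it points to is not writable by standard users.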