Archive: Windows Vista Standard session => Manifest without rights : Install = KO


Under Windows Vista, in a standard user session,
it is not possible to install into the Program Files path.
The manifest file is not complete.
When building with NSIS v2.21 we have this manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="X86"
    name="Nullsoft.NSIS.exehead"
    type="win32"
  />
  <description>Nullsoft Install System v2.21</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>

For a correct install in a standard user session with highest privileges, we must have this manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="X86"
    name="Nullsoft.NSIS.exehead"
    type="win32"
  />
  <description>Nullsoft Install System v2.21</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="highestAvailable"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>


I think the most expected thing for the next build version of NSIS would be to have a new variable in the NSIS script:
1) for adding requestedPrivileges into the manifest during the compilation process,
2) for choosing the requestedExecutionLevel of requestedPrivileges.

Regards,

Yves


NSIS 2.21 is exactly the version that added this feature. Use RequestExecutionLevel.


I tested V.2.21 under Vista RC1 and was not able to install an NSIS script.

RequestExecutionLevel admin was set. The UAC didn't pop up, but the installation to C:\Program files was denied.

Changing RequestExecutionLevel to user made the UAC pop up and then installing to C:\Program files worked.


Regards,
Flizebogen

Strange - I tried it again and now it worked as expected.


Windows Vista RC2 (or RTM out real soon) might change behaviour still.

Let us know if the defect you encountered is still there on these versions.


OK, I see it, but for "RequestExecutionLevel" there exists another one. This one:

highestAvailable

It is the most important level, otherwise it is not possible to install files to the "Program Files" dir.

Adding it for the next version is needed.

Regards,

Yves


I have done a new test and I have changed the manifest in the resource:
requestedExecutionLevel level="requireAdministrator"
by
RequestExecutionLevel level="highestAvailable"

After that I launched it with the /NCRC argument to see what's happening.
Unfortunately, installation in a standard user session into "Program Files" is no longer done.

I don't understand why because, it is OK with Installshield v12.0.

Regards,

Yves


Oops,

I had some files to install in the Windows folder before, and that stopped the install process.
For me it is 'OK' for installation in "Program Files", but I think it would be better to add a "highestAvailable" parameter for "RequestExecutionLevel".

Regards,

Yves


I've tested it again on Vista build 5728. With an administrator account, I was able to write to the Program Files folder with everything but `user` execution level. When using the power user, it asked me for the administrator's password. When using highest, it also gave me an option to use the power user's privileges which were not good enough to write to the Program Files folder. `user` was a failure with the power user as well. With normal user and guest accounts, `admin` worked and `highest` and `user` failed. Providing no manifest always worked because it used administrator's privileges.

According to these tests, `admin` allows you to do anything, `highest` gives you the best the user has to offer and `user` allows nothing. This matches what MSDN has to say about the issue and almost matches what the current documentation of NSIS has to say. I've mistakenly written that `user` will allow the best the user has to offer. That's actually `highest`. I've added `highest` to the latest version and modified the documentation to match.

Something else might have happened to you while trying to write to Program Files. According to MSDN and tests `administrator` gives you administrator's privileges which should be sufficient to write to the Program Files folder.

flizebogen, the UAC pop-up should always appear when using `admin`. Can you rerun the tests to make sure?
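
For checking which execution level an installer's embedded manifest actually declares, here is an added example that is not part of the thread or of NSIS itself. It parses a manifest and reports the `requestedExecutionLevel` together with the matching NSIS `RequestExecutionLevel` keyword; the function names and the sample manifests (modelled on the two in the first post) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Manifest level -> NSIS RequestExecutionLevel keyword
LEVEL_TO_NSIS = {
    "asInvoker": "user",
    "highestAvailable": "highest",
    "requireAdministrator": "admin",
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Report the execution level an application manifest requests."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    # Match on local name: trustInfo may be declared under asm.v2 or asm.v3.
    found = [e for e in root.iter()
             if local_name(e.tag) == "requestedExecutionLevel"]
    if not found:
        # No trustInfo section: the manifest declares no level at all.
        return {"level": None, "nsis": "none", "ui_access": None}
    if len(found) > 1:
        raise ValueError("more than one requestedExecutionLevel element")
    level = found[0].get("level")
    if level not in LEVEL_TO_NSIS:
        raise ValueError(f"unknown execution level: {level!r}")
    return {"level": level, "nsis": LEVEL_TO_NSIS[level],
            "ui_access": found[0].get("uiAccess", "false") == "true"}

# Constructed samples modelled on the two manifests in the first post.
HEAD = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Nullsoft.NSIS.exehead" type="win32"/>"""
TRUST = """
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="{level}" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>"""
TAIL = "\n</assembly>"

def sample(level=None):
    """Build a sample manifest, with a trustInfo block only if level is given."""
    return HEAD + (TRUST.format(level=level) if level else "") + TAIL

if __name__ == "__main__":
    for lvl in (None, "asInvoker", "highestAvailable", "requireAdministrator"):
        print(lvl, "->", audit_manifest(sample(lvl)))
```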