2. NSIS Discussion
  3. ExecShell with normal rights from within an elevated installer?

Archive: ExecShell with normal rights from within an elevated installer?


psyki
16th July 2008 15:50 UTC

ExecShell with normal rights from within an elevated installer?
Hi,

I have the following problem:
My installer needs to run with administrator rights in Vista (elevated) because it needs to write file in the program files directory.

I did that by adding the following line:

RequestExecutionLevelhighest




                
                
                

        
However.
At the end of my installer, I'd like to run an executable as a normal, non-elevated user.

I start a process as follows:

        PHP Code:
        
                

                
                
                        
ExecShell"""explorer.exe"
Why do I want this?
Well.
If you run explorer in elevated mode, you won't be able to drag and drop files to it from non-elevated explorer windows.

Very annoying.

So, is there a simple way to run a process unelevated from within an elevated installer?

psyki
16th July 2008 16:24 UTC

Hmmmz.
I suspect I could do this with the UAC plugin, but it seems like a whole workaround for just the one line of code, no?

Anders
16th July 2008 19:03 UTC

yeah, the UAC plugin was created to solve this problem, but it is a pain in the ass to use. Did you try ExecShell "explore" "$instdir" (Should open a new explorer window as non admin, atleast that works on pre Vista)?

psyki
17th July 2008 08:32 UTC

The code I put above, was an example.

I don't want to open explorer.
I want to open my own application (and that one needs to open explorer, which is giving me the dragdrop issues)

psyki
17th July 2008 10:32 UTC

Found a working, easy solution, using a 3d party dll, but hey.

If anyone else should come across this problem:

The 3d party dll, with source and a good explanation can be found here:

CodeProject source files

Since regular links don't seem to work:

http://www.codeproject.com/KB/vista-security/RunNonElevated.aspx
In NSIS, it's easy to use as well.
I've attached a sample NSIS installer, that does nothing but start explorer, non-elevated, from withing an elevated installer.

Anders
17th July 2008 14:21 UTC

Originally posted by psyki

CodeProject source files
That dll injects code into another process that MIGHT be there to do its dirty stuff, not exactly clean. The UAC plugin supports elevation on 2000 and later, not just Vista unlike that code

psyki
17th July 2008 15:36 UTC

On non-vista machins, it will just do shell execute, as expected.

My only worry with it, is that a servicepack might block it.

And i don't see the UAC plugin as clean either.

Anders
17th July 2008 20:24 UTC

Originally posted by psyki
On non-vista machins, it will just do shell execute, as expected.
How is that as expected, you can run into the same sort of trouble on 2000/XP as with Vista(Not D&D tho, but other issues)

Originally posted by psyki

And i don't see the UAC plugin as clean either.
No, its not exactly clean, but at least it follows the MS guideline on how to do this with a inner and outer process

psyki
18th July 2008 10:51 UTC

The only issue I have with the administrator permissions is that explorer doesn't allow me to dragdrop.

And that only happens on Vista.
So I don't need to catch it specifically for 2000, xp, ...

Anders
18th July 2008 11:01 UTC

then you are missing the whole point, the problem on older systems (and on vista with non admin elevation with another account) is that any process you start runs as the admin, and not the "logged in" user. Granted, with explorer, this is unlikely since its probably already running (and in the default config) but if its not, or its set up to use one process per cabinet window, explorer will end up running as the wrong user

Fork me on GitHub