Archive: RunAs administrator then execute as desktop user


RunAs administrator then execute as desktop user
Hi

I have this situation for PRE-vista installations. If a normal user wants to install, I force him to use runas with admin privileges, so the installer runs elevated compared to the desktop logged user.

Q1. How do I know that this is the case? (i.e. differentiate runas vs. a normal admin user)

If my installer detects this is the case, then it needs to run a step using the desktop user's credentials. Is there any way to do this? (I have looked at the UAC plugin but I don't think it would work under this scenario - it needs the installer to start as the desktop user?)

What I need is a CreateProcessAsUser equivalent for NSIS.

thanks
nikos


I don't 100% understand what you mean, but using the UAC plugin (calling UAC::ExecCodeSegment) should be able to do what you need.


Re: RunAs administrator then execute as desktop user
Hi

Setting RequestExecutionLevel to highest will ask the user for admin rights if the user is in the admin group, but the install will continue with normal user rights if the user is a normal user, not an admin, and cannot run applications with admin rights.


Can UAC work in this scenario in "old" Windows? (before Vista)

* NORMAL user starts the installer with "runas" to elevate

* the installer runs as admin but some portions of it use the desktop user

From my understanding of how UAC works, it finds out who the desktop user is when it is first launched as the desktop (i.e. normal) user.


To run as the desktop user means you cannot modify registry keys except those in HKCU and cannot access system files and folders.

So you decide what your installer will do when it is started from whatever account type.

If your installer edits registry keys only in HKCU and does not copy files into system folders, then no matter whether it is started with admin rights, it will be limited to the access rights of a normal user.

To check whether the installer is started with admin rights or with the rights of a normal user, you can try to access some registry key or folder that is not available to a normal user (for example $SYSDIR). If the key/folder can be accessed, your installer is started with admin rights. If you get an error, then the installer is started from a normal user account.
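
An added example, not part of the thread: an NSIS script for the write-probe check suggested in the post above, shown next to the account-type query of the UserInfo plugin that ships with NSIS. The probe file name is a made-up placeholder; both checks describe the account the installer process runs under, so after runas they report the elevated account, not the desktop user.

```nsis
; Added example (not from the thread). Probe file name is hypothetical.
!include "LogicLib.nsh"

Name "Admin check example"
OutFile "admincheck.exe"
; Mentioned in the thread; the manifest it embeds is ignored before Vista.
RequestExecutionLevel highest

; Pushes "1" if a file can be created in $SYSDIR, otherwise "0".
Function ProbeSysDirWrite
  ClearErrors
  FileOpen $0 "$SYSDIR\nsis_admin_probe.tmp" w
  ${If} ${Errors}
    Push "0"                      ; creation failed: no write access
  ${Else}
    FileClose $0
    Delete "$SYSDIR\nsis_admin_probe.tmp"   ; leave no trace of the probe
    Push "1"
  ${EndIf}
FunctionEnd

Function .onInit
  Call ProbeSysDirWrite
  Pop $1                          ; "1" or "0" from the write probe

  ; UserInfo reports on the token of this process. When the installer
  ; was launched through runas, this is the runas account.
  ClearErrors
  UserInfo::GetName
  ${If} ${Errors}
    StrCpy $2 "(no user accounts, Win9x)"
    StrCpy $3 "Admin"
  ${Else}
    Pop $2                        ; account name
    UserInfo::GetAccountType
    Pop $3                        ; "Admin", "Power", "User" or "Guest"
  ${EndIf}

  MessageBox MB_OK "Running as: $2$\nAccount type: $3$\nCan write to SYSDIR: $1"
FunctionEnd

Section
SectionEnd
```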


a while ago i tried to build a fake-uac (via nsDialogs) for pre-vista windows, but i had problems when a user had an empty password. sorry, i don't recall the exact scenario, but there were similar problems - which made me abandon the idea at some point.


the UAC plugin works on ANY version of windows, the part where it actually elevates and uses two processes works on 2000 and later.


the UAC plugin works on ANY version of windows, the part where it actually elevates and uses two processes works on 2000 and later
you are the author of this plugin, right? who will ask the user for elevation, your plugin or the user beforehand? As I said if the user before launching the installer uses runas to elevate himself, then the link to the "normal" desktop user will be lost, wouldn't it? Even if your plugin uses 2 processes they will both be elevated. If not, can you tell me how you figure out the desktop user?

thanks
nikos

yes, if the user does runas first, then the game is over, but you should not fight this, it's the user's choice, you don't know which user they really want to install as...