Archive: NSIS - Do you want to allow the following program...
donose.mihai
25th June 2012 08:41 UTC
NSIS - Do you want to allow the following program...
Hello,
I've created an installer using NSIS and used the ACCESSCONTROL to set the permission even for users:
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::EnableFileInheritance "$INSTDIR"
Question:
How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")?
Do I need to make some registry settings?
Any help will be greatly appreciated.
Thanks
MSG
25th June 2012 08:45 UTC
Originally posted by donose.mihai
How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")?
If by the popup you mean the UAC popup, you can't. You cannot run something as admin without the user explicitly allowing you (or without the user entering the admin password).
donose.mihai
25th June 2012 08:51 UTC
Yes, I am referring to the UAC, but how can other software run from Program Files (x86) without the message from the UAC popping up?
Can I make some registry settings from NSIS to run as administrator?
MSG
25th June 2012 08:57 UTC
You can *run* from the program files directory, you just cannot *write* to it without admin access. The apps installed in those protected directories were installed at admin level.
Your app should write to a subfolder of $APPDATA or $LOCALAPPDATA, not to $INSTDIR.
(You can also add an admin request to your application's manifest, but that will only work on Vista and newer if UAC is enabled. But of course that will pop up a confirmation dialog.)
donose.mihai
25th June 2012 09:18 UTC
Let me ask you another thing because I didn't get it.
Let's say I'm installing WinAmp in Program Files (x86): the UAC appears the first time, and after that I can run WinAmp without the UAC message popping up every time... and I found only an ini file and a temp file for WinAmp in the subfolders of $APPDATA.
Thanks for answering to a beginner :)
MSG
25th June 2012 09:39 UTC
Like I said, any user can run an app from a protected directory such as program files, because reading is allowed. Writing is however not allowed. For writing you need admin access, which is why the installer throws a UAC admin request. As far as I know, Winamp itself does NOT try to write to its own folder. Instead, it writes all its stuff either to HKCU registry or to $APPDATA / $LOCALAPPDATA.
(If I'm wrong and it *does* try to write to its installation folder, then winamp is broken and needs to be fixed.)
donose.mihai
27th June 2012 10:39 UTC
It is possible...I've done it!!!
The UAC message is not appearing anymore:
I've used the AccessControl plugin from NSIS and I've worked with the registry:
;--------------------------------
; THIS TO WORK REQUIRES TO INSTALL THE ACCESSCONTROL PLUGIN INTO NSIS
; FIND THE PLUGIN IN NET, UNPACK AND COPY THE .dll FILE INTO NSIS PLUGINS FOLDER
;--------------------------------
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(S-1-5-32-545)" "FullAccess"
; Write the installation path into the registry
WriteRegStr HKLM SOFTWARE\SoftwareName "Install_Dir" "$INSTDIR"
WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers" \
"$NameOfTheExeFile.exe" "RUNASADMIN"
Afrow UK
27th June 2012 11:07 UTC
Why on Earth are you doing that? Where are you installing to that requires you to change folder permissions?
Either way I see some issues with your code:
- Your first call to AccessControl will always fail - the username/SID argument is not optional (i.e. this will result in stack corruption).
- S-1-5-21 is not a valid security identifier.
- S-1-5-32-545, Users and BU are all the same BUILTIN\Users group!
Stu
donose.mihai
27th June 2012 12:04 UTC
1. True, I've noticed now that it has no identifier.
2. It is a valid identifier S-1-5-21 - According to Microsoft is the Domain Admin - http://support.microsoft.com/kb/243330
3. Use the SID "(S-1-5-32-545)" instead of "(BU)" for Windows 7 - "(BU)" doesn't work. This may also help for non-English installations.
http://nsis.sourceforge.net/Talk:AccessControl_plug-in
Afrow UK
27th June 2012 12:26 UTC
Originally posted by donose.mihai
2. It is a valid identifier S-1-5-21 - According to Microsoft is the Domain Admin - http://support.microsoft.com/kb/243330
No, the domain administrator's SID is S-1-5-21-domain-512 where domain is taken from the domain or machine SID. Similarly the local administrator's SID is S-1-5-21-domain-500. S-1-5-21 on its own means nothing (try it in the Active Directory object browser).
Stu
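The three issues listed above (missing trustee argument, incomplete S-1-5-21 SID, the same BUILTIN\Users group granted under several names), together with write grants to Everyone or Users on a target that the earlier replies say should not be user-writable, can be checked mechanically before an installer ships. The linter below is an added example, not code from the thread or from the AccessControl plug-in; `lint`, `canonical` and the finding labels are hypothetical names, and the write-rights set covers only the rights named in this thread.

```python
import re

# Names the thread identifies as one and the same BUILTIN\Users group.
USERS_ALIASES = {"S-1-5-32-545", "USERS", "BU"}
BROAD = {"S-1-1-0", "S-1-5-32-545"}          # Everyone, BUILTIN\Users
WRITE_RIGHTS = {"FullAccess", "GenericWrite", "Delete"}
CALL_RE = re.compile(r"AccessControl::(GrantOnFile|GrantOnRegKey)\s+(.*)")

def canonical(trustee):
    """Strip the plug-in's parentheses and fold Users aliases to the SID."""
    t = trustee.strip("()")
    return "S-1-5-32-545" if t.upper() in USERS_ALIASES else t

def lint(script):
    """Return (call_number, finding) pairs for each grant call in script."""
    findings, seen, call_no = [], set(), 0
    for line in script.replace("\\\n", " ").splitlines():  # join continuations
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        call_no += 1
        args = re.findall(r'"([^"]*)"', m.group(2))
        if len(args) < 3:                     # target, trustee, rights
            findings.append((call_no, "missing-trustee"))
            continue
        target, trustee, rights = args[0], canonical(args[1]), args[2]
        parts = trustee.split("-")
        # A domain/machine SID is S-1-5-21-<three sub-authorities>-<RID>.
        if parts[:4] == ["S", "1", "5", "21"] and len(parts) < 8:
            findings.append((call_no, "incomplete-domain-sid"))
        if (target, trustee) in seen:
            findings.append((call_no, "duplicate-trustee"))
        seen.add((target, trustee))
        granted = {r.strip() for r in rights.split("+")}
        if trustee in BROAD and granted & WRITE_RIGHTS:
            findings.append((call_no, "broad-write"))
    return findings

# Constructed sample, modelled on the calls quoted in the thread.
SAMPLE = r'''
AccessControl::GrantOnFile "$INSTDIR" "GenericRead + GenericWrite"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "GenericRead"
'''
```

Calling `lint(SAMPLE)` returns one finding per problem, numbered by the order of the grant calls in the script.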
donose.mihai
27th June 2012 15:39 UTC
Thanks...you're right regarding the S-1-5-21, but bottom line is that I've done it....no UAC message appears and the application updates itself without any issues.