Archive: NSIS - Do you want to allow the following program...


NSIS - Do you want to allow the following program...
Hello,

I've created an installer using NSIS and used the ACCESSCONTROL to set the permission even for users:

AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::EnableFileInheritance "$INSTDIR"


Question:

How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")

Do I need to make some registry settings?

Any help will be greatly appreciated.

Thanks


Originally posted by donose.mihai
How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")

If by the popup you mean the UAC popup, you can't. You cannot run something as admin without the user explicitly allowing you (or without the user entering the admin password).

Yes, I am referring to the UAC, but how can other software run from Program Files (x86) without the message from the UAC popping up?
Can I make some registry settings from NSIS to run as administrator?


You can *run* from the program files directory, you just cannot *write* to it without admin access. The apps installed in those protected directories were installed at admin level.

Your app should write to a subfolder of $APPDATA or $LOCALAPPDATA, not to $INSTDIR.

(You can also add an admin request to your application's manifest, but that will only work on Vista and newer if UAC is enabled. But of course that will pop up a confirmation dialog.)


Let me ask you another thing because I didn't get it.

Let's say I'm installing WinAmp in Program Files (x86): the UAC appears the first time, and after that I can run Winamp without the UAC message popping up every time... and I found only an ini file and a temp file for Winamp in the subfolders of $APPDATA.



Thanks for answering to a beginner :)


Like I said, any user can run an app from a protected directory such as program files, because reading is allowed. Writing is however not allowed. For writing you need admin access, which is why the installer throws a UAC admin request. As far as I know, Winamp itself does NOT try to write to its own folder. Instead, it writes all its stuff either to HKCU registry or to $APPDATA / $LOCALAPPDATA.

(If I'm wrong and it *does* try to write to its installation folder, then winamp is broken and needs to be fixed.)


It is possible... I've done it!!!

The UAC message is not appearing anymore:

I've used the AccessControl plugin from NSIS and I've worked with the registry:

;--------------------------------
; THIS TO WORK REQUIRES TO INSTALL THE ACCESSCONTROL PLUGIN INTO NSIS
; FIND THE PLUGIN IN NET, UNPACK AND COPY THE .dll FILE INTO NSIS PLUGINS FOLDER
;--------------------------------
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(S-1-5-32-545)" "FullAccess"

; Write the installation path into the registry
WriteRegStr HKLM SOFTWARE\SoftwareName "Install_Dir" "$INSTDIR"

WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers" \
"$NameOfTheExeFile.exe" "RUNASADMIN"


Why on Earth are you doing that? Where are you installing to that requires you to change folder permissions?

Either way I see some issues with your code:

  1. Your first call to AccessControl will always fail - the username/SID argument is not optional (i.e. this will result in stack corruption).
  2. S-1-5-21 is not a valid security identifier.
  3. S-1-5-32-545, Users and BU are all the same BUILTIN\Users group!

Stu
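
The three points in the reply above can be checked mechanically before an installer ships. The following is an added example, not part of the original thread or of the AccessControl plug-in: a small Python linter (the function name lint and its finding codes are hypothetical) run over a constructed sample modelled on the posted calls. It also flags write grants to all-user groups, since the thread's advice is that the application should write to $APPDATA or $LOCALAPPDATA rather than open up $INSTDIR.

```python
import re

# Constructed sample, modelled on the AccessControl calls posted in the thread.
SAMPLE = r'''
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericWrite"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "FullAccess"
'''

# Well-known trustees that cover every local user; spellings as used in the thread.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-32-545": "BUILTIN\\Users",
         "BU": "BUILTIN\\Users", "USERS": "BUILTIN\\Users"}
WRITE = {"fullaccess", "genericwrite", "delete"}
ARGC = {"GrantOnFile": 3, "GrantOnRegKey": 4}  # target args + trustee + permissions
CALL = re.compile(r"AccessControl::(GrantOnFile|GrantOnRegKey)\s+(.*)")

def lint(script):
    """Return (call_number, code, detail) findings for AccessControl grant calls."""
    findings, seen = [], set()
    joined = re.sub(r"\\\s*\n", " ", script)       # fold NSIS line continuations
    calls = [m for m in map(CALL.search, joined.splitlines()) if m]
    for n, m in enumerate(calls, 1):
        func = m.group(1)
        args = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', m.group(2))]
        if len(args) < ARGC[func]:
            findings.append((n, "MISSING_TRUSTEE", f"{func} got {len(args)} args"))
            continue
        *target, trustee, perms = args[:ARGC[func]]
        name = trustee.strip("()")
        # Domain/machine accounts are S-1-5-21-<three sub-authorities>-<RID>.
        if name.startswith("S-1-5-21") and not re.fullmatch(r"S-1-5-21(-\d+){4}", name):
            findings.append((n, "INCOMPLETE_SID", name))
            continue
        group = BROAD.get(name.upper())
        if group is None:
            continue
        key = (func, tuple(target), group)
        if key in seen:
            findings.append((n, "DUPLICATE_TRUSTEE", f"{name} is {group} again"))
        seen.add(key)
        granted = {p.strip().lower() for p in perms.split("+")}
        if granted & WRITE:
            findings.append((n, "BROAD_WRITE", f"{group} can modify {' '.join(target)}"))
    return findings
```

A BROAD_WRITE finding on the install directory means any non-admin account on the machine can replace the installed binaries, so it deserves review even when the installer appears to work.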

1. True, I've noticed now that it has no identifier.

2. It is a valid identifier, S-1-5-21 - according to Microsoft it is the Domain Admin - http://support.microsoft.com/kb/243330

3. Use the SID "(S-1-5-32-545)" instead of "(BU)" for Windows 7 - "(BU)" doesn't work. This may also help for non-English installations.

http://nsis.sourceforge.net/Talk:AccessControl_plug-in


Originally posted by donose.mihai
2. It is a valid identifier, S-1-5-21 - according to Microsoft it is the Domain Admin - http://support.microsoft.com/kb/243330

No, the domain administrator's SID is S-1-5-21domain-512 where domain is taken from the domain or machine SID. Similarly the local administrator's SID is S-1-5-21domain-500. S-1-5-21 on its own means nothing (try it in the active directory object browser).

Stu

Thanks... you're right regarding the S-1-5-21, but the bottom line is that I've done it... no UAC message appears and the application updates itself without any issues.