VISTA MSP Elevated mode for Regular User

ContactEZ.net International Bilingual Services

Free Information 100% Sponsored by Southern Belle Giftware

How to create a MSP to run in elevated mode by Non-Administrator Users - VISTA

User Account Control (UAC) Patching
User Account Control (UAC) patching enables the authors of Windows Installer installations to identify digitally-signed patches that can be applied in the future by non-administrator users.

Related topics: MSI Automation, MSI Tables Overview, MSI Command Line, Create MSI Tables, MSI UAC VISTA, MSI Error Table, BootStrapper VISTA, Install MSI SDK Tools V3.1.4, Create CAB File, Build MSPs

If a non-administrator attempts to apply a patch to an application, and the following conditions have not been met, Windows Vista will notify the user that administrator authorization is required before installing the patch. A non-administrator can continue installing the patch, without needing to obtain additional administrator authorization, provided the following conditions are met.

The application was installed on Windows Vista or Windows XP using Windows Installer 3.0 or later.
Windows Server 2008: Not supported.
If the application was installed on Windows XP, the application must also have been installed from removable media, such a CD-ROM or DVD disk.
This restriction does not apply if the application was installed on Windows Vista.
The application was not installed from an administrative installation source image.
The application was originally installed per-machine. For information about how to enable non-administrators to apply patches to per-user-managed applications after the patch has been approved as trusted by an administrator, see Patching Per-User Managed Applications (uses the SourceListAddSource method).
The MsiPatchCertificate table is present in the Window Installer package (.msi file) and contains the information needed to enable UAC. The table and information may have been be included in the original installation package or added to the package by a Windows Installer patch file (.msp file).
The patches are digitally signed by a certificate listed in the MsiPatchCertificate table. For more information about digital signature certificates, see Digital Signatures and Windows Installer.
The digital signature on the patch package can be verified against the certificate in the MsiPatchCertificate table. For more information about the use of digital signatures, digital certificates, and WinVerifyTrust, see the Security section of the Microsoft Windows Software Development Kit (SDK).
The signer certificate used to verify the digital signature on the patch package is valid and has not been revoked.
Least-privilege patching has not been disabled by setting the MSIDISABLELUAPATCHING property or the DisableLUAPatching policy.

A patch that has been applied using UAC patching can also be removed by a non-administrator.

Administrators can apply patches to per-machine installed products regardless of the application's UAC setting.

You can determine whether least-privilege patching is enabled for an application by using the MsiGetProductInfoEx function to query for the INSTALLPROPERTY_AUTHORIZED_LUA_APP property, or by using the ProductInfo method to query for the "AuthorizedLUAApp" property. If the value of either property is 1, the application is enabled for least-privilege user account patching.

An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.

This functionality is available beginning with Windows Installer version 3.0. User Account Control (UAC) patching was called least-privilege user account (LUA) patching in Windows XP. LUA patching is not available on Windows 2000 and Windows Server 2003.

For more information about application compatibility and developing applications that are compatible with User Account Control (UAC), see the UAC information that is provided on Microsoft Technet ().

Patch certificates

Although you cannot sign a patch using an expired certificate, evaluation of a digital signature on a patch does not fail if the certificate has expired. Evaluation uses the current MsiPatchCertificate table, which consists of the MsiPatchCertificate table in the original package and any changes to the table by patches sequenced prior to the current one. A patch can add new certificates to the MsiPatchCertificate table to evaluate patches sequenced after the current patch. A revoked certificate is always rejected.

Petit conseil sympa:
Pour decompacter un fichier msp afin de récupérer son contenu tapez la commande suivante:

msiexec /P "MYPatch.msp" /a "c:\rel\MYProduct.MSI" /qn

Tous les fichiers seront exportés ainsi que leurs mises à jour dans les dossiers C:\rel\Archivos de programa\MyProduct … C:\rel\Microsoft Shared\Dao … C:\rel\System32\Redist\MS\System… C:\rel\Windows\system32\Ansi ... ou C:\rel\Fichiers de Programmes selon la langue du fichier d'instructions MSI...

La commande msiexec /a "c:\rel\Myproduct.MSI" TARGETDIR="C:\MSP\MSPOUT\out" /qn vous permet d'exporter tous les fichiers d'une installation Windows dans le dossier out.

About Dominique Gérard Schneider since 1995 - Developing solutions that really help!
Participation on Google Participation on Yahoo! Tek-Tips Forums dgschnei	Listed since 1996 ixquick International Services Vivísimo platform sdk dgschnei	Cooperation on Google About Me Gifts Home Decoration

Return Home - Index