D. G. Schneider Lions Club Volunteer Project

How to create an MSP that non-administrator users can run in elevated mode

User Account Control (UAC) Patching
User Account Control (UAC) patching enables the authors of Windows Installer installations to identify digitally-signed patches that can be applied in the future by non-administrator users.


If a non-administrator attempts to apply a patch to an application, and the following conditions have not been met, Windows will notify the user that administrator authorization is required before installing the patch. A non-administrator can continue installing the patch, without needing to obtain additional administrator authorization, provided the following conditions are met.

A patch that has been applied using UAC patching can also be removed by a non-administrator.

Administrators can apply patches to per-machine installed products regardless of the application's UAC setting.

You can determine whether least-privilege patching is enabled for an application by using the MsiGetProductInfoEx function to query for the INSTALLPROPERTY_AUTHORIZED_LUA_APP property, or by using the ProductInfo method to query for the "AuthorizedLUAApp" property. If the value of either property is 1, the application is enabled for least-privilege user account patching.

An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.
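The check described above can be scripted for every installed product. The following is an added example, not code from the original page: it reads the "AuthorizedLUAApp" property through the Windows Installer automation object and reports whether the DisableLUAPatching policy is set. The function names and output columns are hypothetical, and the policy registry path is stated as an assumption about where Windows Installer machine policies are stored.

```powershell
# Added audit example (not from the original page). Run in Windows PowerShell.
# Lists installed products that are enabled for least-privilege (UAC/LUA) patching.

function Get-MsiProperty {
    param($Installer, [string]$Name, [object[]]$Arguments)
    # Late-bound call, because Installer properties such as ProductInfo take arguments.
    $Installer.GetType().InvokeMember($Name, 'GetProperty', $null, $Installer, $Arguments)
}

function Get-LuaPatchingState {
    # Assumption: Windows Installer machine policies are stored under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $policy = (Get-ItemProperty -Path $policyKey -Name DisableLUAPatching `
                   -ErrorAction SilentlyContinue).DisableLUAPatching
    $policyDisabled = ($policy -eq 1)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    foreach ($code in (Get-MsiProperty $installer 'Products' $null)) {
        $name = $null; $lua = $null; $queryFailed = $false
        try {
            $name = Get-MsiProperty $installer 'ProductInfo' @($code, 'ProductName')
            $lua  = Get-MsiProperty $installer 'ProductInfo' @($code, 'AuthorizedLUAApp')
        } catch {
            # The property could not be read for this product in the current context.
            $queryFailed = $true
        }
        [pscustomobject]@{
            ProductCode        = $code
            ProductName        = $name
            AuthorizedLUAApp   = ($lua -eq '1')      # value 1 = enabled, per the text
            PolicyDisabled     = $policyDisabled     # DisableLUAPatching = 1
            # Enabled for the product and not switched off by policy. The patch
            # itself must still satisfy the signing conditions.
            LuaPatchingEnabled = (($lua -eq '1') -and -not $policyDisabled)
            QueryFailed        = $queryFailed
        }
    }
}

Get-LuaPatchingState |
    Where-Object { $_.AuthorizedLUAApp -or $_.QueryFailed } |
    Sort-Object ProductName |
    Format-Table ProductName, ProductCode, LuaPatchingEnabled, PolicyDisabled, QueryFailed -AutoSize
```

Products listed with LuaPatchingEnabled set to True are the ones whose patch certificates deserve review, since patches signed with those certificates can be applied without an administrator.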

This functionality is available beginning with Windows Installer version 3.0. User Account Control (UAC) patching was called least-privilege user account (LUA) patching in Windows XP. LUA patching is not available on Windows 2000 and Windows Server 2003.

For more information about application compatibility and developing applications that are compatible with User Account Control (UAC), see the UAC information that is provided on Microsoft TechNet.

Patch certificates

Although you cannot sign a patch using an expired certificate, evaluation of a digital signature on a patch does not fail if the certificate has expired. Evaluation uses the current MsiPatchCertificate table, which consists of the MsiPatchCertificate table in the original package and any changes to the table by patches sequenced prior to the current one. A patch can add new certificates to the MsiPatchCertificate table to evaluate patches sequenced after the current patch. A revoked certificate is always rejected.

A handy tip:
To unpack an MSP file and retrieve its contents, type the following command:

msiexec /P "MYPatch.msp" /a "c:\rel\MYProduct.MSI" /qn

All the files, together with their updates, will be exported to the folders C:\rel\Archivos de programa\MyProduct … C:\rel\Microsoft Shared\Dao … C:\rel\System32\Redist\MS\System… C:\rel\Windows\system32\Ansi ... or C:\rel\Fichiers de Programmes, depending on the language of the MSI instruction file...

The command msiexec /a "c:\rel\Myproduct.MSI" TARGETDIR="C:\MSP\MSPOUT\out" /qn lets you export all the files of a Windows installation to the out folder.

About Dominique Gérard Schneider since 1995