Written by D. G. Schneider ContactEZ.net


How to create an MSP that non-administrator users can apply in elevated mode

User Account Control (UAC) Patching
User Account Control (UAC) patching enables the authors of Windows Installer installations to identify digitally-signed patches that can be applied in the future by non-administrator users.


If a non-administrator attempts to apply a patch to an application, and the following conditions have not been met, Windows will notify the user that administrator authorization is required before installing the patch. A non-administrator can continue installing the patch, without needing to obtain additional administrator authorization, provided the following conditions are met.

A patch that has been applied using UAC patching can also be removed by a non-administrator.

Administrators can apply patches to per-machine installed products regardless of the application's UAC setting.

You can determine whether least-privilege patching is enabled for an application by using the MsiGetProductInfoEx function to query for the INSTALLPROPERTY_AUTHORIZED_LUA_APP property, or by using the ProductInfo method to query for the "AuthorizedLUAApp" property. If the value of either property is 1, the application is enabled for least-privilege user account patching.

An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.
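The two checks described above (the per-product "AuthorizedLUAApp" property and the machine-wide DisableLUAPatching policy) can be combined into one audit. The following PowerShell is an added example, not code from the original page; the function name Get-LuaPatchingStatus is hypothetical, and the policy is assumed to be read from the standard Windows Installer machine policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer.

```powershell
# Added example: report which installed products allow least-privilege (UAC/LUA)
# patching, taking the machine-wide DisableLUAPatching policy into account.
function Get-LuaPatchingStatus {
    [CmdletBinding()]
    param()

    # Machine policy: DisableLUAPatching = 1 disables the feature for every product.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $policy = Get-ItemProperty -Path $policyKey -Name DisableLUAPatching -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $policy) -and ($policy.DisableLUAPatching -eq 1)

    # Windows Installer automation object. InvokeMember is used because the
    # object does not always expose its members to PowerShell's COM adapter.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $type = $installer.GetType()
    $get = [System.Reflection.BindingFlags]::GetProperty

    # Products returns the product codes registered for this user and machine.
    $products = $type.InvokeMember('Products', $get, $null, $installer, $null)
    foreach ($code in $products) {
        $info = @{}
        foreach ($attr in 'ProductName', 'AuthorizedLUAApp') {
            try {
                $info[$attr] = $type.InvokeMember('ProductInfo', $get, $null, $installer, @($code, $attr))
            } catch {
                $info[$attr] = $null   # attribute not available for this product
            }
        }
        $authorized = ($info['AuthorizedLUAApp'] -eq '1')
        [pscustomobject]@{
            ProductCode        = $code
            ProductName        = $info['ProductName']
            AuthorizedLUAApp   = $authorized
            DisabledByPolicy   = $disabledByPolicy
            LuaPatchingEnabled = $authorized -and -not $disabledByPolicy
        }
    }
}

Get-LuaPatchingStatus | Sort-Object ProductName | Format-Table -AutoSize
```

Products that report LuaPatchingEnabled as True are the ones to review when deciding whether non-administrators should be able to patch them; setting the policy to 1 turns the last column False for all of them.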

This functionality is available beginning with Windows Installer version 3.0. User Account Control (UAC) patching was called least-privilege user account (LUA) patching in Windows XP. LUA patching is not available on Windows 2000 and Windows Server 2003.

For more information about application compatibility and developing applications that are compatible with User Account Control (UAC), see the UAC information that is provided on Microsoft TechNet.

Patch certificates

Although you cannot sign a patch using an expired certificate, evaluation of a digital signature on a patch does not fail if the certificate has expired. Evaluation uses the current MsiPatchCertificate table, which consists of the MsiPatchCertificate table in the original package and any changes to the table by patches sequenced prior to the current one. A patch can add new certificates to the MsiPatchCertificate table to evaluate patches sequenced after the current patch. A revoked certificate is always rejected.

To unpack an MSP and export its contents, type the following command:

msiexec /P "MYPatch.msp" /a "c:\rel\MYProduct.MSI" /qn

All the files (including the updated files) will be exported to their respective folders:
C:\rel\Archivos de programa\MyProduct
C:\rel\Microsoft Shared\Dao
C:\rel\Windows\system32\Ansi ... (or C:\rel\Fichiers de Programmes, depending on the language of the MSI instruction file...)

The command msiexec /a "c:\rel\Myproduct.MSI" TARGETDIR="C:\MSP\MSPOUT\out" /qn exports all the files of an installation package into the out folder.
