How to create an MSP to run in elevated mode by Non-Administrator Users
User Account Control (UAC) Patching
User Account Control (UAC) patching enables the authors of Windows Installer
installations to identify digitally-signed patches that can be applied in the
future by non-administrator users.
If a non-administrator attempts to apply a patch to an application, and the
following conditions have not been met, Windows will notify the user that
administrator authorization is required before installing the patch. A
non-administrator can continue installing the patch, without needing to obtain
additional administrator authorization, provided the following conditions are
A patch that has been applied using UAC patching can also be removed by a
- The application was installed on Windows Vista or Windows XP using
Windows Installer 3.0 or later.
Windows Server 2008: Not supported.
- If the application was installed on Windows XP, the application must also
have been installed from removable media, such as a CD-ROM or DVD disk.
This restriction does not apply if the application was installed on Windows
- The application was not installed from an administrative installation source
- The application was originally installed per-machine. For information about how
to enable non-administrators to apply patches to per-user-managed applications
after the patch has been approved as trusted by an administrator, see Patching
Per-User Managed Applications (uses the SourceListAddSource method).
- The MsiPatchCertificate table is present in the Windows Installer package (.msi
file) and contains the information needed to enable UAC. The table and
information may have been included in the original installation package or
added to the package by a Windows Installer patch file (.msp file).
- The patches are digitally signed by a certificate listed in the
MsiPatchCertificate table. For more information about digital signature
certificates, see Digital Signatures and Windows Installer.
- The digital signature on the patch package can be verified against the
certificate in the MsiPatchCertificate table. For more information about the use
of digital signatures, digital certificates, and WinVerifyTrust, see the
Security section of the Microsoft Windows Software Development Kit (SDK).
- The signer certificate used to verify the digital signature on the patch package
is valid and has not been revoked.
- Least-privilege patching has not been disabled by setting the
MSIDISABLELUAPATCHING property or the DisableLUAPatching policy.
Administrators can apply patches to per-machine installed products regardless of
the application's UAC setting.
You can determine whether least-privilege patching is enabled for an application
by using the MsiGetProductInfoEx function to query for the
INSTALLPROPERTY_AUTHORIZED_LUA_APP property, or by using the ProductInfo method
to query for the "AuthorizedLUAApp" property. If the value of either property is
1, the application is enabled for least-privilege user account patching.
An administrator can disable least-privilege patching on the computer by setting
the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING
property to 1 during the initial installation of an application to prevent
least-privilege patching for that application only.
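An audit of the two checks described above, as an added example that is not from the original page: it reads the DisableLUAPatching policy value and queries the "AuthorizedLUAApp" property of every installed product through the Windows Installer automation object. The registry path of the policy key, the helper function name and the report column names are assumptions of this example.

```powershell
# Added example: inventory the products that allow non-administrator
# (UAC/LUA) patching on this computer.

# Machine policy named on the page. Assumption: it is stored under the
# standard Windows Installer policy key shown here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$policy = Get-ItemProperty -Path $policyKey -Name DisableLUAPatching -ErrorAction SilentlyContinue
$luaDisabledByPolicy = ($null -ne $policy) -and ($policy.DisableLUAPatching -eq 1)
Write-Output "DisableLUAPatching policy set to 1: $luaDisabledByPolicy"

# Windows Installer automation object; its parameterized properties are
# read through InvokeMember.
$installer = New-Object -ComObject WindowsInstaller.Installer
$type = $installer.GetType()
$getProp = [System.Reflection.BindingFlags]::GetProperty

# Hypothetical helper: read one ProductInfo attribute, returning $null when
# the attribute cannot be read for this product.
function Get-ProductInfoValue([string]$ProductCode, [string]$Attribute) {
    try {
        $type.InvokeMember('ProductInfo', $getProp, $null, $installer,
            @($ProductCode, $Attribute))
    } catch {
        $null
    }
}

$products = $type.InvokeMember('Products', $getProp, $null, $installer, $null)
$report = foreach ($code in $products) {
    $lua = Get-ProductInfoValue $code 'AuthorizedLUAApp'
    [pscustomobject]@{
        ProductCode      = $code
        ProductName      = Get-ProductInfoValue $code 'ProductName'
        # AssignmentType 1 means the product was installed per-machine.
        PerMachine       = (Get-ProductInfoValue $code 'AssignmentType') -eq '1'
        AuthorizedLUAApp = $lua
        # Enabled only when the product opts in and policy does not disable it.
        NonAdminPatching = ($lua -eq '1') -and -not $luaDisabledByPolicy
    }
}

# Products that accept patches from non-administrators are listed first.
$report | Sort-Object NonAdminPatching -Descending | Format-Table -AutoSize
```

Products listed with NonAdminPatching set to True are the ones whose MsiPatchCertificate signers are worth reviewing, because a patch signed by one of those certificates can be applied without administrator authorization.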
This functionality is available beginning with Windows Installer version 3.0.
User Account Control (UAC) patching was called least-privilege user account (LUA)
patching in Windows XP. LUA patching is not available on Windows 2000 and
Windows Server 2003.
For more information about application compatibility and developing applications
that are compatible with User Account Control (UAC), see the UAC information
that is provided on Microsoft TechNet.
Although you cannot sign a patch using an expired certificate, evaluation of a
digital signature on a patch does not fail if the certificate has expired.
Evaluation uses the current MsiPatchCertificate table, which consists of the
MsiPatchCertificate table in the original package and any changes to the table
by patches sequenced prior to the current one. A patch can add new certificates
to the MsiPatchCertificate table to evaluate patches sequenced after the current
patch. A revoked certificate is always rejected.
To unpack an .msp file and export its contents, type the following command:
msiexec /P "MYPatch.msp" /a
All the files (including the updated files) will be
exported to their respective folders:
C:\rel\Archivos de programa\MyProduct
C:\rel\Windows\system32\Ansi ... (or C:\rel\Fichiers de Programmes, depending on
the language of the MSI instructions file...)
The command msiexec /a "c:\rel\Myproduct.MSI" TARGETDIR="C:\MSP\MSPOUT\out" /qn
will export all the files of an installation package in the OUT folder.