How to write installers in Vista that work correctly under UAC


Yuval Shavit, Associate Editor
12.09.2008


Vista's new User Account Control (UAC) feature helps programs enforce good security models, like the principle of least access: programs run in standard user mode as long as possible and elevate to administrator privileges only as needed. But developing programs with UAC means changing your ways a bit, said Crispin Cowan, senior project manager on Microsoft's UAC team, in a talk he gave at PDC in October. This tip specifically addresses installers that run under UAC.

If you haven't read our introduction to developing programs under UAC or our tip on how to elevate UAC privileges correctly, you may want to read those as well.

It's common for installers to ask users if they want to launch a newly installed application or its read-me file, but you need to be careful if you do this in Vista or the upcoming Windows 7. If your installer is installing its application to the whole machine -- as opposed to on a per-user basis -- it will need to elevate its privileges using UAC. But programs can't un-elevate, so once your installer goes into administrator-access mode, any process it launches will itself be elevated. This can have some pretty important security ramifications. For instance, if you open an HTML read-me file, you've now launched an elevated browser instance that the user may then use to browse the Internet. This can expose an elevated (and thus insecure) portal that hackers can exploit.

If the installer was launched by a standard user, using it to launch the application's first instance also invites configuration problems, Cowan said. When a standard user runs an elevated program, they're shown an over-the-shoulder (OTS) prompt instead of the standard UAC prompt. An OTS prompt requires an administrator's password, and Vista handles this by actually launching the program as that administrator. That means any first-run configuration work will be done on that administrator's account. The next time the user launches your application, it will use the normal account, and the user will be confused as to why all of his configurations have disappeared. For instance, a user might import his music files to a newly installed music player, not realizing that they have been imported to the administrator's account and not his own.

The easiest fix is to just do all of your initial configuration at first run, rather than at the last stage of installation, Cowan said. Your installer should start as a standard user and then launch a privileged version of the installer. The first, unprivileged process will then wait for the privileged installer to finish before offering to open a read-me or first instance. Alternatively, the installer can remember the invoking user when it launches an elevated process.
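The two-process pattern described above, sketched in C# as an added example (it is not code from the talk or from Microsoft). The file names `SetupCore.exe` and `readme.html` are hypothetical; the `runas` verb and error code 1223 (`ERROR_CANCELLED`) are standard Windows behaviour.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

// Unprivileged bootstrapper: only the install step is elevated; post-install
// launches happen here, under the invoking user's token and profile.
static class Bootstrapper
{
    const int ErrorCancelled = 1223; // ERROR_CANCELLED: user dismissed the UAC prompt

    static bool IsElevated()
    {
        using (var id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Starts the privileged installer through the shell and blocks until it exits.
    static int RunElevatedInstaller(string exePath)
    {
        // "runas" requires UseShellExecute; it raises the consent or OTS prompt.
        var psi = new ProcessStartInfo(exePath) { UseShellExecute = true, Verb = "runas" };
        try
        {
            using (var p = Process.Start(psi))
            {
                if (p == null) return -1;
                p.WaitForExit();
                return p.ExitCode;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ErrorCancelled) { return ErrorCancelled; }
    }

    static int Main()
    {
        string dir = AppDomain.CurrentDomain.BaseDirectory;
        int rc = RunElevatedInstaller(Path.Combine(dir, "SetupCore.exe")); // hypothetical name
        if (rc != 0) return rc; // failed or cancelled: offer nothing

        // If this process was itself started elevated, children inherit that
        // token, so skip the read-me instead of opening it with admin rights.
        if (IsElevated()) return 0;

        // Runs as the original user, so the browser or first run is unelevated.
        Process.Start(new ProcessStartInfo(Path.Combine(dir, "readme.html")) { UseShellExecute = true });
        return 0;
    }
}
```

In the OTS case the elevated child runs under the administrator's account, while this bootstrapper stays in the standard user's session, which is why first-run configuration started from here lands in the right profile.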

Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manager for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User," is available online.
