
How to write installers in Vista that work correctly under UAC

Yuval Shavit, Associate Editor
Vista's new user account control (UAC) feature helps programs enforce good security models, like the principle of least access: programs run in standard user mode as long as possible and only elevate to administrator privileges as needed. But developing programs with UAC means changing your ways a bit, said Crispin Cowan, senior project manager on Microsoft's UAC team, in a talk he gave at PDC in October. This tip specifically addresses installers written to run under UAC.

If you haven't read our introduction to developing programs under UAC or our tip on how to elevate UAC privileges correctly, you may want to read those as well.

It's common for installers to ask users if they want to launch a newly installed application or its read-me file, but you need to be careful if you do this in Vista or the upcoming Windows 7. If your installer is installing its application to the whole machine -- as opposed to on a per-user basis -- it will need to elevate its privileges using UAC. But programs can't un-elevate, so once your installer goes into administrator-access mode, any process it launches will itself be elevated. This can have some pretty important security ramifications. For instance, if you open an HTML read-me file, you've now launched an elevated browser instance that the user may then use to browse the Internet. That leaves an elevated (and thus insecure) entry point that attackers can exploit.

If the installer was launched by a standard user, using it to launch the application's first instance also invites configuration problems, Cowan said. When a standard user runs an elevated program, they're shown an over-the-shoulder (OTS) prompt instead of the standard UAC prompt. An OTS prompt requires an administrator's password, and Vista handles this by actually launching the program as that administrator. That means any first-run configuration work will be done on that administrator's account. The next time the user launches your application, it will use the normal account, and the user will be confused as to why all of his configurations have disappeared. For instance, a user might import his music files to a newly installed music player, not realizing that they have been imported to the administrator's account and not his own.

The easiest fix is to just do all of your initial configuration at first run, rather than at the last stage of installation, Cowan said. Your installer should start as a standard user and then launch a privileged version of the installer. The first, unprivileged process will then wait for the privileged installer to finish before offering to open a read-me or first instance. Alternatively, the installer can remember the invoking user when it launches an elevated process.
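
The split described above, sketched as an unelevated bootstrapper script. This is an added example, not code from Cowan's talk or from this tip; the file names `setup-core.exe` and `readme.html` are hypothetical placeholders, and it assumes PowerShell 3.0 or later for `$PSScriptRoot`.

```powershell
# Added example: unelevated bootstrapper. File names are hypothetical placeholders.
param(
    [string]$PrivilegedInstaller = (Join-Path $PSScriptRoot 'setup-core.exe'),
    [string]$ReadMe              = (Join-Path $PSScriptRoot 'readme.html')
)

function Test-IsElevated {
    # True when the current token carries the Administrators role, i.e. is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Record how this process was started before anything else runs.
$startedElevated = Test-IsElevated

try {
    # -Verb RunAs raises the UAC (or over-the-shoulder) prompt for the child only.
    # -Wait blocks this unprivileged process until the privileged installer exits.
    $child = Start-Process -FilePath $PrivilegedInstaller -Verb RunAs `
                           -Wait -PassThru -ErrorAction Stop
} catch {
    Write-Warning "Elevation was declined or the installer could not start: $($_.Exception.Message)"
    exit 1
}

if ($child.ExitCode -ne 0) {
    Write-Warning "Privileged installer failed with exit code $($child.ExitCode)."
    exit $child.ExitCode
}

if ($startedElevated) {
    # Anything launched from here would inherit the administrator token,
    # so do not offer the read-me or a first run.
    Write-Host 'Installation complete. Open the read-me from a normal (non-elevated) session.'
    exit 0
}

# Still running as the invoking standard user: the read-me opens unelevated,
# and any first-run configuration lands in that user's own profile.
if ((Read-Host 'Open the read-me now? [y/N]') -match '^[yY]') {
    Start-Process -FilePath $ReadMe
}
```

Only the child started with `-Verb RunAs` ever holds the administrator token, so the over-the-shoulder case still returns control to the standard user's own session before anything user-facing is opened.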

Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manager for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User," is available online.

This was first published in December 2008
