If you haven't read our introduction to developing programs under UAC or our tip on how to elevate UAC privileges correctly, you may want to read those as well.
It's common for installers to ask users if they want to launch a newly installed application or its read-me file, but you need to be careful if you do this in Vista or the upcoming Windows 7. If your installer is installing its application to the whole machine -- as opposed to on a per-user basis -- it will need to elevate its privileges using UAC. But programs can't un-elevate, so once your installer goes into administrator-access mode, any process it launches will itself be elevated. This can have some pretty important security ramifications. For instance, if you open an HTML read-me file, you've now launched an elevated browser instance that the user may then use to browse the Internet. This can expose an elevated (and thus insecure) portal that hackers can exploit.
If the installer was launched by a standard user, using it to launch the application's first instance also invites configuration problems, Cowan said. When a standard user runs an elevated program, they're shown an over-the-shoulder (OTS) prompt instead of the standard UAC prompt. An OTS prompt requires an administrator's password, and Vista handles this by actually launching the program as that administrator. That means any first-run configuration work will be done on that administrator's account. The next time the user launches your application, it will use the normal account, and the user will be confused as to why all of his configurations have disappeared. For instance, a user might import his music files to a newly installed music player, not realizing that they have been imported to the administrator's account and not his own.
The easiest fix is to just do all of your initial configuration at first run, rather than at the last stage of installation, Cowan said. Your installer should start as a standard user and then launch a privileged version of the installer. The first, unprivileged process will then wait for the privileged installer to finish before offering to open a read-me or first instance. Alternatively, the installer can remember the invoking user when it launches an elevated process.
Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manage for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User" is available online.
This was first published in December 2008