Problem solve Get help with specific problems with your technologies, process and projects.

How to write installers in Vista that work correctly under UAC

UAC prompts, and their cousins the over-the-shoulder (OTS) prompts, present unique challenges to developers writing installers in Vista and Windows 7. Learn how to use UAC and OTS correctly to write safe, intuitive installers that work in standard user mode.

UAC Tips for developers
1. Overview of UAC for developers
2. What is UAC?
3. Elevating privileges correctly
4. Writing installers with UAC
Vista's new user account control (UAC) feature helps programs enforce good security models, like the principle of least access: programs run in standard user mode as long as possible and only elevate to administrator privileges as needed. But developing programs with UAC means changing your ways a bit, said Crispin Cowan, senior project manager at Microsoft's UAC team at a talk he gave at PDC in October. This tip addresses installers written under UAC specifically.

If you haven't read our introduction to developing programs under UAC or our tip on how to elevate UAC privileges correctly, you may want to read those as well.

It's common for installers to ask users if they want to launch a newly installed application or its read-me file, but you need to be careful if you do this in Vista or the upcoming Windows 7. If your installer is installing its application to the whole machine -- as opposed to on a per-user basis -- it will need to elevate its privileges using UAC. But programs can't un-elevate, so once your installer goes into administrator-access mode, any process it launches will itself be elevated. This can have some pretty important security ramifications. For instance, if you open an HTML read-me file, you've now launched an elevated browser instance that the user may then use to browse the Internet. This can expose an elevated (and thus insecure) portal that hackers can exploit.

If the installer was launched by a standard user, using it to launch the application's first instance also invites configuration problems, Cowan said. When a standard user runs an elevated program, they're shown an over-the-shoulder (OTS) prompt instead of the standard UAC prompt. An OTS prompt requires an administrator's password, and Vista handles this by actually launching the program as that administrator. That means any first-run configuration work will be done on that administrator's account. The next time the user launches your application, it will use the normal account, and the user will be confused as to why all of his configurations have disappeared. For instance, a user might import his music files to a newly installed music player, not realizing that they have been imported to the administrator's account and not his own.

The easiest fix is to just do all of your initial configuration at first run, rather than at the last stage of installation, Cowan said. Your installer should start as a standard user and then launch a privileged version of the installer. The first, unprivileged process will then wait for the privileged installer to finish before offering to open a read-me or first instance. Alternatively, the installer can remember the invoking user when it launches an elevated process.

Yuval Shavit is the associate editor for Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manage for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User" is available online.

Dig Deeper on Windows Vista security and .NET Framework 3.0

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.