1

I have an installer built with wix that includes a custom action run in deferred mode and needs administrative rights on the local machine.

The installer works fine when using the administrator account on the local machine but doesn't not when I use an account in the administrator group. I get exceptions about insufficient privileges as I am trying to ass keys to the registry. Using Impersonate="no" is not an option as this action needs to have admin rights on the local machine as well, from time to time access to different network shares. I would like for the level of "network share access" to be determined by the account used to install the application(not the admin account) but can't seem to some up with a solution - any would be gladly appreciated.

Improve this question
2
  • Can you show us your code? Commented Sep 4, 2013 at 15:38
  • The InstallScope is perMachine and the CustomAction looks like this <CustomAction Id='LaunchFile' ExeCommand='[SourceDir]' Return='check' Execute='deferred' FileKey='SetupHelper' ></CustomAction> @gparyani Commented Sep 5, 2013 at 13:59

1 Answer 1

Reset to default
1

It sounds like you aren't handling UAC properly. My guess is that the install works with the Administrator user because your security policy disables UAC for that user account only, but enables UAC for all other members of the Administrators group.

When a custom action impersonates a user with UAC enabled, it uses the filtered (non-Administrators) security token. Your custom action assumes it can do things that members of the Administrators group can do, but since your security token doesn't include the Administrators group, it's getting access denied.

How you need to fix this depends on what your custom action is doing. You're correct that it needs to impersonate to access network shares as the user; perhaps you can break your custom action into two separate actions: one that impersonates and accesses the network shares, and one that doesn't which performs Administrators-level tasks.

If you have full control over the computers you're installing this on, perhaps a workaround would be to disable UAC during the installation. You could then re-enable it after the installation is complete.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the link - wish I would have found this a week ago, I sorta figured this is out by a bunch of trial and error- good to read this article as confirmation. I considered using two custom actions as you suggest but in the end I was able to get around the issue by not touching the registry. Thanks @Stephen

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.