Wednesday, December 15, 2010

UAC prevents execution of custom actions during msi installation

In the previous post there was a link to the Robert Flaming's blog where he describes how MSI works with UAC. But I have some additional comments and want write them here:

In the following post Robert describes how permissions change under UAC:

















But what does the NoImpersonate bit means? There are different explanations in different articles. Based on my testing I've found out the following:
When you set Impersonate="no" in WIX for you custom action, it means that the custom action will be executed under the Local System account. And it is fine if you need to do changes with your local system. But if your custom action accesses a remote server it fails.

So, the only way that I've found is to prohibit the msi execution under unprivileged user. You should set the MSIUSEREALADMINDETECTION property to 1 and add a Launch Condition for Privileged that gives an error message about running via an elevated command prompt and then quits the installation.

<Property Id="MSIUSEREALADMINDETECTION" Value="1" />

<Condition Message="The installation should be running with full administrative account. Please run an administrative command prompt and launch installation using msiexec.">
Privileged
</Condition>