Wix Installer: Write to HKLM/HKCR in per-user installation without elevated rights

2
votes

I created a "perMachine" installer with the wix toolset. The installer has to be started with admin rights, because it writes multiple registry keys to HKLM and HKCR.

I'd like to change the installer to a "perUser" installation. Is it possible to do this and still write to HKLM and HKCR? The registry entries have to be there to register a shell icon overlay handler...

Greets

EDIT: There does not seem to be a way to write to HKLM as non-admin user. But is there a way to get wix installer to promt for admin pw? If so, I could live with the following solution:

  • user knows admin pw (or admin provides pw): the icon overlay component is installed
  • user does not provide admin pw: the icon overlay component is skipped.

So my questions are: 1. How to promt the user for the admin pw? 2. How to skip/install a component based on the users action?

EDIT2: I have tried multiple combinations of:

InstallPrivileges="elevated" InstallScope="perUser"

Property "ALLUSERS" set to empty string

Property "MSIUSEREALADMINDETECTION" set to 1

Property "MSIINSTALLPERUSER" set to 1

Condition for said component: "Privileged / AdminUser"

Nothing has worked so far. It all comes down to the Condition not beeing read correctly. I have tried on several PCs with an admin user. In order to get the product to install with ALL features, I have to start the installer explicitly as administrator over the context menu. Otherwise the icon overlay handler won't get installed.

2
wixwindows-installer
I am also trying to read a value from HKLM so far nothing has worked. Did you get this to work?DaImTo

2 Answers

2
votes

Pointing out something that the OP doesn't seem to understand fully...

Per machine and per user have nothing to do with the privilege required to write to HKLM. Windows Installer won't break security rules either way. If the install requires privilege and doesn't have it, then it fails in both cases. In WiX, the Package InstallPrivileges is what tell Windows whether to elevate so that the install will work. If the installing user doesn't have the privilege the elevation prompt will allow entry of admin credentials. So the answer to your 1 is that InstallPrivileges=elevated should allow entry of an admin account if the user is not admin. otherwise a plain elevation.

You could try a condition on the components containing the restricted registry entries, try a condition of Privileged so they install only if the install is elevated. I have never tried this, but it should work.

https://msdn.microsoft.com/en-us/library/aa370852(v=vs.85).aspx

Other alternatives are:

Group Policy will allow the setup to be pushed to machines of limited users. This is common in corporate environments.

It occurs to me that the shell icon overlay function might be available on a user by user basis. This is a SWAG, and I'm not aware of all the registry entries required, but you can certainly register your COM classes in HKCU, for example. If you use the WiX HKMU key, the items will be created for the machine in a per machine and for the user in a per user. An example here: http://www.merlinia.com/mdt/WiXTutorial1.msl

1
votes

No, a per-user install has write-access to only per-user resources like the registry and c:\users when configured for per-user. This has the effect in Vista and later of not requiring elevation and thus not requiring UAC.