Old 25th June 2012, 08:41   #1
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
NSIS - Do you want to allow the following program...

Hello,

I've created an installer using NSIS and used the ACCESSCONTROL to set the permission even for users:

AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::EnableFileInheritance "$INSTDIR"


Question:

How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")?

Do I need to make some registry settings?

Any help will be greatly appreciated.

Thanks
Old 25th June 2012, 08:45   #2
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
Quote:
Originally Posted by donose.mihai View Post
How can I get the software to run as administrator (without the message popping up: "Do you want to allow...")?
If by the popup you mean the UAC popup, you can't. You cannot run something as admin without the user explicitly allowing you (or without the user entering the admin password).
Old 25th June 2012, 08:51   #3
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
Yes, I am referring to the UAC, but how can other software run from Program Files (x86) without the message from the UAC popping up?
Can I make some registry settings from NSIS to run as administrator?
Old 25th June 2012, 08:57   #4
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
You can *run* from the program files directory, you just cannot *write* to it without admin access. The apps installed in those protected directories were installed at admin level.

Your app should write to a subfolder of $APPDATA or $LOCALAPPDATA, not to $INSTDIR.

(You can also add an admin request to your application's manifest, but that will only work on Vista and newer if UAC is enabled. But of course that will pop up a confirmation dialog.)
Old 25th June 2012, 09:18   #5
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
Let me ask you another thing because I didn't get it.

Let's say I'm installing Winamp in Program Files (x86): the UAC appears the first time, and after that I can run Winamp without the UAC message popping up every time... and I found only an ini file and a temp file for Winamp in the subfolders of $APPDATA.

Thanks for answering a beginner
Old 25th June 2012, 09:39   #6
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
Like I said, any user can run an app from a protected directory such as program files, because reading is allowed. Writing is however not allowed. For writing you need admin access, which is why the installer throws a UAC admin request. As far as I know, Winamp itself does NOT try to write to its own folder. Instead, it writes all its stuff either to HKCU registry or to $APPDATA / $LOCALAPPDATA.

(If I'm wrong and it *does* try to write to its installation folder, then winamp is broken and needs to be fixed.)
Old 27th June 2012, 10:39   #7
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
It is possible... I've done it!!!

The UAC message is not appearing anymore:

I've used the AccessControl plugin from NSIS + I've worked with the registry:

;--------------------------------
; THIS TO WORK REQUIRES TO INSTALL THE ACCESSCONTROL PLUGIN INTO NSIS
; FIND THE PLUGIN IN NET, UNPACK AND COPY THE .dll FILE INTO NSIS PLUGINS FOLDER
;--------------------------------
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(Users)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "ListDirectory + GenericRead + GenericExecute + GenericWrite + GenericExecute + Delete"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(S-1-5-32-545)" "FullAccess"

; Write the installation path into the registry
WriteRegStr HKLM SOFTWARE\SoftwareName "Install_Dir" "$INSTDIR"

WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers" \
"$NameOfTheExeFile.exe" "RUNASADMIN"
Old 27th June 2012, 11:07   #8
Afrow UK
Moderator
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Why on Earth are you doing that? Where are you installing to that requires you to change folder permissions?

Either way I see some issues with your code:
  1. Your first call to AccessControl will always fail - the username/SID argument is not optional (i.e. this will result in stack corruption).
  2. S-1-5-21 is not a valid security identifier.
  3. S-1-5-32-545, Users and BU are all the same BUILTIN\Users group!

Stu
Old 27th June 2012, 12:04   #9
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
1. True, I've noticed now that it has no identifier.

2. It is a valid identifier S-1-5-21 - according to Microsoft it is the Domain Admin - http://support.microsoft.com/kb/243330

3. Use the SID "(S-1-5-32-545)" instead of "(BU)" for Windows 7 - "(BU)" doesn't work. This may also help for non-English installations.

http://nsis.sourceforge.net/Talk:AccessControl_plug-in
Old 27th June 2012, 12:26   #10
Afrow UK
Moderator
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Quote:
Originally Posted by donose.mihai View Post
2. It is a valid identifier S-1-5-21 - according to Microsoft it is the Domain Admin - http://support.microsoft.com/kb/243330
No, the domain administrator's SID is S-1-5-21domain-512 where domain is taken from the domain or machine SID. Similarly the local administrator's SID is S-1-5-21domain-500. S-1-5-21 on its own means nothing (try it in the active directory object browser).

Stu
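The three issues Afrow UK lists in posts #8 and #10 can be checked mechanically before an installer ships. The Python linter below is an added example, not code from the thread or from the AccessControl plug-in; the `lint` function, its finding codes and the sample script are constructed for illustration, and it additionally flags write grants to Everyone (S-1-1-0) or BUILTIN\Users.

```python
import re

# Broad well-known principals; per the thread, Users and BU both mean S-1-5-32-545.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-32-545": "BUILTIN\\Users",
         "USERS": "BUILTIN\\Users", "BU": "BUILTIN\\Users"}
WRITE_RIGHTS = {"FullAccess", "GenericWrite", "Delete"}
CALL = re.compile(r"AccessControl::GrantOn(?:File|RegKey)\s+(.*)")
# An S-1-5-21 account SID needs three domain sub-authorities plus a RID.
PARTIAL_NT_SID = re.compile(r"S-1-5-21(-\d+){0,3}")

def lint(script):
    """Return (call_no, code, detail) findings for AccessControl grant calls."""
    findings, seen = [], {}
    # Join NSIS line continuations (trailing backslash) so each call is one line.
    text = script.replace("\\\n", " ")
    calls = [m.group(1) for m in map(CALL.search, text.splitlines()) if m]
    for no, rest in enumerate(calls, 1):
        args = re.findall(r'"([^"]*)"', rest)
        if len(args) < 3:  # expected: target, trustee, permissions
            findings.append((no, "missing-trustee", rest.strip()))
            continue
        target, trustee, perms = args[0], args[1].strip("()"), args[2]
        key = (target, BROAD.get(trustee.upper()))
        if PARTIAL_NT_SID.fullmatch(trustee):
            findings.append((no, "incomplete-sid", trustee))
        elif key[1] and key in seen:
            findings.append((no, "duplicate-trustee", f"same group as call {seen[key]}"))
        elif key[1]:
            seen[key] = no
            if WRITE_RIGHTS & {p.strip() for p in perms.split("+")}:
                findings.append((no, "broad-write", f"{key[1]} on {target}"))
    return findings

# Constructed sample, modelled on the calls quoted in the thread.
SAMPLE = r'''
AccessControl::GrantOnFile "$INSTDIR" "ListDirectory + GenericRead + GenericWrite"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-21)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-1-0)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile "$INSTDIR" "(BU)" "FullAccess"
AccessControl::GrantOnRegKey \
HKLM "Software\SoftwareName" "(BU)" "FullAccess"
'''

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```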
Old 27th June 2012, 15:39   #11
donose.mihai
Junior Member
 
Join Date: Jun 2012
Posts: 6
Thanks... you're right regarding the S-1-5-21, but the bottom line is that I've done it... no UAC message appears and the application updates itself without any issues.
Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion