Vista: Write to HKEY_LOCAL_MACHINE and C:\Program Files\YourApp under Vista



NewsArchive
06-08-2007, 10:36 AM
All,

I know that quite a few of you are having a hard time converting existing
applications to Vista.

Under Windows XP, most users normally live in Administrator login mode.
This is not the case in Vista - UAC mode allows you to login as a Standard
User, but still perform admin tasks. It's very important to provide a
"mixed mode" application (runs fine as Administrator and Standard User) for
Vista because most users live in Standard Mode. Your application should
always work fine in a "locked environment" and should never request
administrator execution level privileges.

An application should request "asInvoker" execution level privileges. Such
applications cannot write to a protected resource, such as Program Files or
HKEY_LOCAL_MACHINE in the Registry.

If "virtualization" is not an option for you or does not work and time is
an issue, we may have a solution powered by SetupBuilder 6.5. Microsoft
does not like that workaround at all and it should only be used as a
temporary workaround or as a "lifesaver"! We have tested this on both
Vista-32 and Vista-64 machines.

Download the following demo files:

1. Vista-aware "asInvoker" Clarion Demo Application (144 KB)

http://www.lindersoft.com/vista.zip

This includes a simple "vista.exe" Clarion 6.3 build 9056 test executable.

2. SetupBuilder 6.5 Demo Installer (142 KB)

http://www.lindersoft.com/UAC_Workaround_Bin.zip

This includes a simple SetupBuilder 6.5 installer (code-signed).

3. (optional) SetupBuilder 6.5 Project Script (full source code) (88 KB)

http://www.lindersoft.com/UAC_Workaround_Script.zip

This includes the project script (source code) for SetupBuilder 6.5
Developer Edition. It does *not* work for SetupBuilder 6.5 Professional
Edition!

---

Okay, "virtualization" is not an option and we would like to write from our
application to the "ServerName" value in the
HKEY_LOCAL_MACHINE\JoeUserSoftware key (protected resource).

*** First Try (will fail)

1. On Vista (UAC enabled, Administrator or Standard User), start vista.exe
by double-clicking the file name. Do not "Run as administrator".

2. Because HKEY_LOCAL_MACHINE\JoeUserSoftware is a protected resource,
you'll get a "Unable to set the ServerName" error.

*** Second Try (the workaround)

1. Start the UAC_Workaround.exe SetupBuilder application and install it.

2. Start vista.exe again by double-clicking the file name. Do not "Run as
administrator".

3. This time your asInvoker application was able to write to
HKEY_LOCAL_MACHINE\JoeUserSoftware and update the ServerName value. You
can use RegEdit to check this.

In other words, your application can write to HKEY_LOCAL_MACHINE now. The
same can be done with C:\Program Files\YourApp.

4. Uninstall the demo by running UAC_Workaround.exe again - select Remove
(uninstall) in the maintenance dialog.

Use it at your own risk. Feel free to discuss Pros and Cons. You should
always try to follow the new Vista rules, but I know (from 80-90 private
emails) that sometimes it's not easy or even impossible to do so.

Friedrich

Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6.5
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner
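
The post does not say how the installer makes the protected locations writable. Whatever the mechanism, an administrator can review the result with the following audit, which is an added example and not part of the original post or of SetupBuilder; the function name is hypothetical and the two paths are the ones used in the post.

```powershell
# Added example: list ACL entries that let non-administrative principals
# modify a registry key or folder that is normally protected.
function Get-NonAdminWriteAccess {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    # Principals expected to hold write access on protected locations.
    $expected = @(
        'S-1-5-18',      # LocalSystem
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # Rights that allow changing the content or the ACL itself.
    $regMask  = [int][Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $fileMask = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    foreach ($item in $Path) {
        $acl = Get-Acl -Path $item -ErrorAction SilentlyContinue
        if (-not $acl) { continue }          # key or folder does not exist
        # Ask for SIDs so the comparison does not depend on localized names.
        $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($expected -contains $sid) { continue }

            if ($ace -is [Security.AccessControl.RegistryAccessRule]) {
                $rights = $ace.RegistryRights;   $mask = $regMask
            } else {
                $rights = $ace.FileSystemRights; $mask = $fileMask
            }
            if (([int]$rights -band ($mask -bor $generic)) -eq 0) { continue }

            $name = try { $ace.IdentityReference.Translate([Security.Principal.NTAccount]).Value } catch { $sid }
            [pscustomobject]@{
                Path      = $item
                Principal = $name
                Rights    = "$rights"
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Paths taken from the post; no output means no unexpected write access.
Get-NonAdminWriteAccess -Path 'HKLM:\JoeUserSoftware', 'C:\Program Files\YourApp'
```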

NewsArchive
06-09-2007, 05:33 AM
Friedrich,

I for one am grateful for the work you are putting in to ease the Vista
migration.
It's the reason I purchased SB6.

So, could I ask you this question: is it 'ok' for the *installer* to write
to HKEY_LOCAL_MACHINE, for instance, to set up some paths, which will later
be *read* by the application program?

And (if yes), I assume the installer would then need Admin. rights?

Steve

NewsArchive
06-09-2007, 05:34 AM
> I for one am grateful for the work you are putting in to ease the Vista
> migration.
> It's the reason I purchased SB6.

That was a good decision Steve<g>.

> So, could I ask you this question: is it 'ok' for the *installer* to write
> to HKEY_LOCAL_MACHINE, for instance, to set up some paths, which will later
> be *read* by the application program?
>
> And (if yes), I assume the installer would then need Admin. rights?

Yes and Yes.

The installer can write data to HKLM and your app can read it later with no
problems.

The installer should be set to Require Administrator.


One thing to watch out for:

Don't RUN your program at the end of the install if it writes anything to
the registry or creates any user specific files.

Actually the safe recommendation is simply NOT to run it at the end of the
install at all.

The reason for this is because the program will be running as Administrator
(due to the fact that it was executed out of the session that has the
elevated Administrator status).

As a result, any data written to HKCU or to the CSIDL_Personal would be
written to the "Administrator" locations.

After the install ended, your user (even if the same person) would be
running as a "normal" user and the locations for HKCU and CSIDL_Personal
would be different.

So the safe bet is simply to NOT run the app at the end of the install (or
do anything "user specific" during the install).


Good luck on your projects!

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
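
The situation described in the post above can be observed from inside a running process. The following is an added example, not code from the thread or from SetupBuilder: it reports which account's registry hive and Documents folder the current process would write to and compares that account with the owner of the desktop session. The function name is hypothetical.

```powershell
# Added example: show which account's HKCU and Documents folder this process
# would write to, compared with the user who owns the desktop session.
function Get-PerUserWriteContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The owner of explorer.exe in this session is the logged-on user.
    $session = (Get-Process -Id $PID).SessionId
    $shell   = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
               Where-Object { $_.SessionId -eq $session } | Select-Object -First 1
    $desktopUser = $null
    if ($shell) {
        $owner = Invoke-CimMethod -InputObject $shell -MethodName GetOwner
        if ($owner.ReturnValue -eq 0) { $desktopUser = "$($owner.Domain)\$($owner.User)" }
    }

    [pscustomobject]@{
        ProcessUser   = $identity.Name
        Elevated      = $elevated
        DesktopUser   = $desktopUser
        # HKCU for this process resolves to the hive of the process account.
        HkcuHive      = "HKEY_USERS\$($identity.User.Value)"
        # MyDocuments is the .NET name for CSIDL_PERSONAL.
        DocumentsPath = [Environment]::GetFolderPath('MyDocuments')
        SameUser      = [bool]($desktopUser -and $identity.Name -eq $desktopUser)
    }
}

$ctx = Get-PerUserWriteContext
$ctx | Format-List
if ($ctx.Elevated -or -not $ctx.SameUser) {
    Write-Warning 'Per-user writes made now may not land in the logged-on user''s profile; defer them to the first normal launch.'
}
```

Run it once from a normal shell and once from a process started by an elevated installer to compare the two results.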

NewsArchive
06-10-2007, 04:40 AM
Hello,

Thank you!

-Robert

NewsArchive
06-10-2007, 04:40 AM
Hi Charles, Friedrich,

>So the safe bet is simply to NOT run the app at the end of the install (or
>do anything "user specific" during the install).

I absolutely rely on this in some installs, particularly webupdates
that run the installed program after install.

What would be the appropriate steps to do that in order to not run
into problems with the installer being in admin mode???

Best regards,

Arnór Baldvinsson
Icetips Creative, Inc.
San Antonio, Texas, USA
www.icetips.com


Subscribe to information from Icetips.com:
http://www.icetips.com/subscribe.php

NewsArchive
06-10-2007, 04:41 AM
Arnór,

It seems this is non-trivial <g>
One thread someone passed along to me is here:
http://www.codeproject.com/vista-security/RunNonElevated.asp
I forwarded it to Friedrich, and he indicated that he is pursuing a similar
idea.

Jane

NewsArchive
06-10-2007, 04:41 AM
Hi Jane,

>It seems this is non-trivial <g>
>One thread someone passed along to me is here:
>http://www.codeproject.com/vista-security/RunNonElevated.asp
>I forwarded it to Friedrich, and he indicated that he is pursuing a similar
>idea.

Thanks a lot for the link:) Hope Friedrich gets it implemented but I
do wonder how long it's going to take MS to plug this "security
hole"?<g>

Best regards,

Arnór Baldvinsson

NewsArchive
06-10-2007, 04:41 AM
> Thanks a lot for the link:) Hope Friedrich gets it implemented but I
> do wonder how long it's going to take MS to plug this "security
> hole"?<g>

Hopefully they won't see it as one.

;-)

Another (less desirable) alternative would be to add your post install
instructions to the RUNONCE registry key and then use SetupBuilder to tell
the user that a reboot was required.

You could also (with some apps) refuse to run until a registry flag (reset
by your post installer) was run. Wouldn't help you in the source stuff of
course.

Fun, fun, fun 'eh?

;-)

Charles



NewsArchive
06-10-2007, 04:41 AM
The way Andrei devised isn't really a security hole.
It runs the app non-elevated and as the logged-on user, rather than as the
over-the-shoulder administrator.
I've posted a demo app and SB6 script in another thread.

Jane

NewsArchive
06-10-2007, 04:42 AM
Ok, you finally convinced me to dump my ancient WISE InstallMaster,
purchasing SetupBuilder now...

Chris Bordeman