Group Policy interfering with install



NewsArchive
03-22-2011, 01:44 AM
Hi All,

My customer complained that my application did not install properly.
Their system is Windows 7 - 64Bit. I can't be certain which version of
SetupBuilder was used to compile the EXE but this particular installer
has been working just fine for over a year with no problems, including
many 64 Bit Win 7 machines.

I did a remote support session with my customer and this is what I found.

1. All files were successfully installed into the correct folder
2. My installer asks for permission to add an icon/link on the desktop
3. Answered "Yes" but link and icon failed to install
4. SetupBuilder should create 1 main item on the "Start Menu" and 8 sub
menus beneath the main menu. Only 2 of the 8 were installed.

There was no message or any indication that the install was unsuccessful
except for the fact the desktop icon failed to appear.

I right clicked on the SetupBuilder installer and selected "Run As
Administrator" just to see if that made any difference. The attached
message is what I received back from the OS.

Does anyone have any idea why SetupBuilder was denied the privilege of
adding the desktop icon and 6 menu items? The customer has had no
problem installing software from other vendors.

I have instructed the customer to contact whoever set that policy up
on their computer and get it changed but I would really like to find out
*why* SetupBuilder was not allowed to complete the install properly.

What can I do in my installer to either detect the denial or better yet,
force the install to complete correctly?

--
*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-22-2011, 01:46 AM
Why are you trying to install an executable file (cya.exe) on a user's
desktop?

jf

NewsArchive
03-22-2011, 01:46 AM
*I'm not.*

The desktop icon/link is for the installed application located in the
installed folder which is installed by SetupBuilder.

CYA.EXE is the downloaded installer which was saved onto the desktop for
easy retrieval.

*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-22-2011, 01:47 AM
Lee,

You get that "group policy" error when the secpol is set to automatically
deny elevation requests to non-admin users. This only happens if you are
not an admin trying to run an elevated program.

As I understand it, your setup.exe is an "asInvoker" manifested
application?! Installations on UAC-aware systems should be per-machine, and
not per-user. Because you do not request administrator execution level
privileges, the Shortcut creation for per-machine locations fails.

BTW, Shortcut creation errors are non-fatal errors and so the installer does
not automatically fail. But you can always check the return value
(%_SB_ERRORCODE%) to see if the action failed.

- If the Shortcut function succeeds, the %_SB_ERRORCODE% return value is
nonzero.
- If the Shortcut function fails, the return value is zero.

And if you really need a true "per-user" install, try to use the "Set
Installer Flag" script function to switch the installer into per-user mode:

Set Installer Flag $SB_ALLUSERSFLAG$ to "0"

In this case, the Shortcuts are created in a "per-user" location.

Friedrich

NewsArchive
03-22-2011, 01:49 AM
BTW, and make sure that your "cya.exe" is a Win7-aware, code-signed
installer!

And if your intention is to install your software "system wide"
(per-machine), always request administrator execution level privileges!

Friedrich

NewsArchive
03-22-2011, 01:49 AM
Lee,

I downloaded your "cya.exe" (v2.5) setup and you only request
"highestAvailable" execution level privileges. NEVER EVER DO THIS!!! This
is incorrect for a system-wide installer and can cause a support nightmare
for you.

And this "cya.exe" is not Win7-aware (compiled with an old SetupBuilder v6).
Perhaps you have a later version available that was compiled with a
Win7-compliant installer. But the v2.5 is not Win7-aware.

HTH,
Friedrich
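
The kind of inspection described in the post above, as an added example that is not part of the original thread and is not SetupBuilder code: a read-only PowerShell check of an installer's requested execution level, its Windows 7 `supportedOS` entry, and its Authenticode status. The path `.\setup.exe` is a placeholder, and the text search over the raw file is a heuristic that assumes the embedded manifest is stored as single-byte text.

```powershell
param([string]$Path = '.\setup.exe')   # placeholder path to the installer under review

# Decode the file as Latin-1 so each byte becomes one character and the
# embedded manifest XML can be searched as text (a UTF-16 manifest will not match).
$bytes = [IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath)
$text  = [Text.Encoding]::GetEncoding(28591).GetString($bytes)

# requestedExecutionLevel is asInvoker, highestAvailable or requireAdministrator.
$level = 'not found'
if ($text -match 'requestedExecutionLevel[^>]*?level\s*=\s*["'']([A-Za-z]+)["'']') {
    $level = $Matches[1]
}

# Windows 7 supportedOS Id from the manifest's compatibility section.
$win7Aware = $text -match '\{35138b9a-5d96-4fbd-8e2d-a2440225f93a\}'

# Valid, NotSigned, HashMismatch, ... as reported by Windows.
$signature = (Get-AuthenticodeSignature -FilePath $Path).Status

New-Object PSObject -Property @{
    File                    = $Path
    RequestedExecutionLevel = $level
    Windows7SupportedOS     = $win7Aware
    AuthenticodeStatus      = $signature
} | Format-List

# A system-wide (per-machine) installer should request administrator privileges.
if ($level -ne 'requireAdministrator') {
    Write-Warning "Execution level '$level' does not match a per-machine install."
}
```
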

NewsArchive
03-22-2011, 01:50 AM
Hi Friedrich,

As I explained in my other post this is an *older* install.

I am already working on getting a new one built.

Thanks.

*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-22-2011, 01:51 AM
That installer was compiled a little over 2 years ago so it probably has
all sorts of little problems with it.

I better get off my a** and get a new one built.

Thanks again.

*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-22-2011, 01:51 AM
Hi Friedrich,

Thank you - This makes sense.

This is just the first time anything like this has happened. Still learning
about all this UAC stuff.

I still don't quite understand why 2 of the 8 menu items installed and
the other 6 failed but it will probably make more sense after all this
sinks in.

*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-22-2011, 05:28 AM
Hi Lee,

> Thank you - This makes sense.
>
> This is just the first time anything like this has happened. Still learning
> about all this UAC stuff.
>
> I still don't quite understand why 2 of the 8 menu items installed and
> the other 6 failed but it will probably make more sense after all this
> sinks in.

Because this is a good example of what can go wrong if the installer is
outdated and the required (requested) execution level does not match the
deployment strategy, I would like to take this opportunity to describe in
detail what happened.

There are only VERY MINOR issues in the installer that cause the problems!
A recompile with the latest Win7-aware SetupBuilder will already fix most
issues. Then a few minor deployment strategy modifications and you are
done.

Environment: Windows 7 (64-bit), UAC enabled, Standard User account,
installer is not Win7-aware, requested Execution Level Privilege set to
"highestAvailable".

1. What does error "This program is blocked by group policy. For more
information, contact your system administrator." mean? (see PIC1.JPG)

There are different UAC-related "Group Policy Object" (GPO) settings in
UAC-aware operating systems. The "User Account Control: Behavior Of The
Elevation Prompt For Standard Users" setting determines how elevation
prompts will be shown to Standard Users. The default setting, "Prompt For
Credentials", requires the user to provide logon information for an
Administrator user every time an application or process requests elevated
permissions. In specific environments, administrators might want to prevent
elevation from occurring at all. That's the purpose of the "Automatically
Deny Elevation Requests" option (see PIC2.JPG)

The "This program is blocked by group policy" error comes up if a Standard
User tries to run an application (e.g. setup.exe) in an elevated state.
This behavior is out of your control.

Important: another commonly used GPO is "User Account Control: Only Elevate
Executables That Are Signed And Validated". If this GPO is enabled and the
installer is not code-signed, Windows aborts the elevation process with a
cryptic "A referral was returned from the server." error message. In future
Windows releases, the only way to run an application elevated will be to
have a signed application. But this is just a side note, because your
installer was correctly code-signed.

2. Missing Shortcuts

If the Execution Level Privilege is set to "highestAvailable", the
application runs with the highest privileges the current user can obtain.
For example, on an Admin account, it will request administrator execution
level privileges and will be launched with the full access token of an
administrator. On a Standard User account, it will launch non-elevated.

So why are only 2 of the 8 menu items installed (see PIC3.JPG)? Because the
installer created the "Check for New Version" and "Remove CYA From My
Computer" shortcuts as "per-user" items (to the
'C:\Users\JoeUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
folder). But the missing 6 Shortcut items were "per-machine" items (located
in the protected 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
location).

BTW, I can't reproduce this behavior with a Win7-aware SetupBuilder 7
install, so it's possible that this is caused by the "legacy" SetupBuilder 6
install. I can check this in your .sb6 project if you want.

3. Program Assistant Compatibility (PCA) and Windows 7

If your installation and/or application is not Win7-aware, your Windows 7
customers will see a "This program might not have installed correctly"
message every time the setup program or application closes (see PIC4.JPG).

"Program Assistant Compatibility" (PCA) is a Windows component that tries to
help older applications work on new versions of Windows. In Windows Vista,
PCA looked for the presence of a manifest in an .exe that set the
"RequiredExecutionLevel". If found, the PCA assumed that the executable was
built to target Windows Vista, and that it was tested on Vista. If not, and
the executable was detected as an installer, PCA would check the "Add/Remove
Programs" list to see if the installation succeeded. If no "Add/Remove
Programs" entry was made, PCA would offer to re-run the .exe in Windows XP
SP2 compatibility mode.

For Windows 7, PCA no longer looks at the RequiredExecutionLevel setting.
It uses the new Compatibility section of the manifest to identify
executables built for Windows 7.

Your installer is Vista-aware, but it's not Windows 7-aware. A recompile
with SetupBuilder 7 solves this issue.

4. wupdate.exe to check for updates.

The "wupdate.exe" client always runs elevated to check for updates. This is
suboptimal because it prompts for credentials on UAC-aware operating
systems. The "wucheck.exe" Web Update Check Client in SetupBuilder 7 lets
you check for web updates completely silently (even from applications running
non-elevated on a UAC-aware operating system or from applications running
under a Limited User account on XP).

Again, only very few modifications are required in order to make your setup
procedure Win7-compliant.

If you need any help, just let me know.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner
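
One way to detect the conditions described in the post above before attempting a per-machine install, as an added example that is not part of the original thread and is not SetupBuilder code. It assumes the two UAC policies are backed by the `ConsentPromptBehaviorUser` and `ValidateAdminCodeSignatures` registry values, and it briefly creates and deletes a probe file in each Start Menu folder.

```powershell
# UAC policy values live under this key; reading them needs no elevation.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# "Behavior of the elevation prompt for standard users":
#   0 = automatically deny elevation requests, 1 or 3 = prompt for credentials.
$userPrompt = $policy.ConsentPromptBehaviorUser
# "Only elevate executables that are signed and validated": 1 = enabled.
$signedOnly = $policy.ValidateAdminCodeSignatures

# Is the current process running with an elevated administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The per-machine and per-user Start Menu locations named in the post.
$machineMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$userMenu    = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'

function Test-CanWrite([string]$Folder) {
    # Create and immediately delete a randomly named probe file.
    $probe = Join-Path $Folder ([IO.Path]::GetRandomFileName())
    try   { [IO.File]::Create($probe).Close(); Remove-Item $probe; $true }
    catch { $false }
}

$report = New-Object PSObject -Property @{
    Elevated               = $elevated
    ElevationAutoDenied    = ($userPrompt -eq 0)
    SignedOnlyElevation    = ($signedOnly -eq 1)
    PerMachineMenuWritable = (Test-CanWrite $machineMenu)
    PerUserMenuWritable    = (Test-CanWrite $userMenu)
}
$report | Format-List

if (-not $elevated -and $report.ElevationAutoDenied) {
    Write-Warning 'Standard user with elevation denied by policy: per-machine shortcuts cannot be created from this account.'
}
```

On a Standard User account with "Automatically Deny Elevation Requests" set, the expected pattern is `PerUserMenuWritable` true and `PerMachineMenuWritable` false, which matches the 2-of-8 shortcut result discussed in the thread.
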

NewsArchive
03-23-2011, 02:15 AM
Hi Friedrich,

Everyone needs to print this out and hang it on the wall for future
reference. I sure have.

Your comments and illustrations regarding what can go wrong with just
very minor mistakes in the installer have really opened my eyes.

Thank you again for your expertise and explanation of the facts.

*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One

NewsArchive
03-23-2011, 02:15 AM
Hi Lee,

> Everyone needs to print this out and hang it on the wall for future
> reference. I sure have.
>
> Your comments and illustrations regarding what can go wrong with just very
> minor mistakes in the installer have really opened my eyes.
>
> Thank you again for your expertise and explanation of the facts.

You are very welcome :-)

Friedrich

NewsArchive
03-23-2011, 02:17 AM
Hi Friedrich,

Thank you - This makes sense.

This is just the first time anything like this has happened. Still learning
about all this UAC stuff.



*Regards*,

Lee
www.cya2day.com
CYA - Computerize Your Assets Don't Leave Home Without One