Here's an interesting one!



NewsArchive
10-11-2011, 03:47 AM
The standard SB window allows someone to change the installation folder of
an application. Always has and always will. I do not really believe it
should be disabled.

So - what is there to prevent someone from installing an application
somewhere they should not (say C:\AppFolder ....)?

What I am looking for is a way to prevent them from (a) installing to a non
Vista/Windows 7 folder and similarly with data (b) preventing them from
installing to somewhere like Program Files which is not allowed?

For data I expect I could check the install path starts with CSIDL or
something.

Thanks

John Fligg

NewsArchive
10-11-2011, 04:50 AM
John,

> The standard SB window allows someone to change the installation folder of
> an application. Always has and always will. I do not really believe it
> should be disabled.
>
> So - what is there to prevent someone from installing an application
> somewhere they should not (say C:\AppFolder ....)?
>
> What I am looking for is a way to prevent them from (a) installing to a
> non Vista/Windows 7 folder and similarly with data (b) preventing them
> from installing to somewhere like Program Files which is not allowed?
>
> For data I expect I could check the install path starts with CSIDL or
> something.

Very easy to do. Just check if the folder contains an "invalid" path (to
prevent someone from installing data to "Program Files") or if the folder
does not contain a specific path (e.g. to force someone to install into
"Program Files").

Similar to the attached code-snippet.

Friedrich

NewsArchive
10-11-2011, 04:50 AM
Thanks Friedrich - I think I am getting into a minefield here according to
Google. So to simplify this ....

If I adopt Strict MS rules would you say that:

(a) Applications must be installed to Program Files ....
and
(b) Data is stored in a CSIDL folder?

Because anything else could potentially kick in Virtualization.

I note that there are still some on the NG's who still think they can
install both Application and Data to C:\ ....

I personally feel that it is best (like it or not) to stick to the MS rules
and the above seems to be what is best practice (I think).

Thanks

John

NewsArchive
10-11-2011, 04:51 AM
> If I adopt Strict MS rules would you say that:
>
> (a) Applications must be installed to Program Files ....
> and
> (b) Data is stored in a CSIDL folder?
>
> Because anything else could potentially kick in Virtualization.
>
> I note that there are still some on the NG's who still think they can
> install both Application and Data to C:\ ....
>
> I personally feel that it is best (like it or not) to stick to the MS rules
> and the above seems to be what is best practice (I think).

You can't go wrong with playing by the MS rules.

It takes a little more effort to get your app to play along ( tools like
SetupBuilder and our ProPath templates make that easier of course ).

However in the end you don't have to worry about your app not running
correctly because you did not follow the guidelines.

With every new version of the Operating System, Windows gets tighter and
tighter about conformance because it does make the system more secure.

UAC rules are never going away, so the sooner you get onboard, the better
off you will be.

Also more and more companies, universities, etc. are enabling the "User
Account Control: Only elevate executables that are signed and validated"
security policy on Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 systems.

If you try to install to C:\SomeFolder on systems where that is enabled (or
if you were not following the guidelines on code signing and manifesting),
your app will simply not run at all.

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
10-11-2011, 04:51 AM
Oh I agree Charles. I have been fully compliant for some time.

But I still get clients turning off UAC and trying to install to C:\ etc.

And now it just got worse as I now have a scenario where they can change the
data location.

Thanks

John

NewsArchive
10-11-2011, 04:52 AM
Hi John,

> Thanks Friedrich - I think I am getting into a minefield here according to
> Google. So to simplify this ....
>
> If I adopt Strict MS rules would you say that:
>
> (a) Applications must be installed to Program Files ....
> and
> (b) Data is stored in a CSIDL folder?
>
> Because anything else could potentially kick in Virtualization.
>
> I note that there are still some on the NG's who still think they can
> install both Application and Data to C:\ ....
>
> I personally feel that it is best (like it or not) to stick to the MS
> rules and the above seems to be what is best practice (I think).

IMO, you should respect the recommended (default) locations for applications
and data files, but provide users with an option to select another
installation location for both. If a user tries to install applications to
C:\ or data to "Program Files" then you should allow it, but display a
"warning".

Virtualization is disabled if your installer and application are UAC-aware.
So if users install the data to the wrong (protected) folder then there is
no virtualization at all. But all write actions fail in this case.

Microsoft recommends installing application files under the "Program Files"
folder tree and per-user data to the correct per-user profile folder. You
can place "global" data in an all-user (per-machine) folder. CSIDL gives
you access to both per-user and per-machine locations.

Friedrich
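
Added example, not part of the original thread and not SetupBuilder script: a Python sketch of the check Friedrich describes in his two replies above (flag data going to "Program Files", flag applications going elsewhere, and warn rather than block). It compares whole path components instead of testing for a substring. The root folders, the user name and all function names are assumptions constructed for the demo; a real installer would resolve the roots through CSIDL on the target machine.

```python
import ntpath  # Windows path rules, usable on any OS for this offline demo

# Constructed sample roots (assumption). A real installer resolves these on the
# target machine through the CSIDL / Known Folder APIs instead of hard-coding.
PROGRAM_FILES_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)"]
PROTECTED_ROOTS = PROGRAM_FILES_ROOTS + [r"C:\Windows"]
DATA_ROOTS = [
    r"C:\ProgramData",                   # per-machine data
    r"C:\Users\alice\AppData\Roaming",   # per-user data (hypothetical user)
    r"C:\Users\alice\AppData\Local",
    r"C:\Users\alice\Documents",
]


def split_components(path):
    """Normalize a Windows path; return case-folded components, or None if not absolute."""
    norm = ntpath.normpath(path.strip().strip('"'))  # collapses "..", "/" and trailing "\"
    drive, rest = ntpath.splitdrive(norm)
    if not drive or not rest.startswith("\\"):
        return None                                  # relative or drive-relative ("C:App")
    return [drive.casefold()] + [c.casefold() for c in rest.split("\\") if c]


def is_under(path, root):
    """True if path equals root or lies below it, compared component by component."""
    p, r = split_components(path), split_components(root)
    return p is not None and r is not None and p[:len(r)] == r


def naive_contains(path, needle="Program Files"):
    """The plain substring test, shown only for contrast with is_under()."""
    return needle.casefold() in path.casefold()


def check_app_folder(path):
    """Verdict for an application install folder: ('ok' | 'warn' | 'reject', reason)."""
    if split_components(path) is None:
        return ("reject", "not an absolute path")
    if any(is_under(path, r) for r in PROGRAM_FILES_ROOTS):
        return ("ok", "under Program Files")
    return ("warn", "application folder is outside Program Files")


def check_data_folder(path):
    """Verdict for a data folder chosen in the installer."""
    if split_components(path) is None:
        return ("reject", "not an absolute path")
    if any(is_under(path, r) for r in PROTECTED_ROOTS):
        return ("warn", "protected folder: a UAC-aware app will fail to write here")
    if any(is_under(path, r) for r in DATA_ROOTS):
        return ("ok", "under a per-user or per-machine data folder")
    return ("warn", "not one of the standard data locations")


if __name__ == "__main__":
    # Constructed inputs. String checks do not resolve 8.3 short names or junctions.
    for p in [r"C:\Program Files\MyApp", r"C:\Program Files\..\AppFolder",
              r"C:\Program FilesX\MyApp", r"C:\AppFolder"]:
        print(p, naive_contains(p), check_app_folder(p))
    for p in [r"C:\ProgramData\MyApp", r"C:\Program Files\MyApp\Data",
              r"C:\MyProgram\DATA"]:
        print(p, check_data_folder(p))
```

The second and third sample paths contain the text "Program Files" and pass the substring test, yet neither is actually below that folder, which is why the verdict is built on normalized components.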

NewsArchive
10-11-2011, 06:52 AM
> But I still get clients turning off UAC and trying to install to C:\ etc.
>
> And now it just got worse as I now have a scenario where they can change the
> data location.

That is the problem when your clients are not smarter than THEIR
clients<g>.

:-)

Charles



NewsArchive
10-12-2011, 01:57 AM
Problem being, they keep changing the rules

--
Dan Scott
C55 - C6.3 Legacy
Garage Partner Pro / Invoice Partner
www.garagepartner.com
Plan A is always more effective when the device you are working on
understands that Plan B involves a larger hammer

NewsArchive
10-12-2011, 01:58 AM
> Problem being, they keep changing the rules

True, but that keeps you in a job!

As it is you can tell your customers:

"Look folks - you know that MY software is so good that it never needs
updating and you never need to pay for support, but these MICROSOFT jerks
keep changing the rules of the game.

That is why I am going to have to spend extra time on it and charge YOU for
this update. If you don't like it, call THEM and complain!

Remember that **I** am your friend and would never do that to you!"

:-)

Charles



NewsArchive
10-12-2011, 01:59 AM
I'm gonna disagree to a certain extent, Charles.

Still using Vista on my main work machine, with UAC enabled.

Sometimes as a user I accept the defaults.

Other times, I install stuff where I want to. Dagnabit!

For example - My C8 is installed in (wait for it... c:\c8)

My C7 is in c:\c7

I spend too much of my life at the command prompt, and would much rather do
a CD to something simple.

I hate having data installed 98 levels deep into some folder in my user
profile.

My default location for SB projects is c:\virtual1\setup.

My current C8 projects are in c:\C8proj.

One program I sell installs data into c:\MyProgram\DATA. Makes it a lot
easier for users to find... and perhaps even (oh you dreamer!) to back up...

John, you won't have virtualization issues as long as you manifest your
applications. That will normally (except for heuristic things like exe
names that include "install" or "setup") also determine whether they run
elevated.

"Nobody ever got fired for buying IBM." You won't get fired for toeing the
MS line. But if you understand the implications, you can exercise a certain
amount of freedom.

Jane

NewsArchive
10-13-2011, 12:30 AM
I use pretty much the same methods as you, but the folder names were
changed to protect the innocent.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:31 AM
Jane
I pretty much follow that except I have 4 HDs with a total of 16
partitions and I don't install anything on C

Jim

NewsArchive
10-13-2011, 12:31 AM
> I pretty much follow that except I have 4 HDs with a total of 16
> partitions and I don't install anything on C

I guess it all depends on your wants and needs.

I WANT the UAC protection - especially where I work or store my valuable
data.

On the commercial side, if you sell software that people will download and
install on their own ( especially if it has a demo they can try BEFORE they
contact you ), then you simply have to play by the rules.

Not installing to the proper locations and using proper data locations
makes your software appear "dated" at best ( or it makes you look like you
don't know what you're doing in many cases ). Also some people won't trust
it and even try it out - so you lose a sale before you even start.

IMHO not using the suggested locations is right up there with not code
signing or manifesting at all.

But I guess it depends on your market...


Just my $.10 ( sorry for the rate change, but we are preparing for higher
taxes under Obamanomics as well as increased healthcare costs from
Obamacare and had to raise the price from $.02 to $.10 to cover it ).

:-)

Charles



NewsArchive
10-13-2011, 12:32 AM
Our app is multi-user. It's way simpler for people to manage, when the
data lives underneath the app folder. We have a lot of customers who
pay a whole lot of money for our app. Not one of their IT people has
said anything about the way we install our app. We're on over 70% of
USAF bases, and they have some really good IT people.

If all we sold to were single users, then it would make sense to do
things differently.

>
>IMHO not using the suggested locations is right up there with not code
>signing or manifesting at all.
>
>But I guess it depends on your market...

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:32 AM
Maybe.
But single users can have more trouble understanding deeply buried data
paths.

jf

NewsArchive
10-13-2011, 12:33 AM
That's a good point, but some users don't want to know<g>

In our app, we have several "explore" menu choices that open up the
various folders that our app uses. e.g. "Explore Data Folder",
"Explore Documents Folder", etc. Saves our support people a lot of
grief.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:33 AM
I do the same thing.
Also shows any command-line switches, etc.

Jane Fleming

NewsArchive
10-13-2011, 12:34 AM
> That's a good point, but some users don't want to know<g>
>
> In our app, we have several "explore" menu choices that open up the
> various folders that our app uses. e.g. "Explore Data Folder",
> "Explore Documents Folder", etc. Saves our support people a lot of
> grief.

Exactly.

They don't care where it is as long as they can click a button or menu
option to get there.

Charles


NewsArchive
10-13-2011, 12:34 AM
> Maybe.
> But single users can have more trouble understanding deeply buried data
> paths.

That is why we just put a menu option to open the data folder (we use the
ProPath #CODE template, but you can do it via ShellExecute).

Then they don't have any problem finding the data (either the main or
system data as needed).

It also takes care of the whole thing of CSIDL paths being in different
places on the different OSs ( such as XP vs Vista/Win7).

:-)

Charles



NewsArchive
10-13-2011, 12:35 AM
> Our app is multi-user. It's way simpler for people to manage, when the
> data lives underneath the app folder. We have a lot of customers who
> pay a whole lot of money for our app. Not one of their IT people has
> said anything about the way we install our app. We're on over 70% of
> USAF bases, and they have some really good IT people.

I think the key factor there is that they have IT people<g>.

> If all we sold to were single users, then it would make sense to do
> things differently.

Agreed.

:-)

Charles





NewsArchive
10-13-2011, 12:35 AM
Show me how putting your data in an "approved" location provides more UAC
protection for it than putting it into your own data folder somewhere and
setting the permissions as you want.

UAC on the exe/dll installations is another matter altogether.

jf

NewsArchive
10-13-2011, 12:36 AM
Charles,

> Just my $.10 ( sorry for the rate change, but we are preparing for higher
> taxes under Obamanomics as well as increased healthcare costs from
> Obamacare and had to raise the price from $.02 to $.10 to cover it ).

Just a thought, leave the political stuff in chat.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Enhanced Reporting: http://CreativeReporting.com


Product Release & Update Notices
http://twitter.com/DeveloperPLUS

NewsArchive
10-13-2011, 12:37 AM
They install where I tell them or it voids the warranty and free
support. (no demo)

Jim

NewsArchive
10-13-2011, 12:37 AM
> They install where I tell them or it voids the warranty and free
> support. (no demo)

That is good for you if your market will let you get away with it.

Of course the big thing is that properly done - there is zero pain in just
doing it right, then it is a non-issue and the customers don't care.

For me, there is just no reason not to use UAC locations and CSIDL paths.
It is industry standard, seamless and it works.

Plus I never have to justify myself to customers as to why I don't play by
the rules...

:-)

Charles



NewsArchive
10-13-2011, 12:37 AM
I thought it was knownfolderid, nowadays (Vista & Later).

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:38 AM
> I thought it was knownfolderid, nowadays (Vista & Later).

While there are new things that can be done with it, KnownFolderID is
basically just a superset of CSIDL locations that give access to new places
added in Vista/later.

CSIDL locations still work fine and for most Clarion developers (since
Clarion only does 32 bit apps), it gives them everything they need.


Charles




NewsArchive
10-13-2011, 12:39 AM
Sounds as if you and Jeff and I need to form a support group <g>

Jane Fleming

NewsArchive
10-13-2011, 12:39 AM
BYOB<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:40 AM
"olive" doesn't start with a "B" ??

Jane Fleming

NewsArchive
10-13-2011, 12:40 AM
Bring your olives, BeachBunny<G>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-13-2011, 12:41 AM
<G>

Jane Fleming

NewsArchive
10-14-2011, 12:37 AM
They're the new MS-imposed industry standard. Who am I to do what I
want? :)

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-14-2011, 12:38 AM
> They're the new MS-imposed industry standard. Who am I to do what I
> want? :)

touché

:-)

Charles



NewsArchive
10-14-2011, 12:38 AM
If anyone's interested, here's a good reference:

http://msdn.microsoft.com/en-us/library/bb776911(v=VS.85).aspx

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve

NewsArchive
10-17-2011, 12:43 AM
Jeff,

Kinda OT, but does that multiuser app use tps files or a variant of SQL?
Just curious..

Skip