PDA

View Full Version : Running web update non-elevated



Colin101
04-27-2017, 12:31 PM
Hello,

The initial install of our application requires administrator elevation, but we would like to push out updates that can be executed silently by wucheck.exe without administrator elevation.

Can this be configured in the Setupbuilder GUI, or will the wucheck.exe / wupdate.exe scripts need to be modified?

Thanks,

Colin

linder
04-28-2017, 03:16 AM
Colin,

wucheck.exe runs non-elevated by default. You can use the wucheck.exe client to check for updates and to download & execute updates.

Does this help?

Friedrich

Colin101
04-28-2017, 08:10 AM
Hi Friedrich,

Every time I call wucheck.exe using powershell I am hit with the UAC elevation prompt (calling the wucheck.exe as a 'User' not administrator). Is there anything else during the setup I might be missing? This is on a windows domain.

Thanks,

Colin

linder
04-30-2017, 04:08 AM
Hi Colin,

wucheck.exe is "asInvoker" manifested. It does not request administrator execution level privileges!

BTW, just for fun, do a "Check for Updates" from the SetupBuilder IDE (uses wucheck.exe). You'll not see any elevation prompt.

Friedrich

Colin101
05-02-2017, 09:22 AM
Thanks Friedrich. Seems like I was asking the wrong question.

You are right, the wucheck.exe runs asInvoker, so I guess the problem is coming from my WebUpdate application. Even though my compiled Web Update application is set to asInvoker, it still requires user elevation. Is this because the WebUpdate project is based off of my original Installer.sbp which has a UAC execution level of requireAdministrator?

linder
05-03-2017, 03:29 AM
Hi Colin,

The original "wucheck.exe" is a standalone application. Because it is "asInvoker" manifested, it runs "non-elevated" by default and will only request administrator execution level privileges if the "parent" process instructs wucheck.exe to run elevated. For example, if you run wucheck.exe elevated through ShellExecuteEx (using the "runas" verb).

But are you sure that "wucheck.exe" triggers the elevation prompt? Perhaps it is the following:

Let us assume, you have a new web update on your server. Because you do a per-machine update (to write to protected Windows resources), the update is "requireAdministrator" manifested. Okay, you do the following:

wucheck.exe /S

wucheck.exe checks for a new web update. This is done non-elevated by default (so there is no elevation prompt). If an update is available, it downloads and executes it. Because your update (located on the server) is "requireAdministrator" manifested, the update (and not wucheck.exe) gives the elevation prompt.

What do you think?

Friedrich

Colin101
05-05-2017, 10:26 AM
Hi Friedrich,

I agree with everything you are saying; wucheck.exe executes as invoker. It is not wucheck.exe that is triggering the elevation prompt, it is the update itself.

My confusion is with how the update itself is manifested. In my update project's generator settings, I have it set to 'asInvoker', but I am still being hit with elevation prompt when it is called through wucheck. The elevation prompt is not for wucheck, it is for my WebUpdate.exe. Since it is compiled 'asInvoker', shouldn't it not require administrator credentials? Is it because it is trying to write to a protected directory (program files)?

Thank you for all the help Friedrich.

Colin

linder
05-08-2017, 02:20 AM
Colin,

First of all, if you have to write to protected Windows areas (e.g. the "Program Files" folder tree or HKEY_LOCAL_MACHINE registry) then your update has to run elevated. Otherwise, the update does not have any write access. If you only write to "un-protected" areas, then you can run the update non-elevated. But in this case, you have to compile and include your own version of wucheck.exe (\Redist\1033\wucheck.sbp) -- just uncheck the "Run elevated from non-elevated SetupBuilder application" option in Line 219 and 221 and you are done.

Does this help?

Friedrich