7

I am stuck at some UAC issue (I guess).

My question is: What does this UAC Shield Icon on some applications mean? And how would I get this icon to my Inno Setup setup.exe?

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
Christian Rockrohr
  • 1,045
  • 1
  • 14
  • 29

2 Answers2

6

Inno Setup installers require Admin Privileges by default (if not customized by installer creator). UAC popup will be triggered if user did not change UAC settings in Windows.

http://www.jrsoftware.org/ishelp/index.php?topic=setup_privilegesrequired

[Setup]: PrivilegesRequired

Valid values: none, poweruser, admin, or lowest

Default value: admin

Description: The effect of this directive depends on which version of Windows the user is running:

RobeN
  • 5,346
  • 1
  • 33
  • 50
  • 1
    Note that this won't add the shield icon as it elevates at runtime. You shouldn't explicitly run an Inno setup as admin. – Deanna Jan 24 '13 at 12:35
  • @Deanna, why does it elevate at runtime?, can you point to the rationale on this behaviour?. – Jaime Hablutzel Sep 11 '16 at 15:38
  • @JaimeHablutzel in many cases the default installation directory is `Program files` and unistall entries are added to `HKLM` - in both cases Admin Rights are required. You can force Setup to use only User Rights, but that determines some restrictions - you can't install to System folders (including PF) and you have to use `HKCU` registry branch for all registry entries (including Uninstall). Such app would be installed for Single User only. – RobeN Sep 11 '16 at 18:21
  • @JaimeHablutzel: So features like `RunAsOriginalUser` work. There is part of the setup that stays unelevated so it has access to the original user context. Once a program has elevated, there is no reliable way to access the original context so it leaves behind a bit of itself that it can talk to. This is also why, when you right click, "Run as Admin", this feature no longer works correctly. – Deanna Sep 16 '16 at 15:40
1

As others have said, Inno Setup requires administrator privileges by default, and will trigger the UAC prompt. You can change that with PrivilegesRequired. The problem with this is that it doesn't show the shield icon on the executable.

The best way to do it is to use the Microsoft's Manifest Tool and change the manifest embedded in the executable. It is usually included in Microsoft SDKs, which are free to download from Microsoft. Once you install it, the Manifest Tool is usually located in C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin\mt.exe. Note that some SDKs don't include it. I also found it in https://github.com/eladkarako/mt, if you don't want to install the SDK.

  • To extract the manifest from the executable, execute this in the command line: "path to mt.exe" -inputresource:"path_filename.exe";#1 -out:"path_filename.exe.manifest"
  • Now change asInvoker to requireAdministrator in path_filename.exe.manifest (manifest files are actually XMLs, so you can edit them with a text editor)
  • To put the manifest into the executable: "path to mt.exe" -manifest "path_filename.exe.manifest" -outputresource:"path_filename.exe";1

There you go! The executable now has the shield icon no matter what!

There's another method, which is far less useful. You can change the executable to run as administrator in the registry (same as right clicking it --> Properties --> Compatibility --> checking Run as Administrator on). To do this, create a string value that has the name set as the path+filename of the executable, and contains the data/text RUNASADMIN; the value has to be created in:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers if you want to change it for the current user
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers if you want to change it for all users (this usually requires you to have administrator privileges)

The problem with it is that it doesn't carry over if you move the executable (you have to do it all over again) or give it to someone else (they have to do it, or have to run some tool to do it). This is not useful.

Quirinus
  • 442
  • 1
  • 5
  • 9
  • 1
    Note that modifying the manifest invalidates the signature. So you cannot have Inno Setup sign the installer. You have to build the installer, add the manifest and then sign the installer yourself. Or you can "abuse" the signing callback to both add the manifest and sign the installer. For an example (not involving manifest, but other modifications of the installer), see [Microsoft SmartScreen - suspended using Inno Setup installer?](https://stackoverflow.com/q/29067877/850848#29072495) – Martin Prikryl May 16 '21 at 06:12