InstallShield Run As local account if not ran by admin

Question

I have a InstallShield InstallScript project that needs to be ran with administrative rights. In a nutshell from the InstallShield I need to:

Detect if the installer currently has administrative privileges.
If setup.exe is not being ran with admin rights spawn a new instance of the setup.exe using a local admin account/password then close the old (non-privledged) setup.exe.

So far I know I can do something like this to find if I have admin rights:

//---------------------------------------------------------------------------                                                                        
// Run As Utilities Library
//---------------------------------------------------------------------------
// Include Ifx.h for built-in InstallScript function prototypes.
#include "Ifx.h"
//---------------------------------------------------------------------------

export prototype UserRightsCheck();
function UserRightsCheck()
begin
MessageBox(INSTALLPROPERTY_INSTALLLOCATION, INFORMATION);
    if(USER_ADMINISTRATOR) then
        MessageBox("hello Admin", INFORMATION); // testing only
        // do nothing we are an admin

    else
        MessageBox("hello user", SEVERE); // testing only
        RunAsAdmin();
    endif;
end;


export prototype RunAsAdmin();
function RunAsAdmin()
begin
    STRING username = "myUserID";
    STRING password = "myPassword";
    STRING filepath = INSTALLPROPERTY_INSTALLLOCATION;
    RunAsUserAccount(username,password,filepath);
end;

export prototype RunAsUserAccount();
function RunAsUserAccount()
STRING username;
STRING password;
STRING filepath;
begin
    /*
    Is this the best way to do this? this is the function I need help with
    This seems like a hack
    */
    if ( SYSINFO.WINNT.bWinXP ) then
        LAAW_SHELLEXECUTEVERB = "open"; // target PC is on Windows XP
    else
        LAAW_SHELLEXECUTEVERB = "runas"; // Windows 7 (or Vista)
    endif;     

    LaunchApplication(
        filepath
        ,"" // Arguments
        ,"" // Directory
        ,SW_NORMAL // Use Window Mode
        ,0
        ,LAAW_OPTION_WAIT_INCL_CHILD | LAAW_OPTION_USE_SHELLEXECUTE
    );
end;

How do I relaunch the installer though? This can be done in Wise Package Studio and many other tools but I haven't found the answer how to do it in this one yet.

I know I could probably do a runas.exe or psexec.exe but that feels like a hack and sounds like a poor practice. After about a day of reading I am still not sure how to do this though.

Could someone please point me in the right direction of the proper way to do this in InstallShield?

Installscript MSI is almost frighteningly buggy. Why are you using this project type? Perhaps you are using pure Installscript? In other words, not an MSI setup at all? — Stein Åsmul, Jul 23 '14 at 01:39
Correct; we are not deploying an MSI, we are deploying an in-house application with a ton of related 'loose' files. — Dave, Jul 23 '14 at 18:30
Note that `if(USER_ADMINISTRATOR) ...` is incorrect. `USER_ADMINISTRATOR` is a constant that needs to be passed to `Is`. e.g.: `if(Is(USER_ADMINISTRATOR)) ...` — Michael Urman, Jul 24 '14 at 12:00

Stein Åsmul · Answer 1 · 2014-07-23T06:24:02.303

1

Tell the user in the MessageBox to relaunch the setup with admin rights. Explain that they can do this by right clicking the setup.exe in Explorer and then clicking "run as admin" and then OK in the UAC prompt. This is the conceptually "clean" way to do it, since you are doing nothing unexpected.

As I have already stated in the comment above, do think twice about Installscript MSI. It is extremely buggy. The better option is a Basic MSI with Installscript custom action code.

A basic MSI is a standard MSI, and the Installscript custom actions do not interfere with the setup GUI or the overall MSI operation. In Installscript MSI the whole installation sequence is Installscript controlled, and this causes serious bugs - some of which have no workarounds or fixes (even years after their discovery).

edited Jul 23 '14 at 06:24

answered Jul 23 '14 at 06:16

Stein Åsmul

39,960
25
91
164

We are not deploying an MSI, just a basic InstallScript. Deploying as a MSI is not an option either. Right clicking on the task to enter credentials is not an option either.. that is a very poor way to do something when the deployment task is automated. – Dave Jul 23 '14 at 18:34
How will the deployment task be automated? The right way to do it would be to use a deployment system such as SCCM, but I assume this is not available? Such tools arrange for the setup.exe to run with admin rights, which an Installscript expert (not me) states is "...always required for Installscript setups". See his [Basic FAQ](http://forum.installsite.net/index.php?showtopic=9657). – Stein Åsmul Jul 23 '14 at 19:20
Remember that for every version of Windows new obstacles are put in place for deployment. Save yourself a lot of trouble and do it right without any hacks inside the setup. Just abort it if launched without admin rights. – Stein Åsmul Jul 23 '14 at 19:29
On the contrary it is ridiculous for people to suggest deploying software to a ton of users by having tech's remote every box manually to install it. It is common practice to repackage applications with an embedded local service account with admin rights and then deploy the software though an automated tool such as Altiris, KACE, LanDesk, etc. – Dave Jul 23 '14 at 20:54
That's what I wrote above with SCCM? I didn't propose manual install, but to abort the setup if it is run without admin rights interactively, and to use a deployment tool such as SCCM to run the setup with proper admin rights for large scale deployment. – Stein Åsmul Jul 23 '14 at 21:01
The credentials need to be wrapped up in the installer since it is deployed to people multiple ways. This means if someone downloads it from the intranet site, deployed via tool, or it gets pushed by a tech it needs to run reliably under the same credentials. – Dave Jul 28 '14 at 15:40

score 0 · Answer 2 · edited May 23 '17 at 11:58

Perhaps this is along the lines of what you are looking for: How can I make the installer Run as admin. Also check this.

If you use an MSI instead of Installscript and use the built-in MSI concept of elevated rights, you can use MSI properties set at the command line to install anywhere with elevated rights: msiexec /i MySetup.MSI USER=OneUser /PASS=PassWord /qn. Just stating what is possible and perhaps easier.

InstallShield Run As local account if not ran by admin

2 Answers2