3

On Microsoft's website about UAC and in several existing answers and articles (like this one) it is mentioned that the Installer Detection of Windows checks the assembly for certain keywords for detecting if the application is an installer or not:

Before a 32 bit process is created, the following attributes are checked to determine whether it is an installer:

  • Filename includes keywords like "install," "setup," "update," etc.

However, I could not find a full list of those keywords. Only "install," "setup," "update," etc. is mentioned even on Microsoft's website. So what are the "cetera"?

Community
  • 1
  • 1
Michael Geier
  • 1,653
  • 1
  • 16
  • 18
  • Why do you care? Are you just curious or do you need to avoid detection? – Anders Jan 30 '15 at 17:16
  • I played around with ClickOnce and wanted to implement the solution described on http://www.codeproject.com/Articles/506162/ClickOnce-application-autostart-and-clean-uninstal for executing custom tasks on uninstall. – Michael Geier Feb 21 '15 at 09:56
  • ... (e.g. deleting registry entries etc.). The solution suggests to create a custom uninstaller-exe which then starts the actual ClickOnce uninstaller. The problem: if you name your custom uninstaller for example "uninstall.exe", Windows will show a message "Did the application uninstall properly?" (or similar) because the custom uninstall.exe doesn't really complete the deinstallation itself. – Michael Geier Feb 21 '15 at 10:03
  • Having just been bitten by this, I think it's very valid to want to know. I am writing a program with the word "patch" in the name, and was breaking my head trying to understand why it needed elevation when I compiled it for 32-bit. "Patch" is another word on the list, by the way. – FrontierPsycho Feb 07 '17 at 10:10

2 Answers2

4

Probably the closest you'll find to a "full list of keywords" is to read the shim database itself at %windir%\AppPatch\sysmain.sdb. (And possibly other .sdb files in the same folder).

The sdb2xml utility seems to do a good job of parsing it. The XML output from the sysmain.sdb on my Windows 7 x64 system can be found here.

A useful starting point would be to search the file for the string "GenericInstaller". You'll find <exe> profiles matching against filenames ("*instal*", "*setup*", "trustedinstaller.exe", etc.), checksums, file version information strings ("InstallShield*", "RTPatch Executable", etc.) and other various attributes. It sometimes even recognises the presence of other files such as "EULA.rtf".

To extract a full list of filename patterns used for installer detection is a bit nontrivial since there seems to be a number of different classifications for installers ("GenericInstaller", "SpecificInstaller", "MozillaFirefoxSetup", etc.). But I'm sure anyone who's read this far will be able to find the information they need by digging around in the XML.

Cauterite
  • 1,637
  • 17
  • 24
2

The full list is probably undocumented on purpose and might not be the same on all versions of Windows. It might also include ISVs that Microsoft do not want to shame in public.

As MSDN says, the filename is not the only trigger and I know that NSIS installers are detected based on a byte signature.

The correct way to deal with this is to make sure your installer is Vista/UAC compatible and add a requestedExecutionLevel node to your manifest.

If on the other hand you actually wanted to trigger the detection then I assume you can just add a keyword to your version resource or string table...

Anders
  • 97,548
  • 12
  • 110
  • 164