
I'm seeking some guidance to make a self-updating application UAC compliant. I have an application that checks for updates on launch and then automatically downloads any new binaries and replaces them with newer ones. The problem with this is that under Windows 7, any application that writes to the Program Files folder seems to require Admin UAC elevation. We've added code to the application manifest to automatically request UAC elevation for the updates to work, but naturally this is not an optimal solution, as users will see the Admin prompt if they have the UAC prompts enabled. What are my options to be UAC compliant and still maintain the self-updating properties of the application?

Thanks,

Tom

TJF
  • Check out [What is the best way to auto update a windows application?](http://stackoverflow.com/questions/7395609/what-is-the-best-way-to-auto-update-a-windows-application) – Alexey Ivanov Oct 17 '11 at 17:15

4 Answers

Basically, if you want to install to Program Files then you will need to show the UAC prompts.

Of course, you could modify the access control settings (i.e. what you set in the security page of Explorer properties dialog) for your install folder to make it writeable. But that would be against all known best practice. I would not advocate it.

One alternative is to do what Chrome does and install under the user profile. There are downsides to this approach. Doing it this way requires every user on the machine to install the software, and then each user would need to update individually. You also lose some of the protection that UAC affords.

David Heffernan
  • Is that the only way? Are there any options to sign the application with specific certificates, etc? – TJF Oct 17 '11 at 15:32
  • Signing just changes what the prompt looks like, not whether or not there is one. – Factor Mystic Oct 17 '11 at 15:33
  • You could modify the access control for your install folder to make it writeable but that would be against all known best practice. I would not advocate it. Users are quite used to applications requiring elevation to update. Firefox is a classic example. – David Heffernan Oct 17 '11 at 15:35
  • You could install to the Public profile. This is what World of Warcraft does, which means they don't have to prompt the user for permission, to write to their own install directory. – Security Hound Oct 17 '11 at 17:20
  • @Ramhound Yet again the binaries become vulnerable because there's no write protection on them, like in the case with Chrome. Either you install to Program Files and then installer and updater have to be run elevated but thus they're more protected, or you install to user or public profile, in which case the process is a bit more convenient for the users. – Alexey Ivanov Oct 17 '11 at 17:36

In addition to what David said, you could also install a background service which manages updates for you. The service would receive update requests from your application and manage writing files to the install directory. From the user's perspective, it would be entirely seamless with no UAC prompts (except for one, at the time of initial install).

Factor Mystic
  • It would be nice if you could point to any implementation. I am saying this because I googled a lot and saw the same statement that you made, but could never find an implementation. Not even in the Firefox source code. – tmighty Jul 22 '22 at 20:20

You should not require administrator privileges to run your application, therefore your application manifest should contain the asInvoker level. Otherwise limited users would not be able to run your application, and surely this is not what you want.

David mentioned Firefox; this is how it auto-updates. It does not require administrator privileges to run. Firefox downloads the update in the background and saves it on the hard disk. The next time the user starts Firefox, it sees an update is ready to install and starts the installer of the newer version. The installer has to be run elevated, which is why users see a UAC prompt for elevation. When the update is done, Firefox starts again non-elevated.

The tricky part is to start Firefox non-elevated when the update completes. I would not recommend using tricks to start a non-elevated process from an elevated one. You should keep one process with the regular user security token. I don't know how Firefox handles it, yet the simplest way would be: start the updater non-elevated (mark it with asInvoker in the manifest), then the updater restarts itself elevated with the ShellExecute function and the runas verb. When the elevated process completes, it starts the updated application.

Alexey Ivanov

I really like how Google does this.

Google now updates Chrome and its other products using a Google Update Service running as Local System. UAC is triggered at install time, and then never again. Applications are installed to Program Files, which defeats the twin problems of using AppData: first, that many enterprises block executables launching from AppData; and, more importantly, that multiple users on a machine would each have to make a separate installation into AppData on that machine.

When a new version is available, the Updater Service silently adds a version folder under a base directory (e.g., Program Files\Google\Chrome\Application\45.0.2454.93, and then later, Program Files\Google\Chrome\Application\45.0.2454.101). The Chrome launcher simply runs the Chrome application from the highest versioned folder.

J.T. Taylor
  • It would be nice if you could point to any implementation. I am saying this because I googled a lot and saw the same statement that you made, but could never find an implementation. – tmighty Jul 22 '22 at 20:20
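An added example (not code from the answer above, nor from Google's launcher) of the launcher logic J.T. Taylor describes: choose the highest version folder under a base directory and run the executable from it as the current, non-elevated user. The folder names from the answer (45.0.2454.93 and 45.0.2454.101) are exactly the case where a plain string sort picks the wrong one, so the comparison is done component by component; the sample folder list, the `chrome.exe` name and the base-directory layout are assumptions.

```python
import os
import re
import subprocess
import sys

# Constructed sample of folder names an updater service might leave under a
# base directory such as Program Files\Google\Chrome\Application (hypothetical).
SAMPLE_FOLDERS = ["45.0.2454.93", "45.0.2454.101", "44.0.2403.157",
                  "temp", "45.0.2454.93.bak"]

# Only dotted all-numeric names count as version folders.
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(name):
    """Return a tuple of ints for a name like '45.0.2454.101', else None."""
    if not VERSION_RE.match(name):
        return None
    return tuple(int(part) for part in name.split("."))


def highest_version_folder(names):
    """Pick the folder with the greatest version, comparing numerically.
    Non-version folders (leftovers, backups) are ignored, never launched."""
    candidates = [(parse_version(n), n) for n in names]
    candidates = [(v, n) for v, n in candidates if v is not None]
    if not candidates:
        return None
    return max(candidates)[1]


def launch_latest(base_dir, exe_name="chrome.exe"):
    """List base_dir, choose the highest version folder and start the
    executable in it with the caller's (non-elevated) token. Returns the path."""
    folder = highest_version_folder(os.listdir(base_dir))
    if folder is None:
        raise FileNotFoundError("no versioned install folder under " + base_dir)
    exe_path = os.path.join(base_dir, folder, exe_name)
    if not os.path.isfile(exe_path):
        raise FileNotFoundError(exe_path)
    subprocess.Popen([exe_path])
    return exe_path


if __name__ == "__main__":
    print(highest_version_folder(SAMPLE_FOLDERS))  # 45.0.2454.101
    if len(sys.argv) > 1:
        launch_latest(sys.argv[1])
```

Because the version folders live under Program Files, only the elevated updater service can write them; the launcher itself never needs to be elevated.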