Mark MSI so it has to be run as elevated Administrator account

醉梦人生 2020-12-07 21:29

I have a CustomAction as part of an MSI.

It MUST run as a domain account that is also a member of the local Administrators account.

It can't use the NoImper

3 answers
  • 2020-12-07 21:32

    You can create a simple SFX archive file for the MSI file with WinRAR and these options:

    • Setup tab > Run after execution input: your msi file name

    • Advanced tab > Mark Request Administrative access option checkbox

  • 2020-12-07 21:42

    Answering my own question for any other poor s0d looking at this.

    • You can't add a manifest to an MSI. You could add a SETUP.EXE or bootstrapper to shell the MSI and manifest that with requireAdministrator but that defeats some of the point of using an MSI.

    • Adding a manifest to a CustomAction does not work as it is run from msiexec.exe

    The way I have tackled this is to set the MSIUSEREALADMINDETECTION property to 1 so the Privileged condition actually works and add a Launch Condition for Privileged that gives an error message about running via an elevated command prompt and then quits the installation.

    This has the happy side effect - when an MSI is run from an elevated command prompt, deferred CustomActions are run as the current user with a full Administrator token (rather than a standard user token) regardless of the NoImpersonate setting.

    More details - http://www.microsoft.com/downloads/details.aspx?FamilyID=2cd92e43-6cda-478a-9e3b-4f831e899433

    [Edit] - I've put a script here that lets you add the MSIUSEREALADMINDETECTION property, as VS doesn't have the ability to do it and Orca's a pain.

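One way to apply the change described in the answer above (MSIUSEREALADMINDETECTION set to 1 plus a Privileged launch condition), as an added PowerShell example that is not the answer author's script. The script name, parameter names and message text are assumptions, and the package is assumed to already contain a LaunchCondition table.

```powershell
# Added example, not the answer author's script. Run against an unsigned copy:
#   .\Set-MsiAdminCheck.ps1 -MsiPath .\setup.msi      (file names are hypothetical)
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    # Constructed wording; the answer only says the message mentions an elevated prompt.
    [string] $Message = 'Run this installer from an elevated command prompt.'
)
$ErrorActionPreference = 'Stop'

# Late-bound call into the Windows Installer automation (COM) objects.
function Invoke-Msi($Target, [string] $Name, [object[]] $CallArgs,
                    [Reflection.BindingFlags] $Kind = 'InvokeMethod') {
    $Target.GetType().InvokeMember($Name, $Kind, $null, $Target, $CallArgs)
}

# Run one statement; an optional Record supplies the value for a '?' marker.
function Invoke-MsiSql($Database, [string] $Sql, $Record) {
    $view = Invoke-Msi $Database 'OpenView' @($Sql)
    Invoke-Msi $view 'Execute' $Record | Out-Null
    Invoke-Msi $view 'Close' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path -LiteralPath $MsiPath).ProviderPath
$db = Invoke-Msi $installer 'OpenDatabase' @($fullPath, 1)    # 1 = transacted mode

# The condition is only evaluated if the package already has the table and a
# sequenced LaunchConditions action, so stop rather than create them here.
$state = Invoke-Msi $db 'TablePersistent' @('LaunchCondition') 'GetProperty'
if ($state -ne 1) {                                           # 1 = persistent table
    throw 'No LaunchCondition table: add a launch condition in the authoring tool first.'
}

# MSI SQL has no upsert, so delete-then-insert keeps reruns idempotent.
Invoke-MsiSql $db 'DELETE FROM `Property` WHERE `Property` = ''MSIUSEREALADMINDETECTION'''
Invoke-MsiSql $db ('INSERT INTO `Property` (`Property`, `Value`) ' +
                   'VALUES (''MSIUSEREALADMINDETECTION'', ''1'')')

# Pass the message through a Record so quotes in it cannot break the statement.
Invoke-MsiSql $db 'DELETE FROM `LaunchCondition` WHERE `Condition` = ''Privileged'''
$rec = Invoke-Msi $installer 'CreateRecord' @(1)
Invoke-Msi $rec 'StringData' @(1, $Message) 'SetProperty' | Out-Null
Invoke-MsiSql $db ('INSERT INTO `LaunchCondition` (`Condition`, `Description`) ' +
                   'VALUES (''Privileged'', ?)') $rec

Invoke-Msi $db 'Commit' $null | Out-Null                      # nothing is saved before this
```

Edit the package before it is signed: changing the database of an already signed MSI invalidates its Authenticode signature.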
  • 2020-12-07 21:48

    requireAdministrator in the manifest should work.

    You can also use a bootloader .exe file which can use ShellExecute with "RUNAS" as the verb (you can use 7-zip to create the bootloader, or there are many other ways).
