Password based uninstalling

[Allan Fernandes]

Hi,

I want to ask a password before uninstalling my application but am facing following challenges.

1) Scripting into InitializeUninstall(), I can ask the user for a Password, but may be an overkill to validate the password from a Database. I cannot store the password in a text file either as it will be unsafe.

b) I can use [UninstallRun] to load a program of mine to ask password, but I cannot abort the process at this point in InnoSetup.

Regards

Allan

[Eivind Bakkestuen]

password during uninstall - for what purpose?

--
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/innosetup/8121210b-1256-49b7-8424-21a66d66ee8dn%40googlegroups.com.

[Gavin Lambert]

On Monday, May 5, 2025 at 11:16:06 PM UTC+12 Allan Fernandes wrote:

I want to ask a password before uninstalling my application but am facing following challenges.

There's no point in this.  If they can't uninstall it cleanly, they will just uninstall it uncleanly.  Don't make people's lives harder, especially when they're removing your software, otherwise they will never want to go back. 

[Allan Fernandes]

Mine is a Client Server Application (Data Backups) and the Password will be set on the Server by the Customer's IT head who in turn does not want his end users to uninstall the application.

Many Antivirus's do likewise.

[Gavin Lambert]

On Tuesday, May 6, 2025 at 3:45:38 PM UTC+12 Allan Fernandes wrote:

Mine is a Client Server Application (Data Backups) and the Password will be set on the Server by the Customer's IT head who in turn does not want his end users to uninstall the application.

 

If the IT admin wants to restrict what things users can uninstall, they can make users not admins.  They will then automatically not be able to uninstall apps installed by an admin.  This is actually the only way that can be done; someone with local admin can eventually get around anything if it annoys them enough.

Or the IT admin can just tell people to not uninstall it, and/or audit who has uninstalled it and deal with it accordingly.  Don't try to solve social problems with technology; it doesn't work.

Many Antivirus's do likewise.

No, only viruses.

[Allan Fernandes]

I have seen Antivirus's ask password so that End User's cannot uninstall. Also below links will confirm the same 

      https://docs.seqrite.com/docs/seqrite-endpoint-protection-8-3/uninstallation-of-seqrite-endpoint-security/

      https://knowledge.broadcom.com/external/article/175948/sep-client-prompts-for-the-uninstall-pas.html

The IT Head gives Admin login to the End User as the User needs it for other purposes and I cannot ask him to change his policy for the sake of my Application.

I am aware that a User can get around and uninstall, but asking a password will thwart off most from crossing the line.

Any hint will help, the rest  I will manage.

Thank You.

[Eivind Bakkestuen]

If you worry about using text files, encrypt.

If the users aren't trusted with the password, where does it come from in the first place?

--

You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/innosetup/25040e29-8857-47ad-85d8-0db78b08695dn%40googlegroups.com.

[Allan Fernandes]

Encrypting is a good idea. Though I am not sure what would be the options available to me for Decrypting within the Script ? 

Can I run a BAT file ?

Regarding the Passwords, they will come from the Server, set by the IT Head. Only he can come to the End User Machine and Uninstall.

[Tommi Prami]

"Don't try to solve social problems with technology; it doesn't work."

Brilliant.  Have to remember that🙏

Similar to when Swiss solved technical problem with bureaucracy, they made illegal to have 256 cars in their trains.

--

You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/innosetup/acf5772b-8c3b-48b5-9554-2128a213290an%40googlegroups.com.

[Gavin Lambert]

On Tuesday, May 6, 2025 at 9:56:41 PM UTC+12 Allan Fernandes wrote:

Regarding the Passwords, they will come from the Server, set by the IT Head. Only he can come to the End User Machine and Uninstall.

In that case, the password should not be stored on the client machine at all.  Have it communicate with the server and perform password validation that way (using a secure validation algorithm so that the password never goes over the wire).

[Allan Fernandes]

I have received a lot of advice as to how I should perform my tasks and how I should not perform my tasks.

I have diligently responded to each.

JYFI I have the password encrypted with AES256 algo + My own Algo, readily available at the end point in a database.

I can decrypt this using Delphi but is it possible using the  Scripting InitializeUninstall()   or can I exit at a later stage in  [UninstallRun]

If none of this is possible then I will have to do a ShellExec() within InitializeUninstall()  to call my application and return Validity.

[Gavin Lambert]

On Wednesday, May 7, 2025 at 3:43:21 PM UTC+12 Allan Fernandes wrote:

I can decrypt this using Delphi but is it possible using the  Scripting InitializeUninstall()   or can I exit at a later stage in  [UninstallRun]

As you've already noted, [UninstallRun] is too late.

As for InitializeUninstall, that depends on the complexity of your code.  If you're comfortable translating your code to [Code], then you can do it directly.  Otherwise it may be easier to call a DLL function (as shown in the help), or call a helper EXE (though in this case, you would use Exec rather than ShellExec).

[Allan Fernandes]

Thank You Sir. This will do the trick. Will use Exec() and if needed will study [Code] 

[Jernej Simončič]

On Tuesday, May 6, 2025, 06:51:50, Gavin Lambert wrote:

No, only viruses.

Several corporate antivirus products do ask for uninstall password. They can all be bypassed the manual way, but it involves quite a bit of work (and using Safe Mode for specific products).

 

-- 
< Jernej Simončič ><><><><>< https://eternallybored.org/ >

Use it.
       -- Howard's First Law of Theater

[Jernej Simončič]

On Monday, May 5, 2025, 13:14:29, Allan Fernandes wrote:

1) Scripting into InitializeUninstall(), I can ask the user for a Password, but may be an overkill to validate the password from a Database. I cannot store the password in a text file either as it will be unsafe.

Hash the password and store the hash in Registry. When user enters the password, hash it, and compare with stored hash.

 

-- 
< Jernej Simončič ><><><><>< https://eternallybored.org/ >

If God had intended us to go around naked, He would have made us that way.
       -- Olum's Observation (and see Martha's Maxim and Farrow's Finding)

[Ethin Probst]

Do not encrypt your password with AES. It isn't designed for that. Use Argon2ID or similar, as it is an actual hash function designed for passwords, whereas AES requires you to store the encryption key somewhere.

[Gavin Lambert]

On Wednesday, May 7, 2025 at 11:30:48 PM UTC+12 Jernej Simončič wrote:

On Tuesday, May 6, 2025, 06:51:50, Gavin Lambert wrote:

No, only viruses.

Several corporate antivirus products do ask for uninstall password. They can all be bypassed the manual way, but it involves quite a bit of work (and using Safe Mode for specific products).

Yes, like I said, only viruses.

[Allan Fernandes]

Perfect, Thanks

[Allan Fernandes]

That helps, Thanks