uninstall requires admin permissions for software installed as user


Maarten Bezemer

Nov 1, 2024, 12:34:30 PM
to innosetup
Hi,
We have an issue with an installer (not our own) that we can install through intune into the user's %localappdata% perfectly fine.

But the uninstall (either triggered from intune or executed manually on local device) fails to work as expected. Intune uninstall fails "silently". Manual uninstall requests admin permissions that our users don't have.

Is this something we can "fix" by somehow amending the uninst000.dat file, or is this something that can only be addressed by the vendor (not very likely they'd be interested in fixing this..)

My fear is that we can now install this version, but once a new version is released, we can't uninstall the current one to replace it with the new version.

I read that if there was no admin privs involved in installing, and the install was not done by an admin user, then the uninstall should work. But maybe the vendor has messed up the config?

Any suggestions on where to start?

Thanks,
Maarten

google...@passmail.nl

Nov 1, 2024, 12:37:51 PM
to innosetup
This means you started the installer with administrative privileges even though it didn't need this. You should start it as a normal user to avoid the uninstaller requesting administrative privileges.

Greetings,
Martijn

On Fri, Nov 1, Maarten Bezemer <bezemer.id...@gmail.com> wrote:
--
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/innosetup/1e7f0957-96cd-4a99-ac2c-b01233136fb4n%40googlegroups.com.

Maarten Bezemer

Nov 1, 2024, 3:35:02 PM
to innosetup
Thanks for the quick answer.
The installer was started through intune in the User context, not in the System context. For this test case, the user appears to also be a member of the local admins group. But there is no UAC elevation prompt during the (silent) install and the software is installed in the %localappdata% and not in c:\program files.
Does innosetup consider "membership of the local admins group" as "starting the installer with admin privs"? Or does it automatically assume admin privs when installing through intune in user context?

Best, Maarten

Martijn Laan

Nov 1, 2024, 4:29:55 PM
to inno...@googlegroups.com
Hi,

On 1-11-2024 at 20:35, Maarten Bezemer wrote:
> the software is installed in the %localappdata% and not in c:\program files.

Inno Setup can run in non-admin install mode even if administrative privileges are available. But if you do that the uninstaller will still require administrative privileges since it can't be sure the script didn't do any admin actions even if Inno Setup itself won't.


> Does innosetup consider "membership of the local admins group" as "starting the installer with admin privs"?

If UAC is on then the system does not report users as members of an admin group to a program if that program is running unelevated, even if the user is a member of the group. If UAC is off then it will.

So I still think you're running the installer with admin privileges. At the start of the log it will say 'User privileges: Administrative' if it is and 'User privileges: None' otherwise.

Note that the administrative requirement of the uninstaller is 'sticky'. Once turned on, it won't ever go off again even if you do an update without admin privileges, until you do an uninstall.

Greetings,
Martijn

Maarten Bezemer

Nov 1, 2024, 4:58:08 PM
to innosetup
Hi,

This is what I found in the logs:
2024-11-01 14:49:39.201   User privileges: Administrative
2024-11-01 14:49:39.202   Administrative install mode: No
2024-11-01 14:49:39.202   Install mode root key: HKEY_CURRENT_USER
2024-11-01 14:49:39.202   64-bit install mode: Yes

So maybe intune in user context is running this in elevated mode. Yet it appears to not be running the uninst000.exe in elevated mode, as that fails when I add the test user to the "uninstall" group in intune.
But shouldn't the "Administrative install mode: No" indicate that admin privileges shouldn't be requested?

Or are there some parameters I can pass to uninst000.exe from intune to make it run in elevated mode?
(The supplier is using one single installer file with a separate system service and a separate userland program, with different command lines for installing the two parts... not ideal...)


Best,
Maarten


Bill Stewart

Nov 1, 2024, 5:43:14 PM
to innosetup
On Friday, November 1, 2024 at 10:34:30 AM UTC-6 Maarten Bezemer wrote:

> We have an issue with an installer (not our own) that we can install through intune into the users %localappdata% perfectly fine.
>
> But the uninstall (either triggered from intune or executed manually on local device) fails to work as expected. Intune uninstall fails "silently". Manual uninstall requests admin permissions that our users don't have.

A properly designed IS installer that runs in per-user mode does not request administrative privilege to install. I think you're going to need to ask this question of whoever developed the IS installer you're using.

Martijn Laan

Nov 2, 2024, 3:47:27 AM
to inno...@googlegroups.com
Hi,

On 1-11-2024 at 22:43, 'Bill Stewart' via innosetup wrote:
No, see my other messages.

Greetings,
Martijn

Martijn Laan

Nov 2, 2024, 3:52:12 AM
to inno...@googlegroups.com
Hi,

The installer isn't requesting admin privileges: you're just forcing them on it even though it doesn't want them. After that it can't 'unelevate'.

If you don't want the uninstaller to require admin privileges then you shouldn't give them to the installer.


> Or are there some parameters I can pass to uninst000.exe from intune to make it run in elevated mode?

No, but I suppose you could try something like using an external 'requireAdministrator' manifest instead.


> (The supplier is using one single installer file with a separate system service and a separate userland program, with different command lines for installing the two parts... not ideal...)

I don't think the problem is with the supplier.

Greetings,
Martijn
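
The log check described in this thread, as an added example that is not part of any post and not Inno Setup's own code: it reads the header of an installer /LOG file and flags the combination reported above (setup started with administrative privileges but running in non-administrative install mode), which is the case where the uninstaller ends up requiring admin rights. The function names and result labels are assumptions made for this example; the first sample is the log excerpt posted in the thread, the second is constructed.

```python
import re

# Privilege-related header lines that Inno Setup writes at the top of a /LOG file,
# in the form quoted in this thread: "<date> <time>   <name>: <value>".
HEADER = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+"
    r"(User privileges|Administrative install mode|Install mode root key):\s*(.*?)\s*$"
)

def parse_header(log_text):
    """Return the first occurrence of each privilege-related header field."""
    fields = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def classify(log_text):
    """Label an install log by the uninstall behaviour the thread describes."""
    f = parse_header(log_text)
    priv = f.get("User privileges")
    mode = f.get("Administrative install mode")
    if priv is None or mode is None:
        return "unknown"            # header missing or log truncated
    elevated = priv == "Administrative"
    admin_mode = mode == "Yes"
    if elevated and not admin_mode:
        return "elevated-per-user"  # uninstaller will demand admin rights
    if elevated and admin_mode:
        return "admin-install"
    if not admin_mode:
        return "per-user"           # this run adds no admin requirement
    return "inconsistent"           # admin mode without admin privileges

# Header lines as posted in the thread.
THREAD_LOG = """\
2024-11-01 14:49:39.201   User privileges: Administrative
2024-11-01 14:49:39.202   Administrative install mode: No
2024-11-01 14:49:39.202   Install mode root key: HKEY_CURRENT_USER
2024-11-01 14:49:39.202   64-bit install mode: Yes
"""
# Constructed sample: the same install started without elevation.
UNELEVATED_LOG = THREAD_LOG.replace("User privileges: Administrative",
                                    "User privileges: None")

if __name__ == "__main__":
    for name, text in (("thread", THREAD_LOG), ("constructed", UNELEVATED_LOG)):
        print(name, classify(text), parse_header(text))
```

Because the thread describes the uninstaller's admin requirement as sticky, a "per-user" result for the latest run does not clear a requirement set by an earlier elevated run; check the log of every install since the last uninstall.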

Maarten Bezemer

Nov 2, 2024, 10:15:46 AM
to innosetup
Hi,

"So I still think you're running the installer with admin privileges."
"I don't think the problem is with the supplier."
I'm only strictly following the supplier's instructions and that's what results in failing uninstalls.
But the supplier is claiming their intune installer file is client-specific and they can't support it for any specific client. So I'm a bit out of luck there.
Also, their .intunewin downloadable (from the client admin dashboard, accessible only to the printer lease company admin and not for end users or even for our company admins) appears to be broken in that it doesn't even deploy anything and throws an error. Unpacking the .intunewin resulted in a single .exe installer (innosetup based), and packing that into a new .intunewin file now does the install as expected. But the uninstall still fails.


Intune application - win32 app - with these settings:
Install behavior: User
Install command: papercut-hive.exe /VERYSILENT /CURRENTUSER  /userkey="--redacted--"
Uninstall command: "%localappdata%\Programs\PaperCut Hive\unins000.exe" /VERYSILENT

So I'm not "doing something" myself, it's only intune doing the install / uninstall. Install works fine, uninstall fails (toast notification showing that it failed, and files not removed either).

Next week I may be able to prep another test device with a test user to look into it in more detail, but still the general idea is that an intune uninstall should work regardless of the user being member of the local admins group. But of course it could still be an issue with Intune assuming "if the user is member of local admins group, then run user context installs as elevated". Yet that wouldn't explain that it wouldn't run the uninstall command as elevated as well.
Or.. from what I understand in configuring inno setup, the vendor could have forgotten to add/change relevant lines to the configuration when creating the installer package. But I only have the installer .exe and no configuration file.


Best,
Maarten

Maarten Bezemer

Nov 2, 2024, 10:29:21 AM
to innosetup
Found something here: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add states:

"The Win32 app installation and uninstallation will happen under admin privilege (by default) when the app is set to install in user context and the user on the device has admin privileges."

No explanation on the "by default" though. Or how to do it differently than the default. Not too helpful, but could explain what we're seeing...

Best,
Maarten

Eivind Bakkestuen

Nov 3, 2024, 8:25:32 PM
to inno...@googlegroups.com
You might want to add /LOG... to your command lines, and send the logs to the install creator.


Bill Stewart

Nov 4, 2024, 8:46:01 AM
to innosetup
On Saturday, November 2, 2024 at 1:47:27 AM UTC-6 Martijn Laan wrote:

> No, see my other messages.

Thanks for the clarification!