Desktop shortcut to run as administrator?

[John Henderson]

Hi There,

I've downloaded your Innosetup installer and it works perfect. I noticed that is creates a shortcut on the desktop when installing my own application, which is great. 

Is it possible to set the properties of the shortcut to run as administrator? 

This would help tremendously if I could add it to the script file.

Thanks

[Alex Born]

Is it possible to set the properties of the shortcut to run as administrator?

Hi!  Sorry, google translate.

In section Code add next procedure

procedure SetElevationBit(Filename: string);
var
     Buffer: string;
     Stream: TStream;
begin
     Filename := ExpandConstant(Filename);
     Log('Setting elevation bit for ' + Filename);

     Stream := TFileStream.Create(FileName, fmOpenReadWrite);
     try
       Stream.Seek(21, soFromBeginning);
       SetLength(Buffer, 1);
       Stream.ReadBuffer(Buffer, 1);
       Buffer[1] := Chr(Ord(Buffer[1]) or $20);
       Stream.Seek(-1, soFromCurrent);
       Stream.WriteBuffer(Buffer, 1);
     finally
       Stream.Free;
     end;
end;

In section Icon for your shortcut add flag AfterInstall with call SetElevationBit

Example:

[Icons]
Name: "{commondesktop}\{#NameIDApp}"; Filename: "{app}\MyApp.exe"; WorkingDir: "{app}"; MinVersion: 0.0,6.0; AfterInstall: SetElevationBit('{commondesktop}\{#NameIDApp}.lnk')

Done.

[John Henderson]

Thank you very much for your quick response. I will try it, when im back home.

Thank you again

John

--
You received this message because you are subscribed to a topic in the Google Groups "innosetup" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/innosetup/9ULmxjroRTk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to innosetup+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/innosetup/179c53e3-2c97-4e16-bc6d-69e60ce4ecd1o%40googlegroups.com.

[Jernej Simončič]

On Saturday, September 12, 2020, 11:34:09, 'John Henderson' via innosetup wrote:

> Is it possible to set the properties of the shortcut to run as
> administrator?

That's a compatibility setting needed by broken programs. You shouldn't be distributing broken programs, and instead fix your application to work without requiring admin privileges (if you need admin privileges to perform certain tasks, you need to make your program elevate itself just to perform those specific tasks).

--
< Jernej Simončič ><><><><>< https://eternallybored.org/ >

Never invest in anything that eats.
-- Seymour's Principle of Investment

[Gavin Lambert]

On 13/09/2020 04:38, Jernej Simončič wrote:
>> Is it possible to set the properties of the shortcut to run as
>> administrator?
>
> That's a compatibility setting needed by broken programs. You shouldn't be distributing broken programs, and instead fix your application to work without requiring admin privileges (if you need admin privileges to perform certain tasks, you need to make your program elevate itself just to perform those specific tasks).

Under absolutely no circumstances should you try to set the "run as
admin" in the shortcut.

In the incredibly unlikely case that your program actually does require
admin permissions, the correct way to indicate that is by adding an
admin manifest to your resources. (That's just a setting in the
project, if you're using Visual Studio.)

But Jernej is correct; most apps should not require admin permissions,
and if yours appears to then you should treat it as a bug in your app.

[Stephen Greenfield]

Jernej, Gavin --

So we, too, need to set our actual app to be "Run as Administrator" -- exactly for compatibility reasons.  We've had to do this for the past few years, because our app cannot (at present) be re-compiled (we're working on it, but it's likely to be another full year).

Is that bad?  Yes.  Does it indicate the original architecture was buggy when it was created?  You bet.

But given that we MUST do it, is the above method still the correct way to accomplish that from within Inno Setup?

Stephen

[Gavin Lambert]

On 30/03/2022 09:53, Stephen Greenfield wrote:
> So we, too, need to set our actual app to be "Run as Administrator" --
> exactly for compatibility reasons.  We've had to do this for the past
> few years, because our app cannot (at present) be re-compiled (we're
> working on it, but it's likely to be another full year).
>
> Is that bad?  Yes.  Does it indicate the original architecture was buggy
> when it was created?  You bet.
>
> But given that we MUST do it, is the above method still the correct way
> to accomplish that from within Inno Setup?

Even if you lack the ability to recompile the code, you should be able
to use a resource hacker program or similar to attach a manifest
resource to require admin permissions rather than trying to enable it on
the shortcut.

I believe it's also possible to distribute the manifest as a separate
xxx.exe.manifest file, though I've never tried that.

[Stephen Greenfield]

Gavin, you may have given me an idea --

So my actual core application (the one that can't be compiled but must run as Administrator) is actually "sub-launched" from a launcher app that I CAN easily rebuild.

If I give that modern 64-bit launcher proper admin permissions, and it launches the older 32-bit app, can it confer Admin permissions on the sub-launched app?  Or perhaps combining installer-set UAC settings?

Stephen

[Gavin Lambert]

On 30/03/2022 15:11, Stephen Greenfield wrote:
> So my actual core application (the one that can't be compiled but must
> run as Administrator) is actually "sub-launched" from a launcher app
> that I CAN easily rebuild.
>
> If I give that modern 64-bit launcher proper admin permissions, and it
> launches the older 32-bit app, can it confer Admin permissions on the
> sub-launched app?  Or perhaps combining installer-set UAC settings?

Yes, if the parent process is running as admin, then a child process
will also be launched as admin by default. It takes extra steps to
"switch". (It's also a lot easier to go from non-admin to admin than
the reverse.)

The more things that are running as admin, the more things that can be
attacked for security holes, though.

If you're only launching your other app from a launcher, then you can
still run your launcher non-elevated, but use ShellExecute("runas") to
launch the other app elevated. This mostly just changes the timing of
the UAC prompt.

[Stephen Greenfield]

Gavin, your responses have been uber-helpful and have really moved my project along a lot faster!

Much to my surprise, it already works to launch my 32-bit code as elevated if the desktop shortcut to my 64-bit launcher has the "run as administrator" checkbox selected.  I guess my code is already doing a shellExecute (the launcher is written in Xojo), and I guess that's what FolderItem.Open does.

So perhaps the best thing is to just set that checkbox in the shortcut -- which I assume the code above does correctly?

[Gavin Lambert]

On 30/03/2022 18:13, Stephen Greenfield wrote:
> So perhaps the best thing is to just set that checkbox in the shortcut
> -- which I assume the code above does correctly?

It is not correct behaviour for an installer to try to set that checkbox
in a shortcut, for any reason.

Use a manifest, or run your launcher from a non-elevated shortcut and
then relaunch your other app with elevation, if you insist. Don't try
to touch that checkbox. Test with it off.

[Stephen Greenfield]

Just for future reference, the above code does NOT appear to set that checkbox.  Perhaps it did for Windows 8.x and below, which I haven't tested.  But for Windows 10 & 11, it doesn't.

ALSO, this suggestion about adding the following to the registry doesn't appear to work, either:

Root: "HKLM"; Subkey: "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"; \
    ValueType: String; ValueName: "{app}\tomcat7w.exe"; ValueData: "RUNASADMIN"; \
    Flags: uninsdeletekeyifempty uninsdeletevalue; MinVersion: 0,6.1

For what it's worth, I also tested "~ RUNASADMIN", which is what actually gets added to the registry if you manually set that compatibility checkbox.

[Gavin Lambert]

On 1/04/2022 10:46, Stephen Greenfield wrote:
> Just for future reference, the above code does NOT appear to set that
> checkbox.  Perhaps it did for Windows 8.x and below, which I haven't
> tested.  But for Windows 10 & 11, it doesn't.
>
> ALSO, this suggestion about adding the following to the registry doesn't
> appear to work, either:
>
> Root: "HKLM"; Subkey: "SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\AppCompatFlags\Layers"; \
>     ValueType: String; ValueName: "{app}\tomcat7w.exe"; ValueData:
> "RUNASADMIN"; \
>     Flags: uninsdeletekeyifempty uninsdeletevalue; MinVersion: 0,6.1
>
> For what it's worth, I also tested "~ RUNASADMIN", which is what
> actually gets added to the registry if you manually set that
> compatibility checkbox.

Again, don't do it. Don't even try. There is no documented and
supported method to do it, and Microsoft deliberately break methods that
have been used in the past, because installers are never supposed to do
it in the first place.

The checkbox is there for *users* to work around *broken software*.
Don't release new broken software.

[Stephen Greenfield]

>Don't release new broken software

We aren't.  We're rebuilding a new installer for OLD broken software.

We have no ability to change or rebuild this particular program at the moment.  But we can improve some pain points for thousands of users so they all don't need to manually locate the executable and set the "Run as Administrator" checkbox.  If that checkbox exists for this particular use case, then we want to help those users out.

Your advice, and your cautions, are spot on -- please consider our use case is most unusual.

[Gavin Lambert]

On 1/04/2022 15:52, Stephen Greenfield wrote:
> We aren't.  We're rebuilding a /*new* installer/ for OLD broken software.

>
> We have no ability to change or rebuild this particular program at the
> moment.  But we can improve some pain points for thousands of users so
> they all don't need to manually locate the executable and set the "Run
> as Administrator" checkbox.  If that checkbox exists for this particular
> use case, then we want to help those users out.
>
> Your advice, and your cautions, are spot on -- please consider our use
> case is most unusual.

Your case was already solved though, since you said that you always run
the old software through a new launcher.

Either put an admin manifest on that launcher (such that the UAC prompt
will appear before starting the launcher), or modify your launcher code
to run the old software with ShellExecute("runas") (such that the UAC
prompt will appear when starting the old app).

Neither of these solutions requires messing with the shortcut checkbox.

[Stephen Greenfield]

>Your case was already solved though, since you said that you always run

>the old software through a new launcher.

OK -- you ARE correct. I've experimented with that approach, and I'm hoping that when I sign with an AuthentiCode (OV) certificate (ordered), I'll be able to make the very-scary-looking SmartScreen warning either go away, or be reduced to being not-so-scary.  I've heard that either 1) after some <n> number of users launch the signed app it will no longer put up the SmartScreen warning (just the normal elevated app warning), OR 2) that I can submit the finished installer/sign app(s) to Microsoft so that it stops flagging it (and just puts up the normal elevated warning).

Thanks for your guidance.

[Jaroslav Cap]

Unfortunately this method does not work properly on Innosetup 6.3. You need to replace both calls of Seek with setting the Stream.Position to required value.

Dne sobota 12. září 2020 v 13:31:14 UTC+2 uživatel Alex Born napsal:

[Gavin Lambert]

On Thursday, June 27, 2024 at 8:09:49 PM UTC+12 Jaroslav Cap wrote:

Unfortunately this method does not work properly on Innosetup 6.3. You need to replace both calls of Seek with setting the Stream.Position to required value.

You should not be using that method with any version of Inno.  It's completely the wrong thing to be doing in the first place.