Legacy application installations

We have a number of applications that we have built installation packages to
minimize the questions asked of the installer. These are typically .bat or
..cmd files that call the Windows Installer or setup.exe with a set of
paramaters.

With the Vista security model most of these fail to execute successfully.
We have tried to run these with the "run as administrator" but that does not
help.

One simple example is a bat file that just calls msiexec, which works fine
in XP, but does not in Vista:
msiexec.exe /i "{path to .msi}" /qn /l* "{path to log file}"
If we run the msi directly it works.

Any suggestion would be appreciated.

Dear Customer,

Thank you for posting in newsgroup.

According to the description, the issue happens on Windows Vista but not on
Windows XP. If I have any misunderstanding, please feel free to let me know.

Before we move on, I would like to confirm some information with you
firstly.

Information Needed:
======================

1. Did you fail to run the "msiexec" command with the local administrative
right or the ordinary domain user right on the problematic Windows Vista
computer?

2. What is the detailed error message when you fail to execute the
corresponding command on the problematic Windows Vista computer?

Analysis and Suggestion:
========================

As you descript, the simple example can work fine in Windows XP, but not in
Windows Vista. Based on the experience, this may be an UAC compatibility
issue. Many legacy programs will not run in Windows Vista unless we disable
UAC completely. This behavior frequently occurs when one program starts a
second program. For example, programs that have an update feature sometimes
cannot run unless UAC is disabled. We can run the program as an
administrator. However, the update feature tries to start even though it
does not have administrative permissions. When this behavior occurs, UAC
prevents the update feature from starting.

I would like to suggest that you perform the following steps to disable UAC
on the Windows Vista box, and then check if the issue will re-occur.

1. Open the Control Panel from the Start menu and select Classic View.

2. Double-Click User Account

3. Under "Make Changes to Your User Account" click the link labeled "Turn
User Account Control on or off"

4. Click Continue when prompted "Windows needs your permission to continue"

5. Un-select the check box next to "User Account Control (UAC) to help
protect your computer" and then click OK.

6. When prompted top restart your computer select Restart Now

For more information about UAC, please refer to:

Windows User Account Control Step-by-Step Guide
http://technet2.microsoft.com/Window...-8514-4c9e-ac0
8-4c21f5c6c2d91033.mspx?mfr=true

Hope it helps.

I wait for your reply. Thanks.

David Shen
Microsoft Online Partner Support

1. Did you fail to run the "msiexec" command with the local administrative
right or the ordinary domain user right on the problematic Windows Vista
computer?
The batch file was executed with Admin rights. This failed. (note that the
batch file itself contained no commands to elevate rights).

The .msi file was also executed with Admin rights. This worked.


2. What is the detailed error message when you fail to execute the
corresponding command on the problematic
The error message is: No permissions to write to 'All Users'

Note that I believe that the UAC is enforced by Group Policy and therfore I
can not disable it.
"David Shen [MSFT]" wrote:

Quote:

> Dear Customer,
>
> Thank you for posting in newsgroup.
>
> According to the description, the issue happens on Windows Vista but not on
> Windows XP. If I have any misunderstanding, please feel free to let me know.
>
> Before we move on, I would like to confirm some information with you
> firstly.
>
> Information Needed:
> ======================
>
> 1. Did you fail to run the "msiexec" command with the local administrative
> right or the ordinary domain user right on the problematic Windows Vista
> computer?
>
> 2. What is the detailed error message when you fail to execute the
> corresponding command on the problematic Windows Vista computer?
>
> Analysis and Suggestion:
> ========================
>
> As you descript, the simple example can work fine in Windows XP, but not in
> Windows Vista. Based on the experience, this may be an UAC compatibility
> issue. Many legacy programs will not run in Windows Vista unless we disable
> UAC completely. This behavior frequently occurs when one program starts a
> second program. For example, programs that have an update feature sometimes
> cannot run unless UAC is disabled. We can run the program as an
> administrator. However, the update feature tries to start even though it
> does not have administrative permissions. When this behavior occurs, UAC
> prevents the update feature from starting.
>
> I would like to suggest that you perform the following steps to disable UAC
> on the Windows Vista box, and then check if the issue will re-occur.
>
> 1. Open the Control Panel from the Start menu and select Classic View.
>
> 2. Double-Click User Account
>
> 3. Under "Make Changes to Your User Account" click the link labeled "Turn
> User Account Control on or off"
>
> 4. Click Continue when prompted "Windows needs your permission to continue"
>
> 5. Un-select the check box next to "User Account Control (UAC) to help
> protect your computer" and then click OK.
>
> 6. When prompted top restart your computer select Restart Now
>
> For more information about UAC, please refer to:
>
> Windows User Account Control Step-by-Step Guide
> http://technet2.microsoft.com/Window...-8514-4c9e-ac0
> 8-4c21f5c6c2d91033.mspx?mfr=true
>
> Hope it helps.
>
> I wait for your reply. Thanks.
>
> David Shen
> Microsoft Online Partner Support
>
>

Dear Customer,

Based on the research of the error message and my test, you use the syntax
/qn which means Quiet mode installation. In this way, the command won't be
aware of the elevation to administrative right. When an application is
installed silently, users are not prompted to elevate right.

Analysis:
===========

When we install the programs applications designed to deploy software, and
most write to system directories and registry keys. These protected system
locations are typically writeable only by administrator users; this
restriction means that standard users do not have sufficient access to
install most programs. Windows Vista detects installation programs and
requests administrator credentials or administrator approval in order to
run with access privileges. Windows Vista also detects update and
un-installation programs. A design goal of UAC is to prevent installations
from being executed without the user's knowledge and explicit consent since
installations write to protected areas of the file system and registry.

Suggestion:
============

In this way, I would like to suggest that you disable the UAC feature via
Group Policy management console on the DC.

1. If you use AD-based GPO, please open Group Policy Management Console
(Start > Run > gpmc.msc) from a Windows Server that is a member of the
domain. In the GPMC window, browse to the required GPO that is linked to
the OU or domain where the Vista computers are located, then edit it.

2. In the Group Policy Editor window, browse to Computer Configuration >
Windows Settings > Security Settings > Local Policies > Security Options.

3. Scroll down and double-click "User Account Control: Run all
administrators in Admin Approval Mode" In Properties dialog box, click
Disabled, and then click OK.

4. Scroll down and double-click "User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode", select
"Elevate without prompting" and then click OK.

5. Scroll down and double-click "User Account Control: Detect application
installations and prompt for elevation", click Disabled, and then click OK.

6. Scroll down and double-click "User Account Control: Only elevate
UIAccess applications that are installed in secure locations", click
Disabled, and then click OK.

7. If possible, you may right click the .bat file and click "Run as
Administrator" to manually elevate the permission.

Afterwards, you may check if the issue will re-ocurr.

Hope the issue will be resolved soon.

David Shen
Microsoft Online Partner Support

I will try changing the /qn option to see if that helps.
I do not have GPO rights so I can not make the suggested changes in the GPO
editor.
- Mike

"David Shen [MSFT]" wrote:

Quote:

> Dear Customer,
>
> Based on the research of the error message and my test, you use the syntax
> /qn which means Quiet mode installation. In this way, the command won't be
> aware of the elevation to administrative right. When an application is
> installed silently, users are not prompted to elevate right.
>
> Analysis:
> ===========
>
> When we install the programs applications designed to deploy software, and
> most write to system directories and registry keys. These protected system
> locations are typically writeable only by administrator users; this
> restriction means that standard users do not have sufficient access to
> install most programs. Windows Vista detects installation programs and
> requests administrator credentials or administrator approval in order to
> run with access privileges. Windows Vista also detects update and
> un-installation programs. A design goal of UAC is to prevent installations
> from being executed without the user's knowledge and explicit consent since
> installations write to protected areas of the file system and registry.
>
> Suggestion:
> ============
>
> In this way, I would like to suggest that you disable the UAC feature via
> Group Policy management console on the DC.
>
> 1. If you use AD-based GPO, please open Group Policy Management Console
> (Start > Run > gpmc.msc) from a Windows Server that is a member of the
> domain. In the GPMC window, browse to the required GPO that is linked to
> the OU or domain where the Vista computers are located, then edit it.
>
> 2. In the Group Policy Editor window, browse to Computer Configuration >
> Windows Settings > Security Settings > Local Policies > Security Options.
>
> 3. Scroll down and double-click "User Account Control: Run all
> administrators in Admin Approval Mode" In Properties dialog box, click
> Disabled, and then click OK.
>
> 4. Scroll down and double-click "User Account Control: Behavior of the
> elevation prompt for administrators in Admin Approval Mode", select
> "Elevate without prompting" and then click OK.
>
> 5. Scroll down and double-click "User Account Control: Detect application
> installations and prompt for elevation", click Disabled, and then click OK.
>
> 6. Scroll down and double-click "User Account Control: Only elevate
> UIAccess applications that are installed in secure locations", click
> Disabled, and then click OK.
>
> 7. If possible, you may right click the .bat file and click "Run as
> Administrator" to manually elevate the permission.
>
> Afterwards, you may check if the issue will re-ocurr.
>
> Hope the issue will be resolved soon.
>
> David Shen
> Microsoft Online Partner Support
>
>

Hello Mike,

Thanks for the reply.

For the further research, besides changing the /qn option to see if that
helps, you may also try with the following steps to check if the batch file
can work on Windows Vista box.

1. Find and locate the batch file that contain the corresponding
msiexec.exe command line on the Windows Vista box.

2. Right-click on the batch file and select "Run as administrator".

3. When the system popup with "User Account Control" dialog box, if
possible, please just input the domain admin's credential of local
administrator's credential to elevate the permission to run the batch file.

Hope it helps.

David Shen
Microsoft Online Partner Support

Dear Customer,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

David Shen
Microsoft Online Partner Support

Sorry it took so long to get back to you.
In short, we have not found a way to use the command file to start the
install.
Running (with admin) the .msi is the only way it works correctly.
Details follow:
------------------------------
Well I confirmed the symptoms I saw before, if you use /qn the bat file
fails to inherit permissions; /qb gets the permissions but will not process
all the possible input screens, such as whether or not to post a desktop icon
in this case it defaulted to not, who know what screens would be bypassed for
other apps; /qr will install the app but for some reason will not process all
the msi settings; /q does not have permission to even start.


-------------------------------

"David Shen [MSFT]" wrote:

Quote:

> Dear Customer,
>
> I am just writing to see how everything is going. If you have any updates
> or need any further assistance on this issue, please feel free to let me
> know. I am glad to be of assistance.
>
> David Shen
> Microsoft Online Partner Support
>
>

Hello Mike,

Thanks for the reply.

Since you don't have permission to modify the GPO settings, I would like to
suggest that you disable UAC on each client manually by performing the
following steps:

1. Logon the system as administrator

2. Open "Control Panel\User Accounts", and then choose "Turn user Account
Control on or off"

3. Un-select the Checkbox of "Use User Account Control (UAC) to help
protect your computer"

4. Click on Ok and then reboot the computers.

5. Then you may the command line to check if you can install the msi file
with non-administrator account.

Hope it helps.

David Shen
Microsoft Online Partner Support

David,
We are testing our processes to see what we need to modify to migrate to
Vista.
In a production, we are not allowed to turn off UAC.
The installer does have admin privileges on the individual pc, but the
installation only works properly if we run the MSI directly, not if we run
the command file. And the only thing the command file does is to call msiexec
with the appropriate parameters.
- Mike

"David Shen [MSFT]" wrote:

Quote:

> Hello Mike,
>
> Thanks for the reply.
>
> Since you don't have permission to modify the GPO settings, I would like to
> suggest that you disable UAC on each client manually by performing the
> following steps:
>
> 1. Logon the system as administrator
>
> 2. Open "Control Panel\User Accounts", and then choose "Turn user Account
> Control on or off"
>
> 3. Un-select the Checkbox of "Use User Account Control (UAC) to help
> protect your computer"
>
> 4. Click on Ok and then reboot the computers.
>
> 5. Then you may the command line to check if you can install the msi file
> with non-administrator account.
>
> Hope it helps.
>
> David Shen
> Microsoft Online Partner Support
>
>