Tuesday, November 06, 2007

Installing msi on Vista without UAC prompts

I've been using VS2005 to create an .msi to install on Vista without UAC prompts. The installer is fairly simple and there is no real reason for a UAC prompt, as the files are not being installed to any system folders. However, msi files always UAC prompt on Vista unless specifically told not to.

Msiinfo.exe allows you to modify an msi file. In the example below I'm setting a flag to indicate that the msi file does not need to UAC prompt. This flag is only read when the file is installed on Vista.

I've added the following PostBuildEvents to the VS2005 Deployment project.

rem ----------------------------------------------------------
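rem First set flag to indicate no UAC on Vista
rem -w writes the Word Count Summary property:
rem 10 = 2 (compressed) + 8 (elevated privileges not required)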
rem ----------------------------------------------------------
"C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\msiinfo" "$(BuiltOuputPath)" -w 10


rem ----------------------------------------------------------
rem Code sign the msi file
rem ----------------------------------------------------------
"C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe" sign /f "$(ProjectDir)CodeSignKey.pfx" /p mypassword /d "Product Name" /du "http://www.productURL" /t "http://timestamp.comodoca.com/authenticode" "$(BuiltOuputPath)"


rem ----------------------------------------------------------
rem Code sign the setup.exe file
rem ----------------------------------------------------------
"C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe" sign /f "$(ProjectDir)CodeSignKey.pfx" /p mypassword /d "Product Name" /du "http://www.productURL" /t "http://timestamp.comodoca.com/authenticode" "setup.exe"


msiinfo.exe is available in the Windows SDK Components for Windows Installer Developers.

signtool.exe is available with Microsoft Visual Studio 2005/.NET Framework 2.0.

CodeSignKey.pfx is a code signing certificate. I bought mine from http://www.instantssl.com/code-signing/code-signing.html. This file must be manually exported from Internet Explorer 7 if you used Vista to purchase a code signing certificate. In this example I've put the pfx file in the same folder as the project .vdproj file.

mypassword is the password used when exporting the CodeSignKey.pfx from Internet Explorer. When you buy a code signing certificate using Vista it gets automatically installed into your Personal Certificates store in Internet Explorer. This article describes how to export this certificate so it can be used by SignTool: http://www.tech-pro.net/export-to-pfx.html

Product Name is the name of your installer. This is displayed along with the company name when you execute setup.exe.

http://www.productURL is a URL that can be used to get more info on the product.

http://timestamp.comodoca.com/authenticode is the URL of the Comodo time server. Certificates are valid for one year, so it's important to time stamp the file when it is created. This allows the file to be protected forever. If the file was not time stamped it would stop running when the certificate expired.

When installing on Vista, launch the .msi file without using setup.exe. Any program called setup.exe automatically UAC prompts on Vista, wiping out all the good work above.

Once you have done all this you can launch the msi file and not have to worry about it UAC prompting. In a corporate environment it is a real pain to have to enter an admin password whenever someone wants to install a program. Preventing UAC when it is not required makes the process much easier.
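
A check to run on the built file after the post-build events above, as an added example that is not part of the original post: it reads the Word Count Summary property that msiinfo -w writes and confirms that the signature applied by signtool is valid and timestamped. The parameter name MsiPath and the helper Get-ComProperty are assumptions made for this example; it needs PowerShell on Windows.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath   # assumption: path to the built .msi, supplied by the caller
)

$MsiPath = (Resolve-Path -LiteralPath $MsiPath).ProviderPath

# The Word Count Summary property is property ID 15 of the summary information stream.
$PID_WORDCOUNT = 15

# Meaning of each bit in the Word Count Summary property.
$flags = @{
    1 = 'short file names'
    2 = 'compressed source'
    4 = 'administrative image'
    8 = 'elevated privileges not required'
}

function Get-ComProperty($obj, [string]$name, [object[]]$comArgs) {
    # Late-bound call: PowerShell does not always resolve indexed COM properties directly.
    return $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $comArgs)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$summary   = Get-ComProperty $installer 'SummaryInformation' @($MsiPath, 0)  # 0 = read-only
$wordCount = [int](Get-ComProperty $summary 'Property' @($PID_WORDCOUNT))

$set = $flags.Keys | Sort-Object |
    Where-Object { $wordCount -band $_ } |
    ForEach-Object { $flags[$_] }
Write-Output ("Word Count = {0} ({1})" -f $wordCount, ($set -join ', '))

# Authenticode signature and timestamp, as applied by signtool with /t.
$sig         = Get-AuthenticodeSignature -FilePath $MsiPath
$timestamped = $null -ne $sig.TimeStamperCertificate
Write-Output ("Signature status: {0}" -f $sig.Status)
Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
Write-Output ("Timestamped: {0}" -f $timestamped)

$noElevation = ($wordCount -band 8) -ne 0
if (-not ($noElevation -and $sig.Status -eq 'Valid' -and $timestamped)) {
    Write-Output 'FAIL: missing no-elevation flag, valid signature, or timestamp.'
    exit 1
}
Write-Output 'OK'
```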