0

I'm using a Visual Studio setup project together with my own C# bootstrapper project that guides the user through the installation of my software (on Windows 11).

My main problem is that I need admin rights for the very first intallation of the software to set some driver data. Afterwards, elevated rights are no longer needed.

The software is installed system-wide using InstallAllUsers=true to the program data folder. The software can be started by the user(s) without admin rights.

Is there any possibility to perform (automatic) updates for the software without needing elevated rights when it was installed by an admin?

[Edit 1]
I need the admin rights to set data for a driver in the registry in HKLM. Ideally, this would happen every time the program starts, but I want to avoid admin rights for my program. Setting it at the first installation caches nearly 95% of the devices. I have another program to set the data afterwards if necessary.

Improve this question
15
  • 3
    Any time you need to modify files in protected directories, you need to elevate to admin privileges; there is no way around this. If there were, an app would be able to do anything to your system once installed, which is super dangerous. Commented Nov 4 at 9:44
  • I'm not using protected directories. The app is installed to program data not to program files. I just need to run the setup as admin, because of the driver data. Commented Nov 4 at 9:46
  • If the app is installed system-wide, then you must be using protected directories. Commented Nov 4 at 9:47
  • C:\ProgramData is by default not writable for regular users. Commented Nov 4 at 9:54
  • 3
    IMHO the correct way would split the program into an installer that contains the driver only and thus requires requires admin permissions and the user part which installed into the user home. Commented Nov 4 at 10:12

1 Answer 1

Reset to default
3

If you install the software for the individual user you should not need admin permissions. This means that all the files should be installed to the %localappdata% folder, or some equivalent folder.

If you need to install some additional component the first time you can split your installer into two parts:

  1. One that only installs the software itself - "Installer"
  2. One that installs the software, and any additional dependencies - "Bootstrapper"

If you are using WiX these would use the Product and Bundle xml nodes respectively.

If you are doing an upgrade you only run the installer, not the bootstrapper. If you are doing automated updates you can just download and run the installer. You could also create your own automated update system if you prefer that approach. As long as your files are stored in a place that the user has write permissions for you should not need admin.

Or you could do the driver configuration thru a group policy that the administrators setup, and make the installer only install the actual software.

If you absolutely need to install the software for all users, the only way to do automated updates is to cheat. You can use your admin permissions during the initial install to change the permissions for your installation directory to allow write access for non admin users. But I would strongly discourage this approach, since it has inherent security issues. It is far better to either install per user, or let the system administrators deploy updates.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

The administrator will love this too - they'll be able to deploy and upgrade any drivers themselves through Group Policies.
I'm using Visual studio setup project. Thats not very nice to handle. I think I need a second bootstrapper thats not using admin rights for the updates. And I already have a working per user installation, but then the app has to be installed for every user by an admin (or am I wrong here?). My admin just asked if there is also the possibility for a system wide solution like it's used by firefox or spotify.
It should be possible to push out software updates with a group policy as long as it is packed as a msi-file. That way the administrators should have full control over what version is running. If you have a separate tool to configure the driver that could be run once on each machine by the Admin (or by group policy). The software itself could then be installed and updated by the users. I'm not sure how firefox handles updates, but I think steam at least used to just change the permissions for the folder to allow non-admin installations.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.