Run application updates with non admin users

Question

I'm using a windows installer package to distribute a winforms application to several clients and because some of them have changed their security policies I need to figure out a way to run the application updates (through the installer) for users without administration rights.

Find below some information regarding the update process: - The installer is created using InstallAware - During the update process the old version is uninstalled and the new version is installed. - The installer needs admin rights because it writes to the registry and installs some windows services. - The application is installed in the program files folder.

At this moment the solution that I'm implementing is create a new scheduler task, that runs a simple console application that check for new updates and if a new version exists it downloads the installer and executes it in silence mode (the entire installation will execute silently, without a user interface, or any user intervention. The default values of dialog controls will be used).

Some consideration about this solution: - It's difficult to handle possible errors during the update process. - It's not possible to alert the user that a update process is running (because the scheduler tasks runs with a different user is not possible interact with the logged user).

Has anyone ever implemented anything similar? Is this the best way to achieve my goal?

Answer 1

If the updates are patches, and you meet a certain set of requirements regarding the first install of the product and sign both the MSI and the patches there is a mechanism for limited users to apply patches, UAC Patching described here:

http://msdn.microsoft.com/en-us/library/aa372388(v=vs.85).aspx

If you search for LUA Patching (its original name) or Least-privilege patching there's more info out there, although it's fairly obscure. If the security policies that they have in place include setting DisableLUAPatching then you won't be able to use it.