Application Compatibility: UAC: Application Update Guidelines
User Account Control: Application Update Guidelines
Feature Impact
Medium
Brief Description
Many existing applications incorporate update functionality. The goal of embedding update functionality is to ensure that the client is running the most up-to-date binary that the independent software vendor (ISV) can offer.
Some applications require more privileges than those of a standard user when they perform their updating functions. For example, the per-machine files that were laid down during installation often need to be serviced. Under the User Account Control (UAC) model for running and installing applications, only the elevated administrator in Admin Approval Mode has sufficient privileges to perform these actions.
Windows Vista® and Windows Server® 2008 include built-in Installer Detection heuristics that detect many application updaters correctly and elevate the updater process so that the update completes successfully. However, a few areas remain where application updates cannot be completed successfully:
Out-of-process updaters not detected—updaters that are not detected through Installer Detection heuristics.
Multi-purposed executable programs and in-process updates—overloaded executable programs that perform more than one operation. For example, the binary is both the main application and the updating application, or the multi-purposed executable program runs as a thread within the application.
Manifestation
Application update functionality fails.
Remedies
Out-of-Process Updaters Not Detected
This issue could occur within any enterprise and could result in that enterprise requiring an application to be run with Administrator privileges. If an application updates itself by using a separate process that is not detected through Installer Detection heuristics, this separate process should be marked as requiring Administrator privileges using App Fix.
Updaters that do not work as a standard user prevent an enterprise from running with least privilege. Therefore:
The updater should be written as a separate process with a desired run level of Requires Administrator.
This process should only execute when necessary for updating purposes.
Checking for whether the program needs updates should be done as the user.
Multipurpose Executable Programs and In-Process Updates
On Windows Vista and Windows Server 2008, there is not a good way to create a multipurpose executable program that performs updates because it is not possible to toggle the state under which an executable program runs. Consequently, the executable program will always have to run as Administrator. Instead, applications should follow one of the following methods to perform updates.
Using Patching Technology in MSI
MSI is a key installer technology because it provides the ability to manage updates for you. The latest versions of Windows Installer, InstallShield, Wise for Windows Installer, and so on support this method.
The main advantage of this method over the others is that it works for a standard user and keeps the system secure. It provides a better user experience because the standard user does not have to ask an Administrator to install the patch or request permanent Administrator privileges to run the application.
Use MSI to create your initial installer and embed a certificate in the MsiPatchCertificate table.
Create an update for your application and sign it with the previously specified certificate.
MSI will perform the elevation for the application when applying the patch.
Using Other Custom Installer Mechanisms
This method is discouraged for the enterprise environment because it will prohibit the user from running as a non-Administrator.
The updater should be written as a separate process with a desired run level of Requires Administrator. This process should execute only when necessary for updating purposes. Checking for whether the program needs updates should be done as the user.
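The split described here and under "Out-of-Process Updaters Not Detected" can look like the following C# sketch, which is an added example and not code from the original page. The class name, the updater path and the package path are hypothetical; the sketch assumes the updater executable carries its own application manifest.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;

// Hypothetical names throughout: UpdateLauncher, the updater path and the
// package path are assumptions made for this example.
static class UpdateLauncher
{
    // Win32 error returned when the user dismisses the UAC prompt.
    const int ERROR_CANCELLED = 1223;

    // Runs inside the main application (manifest level "asInvoker"), as the
    // standard user. Comparing versions needs no administrative rights.
    public static bool UpdateAvailable(Version installed, Version offered)
    {
        return offered > installed;
    }

    // Starts the separate updater only when an update is pending. The updater
    // executable carries this line in its application manifest:
    //   <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
    // so the shell raises the UAC prompt for that process alone.
    public static bool RunUpdater(string updaterPath, string packagePath)
    {
        var psi = new ProcessStartInfo(updaterPath)
        {
            // The path comes from an unelevated process, so the elevated
            // updater should verify the package signature before applying it.
            Arguments = "\"" + packagePath + "\"",
            // ShellExecute honours the manifest; with CreateProcess the start
            // fails with ERROR_ELEVATION_REQUIRED (740) instead of prompting.
            UseShellExecute = true
        };
        try
        {
            using (Process updater = Process.Start(psi))
            {
                updater.WaitForExit();
                return updater.ExitCode == 0;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ERROR_CANCELLED)
        {
            return false; // user declined elevation; the application stays unelevated
        }
    }
}
```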
Updating While Running as a Standard User Application
Updating can occur as a standard user when using ClickOnce technology. Again, this installation platform allows the user to deploy applications within it and handles the updating for the application writer.
Links to Other Resources
Deploy and Update Your Smart Client Projects Using a Central Server
The following videos about Windows Vista User Account Protection are designed to help developers understand and write code:
Part 1 (watch video)
Part 2 (watch video)
Part 3 (watch video)
Part 4 (watch video)
Part 5 (watch video)
User Account Control Application Compatibility Toolkit (watch video)
User Account Control Demo (watch video)