UAC in MSI Notes: The NoImpersonate Bit Mistake
This is the twelfth in a series of notes about UAC in MSI. Per the earlier caveat, these are just my notes and not an official position from the Windows Installer team. The previous entries
- Architecture Insights
- Common Package Mistakes
Server Custom Actions Modifying the System
Given the pre-Vista operating systems did not enforce the architectural intent to that modifying the system requires the NoImpersonate bit set on a custom action in the InstallExecuteSequence, application compatibility testing found a number of packages that had custom actions failing. Here's the "saw tooth" diagram I draw on my whiteboard to illustrate this mistake.
With the permissions changes in the context of UAC, the server-side custom actions inside are script are executed as Standard User by default causes the Application Compatibility problems to show up. The green circle is where this mistake is generally made. Unlike the previous common custom action mistakes, mitigating this problem does not require moving the custom action. This mistake is generally mitigated by the package author flipping the NoImpersonate bit on the custom action.
Conversations Around this Mistake
If the custom action is logging its errors, the trick is to look for an error code that translates to Access Denied.