Installing software as Admin?

Posted Wednesday, August 11, 2004 2:08 PM by bill

If you run as a least privilege user account, you will have probably noticed you generally can’t install software (other than xcopy deployment).  Don wrote about his experience of this recently, and I had exactly the same happen to me last week when I installed ActiveSync. Unfortunately the story with ActiveSync is a bit more nasty than most well behaved applications.

First you don’t get prompted to run the app, nope it just starts.  So if you ran the installer as Admin, ActiveSync runs as Admin, and next thing you know your pocket PC is syncing with your Admin account not your account (or at least trying to )  Worse, to kill that process you have to use Task Manager !

Software that wants to automatically run after install, really can’t do much about this. Even if it could attempt to work out which is the main UI identitiy, it would be fraught with “guessing” what your intentions are. 

The best approach is to NOT use RunAs to run the Admin account to install software. Either log out and log in as Admin, or elevate your own permission to Administrator for the installation process (note: you can do this per “process” !!).  The later is the way to do it in my books.  To find out more about the “MakeMeAdmin”, see Aaron Margosis' blog.

Filed under:

Comments

# re: Installing software as Admin?

Sunday, August 15, 2004 4:58 PM by bill

Amen, Bill! We're in the Middle Ages of Least Privilege, and running as Admin for installations is the only way to confidently go. But if you do that, be sure to take the option to install for use by all users. Otherwise only the Administrator will be able to run the new software. Sigh.

# re: Installing software as Admin?

Thursday, August 19, 2004 4:56 PM by bill

I have used runas (mostly via Shift-Right Click) to install most software in the last year or three (even Windows Update works!) and it seems to be only setup programs that wrap *.msi installations that cause the MSI install to run as the interactive user, not the one I started the exe as. This is often fixed by just extracting the .msi file (or just copying it before dismissing the error message) and then draging the file to the Administrator Command Prompt window I have minimimised most of the time.