Error 1730 - what am I missing?

Steven Murray

I'm trying to push out updates of an application and I
keep getting error 1730 - You must be an Administrator to
remove this application.

According to the MSI documentation, if I set the HKLM
AlwaysInstallElevated key to 1, and the Current_User
equivalent key is not 1, then the installer will have
elevated privileges for managed applications, and the
user's privileges for non-managed applications.

So, I set the HKLM key to 1. The Current_User keyword
doesn't exist, so I left it that way. However, the update
still fails with the same results (unless the user has
admin rights to the machine, of course - which most of our
users don't).

The documentation says a managed application is an
application where elevated privileges were used to install
the application and where it is a per-machine installation.

I did the initial install (I have admin rights), but the
updates to the application still fail with the same error
message if the user is not also an admin.

What am I doing wrong? Or is the documentation wrong?
TIA.
 
Chris Gouge [MSFT]

It is not 100% clear to me exactly what your scenario is, but I can throw out
some ideas.

First - AlwaysInstallElevated is a very dangerous policy to set since it is
global (for all MSI packages). You seem to be aiming for a secure environment
(since you say that most users are not admins) so you should NOT be setting this
policy. If the policy is ever set on a machine, it is not your machine anymore -
a nefarious user can simply wrap their hacker DLL in an MSI package and install
it to any location on the system. Even if you remove the AlwaysInstallElevated
policy, it is too late and the hacker DLL is still on the system. I would
recommend NOT using this policy.

Second, the AlwaysInstallElevated policy is basically an OR of two policies -
user and machine. Only if BOTH are set will the policy take effect, and when
enabled it affects ALL applications. Setting HKLM's copy and not HKCU's copy
means nothing policy-wise (except that you have opened your machine to hack,
since users can control their own registry and can thus set their own
AlwaysInstallElevated policy at their own whim.) When the policy is set in BOTH
locations, all applications install with elevated privileges. The normal state
is that managed applications can install with elevated privileges and
non-managed applications install with user privileges. Note that this is not the
same thing as having permission to uninstall the application. Managed apps are
controlled by the admin (that's why they are managed) and non-admin users cannot
uninstall managed applications.

I'm not certain how you are performing this update, but for the sake of
explanation let's say that it's just a simple batch file which uninstalls the old
copy and installs the new copy. If that's true, then when you try to uninstall
the application as a non-admin the uninstall will be blocked. Only one of the
two policies is set (the HKLM copy), so the uninstall runs with user rights, and
users can't uninstall managed per-machine applications.

There are several ways that you can approach this problem without resorting to
the dangerous AlwaysInstallElevated policies. The best way is to use a software
deployment tool designed to manage applications. Then you can have the
deployment system uninstall the old version and install the new version.
Alternately, it could simply advertise the new version (making it a managed
application) and the user could then install at his/her convenience. Since the
app is managed it will install with elevated privileges and should be able to
remove the older version.

-Chris Gouge
Microsoft Windows Installer Team

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

MSI FAQ:
<http://www.microsoft.com/windows2000/community/centers/management/msi_faq.asp>
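
The following read-only audit is an added example, not part of the original thread or Microsoft's own code: it reports the state of AlwaysInstallElevated in the machine hive and in every loaded user hive, so a machine where the HKLM copy was set (as in the question) can be found and cleaned up. The registry subkey used is the standard Windows Installer policy location, which the thread itself does not spell out.

```powershell
# Audit AlwaysInstallElevated in HKLM and in every loaded user hive.
# Read-only: nothing is changed.
# Assumption: standard Windows Installer policy subkey (not quoted in the thread).
$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$valueName }
    return $null
}

$machine = Get-PolicyValue "Registry::HKEY_LOCAL_MACHINE\$subKey"

# HKEY_USERS holds one subkey per loaded profile; skip the *_Classes hives.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }

$report = foreach ($hive in $userHives) {
    $user = Get-PolicyValue "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    [pscustomobject]@{
        Sid          = $hive.PSChildName
        MachineValue = $machine
        UserValue    = $user
        # The policy takes effect only when both copies are 1.
        Effective    = ($machine -eq 1 -and $user -eq 1)
        # Machine copy alone: the state described in the question above.
        MachineOnly  = ($machine -eq 1 -and $user -ne 1)
    }
}

$report | Format-Table -AutoSize

if ($machine -eq 1) {
    Write-Warning "HKLM $valueName is 1. Remove it and review MSI installs made while it was set."
}
```

Run it from an elevated prompt so that other users' loaded hives under HKEY_USERS are readable; profiles that are not loaded at the time are not covered.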
 
