
NSIS: Installing an Application to always Run as Administrator

I have an NSIS script that is working well for a large application. I have read many threads all over the web, but cannot get a clear answer to the following: is it possible to install an application using NSIS which, when launched (regardless of the type of user), automatically is run as administrator? If this is possible, how can it be achieved?

Note: I am already imposing that the NSIS package must be run as admin using

RequestExecutionLevel admin

I have tried writing the UAC requirement to the application's registry entry using this method, but I could not get the RUNASADMIN command to compile as it is not in the required format for NSIS.

MoonKnight asked Jan 11 '12 15:01



1 Answer

To ensure that the installer is running as administrator usually I recommend this little example:

Outfile RequireAdmin.exe
RequestExecutionLevel admin ;Require admin rights on NT6+ (When UAC is turned on)

!include LogicLib.nsh

Function .onInit
    UserInfo::GetAccountType
    Pop $0
    ${If} $0 != "admin" ;Require admin rights on NT4+
        MessageBox mb_iconstop "Administrator rights required!"
        SetErrorLevel 740 ;ERROR_ELEVATION_REQUIRED
        Quit
    ${EndIf}
FunctionEnd

Page InstFile

Section
SectionEnd

The installed application should perform similar steps if it always needs to run as admin. For a Win32 app that would be:

  • Add a requestedExecutionLevel element to the manifest with the level attribute set to requireAdministrator
  • Call IsUserAnAdmin or CheckTokenMembership to make sure you really are admin.

If by "automatically is run as administrator" you mean bypass the UAC elevation, then no, that is not really possible; the whole point of UAC is to allow the user to confirm/deny privileged operations! Some applications get around this by installing an NT service that performs whatever operation they require on behalf of the application. I would not recommend this because it fills the user's machine up with services and could weaken the security of the system if the service is not coded correctly.

If you did not write the application you are installing, then your options are a bit more limited. If the application does not have a manifest at all, you could use an external (myapp.exe.manifest) manifest.

Setting the RUNASADMIN string under the AppCompatFlags key is not really something the installer should be doing; those compatibility options are supposed to be controlled by the user, not applications.

The forum thread you linked to also tells you about two ways to set the SLDF_RUNAS_USER flag on a shortcut. This will not ensure that the application is started as admin in all situations, only when the application is started from the shortcut, but it might be your only option if you cannot change the application itself...

Anders answered Dec 08 '22 20:12
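Added example (not part of the question or the answer above): a release-time check that the manifest shipped with the application, whether embedded at build time or installed as an external myapp.exe.manifest, really declares requireAdministrator. The manifest texts and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The trustInfo section is seen under either of these namespaces in manifests.
TRUST_NAMESPACES = (
    "urn:schemas-microsoft-com:asm.v3",
    "urn:schemas-microsoft-com:asm.v2",
)

# Constructed sample: an external manifest (myapp.exe.manifest) of the kind the answer describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Constructed sample: a manifest with no trustInfo section at all.
LEGACY_MANIFEST = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) declared by the manifest, or None if it declares none."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for ns in TRUST_NAMESPACES:
        path = ".//{%s}requestedPrivileges/{%s}requestedExecutionLevel" % (ns, ns)
        elem = root.find(path)
        if elem is not None:
            return elem.get("level"), elem.get("uiAccess", "false")
    return None


def requires_admin(manifest_xml):
    """True only if the manifest explicitly requests requireAdministrator."""
    found = requested_execution_level(manifest_xml)
    return found is not None and found[0] == "requireAdministrator"
```

Running this against the manifest in the build output catches a package that ships without the elevation request, in which case the application's own IsUserAnAdmin or CheckTokenMembership check is the only thing left to stop an unelevated run.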