Is it possible to see which permissions an application installer needs while it is running? I'm thinking sort of like a debugger or monitor to see what windows is checking for.
The situation is that we have an in-house developed windows app that updates itself regularly, and users have always been running under local admin accounts so that this update works. I find that to be a bit too much for my liking and would like to grant only the necessary permissions for this installer to work properly.
It may be impossible for me to change the behavior of the installer, or to even examine the steps that it is taking directly.
Is it possible to see exactly which permissions windows is stopping at while running this installer?
I've been able to determine that the installer needs write access to C:\Windows and C:\Windows\System32 because of specific error messages, but after that, it stops at a rather generic "You do not have access to make the required system configuration modifications. Please rerun this installation from an administrators account."
Yes, it's called Process Monitor from SysInternals (now part of MS), and it's a godsend.
Also, get your management to buy off on this idea, and make your devs/QA test this crap as regular users on test systems, so that they're not making you do more work to fix their mistakes.
Rather than figuring out the perfect permissions, you could launch the update process using the "runas" utility
OK, so other than the idea of Process Monitor to find the required permissions, or
RunAsto provide the administrative permissions, you could always run the updater in a system context to avoid the whole mess, couldn't you?Use AD startup scripts or software installation settings to run the updater under a system context, or instead of setting the updater service to run under user context, change it to run as
NTAUTHORITY\Local ServeiceorSYSTEM. Also easily achieved through a GPO or script.