Stopping MSI from launching an EXE in the SYSTEM context

StackOverflow https://stackoverflow.com/questions/29760

Question

I've got a problem here with an MSI deployment that I'm working on (using InstallShield). We have a program running in the background that needs to run per-user, and it needs to start automatically without user intervention.

The problem is with Group Policy Object/Active Directory (GPO/AD) deployment the application is started in the SYSTEM context before anyone is logged in rather than as the user who is about to log in. The application can only run once per user, and it seems that the SYSTEM process prevents the USER process from starting. This means the PCs need to be rebooted twice before the software can be deployed to the users. How do we to stop this?

Basically the current workflow is:

  1. Installation/upgrade runs... kill background application
  2. Install new files
  3. Startup background application

This works for published applications and interactive MSI installations - it's only 'assigned' applications that seem to have the problem. As step 3 happens in the SYSTEM context rather than the user context :(

Ideally, I'd have the development team patch the EXE file to prevent launching in the SYSTEM context, but that's a release cycle away, and I'm looking for an installer-based solution for the interim.

(I don't know Installscript... So I'm guessing VBScript is probably the way to go if there's no native InstallShield stuff I can use.)

Was it helpful?

Solution

You can use the LogonUser property of Windows Installer as a condition to the action launching the EXE.

OTHER TIPS

I wouldn't rely on a Windows installer property to accomplish this. If I understand correctly you want to run an EXE file once per user - probably to set up user defaults? The only time you can guarantee that you are in the right context is when the user actually logs in. With the amount of impersonation going on these days in the average deployment scenario I just don't trust anything but a real user login as the correct stage to run EXE files.

There are too many problem sources: custom permission and priviledge lockdowns, terminal server lockdown, virtualization redirects, impersonation run by the deployment system, operating system overrides for registry writes etc...

Microsoft has a feature called Active Setup which will allow you to run "something runnable" once per user, on logon. This can be anything from a script to an executable. See my answer here for more details: Updating every profile's registry on Windows Server 2003

AHA! I knew there had to be a cleaner solution... the code I was working on was starting to look something like this:

On Error Resume Next 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'BackgroundProcess.exe'")
For Each objProcess in colProcessList
    colProperties = objProcess.GetOwner(strNameOfUser,strUserDomain)
    If strNameOfUser = "SYSTEM" Then    
        objProcess.Terminate()
    End If
Next
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top