I have an application running on x64 windows2008. Installation and uninstallation running well, because Windows ask me for allowance – UAC is enabled.

The problem I have is in maintenance mode: there, windows didn’t ask me to elevate –allow installation and so some custom actions failed with permission issues.

I have set a .msi package to install for all users (ALLUSERS=1). Also, the package is set to be run only with privileges – property Privileges = 1.

What I need to set to ask me for allowance in maintenance mode?

Thanks in advance.



0 Comments   [ + ] Show Comments


Please log in to comment



This is expected behavior built into the Windows Installer service that ships with Windows. Since a per-machine (managed) installation required admin privileges to be installed, a successful install of such a package indicates it was approved by an administrator on the machine. Therefore, subsequent maintenance operations (except for a full uninstall) will not present a UAC prompt (MSI always runs in the LocalSystem context, and therefore can perform any modification to the system as needed; it impersonates a launching user when user privileges/context are needed).

you will need to contact microsoft to ask for this feature request...( good luck;-)


 by installing the package you are building  in a per-user context. This can be done by deleting the ALLUSERS property from the Property Manager, and anything else in the package that might set the ALLUSERS property to a value of 1 or 2 (the CustomerInformation dialog's Next button behavior will also need to be changed to not set ALLUSERS).

Answered 05/15/2013 by: jaybee96
Red Belt

  • source of information : (GOOGLE) http://community.flexerasoftware.com/showthread.php?193420-UAC-in-Maintenance(Change)-Mode
  • Thank you jaybee96 for the answer.
    I have per machine installation! The problem I have is that during Maintenance mode in an immediate phase when deferred phase was finished, some custom action failed with "access denied" or "permissions denied" error.
    I suppose that LocalSystem account should have permissions to remove some files from the file system, so obviously installation is not run under LocalSystem account. Also, start/stop the services (I cannot user regular MSI mechanism to do that) doesn’t work. The same permissions error.
    In regular installation/uninstallation there is no problem because UAC pop-up “allow†dialog and permit to run elevated.
    Any suggestion?
    Thanks in advance.
  • (custom) actions that make changes on system needs to be placed in Deferred ( between InstallInitialize and InstallFinalize) , this way the System Account will execute these actions for you. Immediate actions are run in User context.
  • Thanks for answer.
    Yes I know that, but during deferred phase I have limited number of properties and I need to do somekind of workaround: for example first put properties into registry and during deferred phase read their values from there instead from memory.
    This is not just what I want to do - more code more possibilities for failures. Also, the installation will be slower.
  • if you want to reuse PUBLIC properties, you can use the SecureCustomProperties Property.. just add your Properties there and you are able to reuse them later ( after InstallFinalize ) eg. ProductCode which is needed for uninstall action (Major Upgrade)
  • Hi again.
    Actually that's my first implementation where I got those permission denied stuff.
    Currently I solved the issue by moving problematic action to deferred phase with elevated permissions. This is not the 100% OK because in a log file it is seen a password from one property.
    Anyway, currently works!

    Thanks for information.

    Best regards,
  • Use Hidden Property trick to avoid to see this in Log:
  • I know that trick.
    But in my case doesn't work: I have a deferred custom action which is declared to run a command declared in a property table. As one of arguments for the command I have to quote also a property which represents a password.
    During installation there's whole command recorded in a log file - all properties are expanded even that my password property in quoted also in MsiHiddenProperty property. Also, I run the custom action as deferred action (because of elevation right) and these kind of actions are specially recorded in a log file.
    Using this trick works in all other cases - the value of "hidden" properties are represented by dots.

    Best regards,
Please log in to comment
Answer this question or Comment on this question for clarity