[SOLVED] InstallForge changing all write permissions to Admin Only

You have trouble using InstallForge? Then this is the right place for you.
Post Reply
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Hi,
I have a 64-bit, Windows 11 Pro laptop.

I have written an application in python (using PyQt6) that has close to 500 data files. The app has an integrated editor to modify these data files, so being able to read and write to the files is central to the application's function.
I bundled everything up using pyinstaller, and verified that the app operates fine from the .exe file that pyinstaller created for me. The next step was to use InstallForge to bundle everything into a nice, tidy installation utility.

InstallForge successfully creates the setup utility (including the desktop icon). However, when I launch the app, everything works fine until I try to edit a data file and save it. At that point the app shuts down silently.
The lack of error message is on me. I coded my app to fail silently. Still, WHERE it crashed was highly suggestive; so I examined the data files permissions and, sure enough! InstallForge changed ALL security permissions to Administrator Only, (and added additional security classes.)

To verify that this was the problem, I ran the app as an administrator: It ran, edited and saved just fine. But it is a source of frustration to ask my users to remember to launch the app in administrator mode, (as well as a potential security risk to give them all that ability.) Next, I altered the user permissions on ONE data file to allow full user access. This fixed the issue, confirming that changes made by InstallForge are indeed at fault. In theory I could write an app to change all 500 file permissions back, but this is a very clunky work-around that complicates the installation process. Is there a better solution?

Possible fixes.
A.) Is there a way to prevent InstallForge from changing the permissions of my data files as it bundles and compresses everything into the setup utility?
B.) Or is there a way to have InstallForge set the security level of the app to 'Run as Administrator' automatically and every time the app launches?
C.) Or is there some other option to allow my app permission to have access to create, delete, edit it's own data files?

Obviously, option A is the way to go if it can be done.
Option B is a hassle for my users, and I can see where it could be a huge potential security risk. There are plenty of bad actors out there.
Option C? Well, I found a recent post by Soner in the "setup without admin privilege" thread, where he suggested editing the .manifest files in the 'res' sub folder, to:
level = 'asInvoker'.

The thread didn't seem an exact fit to my problem, but I thought it worth a try. After that edit to InstallForge, the setup utility crashed out with the message, "Setup Error! Could not create installation folder: C:\Program Files (x86)\Periodic_Table\"

That change made the problem worse, but I didn't really expect it to work anyway. (I uninstalled and reinstall InstallForge.)
But maybe Soner's suggestion is on the right track. Maybe Option C.) can be...

C.) Is there a way to set the security in the .manifest files to allow all users to edit, write and delete the application's data files? Where would I fond documentation on that?

Thank you for any advice you can give.

-Science_1
Last edited by Science1 on Wed Jun 07, 2023 9:15 pm, edited 3 times in total.
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Revised Update:

I spent more time exploring this issue this evening. When I ran the installation utility created by InstallForge on my Windows 10 desktop, my app at first seemed to work, but only because I had InstallForge launch the app on completion of installation, and InstallForge (so it turns out) launched the app from Admin mode, so of course it worked. But when I tried to launch the app from the icon in regular mode, the app failed for reasons identical as to those under Windows 11.

Bottom line: Both versions of Windows suffer from the same issue; permissions prevent altering of files unless the app is launched in Admen mode or unless security permissions have been changed on the data files to allow Users to alter files. The best solution (at this point) is to changes file permissions after installation is complete to allow User level access to altering files. If you have a LOT of file permissions to change, as I do, a programed utility to make those security permission changes may be the best way to go.

Question: Is there some away through InstallForge settings to effectively do the same thing?

-Science_1
Last edited by Science1 on Tue Jun 06, 2023 6:31 pm, edited 1 time in total.
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Update and Partial Solution:

After several days of studying the problem, I have some findings to report.
First, the issues I was experiencing were -NOT- caused by InstallForge changing all of my file's write permissions to Admin like I initially thought. No. I didn't have to change file permissions on 500+ data files.

The crux of the problem is that Install Forge adds several permission groups to the folders at installation, including a 'Users' group, and seems to over-write this group's permissions if the group already exists on the folder. The default permissions for the 'User's group is Execute and Read only. It does not by default include permission to 'Write'. (This seems to be a Window's thing, not an InstallForge thing.) Install Forge could have set this permission by default (Install Forge runs in Admin Mode), but it does not do so, for whatever reason.

The good news is that, after using InstallForge's package to place your app on a computer, you only need to change the 'user's permissions on a single folder (not on all of the files in that folder). The bad news is that you have to ask your users to change the app folder's 'Users' group permissions after they install your app on their system. It's an imposition that doesn't feel very professional, and you have to trust that your users are up to the task. An added wrinkle is that, deceptively, if your user allows the installation package to launch the app after installation, the app SEEMS to run fine, but only because InstallForge launches the app from Admin Mode. The next time your user tries to launch the app (using the icon, outside of Admin Mode), your app can fail because it doesn't have permission to write files. This is an issue that really needs to be corrected.

Here is a partial solution:

1.) Create an Installation Package with InstallForge.
2.) Run the Installation Package to install the app to a computer, but don't allow the package to launch the app.
3.) Locate your application's folder at whatever path you chose. (Default:C:\Program Files (x86)\)
4.) Click the [Security] tab for the App's folder.
5.) Click the [Edit] button to change the folder permissions.
6.) Check-mark the 'write' permission box.
7.) Click the [Apply] button
8.) Click [Ok]
9.) Close the navigation window.

Your Application should run without issue from there on.
If anyone knows how to get InstallForge to change this permission automatically, please share it with us.

Cheers!
-Science1
User avatar
markbell
Posts: 13
Joined: Tue May 30, 2023 6:56 pm

Hello -Science1,

thanks for your detailed posts. Having strong experiences with InstallForge, I would like to provide some notes:
is there a way to have InstallForge set the security level of the app to 'Run as Administrator' automatically and every time the app launches?
InstallForge is not capable of doing this and should not do this. You need to change the manifest file for your executable, see https://stackoverflow.com/questions/159 ... sual-studi.
Well, I found a recent post by Soner in the "setup without admin privilege" thread, where he suggested editing the .manifest files in the 'res' sub folder, to:
level = 'asInvoker'.
I went through Soner's post. He is addressing admin rights of the setup packages you create with InstallForge

The issue you are experiencing is due to the fact that your setup package is configured to perform the installation in C:\Program Files (x86). In order to write to this folder, applications usually need admin rights. The solution here would be that your application does not write anything into this folder. In case we are talking about configuration files, those should be stored in the APPDATA folder, see also this discussion: https://stackoverflow.com/questions/427 ... e-registry
InstallForge Power User
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Thank you for your insights, Markbell.

I will study the links you provided and see if I can apply them to my issue. I think you may have put your finger on the key issue behind my problems, that my app installs by default to the C:\Program Files (x86)\ path, where Admin Privileges are required. Perhaps the best solution, as you say, is to change the default away from this location. I will experiment and see if some other intuitive location suggests itself (one that isn't restricted in this way) and if I can make it the default installation location for InstallForge. (I'm new to InstallForge and still learning.)

If I can work it all out, I will write up a conclusion to this thread for others who may run into the same issue.
You have offered promising guidance, Markbell, it it is greatly appreciated.

Cheers!
-Science1
User avatar
markbell
Posts: 13
Joined: Tue May 30, 2023 6:56 pm

You are welcome! :)

If you want your application to be installed on a per-user base, you would normally do this in C:\Users\{Username}\AppData\Local\Programs\. However, I am not sure whether InstallForge supports a constant for that. Perhaps, Soner could provide some clarification.
InstallForge Power User
User avatar
invntefx
Posts: 3
Joined: Thu Jun 08, 2023 3:51 am

I have used this for many years and it works with all versions of MS Windows.
What I like most about it is that is is a 'run as admin' one time only command.
It does not permanently affect the UAC setting.

Program Files (x86) is Admin Locked by Microsoft by Default.
It is possible to install with UAC Admin control only for
those with Administrator Accounts.
Even this script will not 'override' this level of security
and so any User must have their own UAC Administrator Privileges for this to function.
As stated, once the Program is exited it reverts to Admin Lock.
So if someone wanders off from a cubicle for a quick coffee break
after temp shutdown it's safe. ''MoleProof'

I would not suggest usage otherwise.

My only request is that you do not use it to alter InstallForge Build itself.
To do so , such as adding it directly into the InstallForge IFP Project
as a command variable would require approval by solicus.
Perhaps Soner could advise and/or mediate.
If he were to examine the script and consider it acceptable.
Maybe even incorporate it into InstallForge if he so desires.

Incorporate this into your Post-Compiled Manifest as an UAC elevation command.
I suggest you assign it to the Master Executable in your program.
If your 'py' wants more ... just make more with different filenames .BAT

Save the following as a batch script
Example Filename: adminrun.bat

NOTE: You will need to change the cd (change directory) path
and name of myprogram.exe to match your program

NOTE: The only Caveat is that a batch script change of drectory must always
direct the command prompt to the directory in which the executable exists.
So, you could either 'lock' the <InstallPath> by not including a change of
Install Directory option when building it in InstallForge.
Or, add a message at the beginning of setup that notifies users of a no admin
auto-run if they change InstallPath.

So Why Use It In MS-DOS .BAT Format?
"Better Safe Than Sorry"

====== START OF .BAT SCRIPT =====

:: RUN AS ADMINISTRATOR ::

@echo off
if _%1_==_payload_ goto :payload

:getadmin
echo %~nx0: elevating self
set vbs=%temp%\getadmin.vbs
echo Set UAC = CreateObject^("Shell.Application"^) >> "%vbs%"
echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
goto :eof

:payload

:: CHANGE DIRECTORY ::

cd "<InstallPath>/<AppName>/"


:: RUN PROGRAM ::

"myprogram.exe"

exit /b

exit

===== END OF .BAT SCRIPT =====
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Wow, this is VERY cool, invntefx. I really like the idea of an app invoking a one-off admin privilege level for root C: (provided the user has Admin privileges already) and then locking it all down again once the app ends. It is very impressive! There is so much here to take in and digest! Your script will save on user annoyance, a very good thing. And it meets the issue I put forward in my original post when I (mistakenly) thought the problem was of InstallForge changing permissions to 'Admin Only', and there by locking out the ability to write to my data files. (InstallForge was not to blame.)

As I gained insight into the nature of the actual issue that was frustrating me, the nature of what I was seeking has changed. Your post is an excellent ending point for the current thread.

I will start another thread for my revised problem.

Thank you, invntefx!
Last edited by Science1 on Wed Mar 06, 2024 2:24 pm, edited 1 time in total.
Science1
Posts: 11
Joined: Mon May 29, 2023 3:33 am

Hot damn, I solved it!
I'll post about it in the new thread for others who may be new to InstallForge.
Here is a link to the new thread: viewtopic.php?t=841
Post Reply