creative555
asked on
not able to run MSI as local system on Windows 10. I can on Win 7
Hello,
We use a custom application. So we have a service on user's computers that runs as local system.
It is working on Window 7 machine. So there is an executable that you run, and then it will run MSI that will run under system context because it calls the service that is running as Local System.
So, I should be able to run Appname.exe even from the regular user prompt because Appname.exe calls MSI that runs as local system.
Now this works on Windows 7 when I run Appname.exe as a regular user. But when I login as regular user it doesn't work on Windows 10
On Win 10, if I login as Local Administrator and run Appname.exe from the command prompt - this works.
The question is. What is in Win 10 that is different from Win 7 so that I can't run MSI as local system from the regular prompt and need to be a local admin.
Thank you very much.
We use a custom application. So we have a service on user's computers that runs as local system.
It is working on Window 7 machine. So there is an executable that you run, and then it will run MSI that will run under system context because it calls the service that is running as Local System.
So, I should be able to run Appname.exe even from the regular user prompt because Appname.exe calls MSI that runs as local system.
Now this works on Windows 7 when I run Appname.exe as a regular user. But when I login as regular user it doesn't work on Windows 10
On Win 10, if I login as Local Administrator and run Appname.exe from the command prompt - this works.
The question is. What is in Win 10 that is different from Win 7 so that I can't run MSI as local system from the regular prompt and need to be a local admin.
Thank you very much.
Last Comment
ASKER
See in line
1 is this for MSI deployment? If so, why don't you use the built-in way (GPO software publishing allows MSI installation even as standard user)
Good question. Actually enabling MSI installation is one of the other options we are using. But allowing regular user to run MSI is a security risk as well.
The 2nd option we use is to have a service that runs under local system, so even regular user can run the software that triggers that service that will run msi under local system context. For this option, usually SCCM is used or logon script.
So, we used to be able to just execute exe that would call up service that would run MSI under local system. But now when I execute exe from a regular command prompt the MSI doesn't run. We use this for manual testing that suppose to work and it works on Win 7.
Do you know what is the difference Win 7 vs Win 10 Os that stops MSI from running as local system when user logged on?
2 how does your app trigger the service? What does the service execute exactly?
Service contacts the other server over https, then downloads msi, then installs msi that does re-acling of the files (Security translation). Actually in the log, on Win 10 it stops at Security Translation step.
1 is this for MSI deployment? If so, why don't you use the built-in way (GPO software publishing allows MSI installation even as standard user)
Good question. Actually enabling MSI installation is one of the other options we are using. But allowing regular user to run MSI is a security risk as well.
The 2nd option we use is to have a service that runs under local system, so even regular user can run the software that triggers that service that will run msi under local system context. For this option, usually SCCM is used or logon script.
So, we used to be able to just execute exe that would call up service that would run MSI under local system. But now when I execute exe from a regular command prompt the MSI doesn't run. We use this for manual testing that suppose to work and it works on Win 7.
Do you know what is the difference Win 7 vs Win 10 Os that stops MSI from running as local system when user logged on?
2 how does your app trigger the service? What does the service execute exactly?
Service contacts the other server over https, then downloads msi, then installs msi that does re-acling of the files (Security translation). Actually in the log, on Win 10 it stops at Security Translation step.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
good answer!! the option we used for MSI is allowing users to execute MSI vs publishing MSI where users would have to install it.
I can find out if we can publish MSI. those are two different options.
I can find out if we can publish MSI. those are two different options.
ASKER
Looks like we have an old version of subinacle that existed a lot earlier before many changes that were made to the security subsystem.
Do you know any other tools alike subinacle that can do security translations?
https://www.microsoft.com/en-us/download/details.aspx?id=23510
After extensive troubleshooting we determined it hangs on subinacl process.
Do you know any other tools alike subinacle that can do security translations?
https://www.microsoft.com/en-us/download/details.aspx?id=23510
After extensive troubleshooting we determined it hangs on subinacl process.
Please explain what role subinacl plays. Is it part of your msi, or...?
ASKER
thank you so much!
OS Security
Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.
22K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
1 is this for MSI deployment? If so, why don't you use the built-in way (GPO software publishing allows MSI installation even as standard user)
2 how does your app trigger the service? What does the service execute exactly?