Installers don't register addins

Add-in Express™ Support Service
That's what is more important than anything else

Installers don't register addins
Andrei Smolin

Add-in Express team

Posts: 18019
Joined: 2006-05-11
Hi Robin,

Robin Guest wrote:
2) Yes, it does work properly if I run setup.exe*.

Running a setup.exe does two things: 1) it elevates permissions and 2) it checks if prerequisites are installed and installs them if they are missing on the PC.

Let' me dwell on the "run .MSI" case. Let's assume that the user is administrator, its name is "Administrator", UAC is enabled. The target folder is "Program Files". The add-in is per-machine, not per-user.

Note that you may have the AlwaysInstallElevated policy enabled on the PC. If so, running an .MSI installer consists of the following three phases:
- the installer is run with the permissions of the standard user (it's the result of using UAC)
- before the files are copied to Program Files, you get a UAC popup, then the permissions are elevated (that's what UAC is used for) and the files are copied with administrative permissions
- the custom actions are run with the permissions of the user SYSTEM (it's the result of enabling the policy)

You can check whether this policy is enabled if you set adxregistrator.exe /runasinvoker=false, install the add-in and check the Process Owner field in the registrator's log. If it is SYSTEM, the policy is enabled, if it is Administrator, the policy is disabled. Please note that "runasinvoker=false" does exactly the same as CustomAction_NoImpersonate.js.

When registering a per-user add-in, doing this for the user SYSTEM doesn't make sense. You can avoid this problem by setting /runasinvoker=true. In this case, adxregistrator.exe will be run with the permissions of the user that STARTED the installer, not with the permissions of the user who copies files.

For a per-machine add-in having runasinvoker=false, when the adxregisrator needs to write to HKLM, the UAC popup isn't shown (because adxregistrator is run on behalf of the user SYSTEM) and the registrator completes peacefully. But due to registry mapping, actual registry keys are created in a location that Office is not aware of. The result is: the users report your add-in isn't there. This is why "runasinvoker=true" must be used for per-machine add-ins, too.

But in your case the invoker is a standard user (name = "Administrator") and it cannot write to HKLM! To avoid this misfortune, you need to make sure that the installer is run with administrative permissions AND elevated privileges (check the header of adxregistrator.log). To achieve this, you run setup.exe, not .MSI. Another way is to run msiexec.exe in a command prompt which is run with elevated privileges.

Regards from Belarus (GMT+2),

Andrei Smolin
Add-in Express Team Leader
Posted 22 Jun, 2011 11:36:14 Top
Robin Guest

Posts: 10
Joined: 2011-06-16
Thanks for the comprehensive reply Andrei. We've started the process of thinking through any implications of this.

Cheers, Robin
Posted 30 Jun, 2011 05:58:34 Top