1

I have an "Install Just for me" option on my InnoSetup installer. If this option is chosen the program files are written to a folder off the users local settings application data folder, rather than C:\Program Files.

It seems that other admin users can still poke around and find this folder and therefore execute the app, which I want to avoid if the user is installing "just for me".

How do I specify that this folder (nominally {userappdata}\MyApp\Program Files\) has permissions removed for everyone except the user running the installer?

Bob Arnson
  • 21,377
  • 2
  • 40
  • 47
rossmcm
  • 5,493
  • 10
  • 55
  • 118

1 Answers1

3

You can use cacls.exe or use the various permission directives. But no matter what you do, an administrators can always give themselves permission to access the file. They are administrators after all...

kichik
  • 33,220
  • 7
  • 94
  • 114
  • Hmmm. So it's not possible for AdminUser1 to "hide" a folder from other admin users? – rossmcm Jul 24 '11 at 05:07
  • Technically, no. That would make it possible for any program to hide itself from the computer administrator and that's not a desired feature. But there are always methods. What is your goal here? – kichik Jul 24 '11 at 05:13
  • My goal is to make a "Just for me" installation as much like a "just for me, and only me" installation as possible. It is for a situation where it is desirable to restrict access to an application, even from other users who might be admin users. – rossmcm Jul 24 '11 at 05:22
  • (Win XP) If I create a folder "Folder1" as AdminUser1 in {userappdata}, right-click it, Properties, Sharing, check "Make this folder private", switch user to AdminUser2, navigate to AdminUser1's local settings Application data, I can see Folder1, but I can't open it, so at this level it would achieve what I want - even though it may still be possible for a more determined admin user to get in. I'm just not sure how I would set the equivalent permissions on the folder using innosetup directives. – rossmcm Jul 24 '11 at 05:35
  • But AdminUser2 can go to that folder's properties and change it back. But cacls, SetACL InnoSetup's built-in stuff should do it. The original purpose of "Just for me" vs. "All users", to the best of my understanding, is not to spam all users or to install without permissions just for the local user. It was not to hide stuff. There are many other tools available online meant for hiding files. – kichik Jul 24 '11 at 07:57
  • Sure. I'm not looking for a bulletproof solution. The majority of not-so-tech-savvy users on getting an "Access denied" message won't try any harder. As I say, I was able to simulate the effect I want by checking the "Make this folder private" box, I just don't know how I would configure IS so that it did the same at setup time. – rossmcm Jul 24 '11 at 10:21
  • To hide the program further, you can write uninstall data into HKEY_CURRENT_USER, create program shorcuts only user's profile. This way, other users of the machine won't easily know it exists. – Alexey Ivanov Jul 24 '11 at 15:52
  • If you give permission only to the current user, it should work. To do this, use SetACL, cacls or the InnoSetup directive I linked to. – kichik Jul 24 '11 at 19:19
  • The InnoSetup way is the path of least resistance. According to the docs we have `Permissions: -`. "User or group" can be one of `admins`, `authusers`, `everyone`, `powerusers`, `system`, or `users`. "Access type" can be one of `modify`, `full`, or `readexec`. So I'm picking what I need is `Name: "{app}" ; Permissions: "system-readexec" ; check: JustMeInstall`. I'm assuming "system" is the one I need to grant access to the current user only ('cause none of the others seem sensible choices). – rossmcm Jul 25 '11 at 05:06
  • Aarrgghh! @kichik: `Name: "{app}" ; Permissions: "system-readexec" ; check: JustMeInstall` doesn't seem to work. What's the magic incantation to set the folder as the "Make this folder private" checkbox does? – rossmcm Jul 25 '11 at 13:39