Deploying application with .NET framework without admin privileges

问题

Disclaimer: If this question does not belong on SO, please leave a hint where to move it.

Hello everyone,

the company I work for has developed an application that has accumulated a bunch of dependencies over time:

.NET 3.5 with updates
.NET 4.0 with updates
VC++ Redist 2010
VC++ Redist 2013
VC++ Redist 2015
Our proprietary device driver

Everything was then packaged into an Inno Setup executable and distributed to the clients. Recently, the need for an auto-update mechanism has been pointed out, which causes us to run into privilege problems. Here are some of the product demands I need to meet (and cannot figure out how):

Installer (and product) must support legacy hardware and software (read as Windows XP and later)
The installation (including auto update installations) may require an admin login exactly once (during first installation). This means that the auto-update installer must be able to run silently under a non-admin account.
The installer should install to the {commonappdata} folder (locked) and the end application should behave the same
The dependencies must be included in the application installer. They do not need to be included in the auto-update installers.

This may seem trivial at first glance, but every combination I try, I run into the "access denied" message either during installation or at update time. Does anyone know of a reliable way to do this?

回答1:

You cannot update an application installed to Administrator-only folder without Administrator privileges.

The only way to implement an auto update of such application is to implement, what Windows Update, Mozilla Maintenance Service, Google Chrome Elevation Service, Adobe Acrobat Update Service and similar services do:

On the first installation with Administrator privileges, install a service with Administrator privileges.
Either have the service itself check regularly for updates and start the auto update;
Or if you need to trigger the update otherwise, implement an API for the service that someone (e.g. the application itself running without Administrator privileges) can call to trigger the auto update.

Installing a service with Administrator privileges to a client system is a huge breach. So if you decide to do that, make sure you do it 200% right, not to introduce holes into the client system.