admin can launch app, but users can't

I have a customer who says my app will run as admin, but not for users. The usual fix is to have him set the ProgramData\MyApp folder to have read/write permissions for the users (and the 2 files it contains). He says he did that but it didn’t work. Anything I can tell him to try? I’m not really a Windows guy so I’m not sure what else to tell him.

Are you using an installer for your app ?

Are you trying to write to the app executable folder (Program Files etc.) as that is a no-no these days? Settings/License or Preferences etc.?

I can’t remember if ProgramData can be picky or not.

I install my apps into Users/[username]/AppData/Roaming/[company]/[program]/ and none of my users have had any problems

So are you actually using an installer or simply copying the file ? Plus you don’t install the app in C:\Program Files or C:\Program Files (x86).

Recent versions of Windows, especially Windows 10, and some corporate versions of older versions, need programs to be installed with an installer in the Program Files directories, so the proper keys that tell the system what the app is are placed into the Registry. The installer also will if necessary require the app to be run as administrator.

EXE that are not put in place by an installer may also attract undue scrutiny from anti virus programs.

Put the files somewhere else, like SpecialFolder.ApplicationData. It doesn’t matter what the permissions are, Windows can be very finicky about what you try to do in Program Files. You might be able to just have your app copy those files from next to the app into ApplicationData on first run (check if they exist in AppData, if not then copy them).

I do use an installer, I use Actual Installer Pro 6.4 and never had a problem with any installs. One of the options I select, configures it to install in the directory structure I specified earlier…

That does make your installs user specific and no other users could see that app in the other users Roaming profile

But they could if it was in ProgramFiles - a more “normal” or “usual” place for installation

My programming is primary in hospitals and security is pretty tight so it’s not been a problem…When I do have apps that need to be in general pop, I do place them in the appropriate place…also, the hospitals pretty much dictate where things need to go anyways

Do they make much use of roaming profiles ?
If not things wont matter much
Otherwise it should be an issue
But then with roaming profiles apps would probably be installed on a server not on individual machines

Like I said, where you install them is just very unusual
Not that it wouldn’t work

Yeah, alot of our software is installed on servers, plus they use alot of VM and citrix there…so maybe that’s why. I will install it wherever as long as it works…LOL

Hi Patrick,

Although programs can be installed without an installer, my suggestion is that Windows apps should (almost?) always have an installer, and here are a few reasons for my thoughts (feel free to correct me, as there are always exceptions :slight_smile: ):

  1. Create an installer, then the installer places the programs on the Windows OS by having administrator priviledges to install the program
  2. 32-bit apps typically are installed in the C:\Program Files(x86) directory, and 64-bit are usually installed in the C:\Program Files directory.
  3. Users usually have the default permissions to execute programs in these directories
  4. It is recommended that databases not be placed in the C:\Program Files(x86), or C:\Program Files directories because of executable permissions. A common place to add a database (like SQLite) is in the Application Data folder (%appdata% environment string or \Users\UserName\AppData\Roaming\ path). All users can modify backup data from their own folders and there are usually no security vulnerabilities. When the main app is deleted, all users get to keep their data!
  5. Non-admin users cannot modify files in the shared or Program Files folders.
  6. When executables are in a different folder (other than Program Files), Administration privileges are often needed - which is a security vulnerability.

The above are some good beginning rule-of-thumbs for Windows (Yes, there are many more rules-of-thumb). There are other Xojo contributors who are much better with Mac and Linux than I, and can talk more about apps on those OS’s :slight_smile:

Since as you say they have pretty tight security, they may have on that user particular machine set Roaming permissions as administrator only. I would first try Program Files and see if that solves the problem.

Hey Michel, I’m not the one having any problems, I think it was Patrick that did

OOps.Sorry.

No problem

Michel points to the right Direction. Group Policies, SAFER and AppLocker may prevent the start of your App by unpriviledged users. This is nothing new and goes back to NT4 times. As Admin I configure Group Policies first to ensure that all Executables from AppData or Temp Folders cannot be started. This is the place where most Threats put their payload first. Only the known and hand-installed Programs from the regular Progam folders (and secured by ACL) can be executed by the unpriviledged User. This kind of Application Whitelisting is the only one and most secure way to deal with threats like Locky and others. This makes every WIndows PC as robust and hardend as any Mac or Linux. Don’t trust Anti-Virus Software, they are a plague too.

So to help you and your problem, check if there are any active Group Policies or AppLocker Settings.

Here are some links for deeper information:

https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

And if Your PCs are not running within a Domain you can enable SAFER too. Here is a german how-to source, use Google translate:
http://schneegans.de/computer/safer/