Detecting Administrator and Elevated Privileges
InstallShield 2022
Basic MSI Projects
On systems with Windows XP and earlier or Windows Server 2003 and earlier, two properties for detecting user privileges are AdminUser and Privileged. The AdminUser property is set if the end user has Administrator privileges. The Privileged property is set if the installation is running with elevated privileges (that is, if the end user has administrative privileges, if the installation has been assigned by a system administrator, or if both the user and machine AlwaysInstallElevated policies are set to true). In most cases, the Privileged property is more appropriate.
On Windows Vista and later and Windows Server 2008 and later, the AdminUser property is by default assigned the same value as the Privileged property. To restore the distinction between AdminUser and Privileged on these systems, you can set the MSIUSEREALADMINDETECTION property to 1 in the Property Manager view.
Note that on Windows Vista and later and Windows Server 2008 and later, AdminUser and Privileged are always set during the User Interface sequence; therefore, they cannot detect whether an installation is actually running with elevated privileges during the User Interface sequence. However, custom actions running as deferred in system context have the correct value for Privileged (and for AdminUser, if MSIUSEREALADMINDETECTION is also set). Because only actions running as deferred in system context should modify the system, distinguishing privileged from non-privileged installations is significant only for that type of action. One consequence of this behavior is that AdminUser and Privileged should not be used in the install conditions of a project that targets Windows Vista and later or Windows Server 2008 and later.
InstallScript and InstallScript MSI Projects
The following InstallScript expression returns TRUE if the end user has Administrator privileges, except for some cases on Windows Vista or later systems and Windows Server 2008 or later systems:
Is(USER_ADMINISTRATOR, "");
On Windows Vista and later systems and Windows Server 2008 and later systems, Is returns TRUE if the SE_GROUP_USE_FOR_DENY_ONLY security identifier (SID) attribute is not set for the group. That is, if the current user is in the Administrators group but that user is running the installation with a standard access token on Windows Vista, Is returns FALSE.
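The token state described above can be inspected outside the installer. The following PowerShell is an added example, not InstallShield code: the function name Get-AdminTokenState and the IsResultPerPage field are hypothetical, and the field only applies the rule stated on this page to the current process token.

```powershell
# Added example (hypothetical helper, not InstallShield code).
# Reports how BUILTIN\Administrators (well-known SID S-1-5-32-544) appears
# in the access token of the current process.
function Get-AdminTokenState {
    $adminSid = 'S-1-5-32-544'
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # .NET exposes each token group as a claim. The claim type reflects the
    # group's attributes: GroupSid for an enabled group, DenyOnlySid when
    # SE_GROUP_USE_FOR_DENY_ONLY is set on it.
    $adminClaims = @($identity.Claims | Where-Object { $_.Value -eq $adminSid })
    $enabled = @($adminClaims | Where-Object {
        $_.Type -eq [System.Security.Claims.ClaimTypes]::GroupSid }).Count -gt 0
    $denyOnly = @($adminClaims | Where-Object {
        $_.Type -eq [System.Security.Claims.ClaimTypes]::DenyOnlySid }).Count -gt 0

    $state = if ($enabled) { 'Enabled' }       # full administrator token
             elseif ($denyOnly) { 'DenyOnly' } # member, but standard (filtered) token
             else { 'NotMember' }              # not in the Administrators group

    # Cross-check with the role test, which is true only when the
    # Administrators SID is enabled in the token.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isInRole = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                  = $identity.Name
        AdministratorsGroup   = $state
        IsInRoleAdministrator = $isInRole
        # Assumption: follows this page's rule that Is returns TRUE when the
        # deny-only attribute is not set for the Administrators group.
        IsResultPerPage       = $enabled
    }
}

Get-AdminTokenState | Format-List
```

Run from a normal prompt by a member of the Administrators group with UAC enabled, this reports DenyOnly; run from an elevated prompt, it reports Enabled.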