Most installers run elevated due to RequestExecutionLevel or the Windows Compat Shim.
When an NSIS installer runs, all of the Exec/ExecShell commands run at the Integrity Level of the installer.
The problem is that this means that Exec/ExecShell invocations run as Admin.
You really don't want to launch a web browser at Admin-level integrity (surfing the web without the security sandbox) and launching the installed application on exit can be problematic because the first run of the app occurs at Admin and all future runs run at MediumIL.
The workaround here would be to offer a way for scripts to explicitly Exec/ExecShell at MediumIL. While there's no one API exposed to do this, there are two major techniques that work (both used by Microsoft and others) which can be found here:
The code involved is relatively straightforward but would be very difficult to mimic from a install script without having a feature built-in to NSIS for this.
(MSI-based installers typically can avoid this problem by having only part of the MSI running at Admin, then performing "user-level" actions outside of that portion).
Log in to post a comment.