MORE INFORMATION

An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a nonadministrator user to install managed applications.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

• On a computer running Windows NT 4.0 or Windows 2000, an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:

  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  

  WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, nonadministrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.
  
  

• On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation:

  msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1

  Here is an example of how the administrator would advertise the package on the computer per-machine:

  msiexec -jm c:\pathtofile\mypackage.msi

  For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK:

  http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

• On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges.
  
  For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper:

  http://www.microsoft.com/windows2000/docs/GPIntro.doc