11

I'm trying to set up some ports from a WIX installer. For WinXP we use httpcfg in a custom action and this works fine. For Win7, we're trying:

netsh http add urlacl url=http://127.0.0.1/8346/ user="NT AUTHORITY\Authenticated Users" sddl="D:(A;;GX;;;AU)"

The WIX installer correctly executes this statement and sets up the ports - FOR THE ADMINISTRATOR who runs the .msi. Users with lesser privileges cannot access these ports. I need to set it up for all users on the machine, but I've tried about everything I can think of with no luck.

Something I find odd is that the Admin user can see the assigned ports using netstat -a, but they do not appear at all using netsh http show urlacl...is that an indicator of something wrong?

BadCat914
  • 1
    Why are you using both parameters user and sddl? IMHO only one of them is required/useful. – Christian May 28 '15 at 13:59
  • user="NT AUTHORITY\Authenticated Users" is to add the right only for this user.... If you want to authorize your user, you must specify this user or a group of users that includes this user, or not specify this option and use only the sddl option. Personally, I use sddl "D:(A;;GX;;;IU)" for interactive users. https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings – Mathieu CARBONNEAUX Aug 30 '21 at 18:03
  • You can use WD (SDDL_EVERYONE, interactively logged on or not) in place of IU (SDDL_INTERACTIVE = interactively logged-on user) for everyone. https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings – Mathieu CARBONNEAUX Aug 30 '21 at 18:15

2 Answers

8

If 8346 is your port number, your syntax is incorrect; it should be:

netsh http add urlacl url=http://127.0.0.1:8346/ user="NT AUTHORITY\Authenticated Users"
opherko
  • While the answer is a true statement fixing the typo, I don't see how it answers the question. You could have used a comment for this info. – Gyuri Sep 25 '13 at 17:46
  • 1
    If you want it to be a bit neater you could use the plus sign to avoid having to enter any address, it's a shortcut for any IP or name which resolves to the local machine, i.e. "http://+:8346/". – Tony Wall Jun 27 '14 at 11:01
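A pre-flight check for the command discussed in this thread, added here as an example (not code from any of the posters): it flags a port written as a path segment, as in the question's URL, and decodes the SDDL strings from the question and its comments. The function names are hypothetical; the GX/GW/GA mapping reflects how HTTP.sys reads generic rights in a URL ACL (listen, delegate, both).

```python
import re

# Well-known SDDL SID aliases (Windows constants; IU and WD are named in the comments above).
SID_ALIASES = {"AU": "Authenticated Users", "IU": "Interactive", "WD": "Everyone",
               "BA": "Builtin Administrators", "BU": "Builtin Users"}
# How HTTP.sys interprets generic rights in a URL ACL.
URLACL_RIGHTS = {"GX": "listen", "GW": "delegate", "GA": "listen+delegate"}
ACE_TYPES = {"A": "allow", "D": "deny"}
PREFIX_RE = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/.*)?$")


def check_url_prefix(url):
    """Return a list of problems with a urlacl URL prefix (empty list = looks fine)."""
    m = PREFIX_RE.match(url)
    if not m:
        return ["not an http(s) URL prefix"]
    _scheme, _host, port, path = m.groups()
    problems = []
    if port is None:
        first = (path or "").strip("/").split("/")[0]
        hint = f"; '{first}' is a path segment here, not the port" if first.isdigit() else ""
        problems.append("no explicit port (expected scheme://host:port/path/)" + hint)
    if not (path or "").endswith("/"):
        problems.append("prefix must end with '/'")
    return problems


def parse_urlacl_sddl(sddl):
    """Decode each ACE of a urlacl DACL into (type, right, trustee)."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL starting with 'D:'")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 ';'-separated fields: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        aces.append((ACE_TYPES.get(ace_type, ace_type),
                     URLACL_RIGHTS.get(rights, rights),
                     SID_ALIASES.get(sid, sid)))
    return aces


if __name__ == "__main__":
    # URLs from the question, the answer and its comment; the WD string is derived from the WD comment.
    for url in ("http://127.0.0.1/8346/", "http://127.0.0.1:8346/", "http://+:8346/"):
        print(url, "->", check_url_prefix(url) or "ok")
    for sddl in ("D:(A;;GX;;;AU)", "D:(A;;GX;;;IU)", "D:(A;;GX;;;WD)"):
        print(sddl, "->", parse_urlacl_sddl(sddl))
```

Comparing the decoded trustee against the accounts that actually need to listen on the port shows at a glance whether a reservation is broader (WD) or narrower (IU) than intended.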
2

You can add a condition to the setup file to prompt for UAC when installation starts. This will ensure the installer is always started by an admin and thus will add the exception in the firewall even when the user does not have admin rights.

Sunil Agarwal
  • This doesn't seem to answer the question even if it's probably correct. Also, there are no specifics in this answer. – Gyuri Sep 25 '13 at 17:46
  • You will need to use the newer versions of WIX which support bootstrapper (Setup.exe) to properly launch as administrator. Else it will only work when launched via MSIEXEC from an administrator command/process. Bootstrapper is the only way to guarantee you are running as admin even when Setup.exe is double-clicked from the shell. It is also common to add a launch condition to explain to the user/admin log why it failed rather than some strange failure message, e.g. when double-clicking MSI/without setup.exe bootstrapper. You can't "prompt for UAC", only the system via another process/setup.exe. – Tony Wall Jun 27 '14 at 09:11