PDA

View Full Version : Windows 10 blocking installed app



torrid
12-07-2018, 11:09 AM
Hi,

I have my installer code signed. I just looked at a new Windows 10 computer of a client. We downloaded the .EXE installer from the internet. If you want to try it the files are located here:
http://www.torrid-tech.com/downloads/downloads.html

Windows did not flag the install with SmartScreen or anything else. It just asked if we wanted to run it. Installer seemed to go fine. We run my software which requires you to enter some personal info up front that is used in registration. The info does not get stored. The software is being blocked from writing to the hard drive and the registry. Since it is blocked it crashes.

How to fix?
We go back and run the INSTALLER again using Run As Administrator. Go through installer again.
Once finished the software app runs fine and is not blocked from writing the registry or hard drive.

This is a big customer support problem. Am I doing something wrong to make Windows flag the app? Where do I look to see whether Windows flagged it? Is there any way to avoid this issue? Because otherwise customer gets bad impression thinking app stinks and just crashes.

Any help or suggestions appreciated.

-Tim

linder
12-07-2018, 11:20 AM
Tim,

is your application UAC-aware? This problem has absolutely nothing to do with the installer. It's your own application that seems to have an (UAC) issue. Perhaps you are trying to write to protected Windows resources from your own application? For example, do you try to write to HKEY_LOCAL_MACHINE from your own asInvoker manifested application?

And why do you have to run the installer "as administrator"? The per-machine installer always runs elevated by default. Using "Run As Administrator" has absolutely no effect on "requireAdministrator" manifested apps.

BTW, here is a very brief description on how to make your app UAC-aware:

http://www.lindersoft.com/forums/showthread.php?47664-Managing-multiple-user-accounts&p=88371#post88371

Friedrich

linder
12-07-2018, 11:43 AM
Tim,

for your information: you do not have a valid code-signature. You have a SHA-1 signature only!!! But you need a SHA-2 or "dual" SHA-1/SHA-2 signature. Why do you have SHA-1 only?

In other words, you do not have a valid signature for Windows 10. And your own application files are not code-signed at all?! For example: RetirementView.exe.

Friedrich

linder
12-07-2018, 12:03 PM
Tim,

I tried it on different Windows OS VMs (including Windows 7) and there is a serious problem with your app. See attached screenshot. I can't even enter my name or birthday. I am afraid you have to go back to the drawing board. This has absolutely nothing to do with your installation. The issue is definitely at application level (note the two message boxes; the app is completely locked now). See my previous link (how to make an app UAC-aware). Sorry for the bad news.

Friedrich

linder
12-07-2018, 12:17 PM
Tim,

more information that might help you. I "killed" your app because it was completely locked. After that I restarted it (no reinstallation; just double clicked the shortcut again to relaunch) and it worked fine as expected. I think you only have a problem with your start or initialization procedure.

And you should definitely "dual" SHA-1/SHA-2 code-sign your application and installation! Or at least SHA-2 code-sign.

BTW, virtual machines are perfect to find this kind of bugs. You can restart a "clean" Windows OS within seconds and then check if it still locks the app at first run.

Hope this helps.

Friedrich

torrid
12-10-2018, 02:16 PM
Sorry I was not being notified of your replies... Guess I did not click that tick box.

First, I thought I purchased a dual certificate. Just renewed back in October.
I just looked in SB8 and it just has info to point to the PFX file. I will log into Comodo and see what I purchased but is there a way to examine the PFX file?

Second, how do you sign the application EXE file itself? Guess I missed that entirely....

I will look at the UAC-aware link.

-Tim

linder
12-10-2018, 03:35 PM
Tim,

I am sure you own a SHA-2 code-signing certificate.

You can do the following to handle SHA-1/SHA-2 "dual" signing:

http://www.lindersoft.com/forums/showthread.php?47199

To code-sign your own files (.exe, .dll, etc.) you can use the SetupBuilder "#code-sign application..." compiler directive -or- let your development environment sign your files as part of the app's compilation process.

Friedrich