We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox changes registry path with auto-update | UAC issue

  • 2 replies
  • 1 has this problem
  • 32 views
  • Last reply by ronronron

more options

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell.

Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions.

What is the normal and clean update process without this entries in the user registry in an enterprise environment?

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell. Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions. What is the normal and clean update process without this entries in the user registry in an enterprise environment?

Modified by ronronron

All Replies (2)

more options

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

more options

cor-el said

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

I think you mean the '"app.update.service.enabled" = true' option, right? Of course, the Mozilla Maintenance Service is installed, but on a normal client the update comes up with the UAC everytime.. The "app.update.service.errors" isn't there, should I create it by myself and set it to 0? -> Tested, but this doesn't change anything.

The Mozilla Maintenance log are some privilege errors (even if the user has full rights on the folder): Could not disable token privilege value: SeCreateTokenPrivilege. (1300) Could not disable token privilege value: SeEnableDelegationPrivilege. (1300) Could not disable token privilege value: SeMachineAccountPrivilege. (1300) Could not disable token privilege value: SeRelabelPrivilege. (1300) Could not disable token privilege value: SeRemoteShutdownPrivilege. (1300) Could not disable token privilege value: SeSyncAgentPrivilege. (1300) Could not disable token privilege value: SeTrustedCredManAccessPrivilege. (1300) Could not disable token privilege value: SeUnsolicitedInputPrivilege. (1313)

Are there other settings or registry keys which maybe could be changed by ACLs to block/unblock the UAC/Maintenance Service?

Modified by ronronron