Pesquisar no apoio

Evite burlas no apoio. Nunca iremos solicitar que telefone ou envie uma mensagem de texto para um número de telefone ou que partilhe informações pessoais. Por favor, reporte atividades suspeitas utilizando a opção "Reportar abuso".

Saber mais

Firefox changes registry path with auto-update | UAC issue

  • 2 respostas
  • 1 tem este problema
  • 1 visualização
  • Última resposta por ronronron

more options

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell.

Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions.

What is the normal and clean update process without this entries in the user registry in an enterprise environment?

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell. Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions. What is the normal and clean update process without this entries in the user registry in an enterprise environment?

Modificado por ronronron a

Todas as respostas (2)

more options

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

more options

cor-el said

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

I think you mean the '"app.update.service.enabled" = true' option, right? Of course, the Mozilla Maintenance Service is installed, but on a normal client the update comes up with the UAC everytime.. The "app.update.service.errors" isn't there, should I create it by myself and set it to 0? -> Tested, but this doesn't change anything.

The Mozilla Maintenance log are some privilege errors (even if the user has full rights on the folder): Could not disable token privilege value: SeCreateTokenPrivilege. (1300) Could not disable token privilege value: SeEnableDelegationPrivilege. (1300) Could not disable token privilege value: SeMachineAccountPrivilege. (1300) Could not disable token privilege value: SeRelabelPrivilege. (1300) Could not disable token privilege value: SeRemoteShutdownPrivilege. (1300) Could not disable token privilege value: SeSyncAgentPrivilege. (1300) Could not disable token privilege value: SeTrustedCredManAccessPrivilege. (1300) Could not disable token privilege value: SeUnsolicitedInputPrivilege. (1313)

Are there other settings or registry keys which maybe could be changed by ACLs to block/unblock the UAC/Maintenance Service?

Modificado por ronronron a