## Install McAfee EPO On Windows Vista Without Disabling UAC

April 13th, 2007 Posted in Technology, Windows Vista

It took some time and thinking, but I've finally discovered how to install McAfee EPO without having to disable User Account Control.  Here's the theory behind the solution:  UAC effects all standard user and administrator accounts in Vista.  The local System account has unlimited privileges and is NOT confined by UAC which makes it a perfect candidate for installing EPO.  The trick is how to actually execute a command as System.  My initial efforts included writing a VBscript to schedule the installation with at.exe which runs as System.  Unfortunately in all of my testing, while the script would run, unfortunately the task would never actually get entered into the At queue of scheduled tasks.  I then found Sysinternals psexec utility.

Psexec was designed to run programs on remote systems, but it works equally well to execute processes on the local system.  Best of all, it has a flag to run an application under the local System account.

The first step was to copy the Framepkg.exe, Sitelist.xml, and psexec.exe to a folder on the local machine.  You can download psexec and the rest of the sysinternals process tools from here.  Next, create a batch file in the same directory with the following line in it:c:\path\to\psexec.exe /accepteula -i -d -s C:\path\to\FramePkg.exe /Install=Agent /ForceInstall /SiteInfo="c:\path\to\Sitelist.xml" In the command, \path\to should be replaced with the path you will be copying the files to. Psexec takes four flags in this step, -i tells it to run the command interactively, -d tells psexec not to wait for the installation to finish before exiting, and -s tells it to run as the local System account, /accepteula bypasses the intermediary EULA screen.

Now all that remains is to package the whole thing as an executable.  I chose to use Symantec's Auto Installer Builder that comes with Ghost, but there are plenty of alternatives out there.  The executable just needs to copy the directory with the executables and the batch file in it to a local path, and then execute the batch file.  Windows will recognize the resulting executable as something which requires administrative privileges, and will automatically prompt the user to allow it to run as an administrator.  At this point, the EPO installation proceeds normally just like it used to do in XP.

There is one catch ... If you do this on a machine that already has an installation of EPO, the installation will eventually throw up an error message that says it wasn't successful.  After investigating the logs, it turns out that it errors out during the removal of the current version which is due to Vista holding onto some .dll files and not allowing them to be deleted.  They are scheduled to be deleted on the next reboot however; so if this happens to you, all you need to do is reboot after encountering this error and then run the installation again, and it will finish the installation successfully the second time.

[tags]McAfee,EPO,ePolicy Orchestrator, UAC, Vista, Windows Vista, aibuilder, autoinstaller builder, psexec, sysinternals, system account[/tags]