Avatar for Username

Mozilla 도움말 검색

고객 지원 사기를 피하세요. 저희는 여러분께 절대로 전화를 걸거나 문자를 보내거나 개인 정보를 공유하도록 요청하지 않습니다. "악용 사례 신고"옵션을 사용하여 의심스러운 활동을 신고해 주세요.

Learn More

이 쓰레드는 보존되었습니다. 만약 도움이 필요하시면 새로운 질문을 올려주세요.

Firefox changes registry path with auto-update | UAC issue

  • 2 답장
  • 1 이 문제를 만남
  • 32 보기
  • 최종 답변자: ronronron

ronronron
ronronron
more options

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell.

Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions.

What is the normal and clean update process without this entries in the user registry in an enterprise environment?

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell. Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions. What is the normal and clean update process without this entries in the user registry in an enterprise environment?

글쓴이 ronronron 수정일시

모든 댓글 (2)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

ronronron
ronronron 질문자
more options

cor-el said

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

I think you mean the '"app.update.service.enabled" = true' option, right? Of course, the Mozilla Maintenance Service is installed, but on a normal client the update comes up with the UAC everytime.. The "app.update.service.errors" isn't there, should I create it by myself and set it to 0? -> Tested, but this doesn't change anything.

The Mozilla Maintenance log are some privilege errors (even if the user has full rights on the folder): Could not disable token privilege value: SeCreateTokenPrivilege. (1300) Could not disable token privilege value: SeEnableDelegationPrivilege. (1300) Could not disable token privilege value: SeMachineAccountPrivilege. (1300) Could not disable token privilege value: SeRelabelPrivilege. (1300) Could not disable token privilege value: SeRemoteShutdownPrivilege. (1300) Could not disable token privilege value: SeSyncAgentPrivilege. (1300) Could not disable token privilege value: SeTrustedCredManAccessPrivilege. (1300) Could not disable token privilege value: SeUnsolicitedInputPrivilege. (1313)

Are there other settings or registry keys which maybe could be changed by ACLs to block/unblock the UAC/Maintenance Service?

글쓴이 ronronron 수정일시