WebUpdate mechanism for non admin users

I need some clarification here.
I am aware that there is a directive in wupdate.pas unit that allows to use "no UAC" update mechanism.
Then the resource file 'wupdateno_uac.res' is compiled into application .exe.
Should the small wusetup.exe application used to replace app files, that comes from this particular resource file should yield for privilege elevations.
I have performed simple test, I have created simple local user on my test Win10 machine, and when wusetup is executed the dialog pops up asking if I'd like to allow perform some updates on this device (I don't know exact English version - this is loose translation from Polish)
It seems that wupdate has not changed for ages, since I have tried res file from latest version, december 2019 and very old from TMS Component pack from february 2012.
I have modified the wupdate.pas to remove any references to UAC version, but it has not changed anything.
What could be solution here? Am I doing something in wrong way?
I have a customer with Active Directory and very strict rules implemented and I would like to have my app updated without bothering admins to approve changes.

Thanks in advance

Using the latest version:

WUPDATENO_UAC.RES will start the updater without elevation
WUPDATE.RES will start the updater with elevation

If privileges of the folder where the app EXE should be replaced will require admin privileges, admin elevation will be needed. There clearly is no way around this as otherwise it would mean there is a serious security hole in Windows.

Hi Bruno
Thank you very much for prompt answer.
However, beside o explicitly setting full privileges to the folder where application is located, wusetup still wants to elevate privileges. :frowning:
I have located this file in the folder C:\Users_Name_of_user_\AppData\Local\Temp.
Opening this folder in Explorer, shows a little shield mark on the icon of wusetup.


When I attempt to run this, it's immiediately shows the dialog for 'Admin' approval.
What else I can check?


Elevation is regardless of folder.
WUPDATENO_UAC.RES will start the updater without elevation
WUPDATE.RES will start the updater with elevation

Elevation depends on manifest in the EXE. We provide both, with & without, so you can choose.


In my environment - still D10.3.3 and VCL UI Pack from December 2019 - I have only WUPDATENO_UAC.res file and modified wupdate.pas where I have left explicit pointing to:


wupdate.pas unit is always compiled when I build an application (wupdate.dcu is in 'dcu' app's folder)
I have deleted wupdate.res from folder where VCL UI Pack sources are located. wupdateno_uac.res file is taken from latest version. So from my point of view there should be no elevation request but there is.

Elevation depends on manifest in the EXE

Did I miss something? Is there a magic switch that I can use to turn off elevation request? Should I read updated WUPDATE manual? We are in the process of migrating to 10.4.1 so having such feature would be great.


I have retested the normal workflow of TWebUpdate when $DEFINE USEUAC is NOT used and it is not causing elevation.
What exactly are you doing different from the normal workflow and why?

Yesterday I completely unistalled Delphi 10.3 and prepared brand new environment with Delphi 10.4.1 and latest version of UI Pack.
I have removed wupdate.res from UI Pack folder, removed wupdate.dcu from UI Pack folder, added UI Pack folder to library to have it compiled each time I build my application.
Then I modified wupdate.pas:


I put addtional dot characted to "turn off" compiler directive.
Then I built the application and upload new version to the server.
On "problematic" workstation I cleaned Temp folder from old version of wupdate.exe and run my application. After downloading the new version when wupdate.exe got executed Windows asked for priviledge elevation.
Zip file with wupdate.exe attached.

wusetup.zip (73.6 KB)

What have I done inproperly?


Have you tried renaming the application so that its name does not include the string 'update' or anything else that might make Windows automatically request elevation?


My app is called Spedytor2, a little exe that replaces main files is called wupdate.exe


------ Wiadomość oryginalna ------
Od: "Tim Frost via TMS Support Center" <supportcenter@tmssoftware.com>
Do: marcin.bury@studio-delfi.pl
Temat: [TMS Support Center] [VCL/TMS VCL UI Pack] WebUpdate mechanism for non admin users

It is the latter that you should try renaming, because its name may trigger the UAC prompt on some Windows OS. And also, if Windows decides that access to a specific folder requires an elevated process, it does not matter what your manifest says: the manifest, like some exe names, simply advises Windows that a process requires elevation because of the accesses it is going to need.


My fault, this latter appplication is called wusetup.exe and is provided by TMS - embedded in *.res file. So this is out of my control

Could you check if attached in previous message zip contains proper wusetup.exe.


TWebUpdate extracts this resource to another filename (for this specific reason). wusetup.exe is never used from the file system by TWebUpdate.