为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox changes registry path with auto-update | UAC issue

  • 2 个回答
  • 1 人有此问题
  • 1 次查看
  • 最后回复者为 ronronron

more options

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell.

Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions.

What is the normal and clean update process without this entries in the user registry in an enterprise environment?

On test clients we deployed the "Firefox Setup 60.7.0esr.exe" (32bit) with default settings with Microsoft SCCM and on other test clients we installed it as a normal user without admin rights and typed in the local admin password to install it manually (for comparison). So the standard install folder is "C:\Program Files (x86)\Mozilla Firefox" and the registry key is "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)". Now the update 60.7.1 released. Problem 1: The normal users didn't have the "modify" rights for "C:\Program Files (x86)\Mozilla Firefox", so the update installer asks with the UAC for admin rights. -> I changed the permissions of the folder with powershell. Problem 2: Now the update process works and replaced the files in "C:\Program Files (x86)\Mozilla Firefox", BUT the registry keeps the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.0 ESR (x86 de)" and creates a new path "Computer\HKEY_USERS\*USERID*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 60.7.1 ESR (x86 de)". So the "Programs and Features" under Windows are showing both versions and of course the SCCM is detecting both versions. What is the normal and clean update process without this entries in the user registry in an enterprise environment?

由ronronron于修改

所有回复 (2)

more options

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

more options

cor-el said

I think that you would normally use the Mozilla Maintenance Service to prevent UAC issues and make it possible to update without requiring write permission.

I think you mean the '"app.update.service.enabled" = true' option, right? Of course, the Mozilla Maintenance Service is installed, but on a normal client the update comes up with the UAC everytime.. The "app.update.service.errors" isn't there, should I create it by myself and set it to 0? -> Tested, but this doesn't change anything.

The Mozilla Maintenance log are some privilege errors (even if the user has full rights on the folder): Could not disable token privilege value: SeCreateTokenPrivilege. (1300) Could not disable token privilege value: SeEnableDelegationPrivilege. (1300) Could not disable token privilege value: SeMachineAccountPrivilege. (1300) Could not disable token privilege value: SeRelabelPrivilege. (1300) Could not disable token privilege value: SeRemoteShutdownPrivilege. (1300) Could not disable token privilege value: SeSyncAgentPrivilege. (1300) Could not disable token privilege value: SeTrustedCredManAccessPrivilege. (1300) Could not disable token privilege value: SeUnsolicitedInputPrivilege. (1313)

Are there other settings or registry keys which maybe could be changed by ACLs to block/unblock the UAC/Maintenance Service?

由ronronron于修改