Plugin: Install Launcher

Audience: IT admins and deployment engineers. This page describes InstallLauncher, a helper component that works with the RedirectEvaluator plugin to allow standard users to run .msi installers interactively without triggering nested UAC prompts.

What the InstallLauncher Plugin Does

When a user with Least Privilege applied tries to open an .msi file, the system would normally prompt for administrator credentials through Windows UAC — which standard users cannot satisfy. InstallLauncher solves this by intercepting the elevation request through the redirect capability and running msiexec.exe from within an already-elevated process, bypassing the nested UAC prompt entirely.

The result: the user gets the standard Windows Installer interface for the package they selected, and elevation is handled transparently by EPM without requiring admin credentials at the point of install.

How It Works

InstallLauncher operates as the redirect target in the LaunchPrivilegeElevation flow:

1. The user double-clicks or right-clicks an .msi file and selects Install.

2. EPM intercepts the privilege elevation request.

3. The elevation policy allows the request. The check-redirect task in the LaunchPrivilegeElevation job runs and evaluates the active redirect rules.

4. The built-in MSI rule matches: sourceExePattern matches msiexec.exe and commandLinePattern matches any .msi file path.

5. EPM denies the original msiexec.exe launch and instead starts InstallLauncher elevated via launch-elevated.

6. InstallLauncher calls msiexec.exe using UseShellExecute, passing the MSI path and any command-line arguments from the original request.

7. The user sees the native Windows Installer UI for the package.

Because msiexec.exe is started from within a process that is already elevated, there is no secondary UAC prompt for the installer or any helper processes it spawns.

For background on the redirect capability and how redirect rules are evaluated, see Reference: Redirect Capability.

Deployment

InstallLauncher is built and deployed alongside other EPM components:

• Build output location: publishoutput/Jobs/bin/InstallLauncher/

• Runtime location: Deploy to the same Jobs/bin/ directory as other EPM job tools.

The RedirectEvaluator plugin resolves InstallLauncher by short name from Jobs/bin/. No additional path configuration is required as long as it is deployed in the standard location.

Built-in MSI Redirect Rule

The default RedirectEvaluator plugin definition (KeeperPrivilegeManager/Plugins/RedirectEvaluator.json) ships with a redirect rule for .msi files already configured under metadata.redirect.rules:

This rule matches any privilege elevation request where msiexec.exe is invoked with an .msi path on the command line, and redirects it to InstallLauncher with the file path and original command line as arguments.

To modify or extend this rule — for example to restrict it to specific directories, add nonAdminOnly, or add rules for other installer types — edit Plugins/RedirectEvaluator.json directly on the endpoint, or push an updated configuration using a SettingsUpdate policy. See Plugin: RedirectEvaluator for details on deploying rule changes centrally.

Placeholder Tokens

The targetArguments field in a redirect rule supports the following tokens, which RedirectEvaluator expands before passing them to InstallLauncher:

The default rule uses "{FilePath}" {CommandLine}, which passes the full path quoted (to handle spaces) followed by any additional arguments the user or calling application supplied.

Elevation File Extensions

EPM's companion apps (Keeper Agent and Keeper Client) use a file called elevation-allowed-extensions.json, deployed alongside the application executable, to determine which file extensions are eligible to trigger a privilege elevation request. The .msi extension is included in this list by default.

To customize the allowed extensions for your deployment, create a JSON file with the following structure and point to it using the KEEPER_ELEVATION_EXTENSIONS_CONFIG environment variable:

If you omit a platform key, the built-in default for that platform is preserved. Set the environment variable KEEPER_ELEVATION_EXTENSIONS_CONFIG to the full path of your custom file to override the default at runtime.

User Interface

InstallLauncher launches msiexec.exe using UseShellExecute, which means the Windows Installer UI is fully native. Whatever interface the .msi package and its arguments specify is what the user sees:

• No custom arguments → standard interactive installation wizard.

• /quiet or /qn in the command line → silent or reduced-UI install, as defined by the package.

There is no additional EPM-provided UI. InstallLauncher is transparent to the user.

Silent Mode / Automation

By default, InstallLauncher does not write anything to stderr during a normal interactive elevation — there is nothing extra for the user to see or dismiss.

When running in automated or scripted contexts where a console is attached and you want failure details surfaced, enable silent mode using any of the following:

In silent mode, if msiexec.exe exits with a non-zero code, InstallLauncher writes a short failure summary to stderr. The process exit code is always the Windows Installer exit code regardless of this setting.

CLI Reference

InstallLauncher can also be invoked directly from a command prompt or script, independently of the redirect flow. This is useful for testing, automation, and scripted deployments.

Basic install:

Silent install:

Full msiexec control (repair, uninstall, product code):

Use -- as a separator when you need to pass arguments that begin with / or - directly to msiexec.exe without InstallLauncher interpreting them as its own flags. Everything after -- is forwarded verbatim.

Summary