# Plugin: Install Launcher

**Audience:** IT admins and deployment engineers. This page describes **`InstallLauncher`**, a helper component that works with the `RedirectEvaluator` plugin to allow standard users to run `.msi` installers interactively without triggering nested UAC prompts.

## What the `InstallLauncher` Plugin Does

When a user with Least Privilege applied tries to open an `.msi` file, the system would normally prompt for administrator credentials through Windows UAC — which standard users cannot satisfy. **`InstallLauncher`** solves this by intercepting the elevation request through the redirect capability and running `msiexec.exe` from within an already-elevated process, bypassing the nested UAC prompt entirely.

The result: the user gets the standard Windows Installer interface for the package they selected, and elevation is handled transparently by EPM without requiring admin credentials at the point of install.

## How It Works

`InstallLauncher` operates as the redirect target in the LaunchPrivilegeElevation flow:

1. The user double-clicks or right-clicks an `.msi` file and selects **Install**.
2. EPM intercepts the privilege elevation request.
3. The elevation policy allows the request. The **check-redirect** task in the LaunchPrivilegeElevation job runs and evaluates the active redirect rules.
4. The built-in MSI rule matches: `sourceExePattern` matches `msiexec.exe` and `commandLinePattern` matches any `.msi` file path.
5. EPM denies the original `msiexec.exe` launch and instead starts **InstallLauncher** elevated via `launch-elevated`.
6. `InstallLauncher` calls `msiexec.exe` using `UseShellExecute`, passing the MSI path and any command-line arguments from the original request.
7. The user sees the native Windows Installer UI for the package.

Because `msiexec.exe` is started from within a process that is already elevated, there is no secondary UAC prompt for the installer or any helper processes it spawns.

For background on the redirect capability and how redirect rules are evaluated, see [Reference: Redirect Capability](/keeperpam/endpoint-privilege-manager/reference/redirect-capability.md).

## Deployment

`InstallLauncher` is built and deployed alongside other EPM components:

* **Build output location:** `publishoutput/Jobs/bin/InstallLauncher/`
* **Runtime location:** Deploy to the same `Jobs/bin/` directory as other EPM job tools.

The `RedirectEvaluator` plugin resolves `InstallLauncher` by short name from `Jobs/bin/`. No additional path configuration is required as long as it is deployed in the standard location.

## Built-in MSI Redirect Rule

The default `RedirectEvaluator` plugin definition (`KeeperPrivilegeManager/Plugins/RedirectEvaluator.json`) ships with a redirect rule for `.msi` files already configured under `metadata.redirect.rules`:

```json
{
  "sourceExePattern": "msiexec\\.exe",
  "commandLinePattern": "\\.msi",
  "elevationOnly": true,
  "targetExe": "InstallLauncher",
  "targetArguments": "\"{FilePath}\" {CommandLine}"
}
```

This rule matches any privilege elevation request where `msiexec.exe` is invoked with an `.msi` path on the command line, and redirects it to `InstallLauncher` with the file path and original command line as arguments.

To modify or extend this rule — for example to restrict it to specific directories, add `nonAdminOnly`, or add rules for other installer types — edit `Plugins/RedirectEvaluator.json` directly on the endpoint, or push an updated configuration using a `SettingsUpdate` policy. See [Plugin: RedirectEvaluator](/keeperpam/endpoint-privilege-manager/integrations/examples/redirectevaluator-plugin-configuration.md) for details on deploying rule changes centrally.

## Placeholder Tokens

The `targetArguments` field in a redirect rule supports the following tokens, which `RedirectEvaluator` expands before passing them to `InstallLauncher`:

<table><thead><tr><th width="192">Token</th><th>Value</th></tr></thead><tbody><tr><td><code>{FilePath}</code></td><td>Full path of the <code>.msi</code> file from the elevation request</td></tr><tr><td><code>{FileName}</code></td><td>Base file name only (e.g. <code>installer.msi</code>)</td></tr><tr><td><code>{Directory}</code></td><td>Directory containing the file</td></tr><tr><td><code>{CommandLine}</code></td><td>Command line from the original elevation request (may be empty)</td></tr></tbody></table>

The default rule uses `"{FilePath}" {CommandLine}`, which passes the full path quoted (to handle spaces) followed by any additional arguments the user or calling application supplied.

## Elevation File Extensions

EPM's companion apps (Keeper Agent and Keeper Client) use a file called `elevation-allowed-extensions.json`, deployed alongside the application executable, to determine which file extensions are eligible to trigger a privilege elevation request. The `.msi` extension is included in this list by default.

**To customize the allowed extensions for your deployment**, create a JSON file with the following structure and point to it using the `KEEPER_ELEVATION_EXTENSIONS_CONFIG` environment variable:

```json
{
  "windows": [".msi", ".exe"],
  "linux": [".sh", ".run"],
  "macos": [".pkg", ".dmg"]
}
```

If you omit a platform key, the built-in default for that platform is preserved. Set the environment variable `KEEPER_ELEVATION_EXTENSIONS_CONFIG` to the full path of your custom file to override the default at runtime.

## User Interface

`InstallLauncher` launches `msiexec.exe` using `UseShellExecute`, which means the Windows Installer UI is fully native. Whatever interface the `.msi` package and its arguments specify is what the user sees:

* No custom arguments → standard interactive installation wizard.
* `/quiet` or `/qn` in the command line → silent or reduced-UI install, as defined by the package.

There is no additional EPM-provided UI. `InstallLauncher` is transparent to the user.

## Silent Mode / Automation

By default, `InstallLauncher` does not write anything to stderr during a normal interactive elevation — there is nothing extra for the user to see or dismiss.

When running in automated or scripted contexts where a console is attached and you want failure details surfaced, enable silent mode using any of the following:

<table><thead><tr><th width="302">Method</th><th>Value</th></tr></thead><tbody><tr><td>Command-line flag</td><td><code>--silent</code> or <code>--quiet-ui</code> or <code>/silent</code></td></tr><tr><td>Environment variable</td><td><code>KEEPER_INSTALL_LAUNCHER_SILENT=1</code> or <code>KEEPER_INSTALL_LAUNCHER_SILENT=true</code></td></tr></tbody></table>

In silent mode, if `msiexec.exe` exits with a non-zero code, `InstallLauncher` writes a short failure summary to `stderr`. The process exit code is always the Windows Installer exit code regardless of this setting.

## CLI Reference

`InstallLauncher` can also be invoked directly from a command prompt or script, independently of the redirect flow. This is useful for testing, automation, and scripted deployments.

**Basic install:**

```
InstallLauncher C:\path\to\package.msi
```

**Silent install:**

```
InstallLauncher --silent C:\path\to\package.msi /qn
```

**Full msiexec control (repair, uninstall, product code):**

```
InstallLauncher -- /x {PRODUCT-CODE} /qn
```

Use `--` as a separator when you need to pass arguments that begin with `/` or `-` directly to `msiexec.exe` without `InstallLauncher` interpreting them as its own flags. Everything after `--` is forwarded verbatim.

<table><thead><tr><th width="287.333251953125">Argument</th><th>Description</th></tr></thead><tbody><tr><td><code>&#x3C;path>.msi [args]</code></td><td>Path to the <code>.msi</code> file, optionally followed by msiexec arguments</td></tr><tr><td><code>-- &#x3C;msiexec args></code></td><td>Pass arguments directly to <code>msiexec.exe</code> (use for repair, uninstall, product codes)</td></tr><tr><td><code>--silent</code> / <code>--quiet-ui</code> / <code>/silent</code></td><td>Print failure details to stderr when msiexec exits non-zero</td></tr></tbody></table>

## Summary

<table><thead><tr><th width="176.666748046875">Topic</th><th>Detail</th></tr></thead><tbody><tr><td><strong>What it does</strong></td><td>Runs <code>msiexec.exe</code> from an already-elevated process so <code>.msi</code> files install without a UAC prompt</td></tr><tr><td><strong>How it's triggered</strong></td><td>Via the <code>RedirectEvaluator</code> built-in MSI redirect rule in the LaunchPrivilegeElevation flow</td></tr><tr><td><strong>Where to deploy</strong></td><td><code>Jobs/bin/InstallLauncher/</code> alongside other EPM job tools</td></tr><tr><td><strong>Default rule</strong></td><td>Ships in <code>Plugins/RedirectEvaluator.json</code>; matches <code>msiexec.exe</code> + <code>.msi</code> on the command line</td></tr><tr><td><strong>UI</strong></td><td>Native Windows Installer UI; no EPM interface added</td></tr><tr><td><strong>Silent mode</strong></td><td><code>--silent</code> or <code>KEEPER_INSTALL_LAUNCHER_SILENT=1</code> — stderr failure summary only; exit code is always the msiexec result</td></tr><tr><td><strong>Allowed extensions</strong></td><td>Configured via <code>elevation-allowed-extensions.json</code>; override path with <code>KEEPER_ELEVATION_EXTENSIONS_CONFIG</code></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/integrations/examples/plugin-install-launcher.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.