

How to update a desktop app - latitude
http://bvckup2.com/wip/#14022013

======
latitude
Took me a couple of days to figure this out, so I thought I'd share.

I also looked at the option of launching the program in a way that doesn't
lock the .exe. For one, it's complicated. It requires creating a process in a
Suspended state using a different executable, then basically gutting the
memory of that process and replacing it with your own process copy, which
needs to be fully prepped with all imports and relocations taken care of, etc.
In other words, it's pretty complicated.

But what's more important, the only type of software that employs this sort of
process launching is malware. In fact, the above method is derived
straight from one of the viruses that made rounds a couple of years ago [1],
and it was used by the virus to masquerade as a legit Windows process. So, in
other words, you employ this sort of hackery in your program - you will
quickly end up talking to anti-virus vendors about taking your software off
their blacklists. It's cool stuff, too bad it's off limits.

[1] <http://blogs.avg.com/news-threats/puppet-process>

------
Osiris
I have an application that has an update process, but it's complicated by the
fact that the application is really just a COM DLL that's loaded by
explorer.exe to run as a toolbar next to the clock. I'd have to shut down and
restart explorer.exe, which closes the user's desktop and start menu. Dropbox
seems to have found a way around this but I have no idea how they did it.

~~~
latitude
They probably use a proxy/stub process that uses the .exe that doesn't change
often.

------
nicholassmith
I did this a while back, and everything I tried was a series of horrible hacks
to get it sorted. With Windows, whilst it maintains a lock on the process so
you can't do anything nice like replace it, you can actually just rename
it to 'someapplication.old' then deal with it on relaunch. Made me miss
Sparkle very much.

------
TheAnimus
Does your re-starter program which listens on the named event have any sig
checking or similar?

First thing I thought when reading it was _Hmmm ability to run something as
another user_.

~~~
latitude
There's no point in checking it. If another user is running an executable that
you have full control over, then you can make him run anything you want
anyways.

~~~
TheAnimus
But it's not control over the binary executable file, it's the control over the
event?

Or am I really missing something here, and you set up the object with the
security token used on the binary file?

My question (sorry if it's super dumb and I'm missing something) is what
permissions are needed to communicate via the event?
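
On the permissions question above: signalling a Windows event needs a handle opened with EVENT_MODIFY_STATE and waiting on it needs SYNCHRONIZE, and the DACL set when the event is created decides who can get either. The following is an added example, not code from the thread or the linked article; it assumes Windows PowerShell 5.1 and uses a hypothetical event name, creates the event with an explicit DACL, and refuses an event that already existed.

```powershell
# Added example: assumes Windows PowerShell 5.1 (.NET Framework).
# The event name below is hypothetical, not taken from the linked article.
$name = 'Local\ExampleUpdaterRestart'

# Build a DACL with a single entry: only the current user may wait on
# (Synchronize) or signal (Modify, i.e. EVENT_MODIFY_STATE) the event.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl  = New-Object System.Security.AccessControl.EventWaitHandleSecurity
$rule = New-Object System.Security.AccessControl.EventWaitHandleAccessRule(
    $me,
    [System.Security.AccessControl.EventWaitHandleRights]'Synchronize, Modify',
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)

# Create the event with that DACL. If the name is already taken, the
# existing object is opened instead and keeps the DACL its creator chose,
# so $createdNew must be checked before the listener trusts the event.
$createdNew = $false
$evt = New-Object System.Threading.EventWaitHandle(
    $false, [System.Threading.EventResetMode]::AutoReset, $name,
    [ref]$createdNew, $acl)

try {
    if (-not $createdNew) {
        throw "Event '$name' already existed; refusing to listen on it."
    }

    # Read the DACL back from the live object to confirm what was applied.
    $evt.GetAccessControl().GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0} {1} {2}' -f $_.AccessControlType,
                             $_.IdentityReference,
                             $_.EventWaitHandleRights
        }

    # A listener would block in $evt.WaitOne() at this point.
}
finally {
    $evt.Close()
}
```

With this DACL, an attempt from a different, non-administrative account to open the event for EVENT_MODIFY_STATE fails with access denied.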

------
fredsted
Awesome post. There's some real talent behind those UI designs.

