Understanding the force_install input in the InstallFromFile method

Overview

force_install | Type: boolean | Platform: Windows only | Optional: True

The force_install option tells the SDK to preprocess and install the product even if the installer does not comply with certain Windows security mechanisms.

• When force_install = false (default): The SDK validates the installer against Windows security mechanisms. If any issues are detected, the installation fails with an error, and no action is applied.
• When force_install = true: The SDK attempts to bypass two Windows security mechanisms by preprocessing the installer: Mark of the Web (MOTW) and low integrity level. Use this option only if you fully trust the installer and accept that the SDK may modify it during preprocessing.

Windows Security Mechanisms Involved

Mark of the Web (MOTW)

• MOTW is a hidden security tag added to files downloaded from the internet.

• It indicates an untrusted origin, causing Windows to:

  • Show warnings (e.g., Protected View in Microsoft Office)
  • Trigger SmartScreen prompts for executables

• This helps prevent automatic execution of potentially malicious files.

• In some cases, attackers may attempt to bypass MOTW by using specific file types (e.g., compressed archives).

References

• https://support.microsoft.com/en-us/windows/download-files-from-the-web-abb92c09-af3a-bd99-d279-a89848b54b0b
• https://windowsforum.com/threads/windows-11-preview-pane-now-blocks-internet-marked-files-motw.386415/

How to simulate a MOTW file

Download the installer directly from the internet (browser) or use PowerShell:

Set-Content -Path '.\filename.ext' -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Integrity Level (Windows Mandatory Integrity Control)

• Every process and many objects (files, registry keys, etc.) in Windows have an integrity level, such as:

  • Low
  • Medium (default for standard users)
  • High (typical for administrators)
  • System

• A lower‑integrity process cannot modify higher‑integrity objects.

• This prevents untrusted or low‑privileged processes from changing critical files or system resources.

• You can view or modify integrity levels using tools like:

  • Process Explorer (procexp)
  • The icacls command

Both MOTW and low integrity level are designed to mitigate risks from untrusted files and protect the system from potentially malicious installers.

References

• https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
• https://learn.microsoft.com/en-us/windows/security/book/application-security-application-isolation

How to simulate low integrity level

Using icacls:

icacls "path\to\your\file" /setintegritylevel L

Use Cases and Error Scenarios

When force_install = false

In this mode, the SDK strictly enforces Windows security mechanisms. If the installer violates certain conditions, the SDK fails with one of the following errors, and no preprocessing or installation is performed:

When force_install = true

When force_install is enabled, the SDK attempts to preprocess the installer to make it acceptable for installation, even if Windows security mechanisms would normally block it.

During preprocessing, the SDK tries to:

• Remove the Mark of the Web (MOTW) from the installer.
• Increase the integrity level of the installer if it is too low.

If the SDK fails to complete these preprocessing steps, it returns the following error, and the installation does not proceed: