From 72308a170607c060ada19f5d91f6d335d49adf75 Mon Sep 17 00:00:00 2001
From: Jonathan White <support@dmapps.us>
Date: Sat, 22 Nov 2025 13:03:56 -0500
Subject: [PATCH] Prevent launch on installer finish when run as SYSTEM

* This condition will only happen when KeePassXC is installed by MECM or similar deployment tool. This prevents accidental launch on exit if the packager forgot to set LAUNCHAPPONEXIT=0 in the msiexec call. Allowing launch on exit in these conditions would potentially allow a non-privileged user to assume the role of SYSTEM through the KeePassXC application.

* Fixes weakness reported by HackAndPwn, thank you!
---
 share/windows/wix-template.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/share/windows/wix-template.xml b/share/windows/wix-template.xml
index dac645f75..2d8c92fa1 100644
--- a/share/windows/wix-template.xml
+++ b/share/windows/wix-template.xml
@@ -121,6 +121,8 @@
         <SetProperty Id="AUTOSTARTPROGRAM" After="AppSearch" Value="" Sequence="first">AUTOSTARTPROGRAM="0" OR (WIX_UPGRADE_DETECTED AND NOT AUTOSTARTPROGRAM_REGISTRY)</SetProperty>
         <SetProperty Id="ADDTOPATH" After="AppSearch" Value="" Sequence="first">ADDTOPATH="0" OR (WIX_UPGRADE_DETECTED AND NOT ADDTOPATH_REGISTRY)</SetProperty>
         <SetProperty Id="LicenseAccepted" After="AppSearch" Value="1">WIX_UPGRADE_DETECTED</SetProperty>
+        <!-- Prevent launch on installer exit if run as SYSTEM user -->
+        <SetProperty Id="LAUNCHAPPONEXIT" After="AppSearch" Value="">UserSID = "S-1-5-18"</SetProperty>
 
         <FeatureRef Id="ProductFeature">
             <ComponentRef Id="ApplicationShortcuts" />