A system detects an application attempting to invoke an administrative utility on a target application for installation of software. In response, the system identifies the administrative utility as an installer launcher. The system then detects the installer launcher invoking execution of the target application, and in response, identifies the target application as an installation application. The system allows classification of applications as installer launchers and installation applications and in response to detecting operation of such programs, enforces installation security profiles during their operations that apply varying levels of access to certain system resources that differ from a level of access normally applied during non-installation activities.