Most Windows users don't pay much attention to how desktop programs are installed on their system. For years we've been trained to seek out a website, download an EXE or MSI file, and then click, click, click our way through the installation.

It's an easy method, but it's also time consuming because of the manual interaction.

A burgeoning project called Chocolatey wants to make it easy to install desktop apps without having to click through an interminable number of installation windows.

What is Chocolatey?

Chocolatey is a command line application installer for Windows based on a developer-centric package manager called NuGet. Unlike manual installations, Chocolatey adds, updates, and uninstalls programs in the background requiring very little user interaction.

Chocolatey has its own package feed that is created and maintained by the project's community members.

Behind the scenes, most Chocolatey packages simply download a program's official executable and install it without any further interaction from the user.

You lost me at "command line"

No, wait, here me out!

Getting new programs the old fashioned way is very easy, but manual installs are also inefficient. Wouldn't you rather spend your time checking out the latest cat videos on YouTube while your PC goes about installing programs by itself?

That's the promise of Chocolatey. If the program has any dependencies, such as the .NET framework, Chocolatey will install those too.

Chocolatey can also take care of multiple program installations.

Imagine cracking open a new PC, downloading Chocolatey and then typing a one-line command to install all the programs you'd like to have on your new machine. That's what Chocolatey does.

Installing Chocolatey

Getting Chocolatey onto your system is very simple since the commands can be copied and pasted into your command prompt from Chocolatey.org. To start, you need to open an elevated command prompt.

To do this in Windows 8.1, click on the Start button and go to the all apps screen. Under the Windows System heading find Command Prompt, right click-it and select Run as administrator.  When the User Account Control window opens, authorize it by clicking Yes.

A command prompt window should open with something like C:\WINDOWS\system32.

Next, visit Chocolatey.org and copy the first box. At this writing, the commands were:

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

Paste it into the prompt, press Enter and your PC will take care of the rest.

Usually doing a copy and paste of commands is not advisable, but in this case it's just fine.

So you can rest easier, let's break the instructions down a little bit: These commands are telling your PC to launch PowerShell and don't load any custom profiles a power user might have. Next, it tells Windows to set the execution policy to unrestricted to allow any PowerShell script to be run and then download and run the Chocolatey install script.

Chocolatey basics

Installing programs Chocolatey style

Once you've got Chocolatey up and running, it's time to start installing programs. Open an administrative command prompt again and type cinst [program name].If you wanted to install VLC you'd type: 

cinst vlc

Pretty easy, right? The trick is that you need to know the exact name Chocolatey uses for each program. You can't just type Chrome or Google-Chrome and expect Chocolatey to figure it out.

To find the names of programs, you can try playing around on the command line with the trial and error method (which works more often than you'd think). If you don't have that kind of time, search Chocolatey.org's online package catalog for programs. You can also search for packages right on the command line:

choco search [keyword]

Multiple installs

There are two ways to install multiple programs in one sitting with Chocolatey. The first is to type multiple arguments into the command line. If you wanted to install VLC, GIMP, and Firefox you'd type:

cinst vlc gimp Firefox

For much larger batches of programs, however, you're better off creating an XML document with a .config file extension and formatting it like so:

<?xml version="1.0" encoding="utf-8"?><packages> <package id="UTorrent" /> <package id="notepadplusplus" /> <package id="IrfanView" /></packages>

That basic document structure can include as many programs as you like, and can even include alternative sources other than Chocolatey's community feed. For a more thorough tutorial on creating a multiple install file, check out developerFusion.

Uninstalling and updating

Updating installed programs via Chocolatey is simple too. Type cup [program name] into an administrative command. To update DosBox, for example, type:

cup dosbox

You can also update all your programs by typing cup all. If your package is using an alternative source other than the main Chocolatey package feed, you can type:

cup [package name] --source [source URL]

Uninstalling a package is a little different. Going back to our example, you'd type the following to uninstall DosBox:

choco uninstall dosbox

On the next page, we'll cover standardized commands and security concerns.

A word about standardization

Anyone who's used to a package manager on Linux will immediately notice that Chocolatey uses three different commands (cinst, cup, and choco) to carry out operations. That's a very non-standard way of doing things compared to the Linux-based apt-get or pacman, both of which start every command with apt-get and pacman, respectively.

To better standardize usage, you can use the command format choco [command] to invoke Chocolatey. So instead of typing cinst dosbox, you can use the install command:

choco install dosbox

To update, you can use the update command:

choco update dosbox

Even though the standardized approach is favored, Chocolatey's creator Rob Reynolds says the shorthand commands will remain a part of the project. So feel free to use whichever group of commands you find easier.

But what about security?

Chocolatey is convenient, but there's no way around the fact it's not an ideal choice if you're concerned about security for your PC right now. Installing programs with Chocolatey requires that you trust the package creator.

You could monitor Chocolatey as it installs your programs to see which sites the downloads are coming from, but that defeats the convenience of using Chocolatey as an automated process.

The implicit trust model probably means that pulling from the Chocolatey community feed is wouldn't be the best choice for large enterprises or even smaller companies. That said, Chocolatey can be tuned to rely on a private feed controlled by the company where all packages are vetted by the IT department.

While security is not ideal right now, Reynolds says there are some big changes in the works for future versions of Chocolatey. Over the next year, trusted community members will begin moderating the stable feed and all packages will be reviewed before being added. Approved packages will include cryptographic signing by the moderator who approved it.  

Future versions of Chocolatey will include a scanning algorithm to detect packages with malicious intent. Users will also be able to control who they trust by accepting or denying packages based on public key signatures, just like package managers in Linux. 

Alternatives to Chocolatey

In April, the company introduced OneGet, a package manager interface for PowerShell 5.0. OneGet is essentially a manager for package managers that allows you to access downloads from multiple package managers--like Chocolatey and NuGet--in one spot. The first version of OneGet relies solely on the Chocolatey package feed.

Microsoft's project is still a work in progress and appears to be mostly a tool for system administrators. Chocolatey, by comparison, is aimed at any Windows user willing to give it a try.

You can't live on Chocolatey alone

Although Chocolatey sounds pretty tasty, it isn't for every program out there. You can't use Chocolatey for a program stuck behind a paywall, for instance. However, any programs that are free to download and ask for a purchase or license key are fair game.

Unless you want to start seeking out new sources or creating your own packages, you are restricted to what's in the community feed.

The current feed is pretty large, with more than 2,000 unique packages and more than 8,000 total at time of writing. It includes a variety of programs including all the major third-party web browsers, uTorrent, Vuze, Notepad++, Sublime Text (versions 2 and 3), VLC, Office 365 Home Premium, CCleaner, GIMP, IrfanView, Skype, and many others.  

Chocolatey may not be for every Windows user, but anyone who wants to get their hands a little dirty on the command line will find a very useful tool with this package manager for Windows.