2

I want to specify property as restricted property in Wix installer, in wix .wxs file.

  <Property Id="PROP1">
     <RegistrySearch Id="Prop1"
                     Root="HKLM"
                     Key="SYSTEM\CurrentControlSet\Services\mysvc"
                     Name="installers"
                     Type="raw" />
  </Property>
  <Property Id="PROP2">
     <RegistrySearch Id="Prop2"
                     Root="HKLM"
                     Key="SYSTEM\CurrentControlSet\Services\mysvc"
                     Name="DisplayName"
                     Type="raw" />
  </Property>

Any idea?

Wanted to make PROP1, PROP2 private / secured.

Tried with making them as lowercase but RegistrySearch doesn't accept it:

error CNDL0012 : The Property/@Id attribute's value, 'Prop1', cannot contain lowercase characters.

Since this is a search property, it must also be a public property. This means the Property/@Id value must be completely uppercase.

Stein Åsmul
  • 39,960
  • 25
  • 91
  • 164
user3664223
  • 305
  • 3
  • 19
  • What behavior are you trying to ensure? It sounds like you want to prevent a user from overriding this property's value, but SecureCustomProperties doesn't have that effect. (If anything, it's closer to the opposite.) – Michael Urman Apr 11 '18 at 19:41

1 Answers1

1

I believe you need to set the attibute Secure="yes" for the Property element in order for the property in question to be added to the SecureCustomProperties list in your compiled MSI file.

Sample:

<Property Id="MYPROPERTY1" Secure="yes" Value="SomeValue" /> 
<Property Id="MYPROPERTY2" Secure="yes" Value="SomeOtherValue" />

The resultant SecureCustomProperties value in the compiled MSI (with two auto-generated properties as well): MYPROPERTY1;MYPROPERTY2;WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED

Your Case:

So in your case something like the below (I set the property value to 0 in case the registry search finds nothing - then I have a default value):

<Property Id="PROP1" Secure="yes" Value="0" >
   <RegistrySearch Id="Prop1"
                   Root="HKLM"
                   Key="SYSTEM\CurrentControlSet\Services\mysvc"
                   Name="installers"
                   Type="raw" />
</Property>

The SecureCustomProperties list all the properties that can be sent to deferred mode - which runs elevated - when the installing user is not an administrator, but a standard users who is installing with elevated rights. For a good technical overview of the issue, maybe check out: Restricted Public Properties.

Digression:

And now, the mandatory digression: there was a case a while back when I needed to be able to override the value of SecureCustomProperties myself for some reason - rather than having it auto-generated based on all the properties with the Secure="yes" flag set.

For my life I cannot remember the particulars of the reasoning behind the need right now. Maybe Chris or Phil will remember / know of similar cases. I think it related to properties being added auto-magically to my MSI by WiX, but they were not set secured and I needed to make them secure in order to reliably access their values in deferred mode. I don't remember what WiX feature it related to.

Stein Åsmul
  • 39,960
  • 25
  • 91
  • 164
  • Thanks for answer, can I ensure that the variable is not public, using cmdline on MSI. – user3664223 Apr 13 '18 at 06:52
  • There is the [MsiHiddenProperties Property](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370308(v=vs.85).aspx) - please read the linked documentation thoroughly. You can add a [WiX property](http://wixtoolset.org/documentation/manual/v3/xsd/wix/property.html) to this list of hidden properties by setting the attribute `Hidden="yes"`. [This Symantec article seems to be a good summary of prevening sensitive information getting into the log file](https://www.symantec.com/connect/blogs/preventing-confidential-information-being-written-log-file). – Stein Åsmul Apr 14 '18 at 02:31
  • And another link for safekeeping: https://www.advancedinstaller.com/forums/viewtopic.php?t=30546. – Stein Åsmul Apr 14 '18 at 02:49