[wix-users] Deferred CustomAction in System context get access denied

Ilir Bekteshi ilir.sb at gmail.com
Tue Dec 20 02:32:31 PST 2016 

Just found this article
http://microsoft.public.platformsdk.msi.narkive.com/KUhURDax/msi-custom-action-privileges
and
according to them Windows Installer is not able to get more privileges than
it is assigned to. What gives?

On Fri, Dec 16, 2016 at 3:14 PM Phill Hogland <phill.hogland at rimage.com>
wrote:

> Here are the change details adding the SeDebugPrivilege prior to making
> the call.
>
>
> https://github.com/wixtoolset/wix3/pull/189/commits/f743a7ebfad7cace9f1d3fb587e07811f201ee6f
>
>
> ________________________________
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of
> Phill Hogland <phill.hogland at rimage.com>
> Sent: Friday, December 16, 2016 8:01:50 AM
> To: wix-users at lists.wixtoolset.org
> Subject: Re: [wix-users] Deferred CustomAction in System context get
> access denied
>
> I use:
>
>  <util:RestartResource ServiceName="My_Service_Short_Name"/>
>
>
> I worked on wix bug 4592 which was incorporated into 3.10 almost a year
> ago, to address this very issue where the user context of the target
> process is different than the user context which is trying to terminate the
> process.  The implementation makes a 'best effort' and particularly in a
> 'per user' scenario there may be some edge scenarios where it still will
> not be able to terminate the process.  But in 'per-machine' setups the
> existing implementation should meet your needs (or you can look at the wix
> source and implement similar API calls to add the necessary privileged to
> the calling thread, in your CA).
>
>
>
> ________________________________
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of
> Ilir Bekteshi <ilir.sb at gmail.com>
> Sent: Friday, December 16, 2016 3:44:55 AM
> To: wix-users at lists.wixtoolset.org
> Subject: [wix-users] Deferred CustomAction in System context get access
> denied
>
> I'm having some problems with privileges when running a CustomAction in
> deferred mode.
>
> I want to kill some Service processes which could be running using
> different user accounts from Local System to regular users, but the CA
> succeeds only when the processes and the CA are executed as the same user.
> Here are some cases and results:
>
> "process1.exe" is a process running as the same user running the
> installation. If the kill CA is run in System context using
> Impersonate="no" the access is denied.
> "process1.exe" is a process running as the same user running the
> installation. If the kill CA is run in User context using Impersonate="yes"
> the process is killed.
>
> "process1.exe" is a process running as another user. If the kill CA is run
> in User context using Impersonate="yes" the access is denied.
> "process1.exe" is a process running as another user. If the kill CA is run
> in System context using Impersonate="no" the access is denied
>
> "process1.exe" is a process running as Local System. If the kill CA is run
> in User context using Impersonate="yes" the access is denied.
> "process1.exe" is a process running as Local System. If the kill CA is run
> in System context using Impersonate="no" the process is killed.
>
> <SetProperty Id="KillUserProcess"
> Value='"[WindowsFolder]\System32\taskkill.exe" /F /IM process1.exe'
> After="CostFinalize" />
> <CustomAction Id="KillUserProcess" BinaryKey="WixCA" DllEntry="CAQuietExec"
> Execute="deferred" Impersonate="no" Return="check" />
>
> <SetProperty Id="KillSysProcess"
> Value='"[WindowsFolder]\System32\taskkill.exe" /F /IM process2.exe'
> After="CostFinalize" />
> <CustomAction Id="KillSysProcess" BinaryKey="WixCA" DllEntry="CAQuietExec"
> Execute="deferred" Impersonate="no" Return="check" />
>
> <InstallExecuteSequence>
> <Custom Action="KillUserProcess" After="InstallInitialize"></Custom>
> <Custom Action="KillSysProcess" After="KillUserProcess"></Custom>
> </InstallExecuteSequence>
>
>
> Action=KillUserProcess,ActionType=3137,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Windows\System32\taskkill.exe"
> /F /IM process1.exe)
> CAQuietExec:  "C:\Windows\System32\taskkill.exe" /F /IM process1.exe
> CAQuietExec:  ERROR: The process "process1.exe" with PID 3164 could not be
> terminated.
> CAQuietExec:  Reason: Access is denied.
> CAQuietExec:
> CAQuietExec:  Error 0x80070001: Command line returned an error.
> CAQuietExec:  Error 0x80070001: QuietExec Failed
> CAQuietExec:  Error 0x80070001: Failed in ExecCommon method
>
>
> Action=KillSysProcess,ActionType=3137,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Windows\System32\taskkill.exe"
> /F /IM process2.exe)
> CAQuietExec:  "C:\Windows\System32\taskkill.exe" /F /IM process2.exe
> CAQuietExec:  SUCCESS: The process "process2.exe" with PID 4596 has been
> terminated.
>
>
> If LocalSystem doesn't have the rights to kill the processes, who does?
> Running these commands from Command Prompt work without problem when
> elevated.
> Even using psexec from SysInternal to run the command as System work
> without a problem. Only when running through MSI are these issues faced.
>
> Is it possible to make a Custom Action running as a System kill processes
> not owned only by System?
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>

More information about the wix-users mailing list