[wix-users] when creating registry value, can I not log it to the MSI log file? [P]

John Cooper JoCooper at jackhenry.com
Fri Jul 8 07:08:17 PDT 2016 

Unless it's encrypted in the registry, you're trading one security problem for another.  Actually, persistence in the bootstrapper application handles this better because "Hidden" variables are not just hidden from logging (a la MSI) but encrypted in storage.  Either that, or encrypt a section in a config file using one of several available APIs.

Bottom line, storage in the registry is going to be plain text whether the property is "Hidden" or not in the MSI.  That buys you a problem.

--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com




-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Joel Budreau
Sent: Friday, July 8, 2016 9:04 AM
To: Steven.Ogilvie at titus.com
Cc: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] when creating registry value, can I not log it to the MSI log file? [P]

The e-mail below is from an external source.  Please do not open attachments or click links from an unknown or suspicious origin.

You could write the registry value through a custom action instead of the Registry table. That way you can use the <Property> element's 'Hidden'
attribute to hide the custom action's CustomActionData from the log file.

On Fri, Jul 8, 2016 at 5:45 AM, Steven Ogilvie <Steven.Ogilvie at titus.com>
wrote:

> Classification: Public
> I don't have time to create a custom BA
>
> Storing the info via registry value seemed like a good idea...
>
> 1. is there a way to *not* log the registry value to the MSI log file 
> 2. is there a better approach to get info from installer X to 
> installer Y (I am using a bootstrapper to kick off the installation)
>
> Thanks,
>
> Steve
>
>
>
>
> This message has been marked as Public by Steven Ogilvie on July 8, 
> 2016
> 8:45:01 AM.
> The above classification labels were added to the message by TITUS 
> Message Classification.For More information visit www.titus.com.
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Hoover, Jacob
> Sent: July 7, 2016 3:38 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log 
> it to the MSI log file? [P]
>
> Can't is a strong word.  A custom BA allows you to do anything a MSI 
> can do and more.
>
> Storing a password in the registry in plain text would be a security 
> concern, even if it's intermittent.  Having it in the logs is just one 
> more place it could be found.
>
> If it's acceptable for X to ask for it, then why can't Y ask for it as 
> well?  Then, if you have time to move the logic to a custom BA, you 
> could suppress the dialogs in both and property drive it from the command line.
>
> If Y isn't able to prompt for it, then how do you intend on handling Y 
> being ran a second time without X being ran first?
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Steven Ogilvie
> Sent: Thursday, July 07, 2016 2:09 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log 
> it to the MSI log file? [P]
>
> Classification: Public
> Can't do that...
>
> MSI installer X has a dialog that asks for information in order to 
> create a DB If Windows authentication there isn't a password If mixed 
> authentication (or just SQL) there will be a password
>
> MSI installer X has another dialog that asks information about the Web 
> site it will create It asks for the Web App Pool user + password 
> (however if the web app pool user is a system user, i.e. LocalSystem, 
> there isn't a password
>
> So some of that information is gathered in MSI installer X which MSI 
> installer Y will use and remove the registry entries by the end of the 
> install
>
> Thanks,
>
> Steve
>
>
>
>
> This message has been marked as Public by Steven Ogilvie on July 7, 
> 2016
> 3:09:19 PM.
> The above classification labels were added to the message by TITUS 
> Message Classification.For More information visit www.titus.com.
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Hoover, Jacob
> Sent: July 7, 2016 1:29 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log 
> it to the MSI log file?
>
> Create a bundle, gather the info in the bundle and pass it as a 
> MsiProperty to X and Y?
>
>
> > On Jul 7, 2016, at 12:20 PM, Steve Ogilvie <sogilvie at msn.com> wrote:
> >
> > Hi folks,
> >
> >
> >
> > I have several MSI's in my installer.
> >
> >
> >
> > Let's call two of them X and Y...
> >
> >
> >
> > Y requires some information from X
> >
> >
> >
> > So what I do is create some registry entries in X, which Y reads and 
> > later deletes the registry entries...
> >
> >
> >
> > 2 of those registry entries are passwords...
> >
> >
> >
> > Is there any way to *NOT* log the registry value into the MSI log 
> > file?
> >
> >
> >
> > i.e. when I use:
> >
> > <RegistryKey Id="ProductId" ForceCreateOnInstall="yes"
> > ForceDeleteOnUninstall="yes" Root="HKLM"
> > Key="SOFTWARE\MYCO\MyProduct">
> >
> > <!-- The password will be deleted by the next installer -->
> >
> > <RegistryValue Type="string" Name="Password" Value="[A_PASSWORD]"/>
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Steve
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant 
> > http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message, 
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution 
is strictly prohibited. If you have received this message in error, please 
immediately advise the sender by reply email and delete all copies.

More information about the wix-users mailing list