[wix-users] when creating registry value, can I not log it to the MSI log file? [P]
Phill Hogland
phill.hogland at rimage.com
Fri Jul 8 08:04:45 PDT 2016
If using a Burn bootstrapper then you have access to the Engine secure string variables and WcaUtil Secure functions for CAs. I have not worked with WixStdBA recently and not sure how to implement a secure password dialog when using WixStdBA, as I use a mba, but once you get the SecureString then it could be passed in a hidden MsiProperty to a CA in a table driven CA, which calls CryptProtectData prior to adding it as a temporary row in the Registry table. It took a long time for me to work out all of these details and figure out the correct flags/encoding to work with the MSI Registry table. (You can search the old wix-users nabble forum for much discussion on this at the time.) I can't just give you my employer's business specific code, but the key snippet is:
Entropy.pbData = entropy;
Entropy.cbData = sizeof(entropy);
dbEntropy = &Entropy;
DataIn.pbData = reinterpret_cast<BYTE*>(pwzPassword);
// Number of bytes in the string, including the null terminator (CryptProtectData has same results when space for NULL terminator is removed).
hr = ::StringCbLengthW(pwzRdpPassword, STRSAFE_MAX_CCH * sizeof(WCHAR), reinterpret_cast<size_t*>(&DataIn.cbData));
ExitOnFailure(hr, "Failed to calculate length of the password.");
DWORD dwProtectFlags = 0;
dwProtectFlags = dwProtectFlags | CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN;
DWORD dwBinaryToStringFlags = 0;
dwBinaryToStringFlags = dwBinaryToStringFlags | CRYPT_STRING_HEXRAW | CRYPT_STRING_NOCRLF;
if (FALSE != CryptProtectData(&DataIn, NULL, dbEntropy, NULL, NULL, dwProtectFlags, &DataOut))
{
DWORD size = 0;
if (FALSE != CryptBinaryToStringW(DataOut.pbData, DataOut.cbData, dwBinaryToStringFlags, NULL, &size))
{
hr = StrAllocSecure(&pwzBlob, size);
ExitOnFailure(hr, "Failed to allocate string buffer for the blob.");
if (FALSE != CryptBinaryToStringW(DataOut.pbData, DataOut.cbData, dwBinaryToStringFlags, pwzBlob, &size))
{
hr = StrAllocConcatSecure(&pwzRegValue, pwzBlob, STR_CC_AUTO);
ExitOnFailure(hr, "Failed to append the blob to the registry value.");
MSIDBERROR dbError = MSIDBERROR_NOERROR;
hr = WcaAddTempRecord(&hTempView, &hColumns,
L"Registry", // the table
&dbError, // try to get detailed error codes
1, // the column number of the key we want "uniquified" (uniqued?)
6, // the number of columns we're adding
L"MyBlob", // primary key (uniquified)
msidbRegistryRootLocalMachine,
L"Some\Registy\Path",
L"someKeyName",
pwzRegValue,
pwzComponentId);
ExitOnFailure(hr, "failed to add temporary registry row for MyBlob. dbError is: %d", dbError);
// NOTE: While above succeeds, when writing a 'REG_BINARY' any non-ASCII numeric value (like space) will cause msiexec to error when writing the registry key and report lack of permissions.
}
}
}
#pragma endregion
For more info on a semi-CA see:
https://www.joyofsetup.com/2007/07/01/semi-custom-actions/
Since this blog is dated and last I checked the prototypes had changed there are a number of semi-CA implementations in the wix src that are helpful examples. Once the blob is in the registry, any (C++, C#, etc.) application (or another MSI CA) can read the blob and decrypt it with the correct information.
Some examples:
http://www.overclock.net/t/1293731/windows-data-protection-api-c-and-c
https://msdn.microsoft.com/en-us/library/windows/desktop/aa382377(v=vs.85).aspx
I agree with those that have advised moving the UI to a Burn BA and using persisted hidden Burn variables. But also needed a secure persistence in the registry so that an install application could make use of the credentials. I don't know if any quick simple solution to these concerns. I hope this helps.
________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of John Cooper <JoCooper at jackhenry.com>
Sent: Friday, July 8, 2016 9:08:17 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] when creating registry value, can I not log it to the MSI log file? [P]
Unless it's encrypted in the registry, you're trading one security problem for another. Actually, persistence in the bootstrapper application handles this better because "Hidden" variables are not just hidden from logging (a la MSI) but encrypted in storage. Either that, or encrypt a section in a config file using one of several available APIs.
Bottom line, storage in the registry is going to be plain text whether the property is "Hidden" or not in the MSI. That buys you a problem.
--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS 66214 | Ext: 431050 |JoCooper at jackhenry.com
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Joel Budreau
Sent: Friday, July 8, 2016 9:04 AM
To: Steven.Ogilvie at titus.com
Cc: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] when creating registry value, can I not log it to the MSI log file? [P]
The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin.
You could write the registry value through a custom action instead of the Registry table. That way you can use the <Property> element's 'Hidden'
attribute to hide the custom action's CustomActionData from the log file.
On Fri, Jul 8, 2016 at 5:45 AM, Steven Ogilvie <Steven.Ogilvie at titus.com>
wrote:
> Classification: Public
> I don't have time to create a custom BA
>
> Storing the info via registry value seemed like a good idea...
>
> 1. is there a way to *not* log the registry value to the MSI log file
> 2. is there a better approach to get info from installer X to
> installer Y (I am using a bootstrapper to kick off the installation)
>
> Thanks,
>
> Steve
>
>
>
>
> This message has been marked as Public by Steven Ogilvie on July 8,
> 2016
> 8:45:01 AM.
> The above classification labels were added to the message by TITUS
> Message Classification.For More information visit www.titus.com<http://www.titus.com>.
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On
> Behalf Of Hoover, Jacob
> Sent: July 7, 2016 3:38 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log
> it to the MSI log file? [P]
>
> Can't is a strong word. A custom BA allows you to do anything a MSI
> can do and more.
>
> Storing a password in the registry in plain text would be a security
> concern, even if it's intermittent. Having it in the logs is just one
> more place it could be found.
>
> If it's acceptable for X to ask for it, then why can't Y ask for it as
> well? Then, if you have time to move the logic to a custom BA, you
> could suppress the dialogs in both and property drive it from the command line.
>
> If Y isn't able to prompt for it, then how do you intend on handling Y
> being ran a second time without X being ran first?
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On
> Behalf Of Steven Ogilvie
> Sent: Thursday, July 07, 2016 2:09 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log
> it to the MSI log file? [P]
>
> Classification: Public
> Can't do that...
>
> MSI installer X has a dialog that asks for information in order to
> create a DB If Windows authentication there isn't a password If mixed
> authentication (or just SQL) there will be a password
>
> MSI installer X has another dialog that asks information about the Web
> site it will create It asks for the Web App Pool user + password
> (however if the web app pool user is a system user, i.e. LocalSystem,
> there isn't a password
>
> So some of that information is gathered in MSI installer X which MSI
> installer Y will use and remove the registry entries by the end of the
> install
>
> Thanks,
>
> Steve
>
>
>
>
> This message has been marked as Public by Steven Ogilvie on July 7,
> 2016
> 3:09:19 PM.
> The above classification labels were added to the message by TITUS
> Message Classification.For More information visit www.titus.com<http://www.titus.com>.
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On
> Behalf Of Hoover, Jacob
> Sent: July 7, 2016 1:29 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] when creating registry value, can I not log
> it to the MSI log file?
>
> Create a bundle, gather the info in the bundle and pass it as a
> MsiProperty to X and Y?
>
>
> > On Jul 7, 2016, at 12:20 PM, Steve Ogilvie <sogilvie at msn.com> wrote:
> >
> > Hi folks,
> >
> >
> >
> > I have several MSI's in my installer.
> >
> >
> >
> > Let's call two of them X and Y...
> >
> >
> >
> > Y requires some information from X
> >
> >
> >
> > So what I do is create some registry entries in X, which Y reads and
> > later deletes the registry entries...
> >
> >
> >
> > 2 of those registry entries are passwords...
> >
> >
> >
> > Is there any way to *NOT* log the registry value into the MSI log
> > file?
> >
> >
> >
> > i.e. when I use:
> >
> > <RegistryKey Id="ProductId" ForceCreateOnInstall="yes"
> > ForceDeleteOnUninstall="yes" Root="HKLM"
> > Key="SOFTWARE\MYCO\MyProduct">
> >
> > <!-- The password will be deleted by the next installer -->
> >
> > <RegistryValue Type="string" Name="Password" Value="[A_PASSWORD]"/>
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Steve
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant
> > http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message,
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution
is strictly prohibited. If you have received this message in error, please
immediately advise the sender by reply email and delete all copies.
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
More information about the wix-users
mailing list