[wix-users] System registry key started showing up in our MSI

Fri Dec 3 12:26:47 PST 2021

Or COM?

On Fri, Dec 3, 2021, 12:11 Mike Henseler <m.henseler at simfront.com> wrote:

> Are you harvesting a .reg file? specifically
>
>
>
> *From:* Edwin Castro <egcastr at gmail.com>
> *Sent:* December 3, 2021 3:06 PM
> *To:* Dennis Costello <dennis.costello at prudential.com>
> *Cc:* WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>;
> Mike Henseler <m.henseler at simfront.com>
> *Subject:* Re: [wix-users] System registry key started showing up in our
> MSI
>
>
>
> Are you harvesting anything?
>
>
>
> --
>
> Edwin G. Castro
>
>
>
> On Fri, Dec 3, 2021 at 11:23 AM Dennis Costello <
> dennis.costello at prudential.com> wrote:
>
> Its showing up in our uninstall logs and I see the registry key in the
> registry table in the MSI so it certainly seems like its our install.  I
> just don’t know how it’s getting into the MSI.
>
>
>
> MSI (s) (34:34) [13:58:07:251]: Executing op:
> RegOpenKey(Root=-2147483646,Key=System\CurrentControlSet\Services\WinSock2\Parameters,,BinaryType=0,,)
>
> MSI (s) (34:34) [13:58:07:251]: Executing op:
> RegRemoveValue(Name=WinSock_Registry_Version,Value=2.0,)
>
>
>
> *From:* Edwin Castro <egcastr at gmail.com>
> *Sent:* Friday, December 3, 2021 2:17 PM
> *To:* WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> *Cc:* Dennis Costello <dennis.costello at prudential.com>; Mike Henseler <
> m.henseler at simfront.com>
> *Subject:* Re: [wix-users] System registry key started showing up in our
> MSI
>
>
>
> Use ProcMon to determine which process is deleting the key and work back
> up to the process chain to see if this is even happening as a result of
> msiexec at all.
>
>
>
> --
>
> Edwin G. Castro
>
>
>
>
>
> On Fri, Dec 3, 2021 at 10:52 AM Mike Henseler via wix-users <
> wix-users at lists.wixtoolset.org> wrote:
>
> Try running these cmds manually and see if any are deleting the key.
> But of course this wont explain why it is intermittent.
>
>
>
> -----Original Message-----
> From: Dennis Costello <dennis.costello at prudential.com>
> Sent: December 3, 2021 1:47 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Mike Henseler <m.henseler at simfront.com>
> Subject: RE: System registry key started showing up in our MSI
>
> Ok, we do have custom actions to run cmd and add 3 ports on install and
> uninstall the 3 ports.
>
>     <CustomAction Id="AddPort1" Directory="INSTALLFOLDER" Execute="commit"
> Impersonate="no" ExeCommand="cmd.exe /c "netsh http add urlacl
> url=http://+:40266/ user=Everyone"" Return="ignore" />
>     <CustomAction Id="AddPort2" Directory="INSTALLFOLDER" Execute="commit"
> Impersonate="no" ExeCommand="cmd.exe /c "netsh http add urlacl
> url=http://+:50266/ user=Everyone"" Return="ignore" />
>     <CustomAction Id="AddPort3" Directory="INSTALLFOLDER" Execute="commit"
> Impersonate="no" ExeCommand="cmd.exe /c "netsh http add urlacl
> url=http://+:60266/ user=Everyone"" Return="ignore" />
>     <CustomAction Id="DeletePort1" Directory="INSTALLFOLDER"
> Execute="commit" Impersonate="no" ExeCommand="cmd.exe /c "netsh http
> delete urlacl url=http://+:40266/"" Return="ignore" />
>     <CustomAction Id="DeletePort2" Directory="INSTALLFOLDER"
> Execute="commit" Impersonate="no" ExeCommand="cmd.exe /c "netsh http
> delete urlacl url=http://+:50266/"" Return="ignore" />
>     <CustomAction Id="DeletePort3" Directory="INSTALLFOLDER"
> Execute="commit" Impersonate="no" ExeCommand="cmd.exe /c "netsh http
> delete urlacl url=http://+:60266/"" Return="ignore" />
>
> And then the InstallExecuteSequence:
>         <Custom Action="DeletePort1" After="BackupDatabases">REMOVE =
> "ALL"</Custom>
>         <Custom Action="DeletePort2" After="DeletePort1">REMOVE =
> "ALL"</Custom>
>         <Custom Action="DeletePort3" After="DeletePort2">REMOVE =
> "ALL"</Custom>
>
> This has been part of the code for years and again, that key doesn't show
> up in every build.  Any idea why it would affect the registry?
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of
> Mike Henseler via wix-users
> Sent: Friday, December 3, 2021 1:40 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Mike Henseler <m.henseler at simfront.com>
> Subject: Re: [wix-users] System registry key started showing up in our MSI
>
> Also watch for any activity like this cmd " netsh winsock reset" or any
> other action that may affect that registry without explicitly referring to
> it
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Rob
> Mensching via wix-users
> Sent: December 3, 2021 1:33 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Rob Mensching <rob at firegiant.com>
> Subject: Re: [wix-users] System registry key started showing up in our MSI
>
> A verbose log file will show you what the MSI did and hopefully any Custom
> Actions in the MSI log their work as well.
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of
> Hoover, Jacob via wix-users
> Sent: Friday, December 3, 2021 10:31 AM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Hoover, Jacob <Jacob.Hoover at greenheck.com>
> Subject: Re: [wix-users] System registry key started showing up in our MSI
>
> Any custom actions?  Have you inspected a known bad MSI with orca?
>
> Windows Installer isn't going to nuke a key if it isn't referenced in the
> authoring, which is why I suspect a CA or you are invoking an exe/script on
> uninstall that may be causing this behavior.
>
>
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of
> Dennis Costello via wix-users
> Sent: Friday, December 3, 2021 12:23 PM
> To: wix-users at lists.wixtoolset.org
> Cc: Dennis Costello <dennis.costello at prudential.com>
> Subject: [wix-users] System registry key started showing up in our MSI
>
> We have been using a wix project to build our deployment for several years
> now and very recently we started experiencing a problem with machines not
> being able to boot after our system was uninstalled. After several days of
> investigating it was found that our uninstall was removing the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version
> registry key, thus disabling Windows completely. We do not have any
> references to this key, nor have we had this problem prior to about 2 weeks
> ago. We haven't made any code changes to our wix project since early August
> and that was a very minor change. We build and test our system daily so we
> know that this just started happening very recently, but here's the kicker
> for us, it doesn't happen every build! The same compile machine is used for
> every build, but using Orca I do not see the Registry entry in every msi!
>
> We are at a complete loss as to where to even begin to figure out what is
> going on. I could say some how the registry key is being picked up from the
> compile machine, but it doesn't happen every build. Any help would be
> greatly appreciated.
>
> Thank you!
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C1bbcb91b110c43c4e24f08d9b68c485b%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741535889682135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vxZrDRvXejKRnqAtBNZKCNSISFffnBUCjjitJpCPxXU%3D&reserved=0
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594923335%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cZKoNDHA3bgY8DrleJCQgX1y%2FJq16Jo0dGGdXjb9p%2Bs%3D&reserved=0>
> <
> https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C1bbcb91b110c43c4e24f08d9b68c485b%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741535889682135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vxZrDRvXejKRnqAtBNZKCNSISFffnBUCjjitJpCPxXU%3D&reserved=0
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594923335%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cZKoNDHA3bgY8DrleJCQgX1y%2FJq16Jo0dGGdXjb9p%2Bs%3D&reserved=0>
> >
> NOTE: This email was received from an external source. Please use caution
> when opening links or attachments in the message.
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C1bbcb91b110c43c4e24f08d9b68c485b%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741535889682135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vxZrDRvXejKRnqAtBNZKCNSISFffnBUCjjitJpCPxXU%3D&reserved=0
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594933332%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rNWdnzKV34JKx5Js5pRrXhvCRRAIAPokIMuL3yURrrc%3D&reserved=0>
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C1bbcb91b110c43c4e24f08d9b68c485b%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741535889682135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vxZrDRvXejKRnqAtBNZKCNSISFffnBUCjjitJpCPxXU%3D&reserved=0
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594933332%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rNWdnzKV34JKx5Js5pRrXhvCRRAIAPokIMuL3yURrrc%3D&reserved=0>
>
>
> ***** This email was sent outside of your organization *****
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C1bbcb91b110c43c4e24f08d9b68c485b%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741535889682135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vxZrDRvXejKRnqAtBNZKCNSISFffnBUCjjitJpCPxXU%3D&reserved=0
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594943325%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WZ%2BRYGJk%2BuaxhAKWfjjJf%2FNgwwwD9az8ugbPuKo5UgE%3D&reserved=0>
>
>
> ***** This email was sent outside of your organization *****
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
> <https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=04%7C01%7Cdennis.costello%40prudential.com%7C4494e8da68af452250c608d9b6919177%7Cd8fde2f5939242608a030ad01f4746e9%7C0%7C0%7C637741558594943325%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WZ%2BRYGJk%2BuaxhAKWfjjJf%2FNgwwwD9az8ugbPuKo5UgE%3D&reserved=0>
>
>
>
> ***** This email was sent outside of your organization *****
>