[wix-users] Why MSI installer quarries registry for all installed certificates?

Christopher Painter chrpai at iswix.com
Wed Oct 19 06:07:11 PDT 2022


How do you know that Kaspersky blocked it because of this? In my experience security companies aren't forthcoming in explaining how their tech works.

If all MSIs do this, wouldn't more MSIs be blocked?

MSI internally uses code signing to protect the MSI and embedded patches. I'm sure it's using the CAPI functions to validate these signatures, and to do that the public keys (which are, well, public) have to be accessed to validate the signing.

Whatever your problem is, I'm betting it's something else. The only practical answer that I can give you is to get an EV code signing certificate. This is the only official way to build up credibility faster. I don't know if sanctions against Russia will block you from doing this or not.


________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Vladimir A Terentyev via wix-users <wix-users at lists.wixtoolset.org>
Sent: Monday, September 26, 2022 5:50 AM
To: wix-users at lists.wixtoolset.org <wix-users at lists.wixtoolset.org>
Cc: Vladimir A Terentyev <Vladimir.Terentyev at b1.ru>
Subject: [wix-users] Why MSI installer quarries registry for all installed certificates?

I had a problem with my MSI installer on a client. Kaspersky blocked it because the MSI was accessing protected registry paths in

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\

These registry paths are considered to be protected from being accessed, so Kaspersky blocks any app that accesses them by default. I rechecked the installation process in Process Monitor, and msiexec really queries these values for every certificate in the system (in HKLM and HKCU):

Screenshot of my Process Monitor<https://snipboard.io/j12EMA.jpg>


So, I have several questions:
Why does MSI access these registry paths? And are there any docs that contain information about MSI certificate queries?



MSI was created with WiX Toolset 3.6

MSI is digitally signed with a certificate, which was signed by GlobalSign.

I did not add any registry query logic to my MSI, so I don't understand why this happens.

The msiexec log does not contain any information about registry queries for certificates.



P.S.

I also checked the MSI of Epic Games Store: it turns out it also queries these registry paths, so I guess it is really standard MSI behavior, but I still need some docs that confirm that.



____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
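
The reply above attributes the registry reads to signature validation. The following is an added example, not part of the thread and not msiexec's own code: it checks an MSI's Authenticode signature, builds the signer's certificate chain, and reports which registry-backed system stores under `SystemCertificates` hold each chain certificate. `$MsiPath` is a placeholder, and the list of store names is an assumption covering the common system stores.

```powershell
# Added example. Assumes PowerShell on Windows; $MsiPath is a placeholder path.
param([string]$MsiPath = 'C:\path\to\setup.msi')

# Authenticode check of the MSI (uses the Windows crypto APIs internally).
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature status: $($sig.Status)"
if (-not $sig.SignerCertificate) { return }   # unsigned file: nothing to chain

# Build the chain a verifier needs: signer -> intermediates -> trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'  # keep the demo offline
$trusted = $chain.Build($sig.SignerCertificate)
"Chain builds to a trusted root: $trusted"

# System stores are persisted as
#   <hive>\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>
# Store list below is an assumption (common stores), not an exhaustive set.
$hives  = 'HKLM:', 'HKCU:'
$stores = 'Root', 'AuthRoot', 'CA', 'TrustedPublisher', 'Disallowed', 'My'

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    "`n$($cert.Subject)  [$($cert.Thumbprint)]"
    $found = $false
    foreach ($hive in $hives) {
        foreach ($store in $stores) {
            $key = "$hive\SOFTWARE\Microsoft\SystemCertificates\$store\Certificates\$($cert.Thumbprint)"
            if (Test-Path -LiteralPath $key) {
                "  stored at $key"
                $found = $true
            }
        }
    }
    # Intermediates are often carried in the signature itself rather than a store.
    if (-not $found) { '  not present in the checked registry stores' }
}
```

Running this under Process Monitor with a filter on `SystemCertificates` shows the same kind of store reads for any process that validates a signature this way, which helps separate expected chain-building activity from anything specific to one installer.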

