Different Ways of Giving Permissions in Your Windows Installer

Windows XP/Windows 7 works under a locked down environment in most organisations. The MSI authors generally have to provide permissions to the installation directory, so that the users without admin rights are able to access and write data into the installation directory.
When you set permissions, you are specifying what level of access the user has to the folder and its files and what users can do within that folder such as save, delete, or read files.
If you would like to know how to set permissions through Powershell Script, then I would recommend you to read my new blog entry here:
http://msiworld.blogspot.com/2012/01/my-first-powershell-script.html

There are six standard permission types which apply to files and folders in Windows XP/Windows 7:

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

Each level represents a different set of actions users can perform. See the table below for more information.

For folders you can also set your own unique permissions or create a variation of any of the standard permission levels. Within each of the permission levels are many possible variations.

The following table represents the available standard permission types with their descriptions:

Full Control - Permits the user(s) to:

view file name and subfolders

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

change the folder's files

delete the folder and its files

change permissions

take ownership of the folder and its files

Modify - Permits the user(s) to:

view the file names and subfolders

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

change the folder's files

delete the folder and its files

Read & Execute - Permits the user(s) to:

view file names and subfolder names

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

List Folder Contents - Permits the user(s) to:

view folders

navigate to subfolders

view folders

does not permit access to the folder's files

Read - Permits the user(s) to:

view the file names and subfolder names

navigate to subfolders

run applications

open files

copy and view data in the folder's files

Write - The Read permissions, plus permits the user(s) to:

create folders

add new files

open and change files

delete files

You can set permission to folders in following ways:

Secedit

XCACLS/ICACLS

LockPermission table.

Full Control - Permits the user(s) to:

view file name and subfolders

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

change the folder's files

delete the folder and its files

change permissions

take ownership of the folder and its files

Modify - Permits the user(s) to:

view the file names and subfolders

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

change the folder's files

delete the folder and its files

Read & Execute - Permits the user(s) to:

view file names and subfolder names

navigate to subfolders

view data in the folder's files

add files and subfolders to the folder

List Folder Contents - Permits the user(s) to:

view folders

navigate to subfolders

view folders

does not permit access to the folder's files

Read - Permits the user(s) to:

view the file names and subfolder names

navigate to subfolders

run applications

open files

copy and view data in the folder's files

Write - The Read permissions, plus permits the user(s) to:

create folders

add new files

open and change files

delete files

You can set permission to folders in following ways:

Secedit

XCACLS/ICACLS

LockPermission table.

SECEDIT:

SECEDIT command-line tool can be used to impose group policy object settings upon a target workstation immediately.
To use Secedit to give permission in your package, perform the following steps:
Go to Run and type MMC.
A Console will open up as shown in the below picture.
Go to File -> and click on Add / Remove Snap in.



The Add / Remove Snap in window opens up as shown in the below picture.



After this Click on Add...
Add standalone Snap in console opens up as shown in the below picture.



Choose Security Template from the list of Snap in, and click on Add.
The Security template will be added to the console.
You can see the File System, with all the listed directories on the right. This is shown in below picture.



Now, delete all files on right.
Right click and click on Add File, browse and select the required directory to give permission to.
Similarly you can give permission to registry too.



Now, delete all files on right.
Right click and click on Add File, browse and select the required directory to give permission to.
Similarly you can give permission to registry too.



Click on OK and save this template as .inf (such as {PackageName}.inf) file.
Now we have to include this file in the package.
Add this file to %Windir%\security\templates folder.
Use the following Custom Action in your package to implement Secedit.

Use Execute Program from Destination Custom Action.

Give Custom Action name as per your standards

Working Directory to be set is Templates folder (where we have placed the .inf file.

In exe and Command line give the following command:

secedit /configure /db "[security]Database\{PackageName}.sdb" /cfg "[security]templates\{PackageName}.inf" /log "[security]logs\{PackageName}.log" /quiet

Here [security] refers to the security folder is C:\Windows or %Windir%\Security. It is always good to use directory instead of hardcoded paths.

{PackageName} refers to the name you would like to give to your .inf file, to your log file you create and to the .sdb file you create.

Note that this will create .sdb file in %windir%\security\Database folder and .log file in %windir%\security\logs folder. So while un-installation of package you need to remember to delete these files from the folder. You can do that by using remove file table.

The location of the Custom action should be just before install finalize.

The Condition for launch of Custom Action should be "NOT REMOVE"

The Custom action can be run in deferred mode in system context.

XCACLS/ICACLS:

XCACLS or Extended Change Access Control List tool, is an advanced version of CACLS, the difference being that we do not have to answer Yes/No prompts in XCACLS. CACLS and XCACLS are tools which are used to modify the ACLs (Access Control Lists), by which in turn we are modifying the folder permissions for users in windows. ICACLS is another tool like XCACLS.

CACLS is installed in all users machine in System32 folder.

XCACLS ships with the Windows NT Resource Kit or can be easily downloaded from net. XCACLS allows you to set permissions to the same granular level of control that you have with the GUI.

CACLS Syntax

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

filename	Displays ACLs.
/T	Changes ACLs of specified files in the current directory and all subdirectories.
/E	Edit ACL instead of replacing it.
/C	Continue on access denied errors.
/G user:perm	Grant specified user access rights. Perm can be: R Read C Change (write) F Full control
/R user	Revoke specified user's access rights (only valid with /E).
/P user:perm	Replace specified user's access rights. Perm can be: N None R Read C Change (write) F Full control
/D user	Deny specified user access.

Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

XCACLS Syntax

XCACLS filename [/T] [/E] [/C] [/G user:perm;spec] [/R user [...]][/P user:perm;spec [...]] [/D user [...]] [/Y]

filename	Displays ACLs.
/T	Changes ACLs of specified files in the current directory and all subdirectories.
/E	Edit ACL instead of replacing it.
/C	Continue on access denied errors.
/G user:perm;spec	Grant specified user access rights. Perm can be: R Read C Change (write) F Full control P Change Permissions (Special access) O Take Ownership (Special access) X EXecute (Special access) E REad (Special access) W Write (Special access) D Delete (Special access) Spec can be the same as perm and will only be applied to a directory. In this case, Perm will be used for file inheritence in this directory. If not omitted: Spec=Perm. Special values for Spec only: T NoT Specified (for file inherit, only for dirs valid) At least one access right has to follow! Entries between ';' and T will be ignored!
/R user	Revoke specified user's access rights.
/P user:perm;spec	Replace specified user's access rights. for access right specification see /G option
/D user	Deny specified user access.
/Y	Replace user's rights without verify

Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
You can combine access rights.

Example of XCACLS can be:

xcacls "[INSTALLDIR]FOLDER" /e /g users:ewxd;ewx

Usage for ICACLS

ICACLS "[INSTALLDIR]FOLDER" /T /grant USERS:M

LockPermission table:

LockPermission table can be also used to give permission to files, folders and registries.
With the help of Lockpermission table you can give permission to only those users who already exist on the computer or domain.
For giving permission through LockPermission table follow the below procedure:
On the File section in Installation expert (You can do the same with Registry too) , Either go to file or the directory (depending on to which you want to give permission) and click on Details. There will be a permission tab there. For giving permission to file you will get the below screen where there will be a permissions tab among other tabs as shown in the picture. If you have chosen directory then there will only be a permissions tab. Click on Add. In the domain, you can mention the domain of the user for which permissions are to be set. You can either give a standalone machine or a domain name. I have used an environment variable here [%USERDOMAIN] which will pick the domain at run time for the user for which the package is being installed. The user which you can set can be Administrator, Everyone or Logged on User. I have selected every one here.



After that you can select the permissions from below what all permissions you want to give to the user. Click ok and the permissions work is over.

Now when you go to the LockPermissions table in Tables section, you can see the following columns there:

Lock Object, Table, Domain, User and permission.

Lock Object and Table column together specify the file, directory or registry key to be given permission to. Lock Object contains the name of the file, directory or the registry name. Table column can be filled with File, Create Folder or Registry. Lock Object is the foreign key to the primary key of Table mentioned by Table column.

Domain as I have mentioned earlier is the domain of the user.
User too as I have mentioned earlier is the User to whom we want to give the permission.
Permission is the Generic number to the permissions we have specified.

Every file, registry key, or directory that is listed in the LockPermissions Table receives an explicit security descriptor, whether it replaces an existing object or not. The Windows Installer attempts to preserve the security on objects that already exist on the system. If an object is not listed in the LockPermissions Table, and replaces an existing object, the replacement gets the security settings of the object that it replaces.

If an object is not listed in the LockPermissions Table, and does not replace an existing object, it receives no explicit security descriptor. The access to the new object is based on the attributes of its parent or container object. If an object is not listed in the table, and replaces an object with no explicit security descriptor, the access to the new object is based on the attributes of its parent or container object.

Hope this article helps you to builds up your knowledge on how to give permissions to your files, folders and registries.

Required Properties in MSI

There are five properties which are required by every Microsoft installer to identify itself from other MSI.

These properties are required to be present in every MSI.

These are the five properties:

1) Product Name: It is the name of the application you mention in your MSI.
2) Product version: This is the version of the product which you give.. like 1.0.0 etc..
3) Product code: It is the unique GUID for your MSI.
4) Product language: This is the numeric value of product and should be one of those entries mentioned in Template summary property in Summary information stream.
5) Manufacturer: This is the name of the manufacturer of the product.
For future upgrades, it is recommended to add Upgrade code property in the package.

Difference Between Self Heal and Repair

Self Heal and Repair are two different concepts in Windows Installer which people many times consider to be the same thing, however there is difference in these two.

Self Heal is triggered by advertised shortcuts, or other advertising information in the package which eventually Repairs the application.

When the application is launched by advertised shortcut, it checks for all the key paths of the Current Feature, if any of the key paths is missing it will launch Repair.

Note that if there are multiple features then it will not check the missing key paths of the other features, but only the feature of which the advertised shortcut is launched.

Repair of an MSI can be triggered by

Repair button in Add/Remove programs
Giving the command line msiexec /f{other option} {MSI name}
Self Heal by advertised shortcut or other advertising information.
Active setup
Once the repair of the package is triggered, even with Self Heal, then the whole of the MSI is reinstalled. Then it does not see that only the feature which triggered the self heal should be repaired, but the whole MSI, by which I mean, all its features are reinstalled.

Hope this clarifies the difference between two.

How REINSTALLMODE=amus Works

In any of these installation transactions, viz. initial installation, repair, reinstallation, on-demand installation or patching an MSI, The REINSTALLMODE has an affect on it.

Here is what "amus" means:

* a - Force all files to be reinstalled, regardless of version
* m - Rewrite all registry keys that go to HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT
* u - Rewrite all registry keys that go to HKEY_CURRENT_USER or HKEY_USERS
* s - Reinstall shortcuts and icons

The mentioning of "a" in amus forces the reinstallation of files on your machine irrespective of the file version rules. Every file updated by REINSTALL property will be updated in this case.

The sequence of events which happen actually depend on the authoring of your patch.

If your patch contains the full file, the installer will not access the source to reinstall that file, but if your file is the delta of the file, like an update to say ini file, then the patch will access first the machine file and update it, and if machine file is not accessible to the patch, then in that case, the installer will go and grab the file from the original source location and will work from there.

REINSTALLMODE=amus is not the recommended solution, but sometimes situations become inevitable and we need to use them.

Using SOURCEDIR Property in Package

SOURCEDIR property in MSI package refers to the location from where the MSI is installed in the machine. How do we use this property in our package.

If you want to use a file which is kept in the source folder (next to where your MSI is placed), through Custom Action then you need to follow this procedure.

The SOURCEDIR cannot be directly used in the package. If you read the logs then SOURCEDIR property is created and correctly pointed to the directory. But later the log shows that: Deleting SOURCEDIR... So the value of this property is deleted and the MSI does not get access to it. If you display message with [SOURCEDIR] property then it will be empty.

The work around for this is that we can put an Action in the sequence called: "ResolveSource" after CostFinalize action. Then if you place your Custom Action after this action which refers to SOURCEDIR property then you will get the correct value of SOURCEDIR.

Acknowledgement: I would like to thank my friend, Anurag, here who helped me to figure this out.... :)

Isolation of a File: Two Ways in One MSI

Generally you would have read that after isolation is done, we should not modify the MSI. So how to do .local and .manifest in the same MSI. Actually you would be thinking: "What is the need to do both types in the same MSI?" This is because, recently, I came across a situation in which we needed to do isolation of a file for installation of application in Windows 2000 through .local method and for installation in Windows XP and Vista through .manifest method. This was needed to be done through same MSI.

This is the solution. Create a .msi file with .local isolation method for windows 2000. Then create another .msi file with .manifest isolation. Note the visual difference of .manifest isolation file and the base MSI. Make all the differences seen in this to the .msi which was created with .local isolation. Then compile it. This will not get corrupted. Only the ones with .manifest isolation if recompiled again get corrupted. So take care of this and you can then conditionalize the components to be installed for 2000, XP or Vista...

How to Create Packages with a Size Greater Than 2 GB

Packages which need to include or which capture files with a total size exceeding 2 GB, it's necessary to use some tricks. Usually the MSI with cabs compressed outside the MSI allows the maximum size of cab files to be 2 GB. If the cab size file tries to exceed 2 GB, then the WISE package compilation throws an error.

For this you need to create separate features. In these separate features, distribute the files in the package so that the feature has a total file size of less than 2 GB.

After this you need to go to Media option in Installation expert and choose option one cab file per feature.

This will give you the MSI along with cab files which have size less than 2 GB.

Since the total package size will be very big, the downloading of cab files while deploying and then uncompressing them, will take lots of time. So the other solution is to choose the option of Uncompressed Files outside MSI in the media option. This will save time during installation.

Everything You Want to Know About Properties

Ever wondered how many properties are set or can be set during an installation?

Here is a great page which you can refer to for all the properties you ever wish to hear about Windows installer.

http://helpnet.acresso.com/robo/projects/helplibdevstudio9/IHelpPropReference.htm

Installation of MSP File in Silent Mode

The best way to install an MSP file in silent installation is with the following command line:

msiexec /p patchfile.msp REINSTALL=ALL REINSTALLMODE=omus

But if you do not give the command line options of REINSTALL and REINSTALLMODE then it will not patch the existing installation package. What it will do is update the locally cached copy of the MSI database.

You can also use following command line to install patches like for Adobe etc.:

msiexec /update patchfile.msp /qb!

If you run the MSP in UI mode then it will patch the installation and will also update the locally cached copy of the installation, because when the dialogs are run they in turn set REINSTALL and REINSTALLMODE.

For installation of MSU, which is used as update in Windows Vista and above, please follow this new post on my blog:

http://msiworld.blogspot.com.au/2012/04/silent-install-and-uninstall-of-msu.html

Using VBScript to Set Properties in MSI

We can easily use Set Property Custom Action to set Windows Installer Property, but sometimes we wish to set the property directly in VbScript, specially if we are taking an input from a user through VBScript. Hope this tip helps.

To set property through VBScript we can use "Session" object like:

Session.Property("ALLUSERS")="1"

or we can directly use Property keyword like:

Property("REBOOT")="ReallySuppress"

The only catch here is that we cannot set INSTALLDIR property through the above method as the package uses Directory table to store the value of INSTALLDIR. We need to write the below VBScript to set INSTALLDIR:

dim instpath

instpath = "C:\newpath\newfolder"

Session.TargetPath("INSTALLDIR")=instpath

Remember to place this Custom Action after CostFinalize if you are changing the value of INSTALLDIR property in UI Sequence.

Easy way of Copying Condition in Custom Action

I have learnt an easy way of copying condition directly in one Custom Action from other. This is totally on my experience, and I have not found any material for it on net too. So here it goes...

Suppose you are making a CustomAction2 and have added it in the sequence as shown :

And now you have to mention the condition same as that of CustomAction1, which in this case is "NOT Installed AND NOT PATCH", you have to click on CustomAction1 in the sequence and it will be like this:

You can see the Condition in the greyed area. You cannot copy it directly, but what you have to do is: go to any of the other tab from this situation, be it Properties or Details tab.

All you have to do next is to come back to your Location tab. And here you see the result.The Condition is automatically copied to the CustomAction2.

Go ahead and try this out. It is really fun and easy. It will save you some time too.

Exclusion List

Exclusion List

• Manual Checks: Exclude (delete) any unwanted files and folders. Some common file extensions that should usually be excluded are listed below. If the resource you are deleting is a keypath (indicated by the key symbol) you must ensure the related component has been assigned a new keypath. If the component is now empty it can be deleted.

Common Items:

HKEY_USER_SELECTABLE\Software\Shortcuts
Event log registries.
All VCache Entries
Shutdown Entries
Uninstall Entries
Your Username if Captured
*.log-app specific
services / hosts – These must be handled appropriately
Folders/ Files referring to Wise
Folders/ Files referring to InstallShield
Any cookies
Any file from the dependency applications that has got captured must be excluded.
Cache
Temp
Tmp
Bag
Log – Examine in notepad to see if they are relevant or not.

• Files

*.REG files
_isreg32.dll
setup.exe
install.log
install.exe
install.ini
unwise.exe
Uninstall.xml
Upgrade.exe
Update.exe
uninstall.cif
uninstall.cfg / uninstall.cgf
uninstall.dat
uninstall.dll
uninstall.ini
uninst.exe
uninstall.exe
deinstall.exe
Remove.exe / remove*.exe / *remove.exe
Regsvr16.exe
Regsvr32.exe
services.msc
*.ora files
*.oem files
Hosts File
C:\Temp
Pagefile.sys
C:\Winnt\Recent
Ntuser.ini
Ntuser.dat
Ntuser.dat.log
\Favourites\Desktop.ini
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.log
\Application Data\Desktop.ini
\Application Data\Microsoft\Internet Explorer\brndlog.txt
\Application Data\Microsoft\Internet Explorer\brndlog.txt.log
\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
\Cookies\index.dat
\NetworkService\LocalSetting\Desktop.ini
Boot.ini
Hiberfil.sys
Ntldr
SchedLgU.txt
C:\RECYCLER
C:\System Volume Information

Local Settings\History\History.IE5
C:\Program Files\Common Files\InstallShield\Engine
C:\Program Files\Common Files\InstallShield\ISCRIPT
C:\Program Files\Common Files\Wise Installation Wizard
C:\Program Files\WindowsUpdate
C:\Program Files\InstallShield Installation Information
C:\Program Files\Sophos SWEEP for NT
C:\Program Files\Uninstall Information
C:\WINDOWS\Debug
C:\WINDOWS\Tasks
C:\WINDOWS\Prefetch
C:\WINDOWS\repair
C:\WINDOWS\CSC
C:\WINDOWS\System32\appmgmt
C:\WINDOWS\System32\CatRoot
C:\WINDOWS\System32\Config
C:\WINDOWS\System32\dllcache
C:\WINDOWS\System32\wbem
Lmscript.pif
Ttfcache
Ffastlog?.*
SMSCFG.ini
Any Cookies
TNSNAMES.ORA If Oracle package, then should be handled carefully. Should be deleted but entries to be appended through CA. Same for SQL.ORA and services file

• Registry:

HKEY_CLASSES_ROOT\Interface - all keys under ‘Interface’ can be deleted as they will be recreated automatically

HKEY_LOCAL_MACHINE\CLONE
HKEY_LOCAL_MACHINE\SAM
HKEY_LOCAL_MACHINE\Security
HKEY_LOCAL_MACHINE\Enum
HKEY_LOCAL_MACHINE\Hardware\

HKEY_LOCAL_MACHINE\Software\Novell
HKEY_LOCAL_MACHINE\Software\Program Groups\
HKEY_LOCAL_MACHINE\Software\Classes\
HKEY_LOCAL_MACHINE\Software\Description\Microsoft\Rpc\UuidPersistentData\
HKEY_LOCAL_MACHINE\Software\Description\Microsoft\Rpc\UuidTemporaryData\
HKEY_LOCAL_MACHINE\Software\Description\Microsoft\Rpc\UuidSequenceNumber\
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing
HKEY_LOCAL_MACHINE\Software\Microsoft\DRM
HKEY_LOCAL_MACHINE\Software\Microsoft\EVENTSYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Mounted Devices
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = Synchronization Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Syncmgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Syncmgr\Autosync
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windowsupdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc
HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg\BootOptimizeFunction

HKEY_LOCAL_MACHINE\System\Clone
HKEY_LOCAL_MACHINE\System\Mounteddevices
HKEY_LOCAL_MACHINE\System\Select
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\System\ControlSet000\
HKEY_LOCAL_MACHINE\System\ControlSet001\
HKEY_LOCAL_MACHINE\System\ControlSet002\
HKEY_LOCAL_MACHINE\System\ControlSet003\
HKEY_LOCAL_MACHINE\System\ControlSet004\
HKEY_LOCAL_MACHINE\System\ControlSet005\
HKEY_LOCAL_MACHINE\System\ControlSet006\

HKEY_LOCAL_MACHINE\System\CurrentControlSet\SessionManager\Environment\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\hardwareProfiles\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCP
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ E100b1\Parameters\Tcpip
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDISW2KM\Enum
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kmixer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NMSCFG\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TRKWKS
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8AAE3FAA-E935-4AB3-B74C-55E12729E3DA}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VCACHE

HKEY_CURRENT_USER\SessionInformation
HKEY_CURRENT_USER\Volatile Environment
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GRPCONV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SessionInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StreamMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MountPoints
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StartPage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Prefetcher
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\IME\China\IMEPY\TIPMIG
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Syncmgr\Handlers
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Shellbrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators

HKEY_USERS\Software\Microsoft\SystemCertificates

Troubleshooting Unnecessary Repairs

Sometimes you may encounter the problem of unnecessary repairs of MSI while launching the shortcut in the same logged in user. Here is the way to troubleshoot this problem.
You can go to eventviewr (by typing eventvwr in Run command) then to applications and check the latest error message after repair. It will tell you which component is missing and because of which MSI went for self heal.
You can now check out this component in your package and see what the problem is. Maybe your keypath is a moving target for that component.

There are other methods too which can be used in case the above does not work. These are Logs/Gap capture.

More on this later.

Why Custom Action Type 51 is Required

If you have always wondered why we need to anSet Property Custom action when there is already a Property table to handle it, then this is for you.
Suppose we have to create a property based on the value of another property - in that case we cannot use the Property table to handle this. There will be a circular reference in which one property would be based on the other.
In this scenario we use Set Property Custom Action. To affect a property used in a condition on a component or feature, the custom action must come before the CostFinalize action in the action sequence.

Order of Precedence for Properties

The installer sets properties using the following order of precedence. A property value in this list can override a value that comes after it and be overridden by a value coming before it in the list.
1) Properties specified by the operating environment.
2)Public properties set on the command line.
3)Public properties listed by the AdminProperties property set during an administrative installation.
4)Public or private properties set during the application of a transform.
5)Public or private property that set by authoring the Property table of the .MSI file.