Thursday, December 13, 2012

Permissions to registry using setacl

Recently I was trying giving permission to one of the registry hives with Subinacl, but it was not working despite all efforts and checking all the syntax and a lot of troubeshooting.

Then I came across another permission granting utility known as SetACL. It worked like a charm. So you can try using this utility is Subinacl fails.

You can download SetACL from http://helgeklein.com/download/

Here is an example to run SetACL to give registry permissions.

"SetACL.exe" -on "hkcr\Interface" -ot reg -actn setowner -ownr "n:Administrators"
"SetACL.exe" -on "hkcr\Interface" -ot reg -actn ace -ace "n:Users;p:full"


  • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
  • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
  • Action (-actn): What should SetACL do with the object specified?

A lot more details and description can be found at this awesome site: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/


Tuesday, October 23, 2012

Install MSP file with MSI

While handling with MSP of applications, sometimes a question comes in mind that can an MSP be installed along with MSI?
The answer is yes, but with a few conditions involved.
The conditions are explained later in the post with some description.

First I will give you the command line to install MSP along with MSI:

msiexec /i {Path to MSI}\Installer.MSI PATCH={Path to MSP}\Patch.MSP /qb

If there is a transform as well to add you can include it in the command line as well.

msiexec /i {Path to MSI}\Installer.MSI TRANSFORMS={Path to Transform}\Transform.MST PATCH={Path to MSP}\Patch.MSP /qb

The only thing which you have to take care in the command line is that you will have to give a complete path to MSP.
Relative paths do not work in this case.

This will apply the patch as in the updated files will be installed from the patch rather than from the MSI.

This process is greatly useful when there are a lot of patches to be applied to an MSI.

There might be cases that the MSI is already deployed on your client machines and you need to patch it with this new patch which has come now. You can deploy the MSP over the MSI and then it is suggested to change the initial MSI package to include the MSP.

If you have multiple MSP for an MSI then the way you implement it actually depends on the way the MSP are created for the MSI. There are two kinds of MSP:
1) Incremental
2) Add-on

The above ones are my terms and not Microsoft's and I am using them just for explaination purpose.

In Incremental MSP, say version 1.2 contains all the content for version 1.1 and so can be installed directly on top of MSI which is version 1.0. Similarly version 1.3 will install directly on top of MSI version 1.0. So you can skip the previous MSP version and directly install the latest version on top of your MSI.

In Add-on MSP, the MSP has only additional data from the previous version of MSI or MSP. For example, say version 1.2 has a few files added but it does not contain the files/registries which were added or modified in version 1.1 of MSP. So in this case you will have to install both MSPs, version 1.1 and 1.2 one after the other on top of MSI version 1.0
You can use command line like this:
msiexec /i {Path to MSI}\Package_1.0.MSI PATCH={Path to MSP}\Patch_1.1.MSP; {Path to MSP}\Patch_1.2.MSP /qb

The order of MSP mentioned here is important as it will install in that particular order only.

I hope this article is helpful to you in organizing and maintaining your Operational work with Application Packaging.

Wednesday, September 26, 2012

Error installing MSI from USB/DVD


I faced an issue installing Flash player from USB drive though it was installing fine when installed from local or network drive. I found out the issue and resolution and want to document here for all of you.

While installing the package, I got this error in the log files:

 

MSI (s) (44:C4) [14:06:35:318]: Source is incorrect. Volume label should be  but is SMSBOOT.

MSI (s) (44:C4) [14:06:46:956]: Source is incorrect. Volume label should be  but is SMSBOOT.

 

While analysing this, I realized that the disk label for my USB is SMSBOOT and this could be anything else for you on your USB or DVD.

I had added a file in my MSI through MST and it had created an entry in the Media table. This entry looked like this and this is the default entry which you get with the tool.

 
 

Behind the scene it was looking for a Blank labelled disk where this media is located but could not find it and it gave an error “Insert Disk”.

I removed the label from my USB drive and kept it Blank. It worked fine.

Just to get this you can do the following in your packages so that this issue does not come.

Just add DISK1 in the VolumeLabel Column for your added media as well. This will make it work for any labelled USB or DVD drive.
 
 

I hope this will help you to resolve your issues.

Tuesday, August 07, 2012

Subinacl to give permissions to registry/Files

Subinacl is a useful utility to give permissions to registries.

Here is a simple example how to give permissions to registry.

subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt
/keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt

Subinacl can be downloaded from net.

More detailed Usage as per your requirements. This contains lots of features.
You can write your comments on what you used and if it worked. Help others by posting your real time examples.

Usage :
     SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]



/options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /stringreplaceonoutput=string1=string2
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /applyonly=[dacl,sacl,owner,group]
    /nocrossreparsepoint (default)      /crossreparsepoint

/object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

/action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
    /setowner=owner
    /replace=[DomainName\]OldAccount=[DomainName\]New_Account
    /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
    /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
    /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
    /findsid=[DomainName\]Account[=stop|continue]
    /suppresssid=[DomainName\]Account
    /confirm
    /ifchangecontinue
    /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
    /testmode
    /accesscheck=[DomainName\]Username
    /setprimarygroup=[DomainName\]Group
    /grant=[DomainName\]Username[=Access]
    /deny=[DomainName\]Username[=Access]
    /sgrant=[DomainName\]Username[=Access]
    /sdeny=[DomainName\]Username[=Access]
    /sallowdeny==[DomainName\]Username[=Access]
    /revoke=[DomainName\]Username
    /perm
    /audit
    /compactsecuritydescriptor
    /pathexclude=pattern
    /objectexclude=pattern
    /sddl=sddl_string
    /objectcopysecurity=object_path
    /pathcopysecurity=path_container

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
- or -
    any [/option] [/action] [/object_type]


SYNTAX
------

describe SubInAcl syntax

The SubInAcl syntax is analog to the UNIX find tool.
For each object, SubInAcl :
    1. retrieves the security descriptor of the object
    2. applies the /action(s). The /actions are executed in the order of
       the command line
    3. If :
       - the security descriptor has been modified and
       - the /testmode switch has not been specified
       the changes are applied to the object
    For instance :
       - SubInAcl /outputlog=result.txt /subdirectories \\Server\c$\temp\*.*
                  /grant=Dom\John=F /noverbose /display
         For each file below \\Server\c$\temp, SubInAcl will
         - open the file
  - grant full control for dom\john
         - display the security setting in noverbose mode
         - save the security descriptor.
         All outputs will be saved in result.txt

You can specify as many /actions as you wish. You must specify at least 3
characters for each action.
The command line is not case-sensitive

Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
    for each *.txt file will - replace John with Smith
                             - display the whole security descriptor
                             - apply the changes if any

SubInAcl error messages are sent to the Standard error.
You can use the /output switch to save both outputs
and errors in the same file.


FEATURES
--------

describes SubInAcl main features
SubInAcl was designed to help administrators to manage security on
various objects.
It provides :
   - a unified way to manipulate security for different kinds of objects
     (files, registry keys, services, printer,...)
   - a console tool that allows to write scripts to automate
     security tasks
   - some features that help administrators to modify security if some
     changes occur in their organization:
         - user, group deletions (/suppresssid, /cleandeletedsidsfrom )
         - user, group migrations (/replace , /accountmigration)
         - domain, server  migration (/changedomain, /migratetodomain)
         ...
   - security descriptor editing features :
         - owner ( /setowner )
         - primary group ( /setprimarygroup )
         - permissions ( /grant , /deny , /revoke )
         - audit ( /sgrant, /sdeny, /sallowdeny)
   - access to remote objects
   - save and restore permissions (/playfile , /outputlog , /display )

You need SeBackupPrivilege SeRestorePrivilege
SeSecurityPrivilege SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool

Type SubInAcl /help to get extended help




SIDS
----

sids : explain how SubInAcl retrieves and translates SIDs

The security descriptor references users and groupswith a SID (Security
Identifier). A SID can be expressed in one of the following form:
         + DomainName\Account (ex: DOM\Administrators )
         + StandaloneServer\Group
         + Account ( see LookupAccount API )
         + s-1-x-x-x-x . x is expressed in decimal
           (ex: S-1-5-21-56248481-1302087933-1644394174-1001)
           Warning : In that case, no check is done to verify the existence
           of this SID.

SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"
translation network cost.

SubInAcl queries the server where the ressource object is located to
translate or retrieve SIDs. If needed, you can specify another SAM
server to translate SIDs (see /alternatesamserver).
If you try to replace SIDs and the originated domain or server is not online,
you can provide a file containing the needed SIDs (see /offlinesam).
You can dump the local cache of SIDs in a file (see /dumpcachedsids).


VIEW_MODE
---------

/noverbose /verbose

SubInAcl can be used in a quiet mode (/noverbose) or a in verbose mode
(/verbose , /Noverbose )
You can specify these switches either :
  - for the entire comand line :
       SubInAcl /noverbose /file *.dat /display
  - after a specific action    :
        SubInacl /file *.dat /display /noverbose /display



TEST_MODE
---------

/testmode /notestmode (default)

If /testmode is specified, the changes will not be reflected to the object
security descriptor. This option is useful to test the validity of a comand.
Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB
              /ifchangecontinue /noverbose /display /testmode
     For each file modified this comand displays the modified security
     descriptor. But these changes will not physically apply to the files



OBJECT_TYPE
-----------

/file /subdirectories /onlyfile /keyreg /subkeyreg /service /share /clustershare /printer
/kernelobject /metabase /process /samobject

SubInAcl can work with various objects:
- Files         :
      /file
      /subdirectories
      /onlyfile
- Registry keys :
      /keyreg
      /subkeyreg
- Services      :
      /service
- Shares        :
      /share
      /clustershare
- Printer       :
      /printer
- Kernel named objects :
      /kernelobject
- IIS adminidstration rights :
      /metabase
// - Process       :
      /process
- Sam       :
      /SamObject

The actions are valid for all objects
Most of them support the enumeration with the * character


DOMAIN_MIGRATION
----------------

explain how to migrate security between domain SIDs

The main purpose of SubInAcl is to help administrators to migrate user(s)
if the domain architecture has changed.
For instance, the user John has moved and is now member of the DOMB domain.
You can reflect this change with :
SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
N.B: A trust relationship must be enabled between the domain of server and
OldDomain and NEWDOMAIN
N.B: If a trust relationship cannot be enabled, you can use the
/alternatesamserver=Server. Server should be the name of Domain Controller
Server

Sample :
  You have worked with a unique domain.
  You want to migrate a BDC named MIGRCONTROL with all the files and the
  users utilized on a new domain
  1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
  2. Create the users on NEWDOMAIN
  3. Create a "trusted relationship" with OLDDOMAIN
  4. Run SubInAcl /noverbose /subdirectories x:\*.*
                             /changedomain=OLDDOMAIN=NEWDOMAIN
  5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*

Sample :
  You have worked with a standalone server named SERVER in a workgroup
  environment. You want to move this server (including users) to a domain DOM.
  1. Move SERVER to the domain DOM
  2. Create the users in the DOM domain
  3. SubInAcl /noverbose /subdirectories \\server\share
              /changedomain=SERVER=DOM

See /changedomain /migratedomain /replace actions


SERVER_MIGRATION
----------------

explain how to migrate SIDs when objects are moved from one server to another one

Migrating file system from one local server to another local server is not
a trivial task. SubInAcl Version 2.2 has been enhanced to help this migration
process.
To migrate file system files from one local server and to preserve security,
you can perform the following steps:
1. use scopy to copy files and ACLs on destination server
2. create local groups on the destination server
3. Use /changedomain or /changedomain with the /alternatesamserver option :
    By default SubInAcl queries the server where the objects are located to
    retrieve SIDS. This server is not aware of the SIDs valid on another
    standalone server
    To address this issue, you can use the /alternatesamserver option to ask
    SubInAcl to to use the alternamesamserver server if a SID resolution is
    not successfull on the initial server.
Sample :
    SubInAcl /alternatesamserver=SourceServer /subdirect
    \\DestServer\Share\*.*
             /migratedomain=SourceServer=DestServer

See /alternatesamserver /migratedomain /offlinesam


EDITING_FEATURES
----------------

how to edit parts of the security descriptor

SubInAcl allows to modify each part of a a security descriptor :
- owner
       see /owner=SID or /setowner=SID
- primary group
       see /setprimarygroup=GroupSID
- system ACL (SubInAcl name = Audit ACL) with Access Control Entries
   (SubInAcl name= AAce = Audit ACE)
see /audit /sgrant /sdeny /sallowdeny
- discretionnary ACL (SubInAcl name = Perm ACL ) with Access Control Entries
   (SubInAcl name= PAce = Perm ACE)
  see /perm   /pace=xxx  /revoke=SID /grant=SID=Access /deny=SID=access
       /sgrant=SID=Access /sdeny=SID=access
/sallowdeny=SID=access- or the full security descriptor
  see /sddl=sddl_string



/SERVICE
--------

/service service_name

manipulate service
- \\ServerName\Messenger
- \\ServerName\M*
- Messenger
N.B: /driver can be used also.
      /driver  * will display all driversm
      /service * will display all services


/KEYREG
-------

/keyreg registry_key

manipulate registry keys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/SUBKEYREG
----------

/subkeyreg registry_key

manipulate registry keys and subkeys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/FILE
-----

/file filename

manipulate files
N.B: SubInAcl is not supported on DFS volumes
- *.obj
- c:\temp\*.obj
- \\servername\share\*.exe
- c:\
/file=directoriesonly will apply parameters on directories only
/file=filesonly will apply parameters on files only


/SUBDIRECTORIES
---------------

/subdirectories file_path

manipulate files in specified directory and all subdirectories
- c:\temp\*.obj     : work with all obj files
- c:\temp\test      : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\    : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only


/ONLYFILE
---------

/onlyfile file_name

open a file without using the FindFilexxx mechanism.
Can be used to access named pipes or mailslot
- \\.\pipe\pipename


/SAMOBJECT
----------

/samobject samobject

allow to access ACL associated to SAM objects(users,localgroup,globalgroup).
Can be used to allow a localgroup(alias) created by a power users on a member
to be updated by another power users member
- \\samserver\localgroup
- \\samserver\*users*
- *group*
- Subinacl /samobject \\sams\testgroup /grant=poweruser1=f


/SHARE
------

/share file_share_name

access a network file share.
- \\server\share
- \\server\test*


/CLUSTERSHARE
-------------

/clustershare \\clustername\fileshareresource

access a cluster file share resource.
- \\clustername\FileShare_Resource_Name
- \\clustername\s*


/KERNELOBJECT
-------------

/kernelobject kernel_object_name

access a named kernel object.
Can be used to view mutex, sections, events objects


/PROCESS
--------

/process pid_or_executable_pattern

access a process object.
- notepad.* or pid_in_decimal


/METABASE
----------

/metabase metabase_path

access to IIS metabase AdminACL metabase property
Note that this property can only be used with these Metabase paths
/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
This object doesn't support enumeration.
- SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F



/PRINTER
---------

/printer printername

access to printer
- \\server\printer1
- \\server\*



/DISPLAY
--------

/display[=dacl|sacl|owner|primarygroup|sdsize|sddl]

display the security descriptor
You can also view part of the security descriptor. /display=dacl will
display the discretionary acl. /display=sddl will display the security
using the Win32 SDDL security descriptor string format (see Platform SDK)
The /noverbose display can be used to reapply the security descriptor
(see /playfile)


/PLAYFILE
---------

/playfile playfile

The /playfile feature allows SubInacl to run in a batch mode.
The format of the playfile command file is :
   + object_type object_name
   /action[=parameter]...
   /action[=parameter]...
   +object_type object_name
   /action[=parameter]...

SubInacl /playfile=playfile.txt with
With playfile :
+subdirec *.txt
/grant=everyone=R
+service RkillSrv
/display
will give the same result than
SubInAcl /subdirectories *.txt  /grant=everyone=R
SubInAcl /service RkillSrv /display

One typical usage of the playfile feature is to allow to reapply security settings
saved previously because the output format of the noverbose /display is a playfile
compatible format:
1.a) SubInAcl  /noverbose /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display
This command saves all security settings for the files on C: drive.
Sids will be saved in the Domain\user string format
The /display option in a noverbose mode uses an output playfile compatible format
or
1.b)  SubInAcl /error=d:\Err.txt /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display=sddl
This command saves all security settings using the Win32 SDDL format.
Sids will be saved in the S-1-x-x form. This will not require SubInacl to translate Sids
This may minimize the elapsed time and resource usage
2) SubInAcl /playfile d:\SubInaclSave.txt
This command will reapply the previously saved settings.

One other advantage of using a playfile is to improve performance and save network
bandwidth because SubInacl maintains a local cache of SIDs.
For instance if you issue :
SubInacl /subdirectories c:\*.* /migrate=domain1=domain2
And
SubInacl /subdirectories d:\*.* /migrate=domain1=domain2

Batching  these commands will reduce the network usage bandwidth and improve
performance because SID TO HUMAN NAME resolution process will be reduced.


/OUTPUTLOG
----------

/outputlog=filename

all outputs will be send in filename. You need to use /errlog switch to
redirect all errors in a different file


/ERRORLOG
---------

/errorlog=filename.txt

all errors will be send in the filename.txt


/ALTERNATESAMSERVER
-------------------

/alternatesamserver=Server

SubInAcl queries the Server where the object is located to lookup Sids.
Under some circumstances , you may need ( see server_migration or
domain_migration) to retrieve Sids from another server. If a Sid resolution is
unsuccessful, this option allows SubInAcl to query the alternamesamserver.


/OFFLINESAM
-----------

/offlinesam=FileName

By default, SubInAcl queries the Server where the object is located to lookup
Sids.Under some circumstances (migration where the source server is offline
or if a domain is no longer available, want to avoid network round trip
for SIDs retrievals), you may allow SubInAcl.exe to retrieve SIDs from
the FileName file.
File format is :
__cachefileonly__=s-1-9-cacheonly
domain\simon=S-1-5-21-1190502449-1716722630-1654032285-1105
nat\julien=S-1-5-21-1060284298-436374069-1708537768-1005

where domain\simon and nat\julien can be a domain account or server account.
With the __cachefileonly__ line in the file, SubInAcl.exe will not query
SAM Server(s) anymore. All needed SIDs should be found in the SAM
cache file


/DUMPCACHEDSIDS
---------------

/dumpcachedsids=FileName

At the end of the subinacl execution,
you can dump the contents of the local cache Sids in a file.
This file can later be used for future SubInacl execution (see .
/offlinesam) to speed up the Sids resolution process)


/SETOWNER
---------

/setowner=SID

will change the owner of the object
/owner=SID or /setowner=SID
owner = DomainName\Administrators will retrieve the Administrators Sid on
the server where the object is (see Win32 SDK LookupAccountName function).


/REPLACE
--------

/replace=DomainName\OldAccount=DomainName\New_Account

    replace all ACEs (Audit and Permissions) in the object
    Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace
        all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID
        retrieves from NEWDOM domain
    Warning: if DomainName\New_Account has already an ACE, ACE replacement is
    skipped


/ACCOUNTMIGRATION
-----------------

/accountmigration=DomainName\OldAccount=DomainName\New_Account

    (see /replace)
    will :
    - replace owner or primary group if one of them is DomainName\OldAccount.
    - duplicate ACE(s) with reference to DomainName\OldAccount for New_Account
    Ex: /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will
    duplicate all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID
    retrieves from NEWDOM domain
    Warning : if DomainName\New_Account has already an ACE, ACE replacement is
    skipped


/CLEANDELETEDSIDSFROM
---------------------

/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]

    delete all ACEs containing deleted (no valid) Sids from DomainName
    You can specify which part of the security descriptor will be scanned
    (default=all)
    If the owner is deleted, new owner will be the Administrators group.
    If the primary group is deleted, new primary group will be the Users group.


/CHANGEDOMAIN
-------------

/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]

     replace all ACEs with a Sid from OldDomainName
     with the equivalent Sid found in NewSamServer
     Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
     replace all ACEs containing DOM_MARKETING\ChairMan SID
     with the ChairMan's SID retrieved on NEWDOMAIN computer
     The NEWDOMAIN must have a trusted relationship with the server
     containing the object

     If you want to explicitly specify the users affected , you can specify a
     mapping file. The MappingFile file will allow you to specify the list of
     users affected and the name of the replacing user in the NewDomain

     Below a sample of a MappingFile

     simon=julien
     administrator=administrator

     OldDomainName\Simon will be replaced by NewDomainName\Julien and
     OldDomainName\Administrator will be replaced with
     NewDomainName\Administrator

     If you use /changedomain=OldDomainName=NewDomainName=MappingFile notation
     ,only users defined in this file will be migrated.
     If you use /changedomain=OldDomainName=NewDomainName=MappingFile=Both,
     the mapping file will be examined first to determine if a mapping user
     exist. If not, SubInacl will try to find the equivalent user in the
     NewDomainName


/MIGRATETODOMAIN
----------------

/migratetodomain=FromDomainName=ToDomainName[=MappingFile[=Both]]

     same behavior than /changedomain except that news ACEs will added instead
     of replacing
     Ex: /migratetodomain=DOM1=DOM2
     each ace with DOM1\User will be duplicated with DOM2\User
     (If DOM2\User exists)
     If during the migration there was a serious oversight
     you can instruct the user to log back onto DOM1.
     N.B: Owner and Primary Group are migrated to DOM2


/FINDSID
--------

/findsid=DomainName\Account[=stop|continue]

     display the object name containing a reference to DomainName\Account
     in the security descriptor
     stop     - if Account is found, next parameters will be skipped
                and changes will not be applied
              - if Account is not found, next parameter will be executed
     continue - if Account found, next parameters will be executed
              - if Account not found, next parameters will be skipped
                and changes will not be applied


/SUPPRESSSID
------------

/suppresssid=DomainName\Account

     suppress all ACES containing the DomainName\Account SID.
     If the object's owner is DomainName\Account, the owner is set to
     Everyone's SID.


/PERM
-----

/perm

     suppress all existing permissions aces (PACEs)


/AUDIT
------

/audit

     suppress all existing auditing aces (AACEs)


/IFCHANGECONTINUE
-----------------

/ifchangecontinue

     continue to process the next actions only if some changes have been
     made in the previous actions


/TESTMODE
---------

/testmode

     changes will not be applied to the object. This allows to test the
     modifications


/ACCESSCHECK
------------

/accesscheck=Domain\Username

     display the access granted to the Domain\Username. The password will
     be asked. This option requires the SeTcbName privilege (Act as Part
     of the Operating System). This option cannot be used with remote object.
     Note : the access is checked with the NETWORK security identified
     granted to the Domain\UserName


/SETPRIMARYGROUP
----------------

/setprimarygroup=[DomainName\]Group

     change the primary group


/DENY
-----

/deny=[DomainName\]User[=Access]

     add a  denied Permission Ace for the specified User (or group)
  If Access is not specified, all accesses will be denied.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/REVOKE
-------

/revoke=[DomainName\]User

     suppress all Permission Ace(s) for the specified User (or group)


/GRANT
------

/grant=[DomainName\]User[=Access]

     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SALLOWDENY
-----------

/sallowdeny=[DomainName\]User[=Access]

     will add an Allow/Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sallowdeny=everyone=R
         will set the audit for everyone's successful and failed access


/SGRANT
-------

/sgrant=[DomainName\]User[=Access]

     will add a Successfull (Allow) Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
         will set the audit for everyone's successful access

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SDENY
------

/sdeny=[DomainName\]User[=Access]

     will add a Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/OBJECTEXCLUDE
--------------

/objectexclude=pattern

      all objects matching the pattern string will be skipped (eXcluded).
   The only wildcard valid is *. It can be used everywhere in the string.
      Pattern may be a name ( *Name.exe ) or a path ( *dir\subdir\*ToExclude* ).


/PATHEXCLUDE
------------

/pathexclude=pattern

      all containers matching the pattern string will not be enumerated.
      See /objectexclude
      N.B: the Actions specified will not be applied to the container too.


/STATISTIC
----------

/statistic

      will display statistics when processing is finished.


/CROSSREPARSEPOINT
------------------

/crossreparsepoint

      When processing a file system path, SubInacl will enumerate
      file and directories below a reparsepoint except if /nocrossreparsepoint.
      is specified.


/STRINGREPLACEONOUTPUT
----------------------

/stringreplaceonoutput=string1=string2

      All occurrences of string1 will be replaced by string2 in subinacl output.


/SDDL
-----

/sddl=sddl_string

      specify the Security descriptor for the object using the Win32 security
      descriptor definition language (SDDL)


/APPLYONLY
----------

/applyonly=dacl,sacl,owner,group

      Some subinacl options may change parts (owner,group,dacl,sacl) of the security descriptor.
      You may restrict the change to some parts of the security descriptor only .
      For instance /applyonly=dacl,sacl,owner will not modify the primary group field


/PATHCOPYSECURITY
-----------------

/pathcopysecurity=path_container

      SubInacl will reset the security descriptor for the object with the same named object
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /pathcopysecurity=d:\test
          will replace the security (acls,owner,primarygroup) for c:\temp\1.txt with the security
          retrieved from d:\test\1.txt (if this file exists)
          -SubInacl /service Messenger /pathcopysecurity=\\Server
          will update the security on the service Messenger with the security existing on the remote
          messenger service


/OBJECTCOPYSECURITY
-------------------

/objectcopysecurity=object_path

      SubInacl will reset the security descriptor with the object object_path
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /objectcopysecurity=d:\test\mask.txt
          will replace the security (acls,owner,primarygroup) for all txt files
          in c: emp with the security retrieved on d:\test\amsk.txt
          will update the security on the service Messenger with the security existing on the remote
          messenger service

With help from this awesome post: http://www.vanstechelman.eu/windows/how_to_use_subinacl

Tuesday, July 17, 2012

VBScript to Find and Replace

I have been using this script for some time now. I took inputs from some sites to create this VBScript. I have modified it to my needs. I want to share this and keep it gfor my reference for future use as well.
I am searching for a text and replacing it with the User input of mail id.

'-----------------------------------------------------
'Use the below function if you want it to run from commandline and take input from users.
'If WScript.Arguments.Count <> 2 then
'  WScript.Echo "usage: Find_And_replace.vbs filename word_to_find replace_with "
'  WScript.Quit
'end If
MailID=InputBox("Please enter your E-Mail ID")
sFind="abcxyz.com"
Set oshell=CreateObject("Wscript.shell")
prog=oshell.ExpandEnvironmentStrings("%ProgramFiles(x86)%")
TargetFile= prog & "\App\config.ini"
TempFile= prog & "\App\config1.ini"
FindAndReplace TargetFile, sFind, MailID
WScript.Echo "Operation Complete"

function FindAndReplace(strFile, strFind, strReplace)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objInputFile = objFSO.OpenTextFile(strFile,1)
    'strTempDir = objFSO.GetSpecialFolder(2)
    Set objTempFile = objFSO.OpenTextFile(TempFile,2,true)
    do until objInputFile.AtEndOfStream
        objTempFile.WriteLine(Replace(objInputFile.ReadLine, strFind, strReplace))
    loop
    objInputFile.Close
    Set objInputFile = Nothing
    objTempFile.Close
    Set objTempFile = Nothing
    objFSO.DeleteFile strFile, true
    objFSO.MoveFile TempFile, strFile
    Set objFSO = Nothing
end function 
'-----------------------------------------------------

You can modify this script based on your needs and use it.

Tuesday, July 10, 2012

Internal Consistency Evaluators

This is some material on ICE which I got some time back from AngelD and wanted to post here for my and everyone's reference.

ICE02
CASE 1: File: 'Red_File' cannot be the key file for Component: 'Blue'. The file belongs to Component: 'Red'
Fix:
Search for the component name in all the other tables in the following order:
• If the component name is found in the Files Table, then set the keypath for the Component to be the name of the first column in the file table.
• If the component name is found in the Registry Table then set the keypath for the Component to be the name of the first column in the Registry table, and add 4 to the Attributes column.
• If the component name is not found in either table, leave the keypath blank
CASE 2: ' Red_Key' cannot be the key registry key for Component: 'Blue'. The RegKey belongs to Component: 'Red'
Fix:
Search for the component name in all the other tables in the following order:
• If the component name is found in the Registry Table then set the keypath for the Component to be the name of the first column in the Registry table
• If the component name is found in the Files Table, then set the keypath for the Component to be the name of the first column in the file table, and subtract 4 from the Attributes column.
• If the component name is not found in either table, leave the keypath blank

ICE03
CASE 1: String overflow (greater than length permitted in column):
This validation error will not cause the installation to behave adversely. The help file says “that the installer does not internally limit the column width to the specified value.”
This error can be removed by using ShortFile Names. This should be removed when it can be.

CASE 2: Value not a member of the set:
Example
ICE03 ERROR Value not a member of the set; Table: Feature, Column: Attributes, Key(s): MirrorTask







The validation is complaining that the value 40 not a member of the set allowed in the Attributes column of the Feature Table.
The values that are allowed in this column are defined in the _Validation Table, shown below.








This says that only the numbers 0,1,2,4,5,6,8,9,10,16,17,18,20,21,22,24,25,26,32,33,34,36,37,38,48,49,50,52,53 and 54 are allowed in the Attributes field.
Looking at the help page for the Feature Table the value of 40 is unacceptable, since it represents 8+32, which are not allowed in combination.
The help page says “Do not use msidbFeatureAttributesNoUnsupportedAdvertise (32) with msidbFeatureAttributesDisallowAdvertise (8).”
Solution:
Change the Attribute column of the Feature table to 16/48

CASE 3: Not a valid foreign key; Table: ProgId, Column: Class_, Key(s): Notes.NotesUIWorkspace

Solution:
Go to the ProgID table find the row that refers to Notes.NotesUIWorkspace and take note of the CLSID value. Once this has been noted, check the CLSID column in the Class_ table. This value was found to be missing, so copy the value and place it into the CLSID column of the Class_ table and fill in the rest of the information. To find out if its Context is LocalServer or LocalServer32 etc. you can look up the Registry in the Installation Expert. For this particular case Notes.NotesUIWorkspace had both LocalServer and LocalServer32 so the row had to be repeated but with this two different values in the Context column.

ICE07
'MTEXTRA.TTF' is a Font and must be installed to the FontsFolder. Current Install Directory: 'OfficeEquationFolder'
Explanation:
Fonts should be only ever installed into c:\windows\fonts.
This error is caused by fonts being installed elsewhere.
Step1:
Locate the file in the file table and note the name of the component that it is in.




Here the Component is called Global_Office_EquationEditor
Step2:
Locate that component in the Component Table





Step3:
Make a new component in step 2, but based on the component changing the Directory_ to FontsFolder (making sure that FontsFolder is defined in the Directory Table)











Component: ICE07Fix1
ComponentId: {GUID} --this needs to be generated. Create a project in Developer, when you add a new component it generates a code that you can use here
Directory_: FontFolder
Attributes: 8
Condition: --copy this from the component that you are fixing
Keypath: --This is the name of the font filename
Step4:
Move the file into this new component



Change the Component_ column to point to ICE07Fix1
Step5:
Associate the new component with the existing component’s feature
Find the component that caused the error in the FeatureComponents table and add the new component to the same feature




ICE09
This error is acceptable
Explanation of error:
“ICE09 validates that the permanent bit is set for every component marked for installation into the SystemFolder. ICE09 posts a warning because you should avoid installing non-permanent system components to the SystemFolder.”
ICE18
Example
ICE18 ERROR KeyPath for Component: 'MirrorTask' is Directory: 'INSTALLDIR'.
The Directory/Component pair must be listed in the CreateFolders table
This error message only occurs when you have a component that does not contain files, registry keys or ODBC DSNs.
It is easily solved as the ICE message tells you what to do.
Solution:
Add a row in the CreateFolders Table to create the directory

This also occurs when you have a registry keypath and you have set the directory to INSTALLDIR. The best way to solve this error is simply go to Component table and change the directory to TARGETDIR. This will solve the ICE Error. No need to make any extra Create Folder.

ICE19
Shortcut: 'Blah' advertises component: 'ComponentBlah'. This component cannot be advertised because the KeyPath type disallows it.
This error indicates that the shortcut is in the wrong component. The shortcut should be in the same component as the file it refers to.
Solution
Step1: Find the file that the shortcut is pointing to




The Target column indicates the File key that the shortcut refers to. Here it is a Formatted text string
Step 2: Find the Component that the file is in



Here the File DTPhones.exe is in a component of the same name
Step3: Move the shortcut into the correct component
Correct the Component_ column of the Shortcut



ICE30
ERROR: The target file 'LONGFI~1.EXElongfilename1.exe' is installed in 'TARGETDIR\PRODUCT' by two different components on an SFN system: 'Component1' and 'Component2'. This breaks component reference counting.
Look at the two files in orca. Sometimes the install compiler makes errors when generating short file names. E.g.
LONGFI~1.EXElongfilename1.exe
LONGFI~1.EXElongfilename2.exe
In this situation it has generated the same short file name for two different files.
To remove the validation error, simply give one of the files a new short file name
ICE33
WARNING Reg key …… is used in an unsupported way. ProgId should be registered via the ProgId table. This entry may overwrite a value created through that table
ICE33 processes entries in the Registry table and may issue a warning for each table entry that registers Classes, Filename Extensions, ProgIDs, Shell Verbs, Remote Server AppIDs, MIME types, or Typelibs.
Though every site you go to will tell you that ICE33 can be ignored, but for the best results, we should remove them if possible. It is not that hard to remove them. Just check the component for which ICE Error is coming. Do rescan advertising for that component and it will put the values in the correct table. Still if you are getting some errors then you can check if the registry still contains the information which is already added to advertising, then you can remove those registries. This will eliminate ICE errors. And even after this if you are getting ICE33 then you can leave them as is in the package.

ICE36
Icon Bloat. Icon BlahIcon is not used in the Class, Shortcut, or ProgID table. This adversely affects performance.
This ICE checks that all icons that are in the icon table have been used in other tables.
If you have this ICE then you should do a manual search of all the tables to see if there are any references to the icon (e.g. ARPPRODUCTICON often references it). If nothing references the icon then it is safe to delete.

ICE38
Example
ICE38 ERROR Component Network_Associates installs to user profile.
It must use a registry key under HKCU as its KeyPath, not a file or directory
Solution:
Create an arbitrary registry key in HKEY_CURRENT_USER and set it as the keypath.
• Add 4 to the Attributes column
• Set the KeyPath to the name of your registry key

ICE41

Extension rc1 references feature complete and component r1win.exe, but the that component is not associated with that feature in the FeatureComponents table.

Solution:
Change the entry in the Feature_ column of the Extension table entry to reference a feature that installs the component listed in the Component_ column or change the feature and component associated in the FeatureComponents table

ICE43
Example
ERROR Component mcstvbi.exe has non-advertised shortcuts.
It should use a registry key under HKCU as its KeyPath, not a file
Solution:
Make the shortcut advertised. This will have the added advantage of putting self-repair functionality into it.
ICE48
Objective:
Checks for directories that are hard-coded to local paths in the Property Table.
Do not hard-code directory paths to local drives because computers differ in the setup of the local drive. This practice may be acceptable if deploying an application to a large number of computers on which the relevant portions of the drives are all the same.
Result:
ICE48 posts an error message if there is a directory that is hard-coded to a local path in the Property table.
Example:
ICE48 would report the following warning for the example shown.
Directory 'Dir1' appears to be hardcoded in the property table to a local drive.
Directory Table (partial)



Property Table (partial)



Resolution:
If an application has a directory named group in its file structure, then this will clash with the entry GROUP in the property table

A permanent solution to prevent this from happing again is to change the GROUP property to a non dictionary word, and therefore avoid this potential clash in the future.

ICE57
ERROR Component 'HKCU' has both per-user and per-machine data with a per-machine KeyPath.
1. Create a new component for this (and any other) key that needs to be separated
2. Move the registry key into this new component
3. Associate the new component with the existing component’s feature
ICE60
The file File1 is Versioned. It cannot be hashed
This error is acceptable as the hash table will not be read for the file in question.
You could remove the row from the hash table to remove the error.
The file File1 is a font, its language should be null.
To correct this you should delete anything that is in the language column for the file
ICE64
Example
ERROR: The directory INTERNET_EXPLORER is in the user profile but is not listed in the RemoveFile table.

Solution:
Put the directory INTERNET_EXPLORER in the RemoveFile table.

ICE69
Example
ICE69 Mismatched component reference. Entry 'DTPhones.exe' of the Shortcut table belongs to component 'ProgramMenuFolder'. However, the formatted string in column 'Target' references file 'DTPhones.exe' which belongs to component 'DTPhones.exe'. Components are in the same feature.
This means that the Target file is not in the component in the Component_ column
Solution:
Change the Target field to equal the name of the feature that the component is in. You will have to look at the FeatureComponents table to find this out.



ICE82
This action SetOEM_NOCOST has duplicate sequence number 11 in the table InstallExecuteSequence
In a third party MSI, this error should not be a problem because we can assume that the MSI has been tested and the order that the actions fire is good enough
ICE84
Action 'FileCost' found in InstallExecuteSequence table is a required action with a condition.
In Microsoft MSIs it is quite common for the package to reboot and they condition their actions so that only some get rerun after the reboot
In this situation, the error is acceptable
ICE86
WARNING Property `AdminUser` found in …... `Privileged` property is often more appropriate.
The AdminUser property is true if the logged in user is the Administrator, Privileged is true for powerusers too.
It is easy to remove the error message. Simply replace the word AdminUser with Privileged.
ICE88
In the IniFile table entry (IniFile=) PPTCast04 the DirProperty= is not found in Directory/Property/AppSearch/CA-Type51 tables and it is not one of the installer properties
This ice checks that the DirProperty column of the Inifile table is valid. This is intended to check that the ini file changes are made in a valid folder.
Unfortunately this check is not always valid because the help file says “If this field is left blank, the .ini file is created in the folder having the full path specified by the WindowsFolder property.”
If the field is blank and you are happy that the ini file changes should be made in the WindowsFolder, then this error is acceptable

Thursday, July 05, 2012

Creating a Device driver based package in Installshield

It is very easy and simle to create a device driver based application from Installshield.
I am using Installshield 2012.

You need to make sure that the driver is a signed driver. If the driver is not signed, then you need to sign the driver first. It is good to have your driver signed, but you can install and unsigned driver as well. Check an option later.



Go to Installshield Wizard in Installation Designer and click on Project button on top an then Device Driver wizard.


Click Next ->

Select the path to your .inf file on your machine. Choose the system architecture. I am choosing x64 as I am packaging for 64 bit machines.


Click Next-> Next->

Select the options as per your requirement. I have chosen the above ones.

Click Next->

Click Next->

You will get the summary and then click on Finish.

It will add the settings in your component of INF file.

Hope this helps you create device driver easily with Installshield.

Wednesday, June 13, 2012

Top Contributor in ITNinja

Today I have reached the top contributor spot in ITNinja which was earlier famous as AppDeploy.
I was too happy and just wanted to share this on my blog :D

Re-Packaging Apple Quicktime 7.72.80.56 and later versions

Quicktime comes as an EXE file which can be extracted easily with 7Zip. The three MSI I received were AppleApplicationSupport, AppleSoftwareUpdate and Quicktime. The Apple Update MSI can be discarded if you do not want to AutoUpdate your Quicktime.

Apple Application Support MSI can be directly installed with /qb! switch.

iTunes can be packaged separately and I have created a separate post for its customization:
http://msiworld.blogspot.com.au/2012/06/re-packaging-apple-itunes-10617-and.html

Quicktime should be modified through Transform as follows:

1) Change the following properties in your MST:

 SCHEDULE_ASUW =0
  REGSRCH_DESKTOP_SHORTCUTS =0
 REBOOT=ReallySuppress

2) Install Quicktime on a test machine and do all the customizations you want with preferences. Once all customizations are complete, copy the quicktime.qtp file from "%userprofile%\AppData\LocalLow\Apple Computer\QuickTime\QuickTime.qtp"

Add this file to Transform in C:\ProgramData\Apple Computer\QuickTime\QuickTime.qtp.

Now add these two scripts in your package in Custom Action to run just before Install Finalize and with Condition as NOT REMOVE~="ALL"

a) This script will copy the .qtp file to all the users profile.
----------------------------------------------------------------------
'Created by Piyush Nasa
'Used to copy the config file to the current user\appdata\local directory.
on error resume next
Set oShell = CreateObject( "WScript.Shell" )
userprofile=oShell.ExpandEnvironmentStrings("%USERPROFILE%")
systemdrive=oShell.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
Set fso = CreateObject("Scripting.FileSystemObject")
Set afile = fso.GetFile(systemdrive & "\ProgramData\Apple Computer\QuickTime\QuickTime.qtp")
strDestination1 =userprofile & "\AppData\LocalLow\Apple Computer\QuickTime\QuickTime.qtp"

fso.CreateFolder(userprofile & "\Application Data\LocalLow\Apple Computer")
fso.CreateFolder(userprofile & "\Application Data\LocalLow\Apple Computer\QuickTime")
afile.Copy(strDestination1)
------------------------------------------------------------------------
b) This script will create the registry key for every user.
------------------------------------------------------------------------
'Created by Piyush Nasa
'Used to create HKCU registry to point to qtp file.
Option Explicit
Dim Temp
'HKEY_CURRENT_USER = HKCU
'HKEY_LOCAL_MACHINE = HKLM
'HKEY_CLASSES_ROOT = HKCR
'HKEY_USERS = HKEY_USERS
'HKEY_CURRENT_CONFIG = HKEY_CURRENT_CONFIG
Temp = WriteReg("HKCU\Software\Apple Computer, Inc.\QuickTime\LocalUserPreferences\FolderPath","%userprofile%\AppData\LocalLow\Apple Computer\QuickTime\","REG_SZ")

Function WriteReg(RegPath, Value, RegType)
       'Regtype should be "REG_SZ" for string, "REG_DWORD" for a integer,…
       '"REG_BINARY" for a binary or boolean, and "REG_EXPAND_SZ" for an expandable string
       Dim objRegistry, Key
       Set objRegistry = CreateObject("Wscript.shell")
      Key = objRegistry.RegWrite(RegPath, Value, RegType)
       WriteReg = Key
End Function
---------------------------------------------------------------------------

3) Add any HKCU registry key in a new component placed at the highest parent Feature. Set this as a keypath. This will ensure that the application is self healed when launched by the user.

4) You will have to remove a Launch condition to check if the existing version is installed already, because I faced a problem and it was not uninstalling properly too with that condition being there. Though this step is optional.

Please note that this package works fine when deployed/installed through any deployment tool in System context as it will trigger the self heal. If you have to manually install this application then you need to add the file the LOCALAPPDATAFOLDER manually in your transform.

Hope this will expidite your packaging of Quicktime application.

Re-Packaging Apple iTunes 10.6.1.7 and later

iTunes comes as an EXE file which can be extracted easily with 7Zip. The five MSI I received were AppleApplicationSupport, AppleMobileDeviceSupport64, AppleSoftwareUpdate, Bonjour64 and iTunes64. The Apple Software Update MSI and Bonjour MSI can be discarded if you do not want to AutoUpdate your iTunes. Bonjour can be kept if you want to allow file sharing on your desktop fleet. We did not want this so we removed this MSI. If you want to install Bonjour then it can be installed silently with /qb! switch.

From this Version QuickTime is not part of iTunes. QuickTime can be packaged separately. more details for packaging this is in this post:
http://msiworld.blogspot.com.au/2012/06/re-packaging-apple-quicktime-7728056.html

Apple Application Support and Apple Mobile Device Support MSI can be installed silently with /qb! switch.

You will have to customize iTunes by creating an MST file.

1) Change the following Public Properties in the MST:
DESKTOP_SHORTCUTS = 0
DISABLEADVTSHORTCUTS = 0
SCHEDULE_ASUW = 0
AMDS_IS_INSTALLED = 1
BONJOUR_IS_INSTALLED = 1
REBOOT = ReallySuppress
NO_ASUW = 0
NO_BONJOUR = 0
IAcceptLicense = Yes
REGSRCH_DESKTOP_SHORTCUTS = 0

2) Install iTunes on a test machine and make all the customizations you want. All the customizations will be stored in following files:

a) "%userprofile%\AppData\Local\Apple Computer\iTunes\cache.db
b) "%userprofile%\AppData\Local\Apple Computer\iTunes\iTunesPrefs.xml"
c) "%userprofile%\AppData\Roaming\Apple Computer\iTunes\iTunesPrefs.xml"
d) "%userprofile%\AppData\Roaming\Apple Computer\iTunes\Preferences\com.apple.iTunes.plist"
e) "%userprofile%\AppData\Roaming\Apple Computer\iTunes\Preferences\keychain.plist"

Copy these files in C:\ProgramData\Apple Computer\iTunes\ folder in your MST file and then use the below script to run in Custom Action just before InstallFinalize. Condition to be kept as NOT REMOVE~="ALL"


'Created by Piyush Nasa
'Used to copy the config file to the current user\appdata\local directory.
on error resume next
Set oShell = CreateObject( "WScript.Shell" )
userprofile=oShell.ExpandEnvironmentStrings("%USERPROFILE%")
systemdrive=oShell.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
Set fso = CreateObject("Scripting.FileSystemObject")
Set afile = fso.GetFile(systemdrive & "\ProgramData\Apple iTunes\local\cache.db")
strDestination1 =userprofile & "\AppData\Local\Apple Computer\iTunes\cache.db"
Set bfile = fso.GetFile(systemdrive & "\ProgramData\Apple iTunes\local\iTunesPrefs.xml")
strDestination2 =userprofile & "\AppData\Local\Apple Computer\iTunes\iTunesPrefs.xml"
Set cfile = fso.GetFile(systemdrive & "\ProgramData\Apple iTunes\Roaming\iTunesPrefs.xml")
strDestination3 =userprofile & "\AppData\Roaming\Apple Computer\iTunes\iTunesPrefs.xml"
Set dfile = fso.GetFile(systemdrive & "\ProgramData\Apple iTunes\Roaming\Preferences\com.apple.iTunes.plist")
strDestination4 =userprofile & "\AppData\Roaming\Apple Computer\iTunes\Preferences\com.apple.iTunes.plist"
Set efile = fso.GetFile(systemdrive & "\ProgramData\Apple iTunes\Roaming\Preferences\keychain.plist")
strDestination5 =userprofile & "\AppData\Roaming\Apple Computer\iTunes\Preferences\keychain.plist"

fso.CreateFolder(userprofile & "\AppData\Local\Apple Computer")
fso.CreateFolder(userprofile & "\AppData\Local\Apple Computer\iTunes")
fso.CreateFolder(userprofile & "\AppData\Roaming\Apple Computer")
fso.CreateFolder(userprofile & "\AppData\Roaming\Apple Computer\iTunes")
fso.CreateFolder(userprofile & "\AppData\Roaming\Apple Computer\iTunes\Preferences")
afile.Copy(strDestination1)
bfile.Copy(strDestination2)
cfile.Copy(strDestination3)
dfile.Copy(strDestination4)
efile.Copy(strDestination5)

3) Add any HKCU registry key in a new component placed at the highest parent Feature. Set this as a keypath. This will ensure that the application is self healed when launched by the user.

Please note that this package works fine when deployed/installed through any deployment tool in System context as it will trigger the self heal. If you have to manually install this application then you need to add the file the LOCALAPPDATAFOLDER manually in your transform.

Hope this will expidite your packaging of iTunes application.