MAKEMSI quickly and reliably creates MSI files in a non-programmatic way
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
[Bottom][Contents][Prev]: ScriptoMatic[Next]: cacls.exe
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
\->Tips and Tricks->Tools->Security Related Tools

Security Related Tools

The Access command may do what you want for files, directories or registry entries however other tools can handle other types of objects such as printers and services.

Some of the tools are:

You can also script it with WMI and the Microsoft tool "XCACLS.VBS" demonstrates this.

There are other tools listed on my http://dennisbareis.com/bookmark_computer_developer_information_windows_security.htm links page and the "SC.EXE" tool can also set service security information.

The following example shows "cacls.exe" modifying file ACLs (similar code will work for any of the above tools):

;--- Handy commands you may wish to use -------------------------------------
#define  CACLS   <$RunCmd  {$?} ALIAS="CACLS" Command="CACLS.EXE" @="N">    ;;"CACLS.EXE" installed with WIN2000 & WINXP (at least on PRO)
#define  /CACLS  <$/RunCmd {$?} ALIAS="/CACLS">

;--- Update ACL on "fred.ini" -----------------------------------------------
<$CACLS CONDITION=^<$CONDITION_INSTALL_ONLY>^>
    ;--- Name of file we wish to modify ACL on ------------------------------
    "%WinDir%\system32\fred.ini"

    ;--- Edit ACL instead of replacing it -----------------------------------
    /E

    ;--- Deny administrators access -----------------------------------------
    /D administrators
<$/CACLS>

You could use the "ExeCa" command to execute the program without a script (which you may wish to do) however these are some of the disadvantages:

  1. You will have reduced (almost no) logging.
  2. Better error messages presented to user, giving you a much better chance of quickly resolving any problems.
  3. More limitations on return code handling.

Obviously you may need to use the "file" command to install the tool if it is not a standard Windows tool for the versions you are targeting. The licencing of Microsoft tools tends to be too restrictive for these tools to be generally useful.

The following is another similar but more complex example which installs the SetACL.EXE tool and doesn't "hardcode" the filename:

#define? SETACL_SETACL.EXE_BUILD_TIME_NAME       .\SetAcl.EXE    ;;By default it is found in the current directory
#define? SETACL_DEFAULT_INSTALLATION_DIR_ROWKEY  INSTALLDIR      ;;May as well allow you to configure it...
#(
    #define  SETACL

    ;--- First time through add the "SETACL" tool (rename in case installation dir in path) ---
    #ifndef  @@SetAclInit
        ;--- This macro requires "INSTALLDIR" to exist (by default)... ------
        <$File RowKey="?@@SetAclKey" Source="<$SETACL_SETACL.EXE_BUILD_TIME_NAME>" Destination="[{$INSTALLDIR=^<$SETACL_DEFAULT_INSTALLATION_DIR_ROWKEY>^}]\SetAcl_MM.EXE" Comment=^ACL modifying tool used by the "SetACL" macro.^>
        #define @@SetAclInit
    #endif

    ;--- Handle #data -------------------------------------------------------
    #RexxVar '@@Data' = '{$Data=^^}'
    #if [@@Data = '']
        ;--- No data passed, just use the EXE info --------------------------
        #RexxVar '@@Data' = '@@SetAclDefault'
    #elseif
        ;--- User passed #data, need to update this list (once) -------------
        #evaluate ^^ ^<$@@Rexx4SetAclData>^
    #endif

    ;--- Set up the command -------------------------------------------------
    <$RunCmd  {$?} ALIAS="SETACL" Command=^"(*SETACL.EXE*)"^ @="N" DATA=^<??@@Data>^>  ;;Command quotes as name can contain spaces...
#)
#data '@@SetAclDefault' 2
    ;--- Install time name and location of SETACL tool ----------------------
    "SETACL.EXE" "[#<??@@SetAclKey>]"
#data
#DefineRexx '@@Rexx4SetAclData'
    ;--- Add our one entry to it (note: Undocumented mechanism/hack) --------
    @@DataDot = @@Data || '.'
    @@RowCnt  = DataInfo(@@DataDot || '?');
    @@WantN   = DataInfo("@@SetAclDefault.1.1");
    @@WantV   = DataInfo("@@SetAclDefault.1.2");
    if  DataInfo(@@DataDot || @@RowCnt || '.1') <> @@WantN then
    do
        ;--- We haven't already added it... ---------------------------------
        @@RowCnt  = DataInfo(@@DataDot || '?') + 1
        call value @@DataDot || @@RowCnt || '.1', @@WantN;
        call value @@DataDot || @@RowCnt || '.2', @@WantV;
        call value @@DataDot || '0', @@RowCnt;
    end;
#DefineRexx
#define  /SETACL  <$/RunCmd {$?} ALIAS="/SETACL">
;--- Add TEST file ---------------------------------------------------------
<$File RowKey="?@@FileKey" Source="C:\tmp\TestAclChangeOnThis.txt" Destination="[INSTALLDIR]\">

;--- Update ACL on the test file we added above (test macros we created) ---
#data 'CaSetAcl' 2
    "TheFile"    "[#<??@@FileKey>]"     ;;Full install time name of resource we are modifying
#data
<$SETACL CONDITION='<$CONDITION_EXCEPT_UNINSTALL>' DATA='CaSetAcl'>
    ;--- Indicate we are modifying a file -----------------------------------
    -ot file

    ;--- Specify the filename we wish to change ACL on ----------------------
    -on "(*TheFile*)"

    ;--- The action is "change ACL" -----------------------------------------
    -actn ace

    ;--- Try Deny "write" but allow everything else (may not make sence, just a test) ---
    -ace "n:SomeUser;p:full" -ace "n:SomeUser;m:deny;p:write"

    ;--- Make sure admins have full access ----------------------------------
    -ace "n:Administrators;p:full"
<$/SETACL>

More Information - Newsgroup Postings

Useful debugging info:

You can get more info about access denied errors by enabling security
auditing in the local security policy.  Start / Run... / gpedit.msc
and then browse to Computer Configuration / Windows Settings /
Security Settings / Local Policies / Audit Policy.  Enable auditing
for failures and you should get more information about the failure in
the system <$EventLog>.


Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.Please email me any feedback, additional information or corrections.
See this page online (look for updates)

[Top][Contents][Prev]: ScriptoMatic[Next]: cacls.exe


MAKEMSI© is (C)opyright Dennis Bareis 2003-2008 (All rights reserved).
Sunday February 28 2016 at 3:45pm
Visit MAKEMSI's Home Page
Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.