Difficulty with Custom Actions / File Permissions
I'm new to packaging and having some trouble.
I'm creating an .msi and want that msi to set permissions on the files and folders it deploys with a custom action.
I read some posts and it seems there are a number of options to accomplish that, like:
XCACLS, Secedit, SetACL.
I prefer to use Secedit, because I find it easy to create an .inf file from Windows Security templates snap in, containing the required permissions.
Here's what I tried:
1. I created an .inf file with the correct permissions from the templates snap-in.
2. I add this template to the .msi so that it is installed with all the files in the .msi to the apps folder.
3. I created .vbs to run secedit with the .inf file in step 2. I tested the script and that works properly.
the code:
---------------
Set objshell = wscript.createobject("Wscript.Shell")
objshell.run ("secedit.exe /configure /db 'APPNAME' /cfg c:\progra~1\'APPFOLDERNAME'\'APPNAME'.inf /areas FILESTORE")
---------------
4. I add a custom action to the .msi with option "Vbscript installed with the product", "Immediate Execution", "Synchronous Execution", "Always Execute"
And then I selected the .VBS created.
5. I sequence the custom action just before "Install Finalize" in "InstallExecuteSequence"
Result: The script runs, but cannot find the .inf. Seems logical because the script runs before the file copy process has started...
I also tried to sequence the custom action after "Install Finalize"; then it runs after the file copy, but then I get an error that the script could not finish.
Can someone tell me how to create a working custom action combined with Secedit and .inf files to accomplish what I want?
And.. Can someone explain when to use options like "immediate execution, Deferred, Rollback etc."
Maybe some good links with info about that stuff.
Thanks
Answers (20)
Posted by:
nheim
17 years ago
Hi Folks,
don't mess up with deferred CA's. From MSDN Library:
"A deferred execution custom action must be scheduled in the execute sequence table within the section that performs script generation. Deferred execution custom actions must come after InstallInitialize and come before InstallFinalize in the action sequence."
See: http://msdn2.microsoft.com/en-gb/library/aa368268.aspx
Your CA must be scheduled just BEFORE InstallFinalize, then it should work (but don't forget to make it deferred, e.g. add 1024 to the CA-Type).
Regards, Nick
Posted by:
cygan
17 years ago
Posted by:
Marz28
17 years ago
All, Thanks for your replies.
I haven't had the chance to look more into it. But I will be going on with it next week.
Cygan, I am using DA MSI Studio from Scriptlogic.
I'm not sure how that compares to Wise Package Studio.
If it is not too much trouble, I'd like to know how you do it in Wise, maybe I can translate to my Packaging APP.
Thanks!
Posted by:
cygan
17 years ago
This is what I use for permissions and it works fine for me
In Wise Package Studio
Go to the MSI Script Tab
From the installation mode drop down choose all custom actions
Drag the custom action --- Execute Program from Installation
Name enter a name for your CA
Executable file browse to your setACL.exe
Command Line Arguments -on "C:\Program Files\FolderName" -ot file -actn ace -ace "n:Users;p:change"
Condition Not Installed
Location Normal Execute Immediate/deferred.
After . InstallFinalise
If you are setting permissions on a reg key then the command line should read, e.g.
-on "HKLM\XXXXXXX\XXXXXX\" -ot reg -actn ace -ace "n:Users;p:full"
or
-on "HKCU\XXXXXXX\XXXXXX\" -ot reg -actn ace -ace "n:Users;p:full"
Remember, after the p: on the command line you can give full, change or whatever permission you require, i.e. read, write etc.
hope this helps
Posted by:
cygan
17 years ago
Posted by:
Marz28
17 years ago
Posted by:
cygan
17 years ago
Posted by:
Marz28
17 years ago
Posted by:
Mackan75
17 years ago
Hi Marz28.
Do you have any special reason to set the rights with a VBScript? Otherwise you should use an 'Execute Program from Destination' CA, as secedit.exe should already exist on the client. (Sorry if my English is not the best).
I usually do this (I use Wise Package Studio):
1. Put the *.inf and *.sdb in C:\Windows\Security\Database\*.sdb and C:\Windows\Security\templates\*.inf (Windows standard)
2. In MSI Script, in the 'Execute Immediate' section, after 'InstallFinalize', create an "If Not Installed then" so the Custom Action (CA) doesn't run when you're uninstalling the application.
3. Create a CA 'Execute Program from Destination', set 'Working Directory' to SystemFolder, and in 'EXE and Command Line' write "secedit /configure /db C:\Windows\Security\Database\Sunaccounts426.sdb /cfg C:\WINDOWS\security\templates\Sunaccounts426.inf /quiet". On the Properties tab choose 'Synchronous' and 'Always Execute'.
4. Put in an 'end' statement on the row below.
With the above command line, rights should be set on both the registry and files. You can always create different inf files for the registry and file settings, and create different CAs, one for registry and one for files, but I usually put both in the same file.
Good Luck
/Marcus
Posted by:
xichterl
17 years ago
ORIGINAL: cygan
From the installation mode drop down choose all custom actions
Drag the custom action --- Execute Program from Installation
Name enter a name for your CA
Executable file browse to your setACL.exe
Command Line Arguments -on "C:\Program Files\FolderName" -ot file -actn ace -ace "n:Users;p:change"
Condition Not Installed
Location Normal Execute Immediate/deferred.
After . InstallFinalise
Hey,
actually I deploy SPSS Amos 6 and I have to set privileges to the main Program Folder.
I followed your instructions and the script executes successfully and setting the permissions works perfectly, but after that I receive an internal error #2762.
[ I chose setacl because later on I have to set privileges to the registry and I think setacl is the most comfortable way to do that. ]
Custom Action:
Execute Program From Installation Command Line -on "C:\Programme\AMOS 6" -ot file -actn ace -ace "n:Benutzer;p:change" (acl)
It's placed after InstallFinalize.
First I thought it might be a problem with the exit code of setacl so I set "ignore exit code", but the error message is still being displayed.
Executing before InstallFinalize is called brings the same result.
Thank you for helping me to find a solution.
Posted by:
dmack
12 years ago
Posted by:
AngelD
17 years ago
Hi Marz28.
Remove "wscript." as windows installer already does support this by default.
Set objshell = createobject("Wscript.Shell")
You should also sequence the custom action to run under deferred (System context) after InstallFinalize.
Custom Actions running under:
Immediate; runs under the Installer's context
Deferred; system context (Windows Installer service)
Rollback; when something goes wrong and you want to revert something you've done with a custom action.
Any system changes should be sequenced in Deferred.
Posted by:
Marz28
17 years ago
Thanks.
I modified the script. It is now:
----------------
Set objshell = createobject("Wscript.Shell")
objshell.run ("secedit.exe /configure /db SunAccounts426 /cfg c:\progra~1\sunsystems4\Sunaccounts426.inf /areas FILESTORE")
----------------
Created the CA as deferred (system) and sequenced it just after InstallFinalize
The msi copies all files and then gives me an error: errorcode 2762 the arguments are:,,
Both the vbs and inf are copied to the program files dir for the app, like they should.
When I now manually run the VB after the installation, it adjusts the permissions properly.
The VBS just does not run when it's called from the MSI through the CA.
Also, in the CA properties there is an option "Return Processing"; it is set to "Synchronous Execution" for the CA. Is that OK?
any more tips anyone might have?
Posted by:
AngelD
17 years ago
Posted by:
Marz28
17 years ago
Here's the script copy/paste from the one installed in the program dir:
-------------
Set objshell = createobject("Wscript.Shell")
objshell.run "secedit /configure /db ""c:\windows\security\Database\SunAccounts426.sdb"" /cfg ""c:\program files\sunsystems4\Sunaccounts426.inf"" /areas FILESTORE"
--------------------
I still get the same error message [:@]
Again, when I double-click the .vbs from where the MSI has installed it, the VBS runs without problems.
Posted by:
aogilmor
17 years ago
try adding secedit as a binary. This would be a Custom Action Type 2, or EXE file stored in a Binary table stream.
then define your properties prior to running your CA. For example, if c:\program files\sunsystems4\Sunaccounts426.inf is an installed file you could use, say, [#Sunaccounts426.inf] which would give you the full path to your inf file, in your custom action target field. You have a lot of command line arguments to run there, so to simplify things try condensing them into properties.
Also, if your vbscript is an installed file I don't think it will work until after InstallFinalize
Posted by:
jamsek19
17 years ago
Hello marz28.
My opinion:
You cannot assign this action just before InstallFinalize as Immediate, because at that time your files need to be installed - they're not installed yet. You should assign this CA as Deferred.
Let me explain about executions: MSIEXEC runs the installation in 3-4 phases:
1. UserInterfaceExecution phase (this should be skipped in case of silent install). Here the Installer collects the information needed for the installation from the user (using dialogs, ...).
2. InstallExecute
2.b. Immediate phase. In this phase the Installer creates "a script" which later, in the deferred phase, actually does the installation and the file system changes. The installer creates "a script" to do a possible rollback in case of cancelling or error. Therefore rollback sequences are just sequences assigned between InstallInitialize and InstallFinalize in InstallExecuteSequence. In this phase you can see most of the properties (like in UIInstallExecute).
NOTE: in your case, if you run your custom action as Immediate, it can happen that the files are not there yet while the CA is running!
2.a. Deferred phase. Here the actual file system changes are done. The most important information for this phase is:
- File system changes: files are copied to the proper location
- The Installer does not know most of the properties, therefore you have to manage this another way (for example using a CA to read from the registry, a special file, ...).
- rollback (in case of cancelling or error) should be done just for sequence actions assigned in this phase, ...
3. InstallExecute - the rest of the immediate phase. It is like phase 2.
So think about where you can assign your custom action.
Another hint for VBS:
I remember that I had almost the same problem: I needed to set security rights on a share and I was not able to run the CA (using VBS) your way. Try it this way:
---------------
' Build the full command line first, then run it and wait for it to finish
cmd = " your cmd here with all parameters "
Set ShellObj = CreateObject("WScript.Shell")
' 10 = window style, True = wait for the program and return its exit code
RunWindowedCMD = ShellObj.Run( cmd, 10, True) ' also possible state 7
---------------
Explanation:
10 means "Sets the show-state based on the state of the program that started the application." You can also use 7 - "Displays the window as a minimized window. The active window remains active."
True: script execution halts until the program finishes, and Run returns any error code returned by the program.
The way you call Run, it uses the default properties, which means that the Run method returns immediately after starting the program, automatically returning 0 (not to be interpreted as an error code).
Instead of Run you can also use the Exec method on the same shell object. See help for usage.
Regards
Andreo
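Added example, not code from any poster or from Microsoft's documentation: a small Python check of the MSDN rule quoted earlier in the thread (deferred actions belong between InstallInitialize and InstallFinalize, and deferred means 1024 added to the type) together with the immediate/deferred phases described in the answer above. The action names, sequence numbers and table contents are constructed, and the check assumes no InstallExecute action copies files earlier; the flag values are the documented msidbCustomActionType bits.

```python
# Added example: decode CustomAction.Type values and lint their sequencing.
# Flag values are the documented msidbCustomActionType* bits.
CONTINUE = 0x0040        # 64: ignore the action's exit code
ASYNC = 0x0080           # 128: do not wait for the action to finish
ROLLBACK = 0x0100        # 256: with IN_SCRIPT, a rollback action
COMMIT = 0x0200          # 512: with IN_SCRIPT, a commit action
IN_SCRIPT = 0x0400       # 1024: deferred, runs from the generated script
NO_IMPERSONATE = 0x0800  # 2048: with IN_SCRIPT, run as LocalSystem
SOURCE_MASK, SOURCE_FILE = 0x30, 0x10  # source is a row in the File table


def decode(ca_type):
    """Split a Type value into its base type and scheduling options."""
    if not (ca_type & IN_SCRIPT):
        mode = "immediate"  # bits 256/512 have other meanings here
    elif ca_type & ROLLBACK:
        mode = "rollback"
    elif ca_type & COMMIT:
        mode = "commit"
    else:
        mode = "deferred"
    return {
        "base": ca_type & 0x3F,  # e.g. 22 = VBScript installed with product
        "mode": mode,
        "system": mode != "immediate" and bool(ca_type & NO_IMPERSONATE),
        "installed_file": (ca_type & SOURCE_MASK) == SOURCE_FILE,
        "waits": not (ca_type & ASYNC),
        "ignores_exit_code": bool(ca_type & CONTINUE),
    }


def lint(sequence, custom_actions):
    """Return [(action, problem)] for an InstallExecuteSequence.

    sequence maps action name -> Sequence; custom_actions maps name -> Type.
    Assumes no InstallExecute action copies files before InstallFinalize.
    """
    start, end = sequence["InstallInitialize"], sequence["InstallFinalize"]
    findings = []
    for name, ca_type in custom_actions.items():
        info, seq = decode(ca_type), sequence[name]
        if info["mode"] != "immediate" and not (start < seq < end):
            findings.append((name, "in-script action scheduled outside "
                                   "InstallInitialize..InstallFinalize"))
        elif (info["mode"] == "immediate" and info["installed_file"]
              and seq < end):
            findings.append((name, "immediate action needs an installed "
                                   "file before the files are copied"))
    return findings


# Constructed sample: three ways of scheduling the same installed .vbs.
SEQUENCE = {"InstallInitialize": 1500, "InstallFiles": 4000,
            "PermsImmediate": 6590, "PermsDeferred": 6595,
            "InstallFinalize": 6600, "PermsDeferredLate": 6610}
ACTIONS = {"PermsImmediate": 22,               # immediate, before finalize
           "PermsDeferred": 22 + 1024 + 2048,  # deferred, system context
           "PermsDeferredLate": 22 + 1024}     # deferred, after finalize

if __name__ == "__main__":
    for action, problem in lint(SEQUENCE, ACTIONS):
        print(f"{action}: {problem}")
```

Only PermsDeferred passes: it is a type 22 action with 1024 and 2048 added, sequenced between InstallInitialize and InstallFinalize.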
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.