/build/static/layout/Breadcrumb_cap_w.png

Difficulty with Custom Actions / File Permissions

I'm new to packaging and having some trouble.

I'm creating a .msi and want that msi to set permissions on files and folder it deploy with a custom action.

I read some posts and it seems there are a number of options to accomplish that, like:
XCACLS, Secedit, SetACL.

I prefer to use Secedit, because I find it easy to create an .inf file from Windows Security templates snap in, containing the required permissions.

Here's what I tried:

1. I created a .inf file with the correct permission from the templates snapin.

2. I add this template to the .msi so that it is installed with all the files in the .msi to the apps folder.

3. I created .vbs to run secedit with the .inf file in step 2. I tested the script and that works properly.
the code:
---------------
Set objshell = wscript.createobject("Wscript.Shell")
objshell.run ("secedit.exe /configure /db 'APPNAME' /cfg c:\progra~1\'APPFOLDERNAME'\'APPNAME'.inf /areas FILESTORE")
---------------

4. I add a custom action to the .msi with option "Vbscript installed with the product", "Immediate Execution" , "Synchronous Execution" , "Always Execute"
And then I selected the .VBS created.

5. I sequence the custom action just before "Install Finalize" in "InstallExecuteSequence"

Result: The Script runs, but cannot the the .inf. Seems logical because the script runs before file copy process has started...


Also tried to sequence the the custom action after "Install Finalize" then it runs after file copy, but then I get an error that the script could not finish.

Can some tell me how to create a working custom action combined with Secedit and .inf files to accomplish what i want?
And.. Can someone explain when to use options like "immediate execution, Deferred, Rollback etc."
Maybe some good links with info about that stuff.

Thanks

0 Comments   [ + ] Show comments

Answers (20)

Posted by: nheim 17 years ago
10th Degree Black Belt
0
Hi Folks,
don't mess up with deferred CA's. From MSDN Library:
"A deferred execution custom action must be scheduled in the execute sequence table within the section that performs script generation. Deferred execution custom actions must come after InstallInitialize and come before InstallFinalize in the action sequence."
See: http://msdn2.microsoft.com/en-gb/library/aa368268.aspx
Your CA must be scheduled just BEFORE InstallFinalize, then it should work (but don't forget to make it deferred, e.g. add 1024 to the CA-Type).
Regards, Nick
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
hi Marz28

are you using wise package studio

I can show you how to set permissions on reg keys , files, folders etc

using custom actions and SETACL
Posted by: Marz28 17 years ago
Senior Yellow Belt
0
All, Thanks for your replies.
I haven't had the chance to look more into it. But I will be going on with it next week.

Cygan, I am using DA MSI Studio from Scriptlogic.
I'm not sure how that compares to Wise Package Studio.

If it is not to much trouble, I'd like to know how you do it in Wise, maybe I can translate to my Packaging APP.

Thanks!
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
This is what I use for permissions and it works fine for me


In Wise Package Studio

Go to the MSI Script Tab

From the installation mode drop down choose all custom actions


Drag the custom action --- Execute Program from Installation

Name enter a name for your CA

Executable file browse to your setACL.exe

Command Line Arguments -on "C:\Program Files\FolderName" -ot
file -actn ace -ace "n:Users;p:change"


Condition Not Installed


Location Normal Execute Immediate/deferred.
After . InstallFinalise


If you are setting permissions on a reg key the then the command line should read eg


-on "HKLM\XXXXXXX\XXXXXX\" -ot reg -actn ace -ace "n:Users;p:full"

or


-on "HKCU\XXXXXXX\XXXXXX\" -ot reg -actn ace -ace "n:Users;p:full"



remember after the P: on the command line you can give full, change or what ever permission you require ie read, write etc


hope this helps
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
opps

forgot to add this

you can also use that command line on a file

ie c:\xxxxxx\app name\ file name
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
you could also set the permissions using setacl with orca
Posted by: Marz28 17 years ago
Senior Yellow Belt
0
Cygan,

I am trying to get the CA to work, but i am still receiving errors.
You say you can also add it with orca, how do you do that ?
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
HI Marz28


can you explain what type of permissions you are setting

are the permissions on files , folders or ini files
Posted by: Marz28 17 years ago
Senior Yellow Belt
0
Cygan,

I try to set permissions on the folder that the app is installed in. in this case c:\program files\sunsystems4

I use this :
-on "C:\Program Files\Sunsystems4" -ot file -actn ace -ace "n:Users;p:change"

As parameter
Posted by: Mackan75 17 years ago
Orange Belt
0
Hi Marz28.

Do you have any special reason to set the rights with a Vbscript? Otherwise you should use a 'Execute Program from Destionation' CA as secedit.exe already should exist on the client. (Sorry if my English is not the best).


I Usualy do this (I use Wise Package Studio):

1. Put the *.inf and *.sdb in C:\Windows\Security\Database\*.,sdb and C:\Windows\Security\templates\*.inf (windows standard)

2. In MSI-Script the 'Execute Immediate' section, after 'InstallFinalize' create an "If Not Installed then" so the Custom Action (CA) doesn´t run when your uninstalling the application.

3. Create a CA 'Execute Program from Destination', set 'Working Directory' to SystemFolder, on 'EXE and Command Line write' write "secedit /configure /db C:\Windows\Security\Database\Sunaccounts426.sdb /cfg C:\WINDOWS\security\templates\Sunaccounts426.inf /quiet". on the Properties tab choose 'Synchronous' and 'Alwats Execute'

4. Put in an 'end' statement on the row below.


With the above commandline rights shold be set to both the registry and files. You can always create different inf files for settings in the registry and file, and create different CAs one for registry and one for files, but I usualy put both in the same file

Good Luck
/Marcus
Posted by: xichterl 17 years ago
Yellow Belt
0
ORIGINAL: cygan

From the installation mode drop down choose all custom actions


Drag the custom action --- Execute Program from Installation

Name enter a name for your CA

Executable file browse to your setACL.exe

Command Line Arguments -on "C:\Program Files\FolderName" -ot
file -actn ace -ace "n:Users;p:change"


Condition Not Installed


Location Normal Execute Immediate/deferred.
After . InstallFinalise






Hey,

actually I deploy SPSS Amos 6 and I have to set priviledges to the main Program Folder.
I followed your instructions and the script executes successfully and setting the permissions works perfectly, but after that I receive an internal error #2762.
[ I chose setacl because later on I have to set priviledges to the registry and I think setacl is the most comfortable way to do that. ]

Custom Action:
Execute Program From Installation Command Line -on "C:\Programme\AMOS 6" -ot file -actn ace -ace "n:Benutzer;p:change" (acl)

It's placed after InstallFinalize.
First I thought it might be an problem with the exit code of setacl so i set "ignore exit code", but the error message ist still being displayed.

Executing befor InstallFinalize is called brings the same result.

Thank you for helping me to find a solution.
Posted by: cygan 17 years ago
Fifth Degree Brown Belt
0
hi xichterl

I am glad it worked . we are all here to help each other
Posted by: dmack 12 years ago
Senior Yellow Belt
0
Is there a specific way to do this in Windows 7 64bit? I understand setacl.exe no longer works here? Please provide solution if you know of any. Thanks
Posted by: kardock 12 years ago
Second Degree Green Belt
0
please start a new thread instead of reviving a 5 year old one.
Posted by: AngelD 17 years ago
Red Belt
0
Hi Marz28.

Remove "wscript." as windows installer already does support this by default.
Set objshell = createobject("Wscript.Shell")

You should also sequence the custom action to run under deferred (System context) after InstallFinalize.

Custom Actions running under:
Immediate; runs under the Installer's context
Deferred; system context (Windows Installer service)
Rollback; when something goes wrong and you want to reverted something you've done with a custom action.

Any system changes should be sequenced in Deferred.
Posted by: Marz28 17 years ago
Senior Yellow Belt
0
Thanks.

I modified the script. It is now:
----------------
Set objshell = createobject("Wscript.Shell")
objshell.run ("secedit.exe /configure /db SunAccounts426 /cfg c:\progra~1\sunsystems4\Sunaccounts426.inf /areas FILESTORE")
----------------
Created the CA as deferred (system) and sequenced it just after InstallFinalize
The msi copies all files and then gives me an error: errorcode 2762 the arguments are:,,

Both the vbs and inf are copied to the program files dir for the app, like they should.
When I now manually run the VB after the installation, it adjusts the permissions properly.
The VBS just does not run when it's called from the MSI through the CA.

Also, in the CA properties there is and option "Return Processing" it is set to "Synchronous Execution" for the CA. That ok?
any more tips anyone might have?
Posted by: AngelD 17 years ago
Red Belt
0
Try this

"secedit /configure /db ""C:\WINDOWS\security\Database\SunAccounts426.sdb"" /Cfg ""C:\Program Files\sunsystems4\Sunaccounts426.inf"" /areas FILESTORE"
Posted by: Marz28 17 years ago
Senior Yellow Belt
0
Here's the script copy/paste from the one installed in the program dir:
-------------
Set objshell = createobject("Wscript.Shell")
objshell.run "secedit /configure /db ""c:\windows\security\Database\SunAccounts426.sdb"" /cfg ""c:\program files\sunsystems4\Sunaccounts426.inf"" /areas FILESTORE"
--------------------

I still get the same error message [:@]
Again when I doubleclick the the .vbs from where the MSI has installed the VBS runs without problems.
Posted by: aogilmor 17 years ago
9th Degree Black Belt
0
try adding secedit as a binary. This would be a Custom Action Type 2, or EXE file stored in a Binary table stream.
then define your properties prior to running your CA. For example, if c:\program files\sunsystems4\Sunaccounts426.inf is an installed file you could use, say, [#Sunaccounts426.inf] which would give you the full path to your inf file, in your custom action target field. You have a a lot of command line arguments to run there, so to simplify things try condensing them into properties.

Also, if your vbscript is an installed file I don't think it will work until after InstallFinalize
Posted by: jamsek19 17 years ago
Orange Senior Belt
0
Hello marz28.

My opinion:
you cannot assign this action just before InstallFinalize as Immediate, because at that time your files needs to be installed - they're not installed yet. You should assign this CA as Deffered.

Let me explain about executions: MSIEXEC run installation in 3-4 phases:

1. UserInterfaceExecution phase (this should be skipped in case of silent install). Here Installer collect information from user needed for installation (using dialogs, ..)

2. InstallExecute
2.b. Immediate phase. In this phase Installer creates "a script" which later in deffered phase actual do the installation and file system changes. The installer creates "a script" to do possible rollback in case of canceling or error. Therefore rollback sequences are just sequences assigned between InstallInitialize and InstallFinalize in InstallExecuteSequence. In this phase you can see most of the properties (like in UIInstallExecute).
NOTE: in your case, if you run your custom action Immediate it can happened that during running CA you do not have files there!

2.a. deffered phase. Here actual file system changes are done. The most important information for this phase are:
- File system changes: files are copied to proper location
- Installer do not know for the most properties therefore you have to managed this on the other way (for example using CA to read from registry, special file,...).
- rollback (in case of canceling or error) should be done just for sequence actions assigning in this phase,...

3. InstallExecute - immediate phase the rest of. It is like phase 2.


So think about it, where can you assign your custom action to.

Another hint for VBS:
I remember that I have almost the same problem: I needed to set security right to a share and I was not able to run CA (using VBS) on your way. Try this way:
[font="Courier New"]cmd = " your cmd here with all parameters "
Set ShellObj = CreateObject("WScript.Shell")
RunWindowedCMD = ShellObj.Run( cmd, 10, True) ' also possible state 7

Explanation:
10 means "Sets the show-state based on the state of the program that started the application." You can also use 7 - "Displays the window as a minimized window. The active window remains active."
True script execution halts until the program finishes, and Run returns any error code returned by the program.

On a way you run Run cmd uses default properties which means that the Run method returns immediately after starting the program, automatically returning 0 (not to be interpreted as an error code).

Instead of Run you can also use Exec method on the same shell object. See help for usage.

Regards
Andreo
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ