- Security permissions can be applied in an MSI in several ways: XCACLS, SECEDIT, and the LockPermissions table.
- Here I will discuss the improved capabilities that Windows Installer 5.0 adds over the old LockPermissions table through the new MsiLockPermissionsEx table.
- The new MsiLockPermissionsEx table uses an SDDLText descriptor rather than the permission-bits concept. SDDL (Security Descriptor Definition Language) is the Windows text format for expressing security permissions. Since the SDDL syntax is difficult to learn, a link at the end of the post explains how to generate the SDDLText descriptor and use it in the MsiLockPermissionsEx table.
- Security settings can be applied to services as well, in addition to files, folders, and registry keys.
- Permissions can be applied to specific user accounts, including accounts that are newly created on the system during the course of installation.
- The MsiLockPermissionsEx Table can be used to secure services, files, registry keys, and created folders.
- A package should not contain both the MsiLockPermissionsEx Table and the LockPermissions Table.
- Windows Installer 4.5 or earlier: Not supported. This table is recommended for packages intended for installation with Windows Installer 5.0 or later.
- The MsiLockPermissionsEx Table has the following columns :
Here is an article on how to use this table and a helper script to extract SDDL from existing objects
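
As an added example (not from the original post or the linked article), the Python sketch below shows what an SDDLText value expresses by parsing its DACL and flagging allow ACEs that give broad groups such as Everyone or Authenticated Users modify-level access. The sample rows are constructed and the function names `rights_mask`, `dacl_aces` and `audit` are hypothetical; the row keys follow the table's LockObject, Table and SDDLText columns.

```python
import re

# SDDL access-right codes -> access-mask bits (generic, standard, file, registry, service)
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Bits that let the trustee modify the object: GENERIC_ALL, GENERIC_WRITE, WRITE_DAC,
# WRITE_OWNER, DELETE, and 0x2 (write file data / set registry value / change service config).
MODIFY = 0x10000000 | 0x40000000 | 0x40000 | 0x80000 | 0x10000 | 0x2
# Broad trustees: Everyone, Authenticated Users, Built-in Users, Interactive, Anonymous, Guests
BROAD = {"WD", "AU", "BU", "IU", "AN", "BG"}

def rights_mask(rights):
    """Turn an ACE rights field ('FA', 'CCLCSWRPLO', '0x1200a9') into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError on a code this table does not know
    return mask

def dacl_aces(sddl):
    """Yield (type, rights, trustee) for each ACE in the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        yield fields[0], fields[2], fields[5]

def audit(rows):
    """Return (LockObject, trustee, rights) for allow ACEs giving broad trustees modify access."""
    findings = []
    for row in rows:
        for ace_type, rights, trustee in dacl_aces(row["SDDLText"]):
            if ace_type == "A" and trustee in BROAD and rights_mask(rights) & MODIFY:
                findings.append((row["LockObject"], trustee, rights))
    return findings

# Constructed sample rows (not from the original post)
ROWS = [
    {"LockObject": "INSTALLDIR", "Table": "CreateFolder", "SDDLText": "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"},
    {"LockObject": "DataDir", "Table": "CreateFolder", "SDDLText": "O:BAD:(A;OICI;FA;;;WD)"},
    {"LockObject": "MySvc", "Table": "ServiceInstall", "SDDLText": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLO;;;AU)"},
]
if __name__ == "__main__":
    print(audit(ROWS))
```

The first row passes because Built-in Users only receive read and execute (0x1200a9); the other two are flagged because Everyone gets full control of a folder and Authenticated Users can change the service configuration.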