Tuesday, November 08, 2011

What is the MsiLockPermissionsEx table, and the concepts behind MsiLockPermissionsEx in Windows Installer 5.0

  1. Security permissions can be applied in an MSI in several ways: with XCACLS, with SECEDIT, or via the LockPermissions table.
  2. Here I will discuss the improved capabilities that Windows Installer 5.0 adds over the old LockPermissions table through the new MsiLockPermissionsEx table.
  3. The new MsiLockPermissionsEx table uses an SDDL text descriptor instead of the bit-mask permissions of LockPermissions. SDDL (Security Descriptor Definition Language) is the string format Windows uses to express security descriptors. Since the SDDL syntax is difficult to learn, a link is provided at the end of the post that explains how to generate the SDDL descriptor and use it in the MsiLockPermissionsEx table.
  4. Security settings can be applied to services as well as to files, folders and registry keys.
  5. Permissions can be applied to specific user accounts, including accounts that are newly created on the system during the installation.

MsiLockPermissionsEx Table

  • The MsiLockPermissionsEx Table can be used to secure services, files, registry keys, and created folders.
  • A package should not contain both the MsiLockPermissionsEx Table and the LockPermissions Table.
  • Windows Installer 4.5 or earlier: not supported. This table is recommended for packages intended for installation with Windows Installer 5.0 or later.
  • The MsiLockPermissionsEx Table has the following columns:

MsiLockPermissionsEx
This is the primary key of this table.

LockObject
This column and the Table column together specify the file, directory, registry key, or service that is to be secured. The LockObject column is a foreign key that points to the primary key of the table specified by the Table column.

Table
This column and the LockObject column specify the file, directory, registry key, or service that is to be secured. In the Table column, enter File, Registry, CreateFolder, or ServiceInstall to specify a LockObject listed in the File Table, Registry Table, CreateFolder Table, or ServiceInstall Table.

SDDLText
Enter the SDDL string to indicate the permissions to apply to the selected object. The SDDL must be provided in Security Descriptor String Format.

Condition
This column contains a conditional expression used to determine whether to apply the specified permission. If the condition evaluates to FALSE, the permission is not applied. If the condition evaluates to TRUE, the permission is applied.
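As an added check that is not part of the original post: a small Python audit that parses the SDDLText value of a MsiLockPermissionsEx row and flags Allow ACEs granting modifying rights to broad principals such as Everyone or Authenticated Users, which is what a reviewer of a package would want to catch before it ships. The SID aliases, right tokens and sample rows are a constructed subset, and parse_aces and audit_sddl are names chosen here.

```python
import re

# Constructed subset of SDDL well-known SID aliases that name broad groups.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
              "IU": "Interactive", "AN": "Anonymous"}
# Two-letter SDDL right tokens that let the holder modify the object or its ACL.
# Note the overloading: "WD" as a right means WRITE_DAC, as a SID it means Everyone.
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO", "DC", "SD"}
# The same rights when the ACE carries a hex access mask instead of tokens:
# GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | WRITE_OWNER | DELETE | write/append data.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x00010000 | 0x2 | 0x4

# Owner (O:), group (G:), DACL (D:) and SACL (S:) sections; SIDs and ACEs contain no ':'.
SECTIONS = re.compile(r"^(?:O:(?P<o>[^:]*?))?(?:G:(?P<g>[^:]*?))?"
                      r"(?:D:(?P<d>[^:]*?))?(?:S:(?P<s>[^:]*))?$")
ACE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the DACL of an SDDL string as (ace_type, flags, rights, sid) tuples."""
    m = SECTIONS.match(sddl)
    if not m:
        raise ValueError("not a valid SDDL string: %r" % sddl)
    aces = []
    for body in ACE.findall(m.group("d") or ""):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def grants_write(rights):
    """True if a rights field (hex mask or token list) includes a modifying right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)


def audit_sddl(sddl):
    """List (principal, rights) pairs where an Allow ACE gives a broad group write access."""
    findings = []
    for ace_type, _flags, rights, sid in parse_aces(sddl):
        if ace_type == "A" and sid in BROAD_SIDS and grants_write(rights):
            findings.append((BROAD_SIDS[sid], rights))
    return findings


if __name__ == "__main__":
    # Constructed SDDLText values as they might appear in MsiLockPermissionsEx rows.
    for row in ("D:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;BU)", "O:BAG:SYD:(A;;FA;;;WD)"):
        print(row, "->", audit_sddl(row) or "ok")
```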

Here is an article on how to use this table, and a helper script to extract SDDL from existing objects.
