Pages

Wednesday, 20 June 2012

MsiLockPermissionsEx Table


MsiLockPermissionsEx Table enhances the functionality over LockPermissions Table. With MsiLockPermissionsEx table, users now have the ability to set access permissions on objects impacted by the application install that previously required using custom actions or other methods outside of Windows Installer
·Expanding the set of permissions that can be applied to a resource by incorporating the Security Descriptor Definition Language(SDDL) in Windows Installer. This allows the security settings for an object to be more flexible, including;
o Ability to apply Deny ACLs to objects
o Indicate inheritance properties for permissions
o Expand the set of well-known SIDs
o Ability to set Owner, Group, and SACLs to the objects in addition to the regular access permissions
·Security settings can be applied to services as well in addition to Files, Folders, Registry keys
·Ability to apply permissions specific to user accounts – including accounts that are newly created on the system during the course of installation
Read more about this in Windows installer team blog
http://blogs.msdn.com/windows_installer_team/archive/2009/03/05/enhanced-permissions-setting-with-windows-installer-5-0.aspx

1E Nomad Branch


Users in the remote branches will be benified from Nomad in Software Distribution. Nomad has a very tight integration with Microsoft SMS and SCCM Config Manager .


Once the data is distributed by Nomad Branch , it shares the data with Peer's. You can configure Nomad branch with or without multicasting.


Benefits of Nomad Branch


- Cost Reduction by reducing the number of Servers in Branches
- Bandwidth Control
- Multicasting

Shared DLLS vs Merge Modules


Merge modules are similar in structure to a simplified Windows Installer, which helps to integrate shared code, files (DLLs / OCXs), resources, registry entries, and setup logic to applications as a single compound file.

Drawback of using downloadable Merge Modules while re-packaging: Most of the merge modules are present in their respective shared location, if not; it’s downloaded from the web. As the files integrated with the installer is from merge modules, it does not require isolation.
When you don’t find the proper network for the Share location on web during installation, then the application / installation fails to function. This is the main drawback of the Merge Modules. Shared DLL concept can be used to overcome this issue.
During the re-packaging process usually we don’t include the merge modules, that has to be downloaded during installation, in the WSI/MSI; this is to avoid the above mentioned network issues. The following screen shot shows how the merge modules will be excluded in the package:

In this case the DLL/ OCX files will be included directly within the WSI/ MSI.
Shared DLLs:
All the DLLs captured in the WSI/ MSI will be a shared DLL. When a DLL is already present in the machine and if we install the application, the DLL of the same version increments its DLL counter. Since the DLLs from the MSI are shared DLLs, any new application that would be installed on the same machine in future will increment the corresponding DLL count. All the Shared DLL counts can be viewed from the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls When there is a DLL conflict found using Wise Conflict Manager, we go for Isolation. This is named as DLL Redirection.

What is DLL Redirection?Since an executable imports API functions from DLL files, DLL redirection allows us to tell a program that the DLLs it needs are located in a different directory than the originals; in this way we can create a DLL with the same name as the original, which exports the same function names as the original, but each function can contain the code of developer’s choice.

There are two ways to achieve DLL redirection;
  1. “dot local” redirection:
    “Applications can depend on a specific version of a shared DLL and start to fail if another application is installed with a newer or older version of the same DLL. There are two ways to ensure that your application uses the correct DLL: DLL redirection and side-by-side components. Developers and administrators should use DLL redirection for existing applications, because it does not require any changes to the application. “
    In other words, dot local DLL redirection affords developers the ability to force an application to use a different version of a particular DLL file than that used by the rest of the system. For example, if an application called oldapp.exe only worked with an outdated version of user32.dll, then instead of replacing the user32.dll file in the system32 directory (potentially causing many other applications to break), you could tell it to load the older version of user32.dll from the program's current directory by creating an appropriate dot local file. All other applications will still load the newer DLL from system32 and remain unaffected. All that is needed is to create a dot local file (which is simply an empty file whose name contains the name of the target application followed by a .local extension; in this case it would be oldapp.exe.local), and place it and the older version of user32.dll in the same directory as oldapp.exe.
    Limitations with “dot local” redirection:
    Most notably, according to MSDN, certain DLL files (called 'Known DLLs') cannot be redirected in Windows XP (this restriction does not apply to Windows 2000). A list of all Known DLLs can be found in the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs key; included in the list of known DLLs are kernel32.dll, user32.dll and gdi32.dll. However, this is not true - it seems that under Windows XP, an application will either allow you to redirect any DLL, or none at all. As such, if targeting a program running on the Windows XP platform, dot local redirection is an unreliable method, and should be used only on Windows 2000 machines.
  2. Using Manifest Files:Manifest files use the same naming convention as dot local files (i.e., oldapp.exe.manifest), but are not empty files. They must contain certain XML-formatted information in order to function properly, or else the target application will fail to load. In addition, manifest files are only supported on Windows XP and Vista; however, they are far more reliable than using dot local redirection, and allow us to redirect any DLL file. (NOTE: The testing was done under Windows XP only; it is possible that some restrictions/changes may be applied to Windows Vista).

What is a shared file?


A shared file is a file that can be used by more than one application. The Windows operating system provides a number of shared files that can be used by any application installed. Software developers can also create shared files for their own applications. Shared files allow for the creation of more efficient applications and save time because the same code does not have to be created for each application. It is created once and used by many applications.

During installation, files identified as shared are registered in the Windows registry. Each time the shared file is installed, the registry increments the registry value associated with it. This registry value is also known as the ref count or the shared reference count. So if two applications install the same shared file, the registry value (ref count) is 2. During uninstallation, a shared file's registry value is decremented. When the registry value reaches 0 the file will be deleted

What is Windows Installer

The Windows Installer engine (also called the MSI engine) drives the installation of your application. It is a part of the Windows Installer Service, a technology developed by Microsoft to standardize installations on the Windows platform. Without the Windows Installer engine, installations using the Windows Installer technology cannot be installed. The Windows Installer engine is already installed on Windows XP. For other operating systems, the Windows Installer engine must be installed by the installation or by the home user. Most installations based on the Windows Installer Service automatically install the Windows Installer engine on the computer prior to running the installation. In case of an error or other unexpected behavior, you may need to install the engine manually.



What is Registry


The registry is a central database used by the Windows operating system to track your personal settings and the software and hardware installed on your computer. When you install an application, installation choices are written to the registry. The registry contains 5 major branches:
  • HKEY_CLASSES_ROOT – contains information on file-related behavior including what files are associated with what applications
  • HKEY_CURRENT_USER – contains the preferences of the current user
  • HKEY_USERS – contains the preferences of each user on the system
  • HKEY_LOCAL_MACHINE – contains operating system, hardware, and application settings
  • HKEY_CURRENT_CONFIG – contains hardware settings users can modify for different circumstances

Disadvantages of Nested MSI Installation


The disadvantages of using the Nested MSI's are,
  • Nested Installations cannot share components.
  • An administrative installation cannot contain a nested installation.
  • Patching and upgrading will not work with nested installations.
  • The installer will not correctly cost a nested installation.
  • Integrated ProgressBars cannot be used with nested installations.
  • Resources that are to be advertised cannot be installed by the nested installation.
  • A package that performs a nested installation of an application should also uninstall the nested application when the parent product is uninstalled.