Windows Installer 3.1 Fails when Attempting to Update Protected Files

Windows File Protection is a feature that prevents critical files from being replaced by unauthorized programs. Currently, the only applications capable of updating WFP-protected files are the following:

  • Hotfix.exe for hotfix installations
  • Update.exe for hotfix and service pack installations
  • Winnt32.exe for operating system upgrades
  • Windows Update

Windows Installer (MSI) is not on the list of authorized applications. Any package that attempts to replace a WFP-protected file causes an error; previously, that error was logged and the package continued. Support article KB898628 mentions that one workaround is to author the component or components that would update WFP-protected files so that they do not install on platforms that support WFP, which include Windows 2000, XP, and 2003.

To author your components accordingly, set the Condition column value for your components in the Component table to something like the following:

Version9X Or VersionNT < 500

For a list of operating system values, read Operating System Property Values in the Windows Installer SDK. Quite simply, these values are obtained by multiplying the major Windows version number by 100 and adding the minor version number.
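
The following Python sketch is an added example, not code from the original post. It evaluates the condition above against the SDK's Version9X and VersionNT values, using a simplified subset of MSI condition syntax (a bare property, or Property < integer, joined by Or); the function names and the platform table are constructed for illustration.

```python
import re

# Constructed table: OS property values (major * 100 + minor).
# Version9X is defined only on Windows 95/98/Me, VersionNT only on the NT family.
PLATFORMS = {
    "Windows 95": {"Version9X": 400},
    "Windows 98": {"Version9X": 410},
    "Windows Me": {"Version9X": 490},
    "Windows NT 4.0": {"VersionNT": 400},
    "Windows 2000": {"VersionNT": 500},
    "Windows XP": {"VersionNT": 501},
    "Windows Server 2003": {"VersionNT": 502},
}

CONDITION = "Version9X Or VersionNT < 500"  # condition from the article


def eval_term(term, props):
    """Evaluate one term: a bare property or 'Property < integer'."""
    parts = term.split()
    if len(parts) == 1:
        # A bare property is true only when it is defined.
        return parts[0] in props
    if len(parts) == 3 and parts[1] == "<":
        value = props.get(parts[0])
        # An undefined property compared with an integer evaluates to false,
        # which is why 'VersionNT < 500' alone would skip Win9x systems.
        return value is not None and value < int(parts[2])
    raise ValueError("unsupported term: " + term)


def evaluate(condition, props):
    """Evaluate terms joined by Or (logical operators are case-insensitive)."""
    terms = re.split(r"\s+or\s+", condition.strip(), flags=re.IGNORECASE)
    return any(eval_term(t, props) for t in terms)


def installs_on(condition=CONDITION):
    """Map each platform name to whether the component would be installed."""
    return {name: evaluate(condition, props) for name, props in PLATFORMS.items()}


if __name__ == "__main__":
    for name, installed in installs_on().items():
        print(f"{name:22} {'install' if installed else 'skip'}")
```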

Comments
  • You can also disable WFP within the registry, although I'm sure that's not a recommended solution.
  • Nick, that's definitely not recommended. WFP is there to protect the user and thwarting the system like that is as bad as disabling XP's firewall to save 5ms at boot time (! :)
  • When I read this I thought "Finally! Microsoft made it so that only THEIR applications can update THEIR files" then I saw you have a workaround, which totally defeats the purpose for having it in the first place.

    Honestly no file outside of Microsoft should be able to update WFP protected files, I don't care what sob story I hear. If you're not Microsoft you shouldn't have an opportunity to play with their binaries. I can't come up with a decent justification for getting around this other than for malicious purposes so I don't really understand why this should even be possible. Seems like a lot of work for nothing though I suppose it will get the majority of malicious software writers until they do a web search and stumble upon the workaround.

    There must be some justification for this I'm missing, though whatever it could be seems trite since it opens up a nice security hole. (That was already open in the first place, so it's not really something new or magical)
  • Jeremy, to what workaround are you referring? I make no mention of a workaround to get around WFP. The details of this bug are how to condition a component that would, say, update notepad.exe (a protected file under XP and newer) so that the component doesn't even install on a system with WFP supported.

    Replacing Windows binaries is definitely not recommended, but unless WFP is disabled (also not recommended) on XP and newer, trying to replace Windows binaries will simply fail.

    In the past, MSI would continue and log an error when attempting to update a WFP-protected file but will fail under 3.1.
  • Took me a while for it to register.

    In 3.0 it would error and continue. In 3.1 it errors and STOPS. The workaround is to get around it erroring and stopping, not to actually let something update notepad.exe.

    The workaround allows you to update those components on anything that doesn't use WFP, though if you were really on Windows 98 would WFP kick in? I suppose the installer has some code that "simulates" WFP by denying access to those components regardless of whether WFP is on the system or not. Then again I think this is only specific to if you're installing it on a WFP-enabled OS so being in Windows 98 actually has no effect but this allows you to make one installer for all supported OSes. There, I'm less confused.

    Sorry 'bout that. I started to understand it after I posted the comment *removes foot from mouth*.
  • Jeremy, WFP is only available on Windows XP and higher. The condition to add to your components I blog about above allows the component to install on Windows 95, 98, and Me (commonly referred to as Win9x) and on Windows NT 4.0 and 2000, but not on XP, 2003 Server, or the upcoming "Longhorn".
  • Windows Installer 3.1 redistributable available again.