Size does Matter

Size does Matter

  • Comments 14

In response to a previous post where I mentioned that work was being done on Visual Studio 2005 SP1, reader ringi commented,

"I would match rather has SP1 as a complete 4GB install, including having to uninstall Visual Studio 2005 then have it delayed just to save a little bit of bandwidth."

Unfortunately, it's not just a question of bandwidth - even though that is a concern. Bandwidth costs money for our customers, too.

Digital signatures help ensure that a patch has not tampered with, but an additional level of security called Software Restriction Policies is used when Windows Installer calls the SaferIdentifyLevel function, which in turn calls the WinVerifyTrust function. Passing the SAFER_CRITERIA_IMAGEHASH causes the entire patch to be loaded into memory on Windows XP and 2003. The result can be seen from the following log fragment.

MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: Verifying object --> 'D:\WINDOWS\Installer\50baad.msp' against software restriction policy
MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: D:\WINDOWS\Installer\50baad.msp has a digital signature
MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: SaferIdentifyLevel reported failure. Assuming untrusted. . . (GetLastError returned 5)
MSI (s) (BA:AD) [12:00:00:000]: The installation of D:\WINDOWS\Installer\50baad.msp is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

This happens during the server installation where the fallback is to assume - since an error occured - the file cannot be trusted. SAFER is looking for as much contiguous memory as the patch file is big. The user would see Windows Installer error 1718, which reads, "Error 1718.File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy."

Why is the patch file so big? Consider what's in a patch. Patch files ship the source media for all files being added or updated, plus transforms for each target product. Visual Studio is a large product with many files, so patches that touch a significant portion of those files - like service packs - will be large as well. We are working toward being able to use binary delta compression but have other dependent problems to solve first.

A workaround does exist and we're exploring additional options. Since our patches write to privileged locations, they require administrative privileges. Local administrators can use the following steps on Windows XP and newer if you are prompted with error message 1718.

  1. Click Start -> Control Panel
  2. Open Administrative Tools
  3. Open Local Security Settings
  4. Click Software Restriction Policies
    1. If no software restrictions are defined, right click the Software Restriction Policies node and select New Software Restriction Policy
  5. Double click Enforcement
  6. Select "All users except local administrators"
  7. Click OK
  8. Reboot the machine

After installing a large patch that may have raised this issue, it is advised that you follow the instructions above to select "All users" in step 6 above.

Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • Thanks for keeping us in the loop Heath.
    Would it be fair to say that SP1 is actually ready, and that the only hold up is problems with the install?
  • For availability of Visual Studio 2005 SP1, please keep an eye on http://blogs.msdn.com/somasegar/.
  • Right now...the size is ZERO...you can't get much smaller than that...where is this thing at?  What is the status?  Somasegar's blog says nothing - no updates, no comments, nothing!
  • We've been seeing this behavior since the day after the release (and application) of the August security patches, even on already-released installs that had not shown a problem. Testers have said that removing MS06-040 will allow the install to run if the .msi is copied to a local drive but not over the network if the hosting machine has the updates installed. The software restriction policy workaround has worked thus far but we are working with MS to figure out what is causing this.
  • In response to a previous post about how large patches can cause problems, reader Zodman asks,  "Would...
  • As we prepare to ship a large minor upgrade known as Visual Studio 2005 Service Pack 1, I'd like to again...
  • As announced on Soma's blog, Visual Studio 2005 Service Pack 1 Beta is available today. You can sign...
  • As announced on Soma's blog, Visual Studio 2005 Service Pack 1 Beta is available today. You can sign
  • As we prepare to ship a large minor upgrade known as Visual Studio 2005 Service Pack 1 , I'd like to
  • In response to a previous post about how large patches can cause problems, reader Zodman asks , "Would
  • PingBack from http://blogs.msdn.com/heaths/archive/2006/08/29/Making-of-a-Service-Pack.aspx
  • Why don’t who remove support for the express editions of visual studio in the service pack, and just say to anyone using these that this must 1st uninstall the express edition of the software and reinstall a new version that includes the service pack in the original install.

  • Buzz, there are separate service packs for the Express editions that are much smaller in size.

Page 1 of 1 (14 items)