Windows Installer Team Blog

Adopting Windows Installer 4.5

It's been a few months now since the Windows Installer 4.5 redistributable was released [link]. Over the past couple months I have received several questions (quite often similar in nature) that warrants this blog post <grin>. In this post, I will attempt to answer some of the most frequently asked questions with regards to adoption & deployment of MSI 4.5.

1.       I’m considering taking a dependency on MSI 4.5 for my next release. I would like to know how prevalent MSI 4.5 might be in our target environments. Do you have any data on this?

We are pleased to hear that you are considering taking advantage of the new feature set and functionality provided in MSI 4.5. We have some data that may help you understand the current penetration of MSI 4.5 in the ecosystem.

a.       Statistics from the Microsoft download center:

As of March 2009, there have been over 5.6 million downloads of MSI 4.5 (combined across all supported platforms & OSes).

b.      Other ways in which MSI 4.5 is being deployed to users machines:

Yes, besides the fact that users are downloading MSI 4.5 from Microsoft download center, there are also other mechanisms via which MSI 4.5 is being deployed to users machines. For example;

-          SQL Server 2008 (both full server as well as express version) requires MSI 4.5 as a pre-requisite.

-          This dependency in turn has a cascading effect on other products that are already dependent on SQL Server 2008 or will be in the future.

c.       Future Windows service packs:

MSI 4.5 will be natively included in all future service packs of Windows. It is already included in Windows Vista and Server 2008 SP2. Release candidate for this service pack is presently available from the Microsoft download center.

2.       When will MSI 4.5 be deployed via Windows Update?

MSI 4.5 will be on Windows Update as part of future service packs to Windows (see #1, part c). It will not be available independently as a required mandatory update like Windows Installer 3.1 v2.

3.       Is it true that there is a forced reboot required on Windows Vista and Windows Server 2008 with MSI 4.5? Unlike Windows XP and Windows 2003, this reboot can't be deferred?

Yes, it is true that servicing Windows Installer always requires a reboot on Vista and above. The new changes made to the Windows Vista servicing stack in combination with the change made by Windows Update to always have the Windows Installer loaded, causes the update to be “pended” until a subsequent reboot thus generating the mandatory reboot requirement when servicing the Windows Installer. We understand that a reboot can be difficult to absorb for applications taking a dependency on MSI 4.5. Unfortunately, none of the solutions that could be pursued were low cost and low risk enough to be acceptable at that point in the Windows Vista SP1 and Windows Server 2008 ship cycle. However, the growing prevalence of MSI 4.5 (details provided in #1), is mitigating the reboot issue to some extent.

4.       We are considering the possibility of bootstrapping Windows Installer 4.5 with our product’s setup. Is there a single 4.5 redistributable that can cover multiple OS versions and CPU architecture that is of a smaller size?

No, there is no single redistributable package to install MSI 4.5. There exist different installation technologies to install a Windows component like Windows Installer on Vista and above OSes versus down-level OSes (Windows XP and Server 2003). Additionally, the binaries itself are different based on OS version and platform architecture.

[Author: Zainab Hakim]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Enhanced Permissions Setting with Windows Installer 5.0

Setting appropriate permissions for an object is one of the core operations in creating an application installer. One of the most frequent pieces of feedback has been to provide enhanced capabilities around securing resources installed on the system. MsiLockPermissionsEx Table in Windows 7 enhances the functionality over LockPermissions Table. With MsiLockPermissionsEx table, users now have the ability to set access permissions on objects impacted by the application install that previously required using custom actions or other methods outside of Windows Installer.

·         Expanding the set of permissions that can be applied to a resource by incorporating the Security Descriptor Definition Language(SDDL) in Windows Installer. This allows the security settings for an object to be more flexible, including;

o   Ability to apply Deny ACLs to objects

o   Indicate inheritance properties for permissions

o   Expand the set of well-known SIDs

o   Ability to set Owner, Group, and SACLs to the objects in addition to the regular access permissions

·         Security settings can be applied to services as well in addition to Files, Folders, Registry keys

·         Ability to apply permissions specific to user accounts – including accounts that are newly created on the system during the course of installation

FormattedSDDLText is a new column data type used by the SDDLText field of the MsiLockPermissionsEx Table to secure a selected object.

Q: How does new MsiLockPermissionsEx table change the semantics or behavior of the older LockPermissions table?

A: Packages using the older LockPermissions table will continue to work as expected. However, we encourage you to author your packages targeted for Windows 7 and above to use the new MsiLockPermissionsEx table to take advantage of the power and flexibility provided by SDDL while customizing security settings for your resources.

Q: Can I author both LockPermissions and MsiLockPermissionsEx tables in my package?

A: No, in the interest of simplifying authoring and avoiding collisions, it is not allowed to have both LockPermissions and MsiLockPermissionsEx tables in the same package. If both tables are present, the installation will fail. ICE 104 verifies that only one of the two tables: MsiLockPermissionsEx or LockPermissions is present in the package.

Q: What happens if two conditions in different rows evaluate to true for the same LockObject/Table pair in MsiLockPermissionsEx table? Which SDDLText will be applied?

A: If a LockObject/Table pair has multiple conditional expressions that evaluate to true, the installation will fail. So, be careful while authoring your conditions: if you have more than one security setting in your package for an object – make sure the corresponding conditions are mutually exclusive.

Q: What happens if the SDDL specified in MsiLockPermissionsEx is incorrect, or if the user does not have permissions to apply the security settings described by the SDDL?

A: The installation fails if Windows Installer is unable to resolve the SDDL specified in the MsiLockPermissionsEx table into a valid security descriptor, or if the user doesn’t have the permissions to apply those settings, unless the package is blessed by an administrator.

Q: When is the resolution of SDDLText into the binary security descriptor done?

A: Unlike the older LockPermissions table, the resolution of permissions into the binary security descriptor for MsiLockPermissionsEx is done during the execution phase, at the time when an object is actually being installed. This is important because it means you can even set security settings referencing a new user account that is being created as part of the installation as long as the account creation is scheduled before the object is installed.

Q: Now that I can set security attributes on a service installed by a package via the MsiLockPermissionsEx table, can I do so with the LockPermissions table as well?

A: No, if you wish to set security attributes on a service, you will have to use the MsiLockPermissionsEx table. The behavior and semantics of the LockPermissions table will not change.

Q: My product has already been released. Can I use MsiLockPermissionsEx table to secure objects that are already installed? Can I use this feature to secure objects via a patch?

A: Similar to the LockPermissions table, you can use a patch to secure objects that are being installed on the machine with MsiLockPermissionsEx table, including objects that replace existing ones on the machine as part of the installation. If an object is not installed as part of the current installation, security settings specified in MsiLockPermissionsEx will not be applied to it. It should be kept in mind that a patch that includes either of these two tables – MsiLockPermissionsEx or LockPermissions – will be marked as not uninstallable.

Q: Will there be an ICE validation test to help me author the new table?

A: Yes, ICE 104 is being introduced to help validate the MsiLockPermissionsEx table.

 Q: Will this feature be available on down-level platforms?

A: No, as of now, this feature is being introduced only in Windows 7. Down-level platforms will ignore MsiLockPermissionsEx table, if present. See the table below for behavior on various platforms:

*“Default security settings” mean that if an object does not replace an existing object, it receives no explicit security descriptor: the access to the new object is based on the attributes of its parent or container object. If an object replaces an existing object on the system, the replacement gets the security settings of the object it replaces. If the replaced object had no explicit security descriptor, the access to the new object is based on the attributes of its parent or container object.

 [Author:  Ashish Awasthi]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Enhanced Service Configuration with Windows Installer 5.0

In Windows 7, Windows Installer provides enhanced native support for setup authors to configure services as part of an application install.

Starting with Windows Vista, Windows provides a powerful set of configuration options to configure services. These enhancements result in better security, performance and reliability for services. For example, the least privilege and resource isolation principles for services address security related issues by minimizing the vulnerabilities in a system. At the same time, delayed auto-start helps system startup performance by speeding up system boot time. Similarly, preshutdown notification for a service and improved failure detection and recovery options increase system reliability and a better end user experience.

MsiServiceConfig table provides options for configuring a service that is being installed or one that already exists on the machine by specifying the type of configuration as well as the parameters needed for that configuration. MsiServiceConfigFailureActions table is used to document failure actions that need to be invoked in the event of a service failure. This change takes effect the next time the system is started. Both these tables will be processed during the MsiConfigureServices action. The MsiConfigureServices standard action should be scheduled in the following order:

1.       StopServices – From ServiceControl table

2.       DeleteServices – From ServiceControl table

3.       InstallServices – From ServiceInstall table

4.       MsiConfigureServices – From MsiServiceConfig and MsiServiceConfigFailureActions tables

5.       StartServices – From ServiceControl table

Q: Can I configure a service already installed on the system with this table?

A: Yes, as long as the corresponding component is being acted upon (installed/uninstalled/re-installed), you can configure an existing service. This is similar to stopping an already existing service via the StopServices standard action. Make sure the user has the privilege to configure services.

Q: When will the changed configuration take effect?

A: Generally the configuration options take effect when the service is restarted. An option like delayed auto-start will be manifested when the system restarts.

 Q: Will this change the behavior of packages not using the new tables or the new standard action?

A: No, all existing tables and standard actions retain their current semantics. Packages not using the new standard action or the new tables will continue to work as earlier.

Q: My product has already been released. Can I use this feature to configure my services via a patch?

A: Yes, service configuration can be done via a patch. However, a patch that includes either of these two tables will be marked as not uninstallable.

Q: What happens if MsiConfigureServices action encounters an error?

A: The installation fails if MsiConfigureServices standard action fails. So, be extra careful while authoring these tables and ensure that the user has privileges to configure services if the package is not blessed by an administrator.

Q: Will this standard action work on down-level platforms?

A: No, as of now, the standard action MsiConfigureServices is introduced only in Windows 7.

Q: Will there be an ICE validation test to help me author these new tables?

A: Yes, ICE 102 is introduced to validate the two new tables.

[Author:  Ashish Awasthi]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

MSI 5.0 in Windows 7 Beta

Update to MSI 4.5 (KB958655)

Hello everyone,

We wanted to let you know that a non-security QFE was released recently for MSI 4.5 redistributable, available via Microsoft download center (Search for KB958655). The KB article contains information on the symptoms and cause of the issue. The intent of this post is to clarify some concerns/questions you may have that are necessarily not addressed via the KB article. Additionally, we will monitor this post, so feel free to post comments.

Also as noted in the KB article, you are most likely to be affected by this issue during installation of SQL Server 2008 or during upgrade from SQL Server 2005 to SQL Server 2008.

Some FAQs:

1.       I already have MSI 4.5 on my machine. Do I need to install this update?

It’s optional. As mentioned above, this issue is hit only in rare cases, so it’s not absolutely critical for you to install this update.

2.       Is this update applicable to all OSes and architecture types?

Yes, this update is applicable to all supported OSes and architecture types as the original MSI 4.5 redistributable. Vista RTM/SP1, Windows Server 2008, Windows XP SP2/SP3, and Windows Server 2003 SP1/SP2.

3.       Is it true that on Vista & above platforms, I can install this update even if MSI 4.5 redist is NOT present on my machine?

Yes. The QFE packages for Vista & above platforms are just like a refresh to the original MSI 4.5 redist. It targets both MSI versions 4.0 and 4.5. If MSI version on the machine is 4.0, the QFE installs just like the original redist package, while if MSI version is already 4.5 then only the affected binaries are updated. So if you have not already installed 4.5, you can choose to do so by installing this QFE package directly.

4.       I have removed the MSI 4.5 redistributable from my Vista machine, but why is the MSI version on my machine still 4.5?

If MSI 4.5 redist is uninstalled, the Windows Installer version on the machine will still remain 4.5 as long as this QFE is present. If MSI 4.5 redist is uninstalled followed by removal of the QFE, only then the Windows Installer version on your machine will go back to 4.0.

5.       Are these changes (specifically #3 and #4 above) also applicable to Windows XP and Windows Server 2003?

No. For these Operating systems, the QFE package will only be applicable if you have already installed MSI 4.5 redist on your machine. Also if you later try to uninstall MSI 4.5, you will be warned about dependent QFEs still existing and be asked to remove these manually.

6.       What is the expected version of Windows Installer after I install this QFE?

[Author: Zainab Hakim]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Take the Windows Application Platform Team survey

Hey all,

The Windows engineering teams are putting together plans for how application installation and servicing will work in future versions of the operating system. We would like to take this opportunity to hear from you to better understand your current pain points and needs going forward.

We have put together a survey to collect your valuable feedback. We hope you will take this opportunity to tell Microsoft what you feel are the needs and priorities to take into consideration to improve the overall application setup & deployment experience.

Sincerely,

Windows Application Platform team

[Author: Zainab Hakim]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Did you miss PDC 2008?

Hey everyone --

In case you missed my presentation at PDC 2008 in Los Angeles last weekend, the streaming version is now available online! This talk covers recent changes in Windows Installer and ClickOnce, plus information about upcoming changes in Windows 7.

http://channel9.msdn.com/pdc2008/PC42/

[Author: Tyler Robinson]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Windows Installer 4.5 versions

The current version of Windows Installer is in the form; major.minor.build.update. We have received a few questions regarding the differences in the "build" and "update" fields of the version of Windows Installer 4.5 installed across different supported Windows Operating Systems . I will try to explain what these differences are and why they are expected.

The Windows Installer 4.5 redistributable can install on the following Windows Operating Systems:

Windows Vista RTM build number is 6000, while Windows Vista SP1 and Windows Server 2008 RTM are build number 6001. Hence, to comply with the different OS build numbers and applicability logic on Vista RTM and Vista SP1/Server 2008 operating systems, the Windows Installer binaries are built from the Vista RTM and Vista SP1 servicing branches respectively.

The "update" field is based on the OS revision number.  Since the redistributable packages to install Window Installer 4.5 on the different target operating systems are built from different Windows servicing branches, the revision number is different for each.

However, the different versions have no effect on the functionality provided by Windows Installer 4.5.

[Author: Zainab Hakim]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Introduction for Zainab Hakim - An update

Hi all,

It was recently pointed out to me that I had not yet updated my introduction post. So I wanted to take a moment to let you all know of a change in my job description and role. Since October 2008, I have been the Program Manager (commonly known as PM at Microsoft) for Windows Installer. I’m excited about my new role and its been a great journey so far. Thank you for your continued interest in the Windows Installer and I look forward to your comments and feedback as always.

Hi, I'm Zainab (pronounced Zay'nab) and I am the test engineer for the Windows Installer (MSI) team. I have been a part of the MSI team for just a little under 3 years now. I love coming in every day to my job and working on the technology that significantly affects a variety of customers worldwide and enables them to provide a great installation and configuration experience of their applications.

I served as the test lead for Windows Installer 4.5 out-of-band release, which is the latest release of Windows Installer. This article describes all the new and improved features of Windows Installer 4.5. 

Windows Installer 4.5 is now available!

Join us at TechEd 2008! (part 2)

Members of the Windows Installer team will be at both the TechEd Developers (June 3-6) and TechEd IT Professionals (June 10-13) conferences in sunny Orlando, Florida. For information about our Breakout and Interactive Theatre Sessions, please see my previous post. In addition to the scheduled sessions, we will be staffing the Technical Learning Center (TLC) for both conferences. Information on the TLC area for the Developers conference is available here and information on the TLC area for the IT Professionals conference is available here.  

Robert Flaming and Hemchander Sannidhanam will be manning the TLC area at the Developers conference. You will be able to find them at the Microsoft Product Demo Station area during the following times:

·         Robert Flaming – Windows Presentation Foundation

o   June 03 8:30 AM - 12:00 PM

o   June 03 11:45 AM - 2:45 PM

o   June 03 2:30 PM - 6:00 PM

o   June 04 8:15 AM - 11:45 AM

o   June 04 11:30 AM - 2:45 PM

o   June 04 2:30 PM - 6:00 PM

o   June 05 8:15 AM - 11:45 AM

·         Hemchander Sannidhanam - .NET Framework

o    June 03 8:30 AM - 12:00 PM

o    June 03 11:45 AM - 2:45 PM

o    June 04 8:15 AM - 11:45 AM

o    June 04 2:30 PM - 6:00 PM

o    June 06 11:30 AM - 2:45 PM

o    June 06 2:30 PM - 6:00 PM        

Tyler Robinson and Ken Wong will be manning the TLC area at the IT Professionals conference. You will be able to find them at the Microsoft Product Demo Station area during the following times:

·         Tyler Robinson – Vista Application Compatibility and Deployment

o   June 10 11:45 AM – 2:45 PM

o   June 11 11:45 AM – 2:45 PM

·         Ken Wong – Vista Application Compatibility and Deployment

o    June 10 11:45 AM - 2:45 PM

o    June 11 8:15 AM - 11:45 AM

o    June 11 2:30 PM - 6:00 PM

o    June 12 8:15 AM - 11:45 AM

o   June 12 11:30 AM - 2:45 PM

See you there!

[Author: Tyler Robinson]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

What changed in Windows Installer 4.5?

Apart from the feature work that we did in Windows Installer 4.5, we made a few changes to Windows Installer to address some user feedback or pain points. Here's some of the important issues that were addressed:

1. Added SeBackupPrivilige back to the Windows Installer service. This sould help any custom actions that needed this privilige like the ones that were reported on the Vista Compatability Team blog.
2. Some case sensitive service name comparisions in InstallValidate used to result in an unnecessary files-in-use message on Vista. This is now fixed in Windows Installer 4.5.
3. When a patch added new content in the form of a new component and that patch was being uninstalled, we used to remove that content, even if that content is shared by other products. This is now fixed in Windows Installer 4.5.

In addition to this, since Windows Installer 4.5 is the latest release of Windows Installer, it will have all the fixes and feature work that we did till Vista SP1.

[Author: Hemchander  Sannidhanam]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

What changed in Windows Installer (MSI) in Windows Vista Service Pack 1?

Stefan Krueger met with us a few weeks ago for the Microsoft MVP Global Summit. Among the many topics we discussed was a suggestion from Stefan that we use the team’s blog to communicate relevant bug fixes that we make in our releases. This posting is the result of that suggestion. (Thanks, Stefan!)

Windows Vista Service Pack 1 was recently released and you may have noticed that the version of MSI on the system has incremented to 4.0.6001.18000. Below you will find a list of the most important issues that we addressed in Service Pack 1 and the SDK.

Updates that can be found in Windows Vista Service Pack 1:

·         User Shortcuts in Redirected Start Menu Do Not Get Removed On App Uninstall

If you attempt to uninstall an application that was installed for a roaming user, you may receive error 1910 and the shortcuts from the start menu will not get removed.

·         Win32_product does not work on vista when more than one per-user application is installed

Queries to the Win32_Product WMI class will fail if the machine has at least 2 per-user applications installed with a generic failure error.

Updates that can be found in the Windows SDK for Windows Server 2008:

·         PatchWiz 4.0 ignores the IgnoreMissingSrcFile property

This property in the TargetImages Table is often used to reduce the time necessary to generate a patch, but the property was ignored in patchwiz 4.0 that was included in the Windows Vista SDK.

·         Patchwiz 4.0 does not recreate the Patch table if dropped

Previous versions of patchwiz would automatically recreate critical tables (eg: Patch, PatchPackage) if they were dropped in the patch. Patchwiz 4.0 did not include this behavior, which caused failures in some cases.

·         PatchWiz 4.0 does not support authoring of OptimizeCA MsiPatchMetadata property

The OptimizeCA property can be included in the MsiPatchMetadata of a MSP to restrict custom action usage and improve performance during patch application. Using this property with patchwiz 4.0 caused a build failure.

·         PatchWiz 4.0 is unable to build patch for products with large number of files (>32767)

Previous versions of patchwiz supported building patches with a large number of files, but patchwiz 4.0 did not.

·         Orca crashes when a transform is generated and a row is deleted from the current table

Orca crashes if the user attempts to generate a new transform and deletes a row from an existing table.  (Using Orca, select New Transform, then delete a row from a table).

·         ICE30 does not display all ICE errors

ICE30 only detects a subset of the total number of SFN/LFN collisions for components that contain files.

[Author: Tyler Robinson]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

We're Hiring!

The Windows Installer (MSI) team is part of the rapidly-growing Windows Application Platform (WAP) team here at Microsoft. We currently have several openings for talented Program Managers with real-world knowledge of the Application Deployment, Platform and/or related Tools space.

The positions we have open are job codes 225586, 225368, 228382, 223260, and 226806. (Please go to the Microsoft Career web site and log in before clicking on these links.) If you think you might be a good fit for any of these positions, please apply through Microsoft’s Career web site.

[Author: Tyler Robinson]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

Join us at TechEd 2008!

Hello Everyone --

The schedules for Microsoft TechEd 2008 in sunny Orlando, Florida have recently been posted and I am pleased to announce that we will have FOUR Windows Installer-related sessions: two during the Developers Conference June 3-6 and two during the IT Professionals Conference June 10-13.

IT Professionals Conference Sessions:

Developers Conference Sessions:

If you plan to attend TechEd, please attend our sessions and say HI to myself, Ken, Hem and Robert!

[Author: Tyler Robinson]
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.