The lines "Begin DatabaseCA" and "Connection String" are not standard MSI log messages. Some CA must be writing those strings. The Windows Installer does not (not sure how it would) hide stuff that a CA explicitly requests to log.
On Mon, May 6, 2013 at 8:08 AM, Jeremiahf <jeremi...@gmail.com> wrote: > Hi Rob, > > I'm pretty certain it is the installer logging what the custom action is > doing. I ran the installer in verbose mode and noticed the password and > server parameters were not being displayed in plain text. > MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa > PASSWORD=********** SERVER=********** > Then when my custom action is called it is logging sql connection string in > plain text. > Begin DatabaseCA > Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= > mypassword > > J > > > On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> > wrote: > > > Is the message showing the password actually being logged by the custom > > action itself? > > > > > > On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: > > > > > Steven, > > > > > > "Tried adding: HideTarget="yes" that didn't help" Indeed! > > > > > > I'm even tried to remove logging from the custom action and I still see > > the > > > password... > > > I've even checked MsiHiddenProperties and see that PASSWORD is listed > > along > > > with CA_DBAction... Not in SecureCustomProperties... I added > secure="yes" > > > and now it is there.. Execute the installer with logging and it is > still > > > unsecure in plain text in the log. It must be between the MSI installer > > and > > > the SQL connection that is being made. Thoughts? > > > > > > J > > > > > > > > > On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie < > steven.ogil...@titus.com > > > >wrote: > > > > > > > I was not using managed code custom actions... > > > > > > > > I was doing: > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > > > Property="CA_WebAppPoolPassword." > > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > > > > Tried adding: HideTarget="yes" that didn't help > > > > <InstallExecuteSequence> > > > > <Custom Action="CA_WebAppPoolPassword.SetProperty" > > > > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > > > > > > > This property was in a custom dialog: > > > > <Control Id="labelPassword" Type="Text" Height="15" Width="152" > X="17" > > > > Y="152" Text="Web App Pool user password:" Transparent="yes" > > > NoPrefix="yes" > > > > /> > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > X="180" > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" /> > > > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > > Order="9">1</Publish> > > > > > > > > It was the custom action " CA_WebAppPoolPassword.SetProperty " that > was > > > > displaying the property in the MSI log file. > > > > > > > > Took it out and now the password is not being displayed in plain > > > letters... > > > > > > > > Steve > > > > > > > > > > > > -----Original Message----- > > > > From: Phil Wilson [mailto:phil.wil...@mvps.org] > > > > Sent: May-03-13 2:27 PM > > > > To: 'General discussion for Windows Installer XML toolset.' > > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI > log > > > > file > > > > > > > > The way it works in MSI isn't really mysterious. Basically the > property > > > > name needs to be public (and that means it must be all uppercase). If > > WiX > > > > does its thing properly then you can open the generated MSI file with > > an > > > > editor such as Orca, look in the Properties table, and in the > Property > > > > table there'll be a SecureCustomProperties property and your property > > > name > > > > will be in that list. > > > > > > > > This works. If it didn't work then Microsoft would be all over it as > a > > > > security bug. > > > > > > > > Generally speaking, people get account passwords from a MSI dialog > and > > > > store it in a property such as MYPASSWORD, and then pass it to a > custom > > > > action that uses it. > > > > > > > > However, you're using managed code custom actions, and it seems from > > the > > > > log that the (DTF?) code just does its own logging into the MSI log > > > without > > > > caring whether there's a password in there. So it may be a DTF thing, > > not > > > > sure, and if it is then HideTarget etc won't help at all. The short > > > answer > > > > is that if the DTF code is logging a connection string that typically > > > > contains a password, then it probably shouldn't. > > > > > > > > Phil > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: Thursday, May 02, 2013 4:17 PM > > > > To: General discussion for Windows Installer XML toolset. > > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI > log > > > > file > > > > > > > > Hi Steve, > > > > > > > > My requirements are strictly to use command line. Crazy? Maybe. I > have > > to > > > > say I have seen this topic all over blogs. Seems like there is > always a > > > > way, you just have to figure out how.... > > > > > > > > > > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > > > > <steven.ogil...@titus.com>wrote: > > > > > > > > > Hmm... I commented out my custom action that sets the property: > > > > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > > HideTarget="yes" > > > > > Property="CA_WebAppPoolPassword." > > > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > > > > > > > And ran the install, everything worked and my Web App Pool + Web > site > > > > > launched without errors (would have failed if I didn't have a > > password > > > > > for the Web App Pool) > > > > > > > > > > However I do publish the property during the UI: > > > > > <Publish Property="WEBAPPPOOL_PASSWORD" > Value="[WEBAPPPOOL_PASSWORD]" > > > > > Order="9">1</Publish> (my web site info dialog page during install) > > > > > > > > > > I checked my MSI log file and there wasn't any viewable strings for > > > > > the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD property. > Its > > > > > value is '**********' > > > > > > > > > > Publish your password within the UI area and see if that works... > > > > > (also commenting out your custom action to set the property > > > > > > > > > > Steve > > > > > > > > > > -----Original Message----- > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > Sent: May-02-13 6:29 PM > > > > > To: General discussion for Windows Installer XML toolset. > > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > > > Sure thing... > > > > > > > > > > Action start 17:26:56: CA_DBAction. > > > > > Action ended 17:26:56: CA_DBAction. Return value 1. > > > > > Action start 17:26:56: InstallFinalize. > > > > > SFXCA: Extracting custom action to temporary directory: > > > > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > > > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > > > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > > > > Begin DatabaseCA > > > > > Connecton String: Data Source=source;Packet > > > > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > > > > > > > I as well have a custom action and HideTarget does nothing. > > > > > > > > > > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > > > > <chad.peter...@harlandfs.com>wrote: > > > > > > > > > > > If possible paste in a snippet of your log file around where the > > > > > > password is seen. I tried for a long time to hide passwords using > > > > > > the > > > > > same method. > > > > > > But it was some built-in custom actions that were logging my > > > > > > passwords rather than code I'd written myself. > > > > > > > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > > > > > > > These were two entries that I made to make those extensions hide > > the > > > > > > data passed to them, such as my password. > > > > > > > > > > > > -----Original Message----- > > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > > Sent: Thursday, May 02, 2013 2:38 PM > > > > > > To: General discussion for Windows Installer XML toolset. > > > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > > > > > I have tried that and no luck. My MSI is installed via command > > line. > > > > > > > > > > > > I've even tried to give the property Id a value in case I missed > > > > > > something and still doesn't work. > > > > > > > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" > Secure="yes" > > > > > > /> > > > > > > > > > > > > My test system is running Server 2003 R2 SP 2 windows installer > > > > > > version > > > > > > 4.5 6001.22159 > > > > > > > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I have > > > > > > found in hundreds of blogs online but every time I see that a fix > > > > > > was submitted, I can't tell what version it was submitted in. > > (sorry > > > > > > for the run on > > > > > > sentence.) > > > > > > > > > > > > J > > > > > > > > > > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > > > > <steven.ogil...@titus.com > > > > > > >wrote: > > > > > > > > > > > > > I declare the property: > > > > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > > This is how I use my password controls: > > > > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" > Width="177" > > > > > X="180" > > > > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" > > TabSkip="no" > > > > > > > /> > > > > > > > > > > > > > > Logfile: > > > > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > > > Sent: May-02-13 5:08 PM > > > > > > > To: wix-users@lists.sourceforge.net > > > > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > > -- > > > > > > > -- > > > > > > > -------- Get 100% visibility into Java/.NET code with > AppDynamics > > > > > > > Lite It's a free troubleshooting tool designed for production > Get > > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > > _______________________________________________ > > > > > > > WiX-users mailing list > > > > > > > WiX-users@lists.sourceforge.net > > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > > -- > > > > > > > -- > > > > > > > -------- Get 100% visibility into Java/.NET code with > AppDynamics > > > > > > > Lite It's a free troubleshooting tool designed for production > Get > > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > > _______________________________________________ > > > > > > > WiX-users mailing list > > > > > > > WiX-users@lists.sourceforge.net > > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > "They may forget what you said but they will never forget how you > > > > > > made them feel." -- Anonymous > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > "They may forget what you said but they will never forget how you > > made > > > > > them feel." -- Anonymous > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > Lite > > > > > It's a free troubleshooting tool designed for production Get down > to > > > > > code-level detail for bottlenecks, with <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > Lite > > > > > It's a free troubleshooting tool designed for production Get down > to > > > > > code-level detail for bottlenecks, with <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > ---------------------------------------------------------------------------- > > > > -- > > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > > free > > > > troubleshooting tool designed for production Get down to code-level > > > detail > > > > for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > > free > > > > troubleshooting tool designed for production Get down to code-level > > > detail > > > > for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > Get 100% visibility into Java/.NET code with AppDynamics Lite > > > > It's a free troubleshooting tool designed for production > > > > Get down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > "They may forget what you said but they will never forget how you made > > them > > > feel." -- Anonymous > > > > > > > > > ------------------------------------------------------------------------------ > > > Get 100% visibility into Java/.NET code with AppDynamics Lite > > > It's a free troubleshooting tool designed for production > > > Get down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > ------------------------------------------------------------------------------ > > Get 100% visibility into Java/.NET code with AppDynamics Lite > > It's a free troubleshooting tool designed for production > > Get down to code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > -- > "They may forget what you said but they will never forget how you made them > feel." -- Anonymous > > ------------------------------------------------------------------------------ > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET > Get 100% visibility into your production application - at no cost. > Code-level diagnostics for performance bottlenecks with <2% overhead > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap1 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
