Thank you for the feedback. I'll keep digging. J
On May 6, 2013, at 10:47 AM, Rob Mensching <r...@robmensching.com> wrote: > The lines "Begin DatabaseCA" and "Connection String" are not standard MSI > log messages. Some CA must be writing those strings. The Windows Installer > does not (not sure how it would) hide stuff that a CA explicitly requests > to log. > > > On Mon, May 6, 2013 at 8:08 AM, Jeremiahf <jeremi...@gmail.com> wrote: > >> Hi Rob, >> >> I'm pretty certain it is the installer logging what the custom action is >> doing. I ran the installer in verbose mode and noticed the password and >> server parameters were not being displayed in plain text. >> MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa >> PASSWORD=********** SERVER=********** >> Then when my custom action is called it is logging sql connection string in >> plain text. >> Begin DatabaseCA >> Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= >> mypassword >> >> J >> >> >> On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> >> wrote: >> >>> Is the message showing the password actually being logged by the custom >>> action itself? >>> >>> >>> On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: >>> >>>> Steven, >>>> >>>> "Tried adding: HideTarget="yes" that didn't help" Indeed! >>>> >>>> I'm even tried to remove logging from the custom action and I still see >>> the >>>> password... >>>> I've even checked MsiHiddenProperties and see that PASSWORD is listed >>> along >>>> with CA_DBAction... Not in SecureCustomProperties... I added >> secure="yes" >>>> and now it is there.. Execute the installer with logging and it is >> still >>>> unsecure in plain text in the log. It must be between the MSI installer >>> and >>>> the SQL connection that is being made. Thoughts? >>>> >>>> J >>>> >>>> >>>> On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie < >> steven.ogil...@titus.com >>>>> wrote: >>>> >>>>> I was not using managed code custom actions... >>>>> >>>>> I was doing: >>>>> <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> >>>>> >>>>> <CustomAction Id="CA_WebAppPoolPassword.SetProperty" >>>>> Property="CA_WebAppPoolPassword." >>>>> Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> >>>>> Tried adding: HideTarget="yes" that didn't help >>>>> <InstallExecuteSequence> >>>>> <Custom Action="CA_WebAppPoolPassword.SetProperty" >>>>> After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> >>>>> >>>>> This property was in a custom dialog: >>>>> <Control Id="labelPassword" Type="Text" Height="15" Width="152" >> X="17" >>>>> Y="152" Text="Web App Pool user password:" Transparent="yes" >>>> NoPrefix="yes" >>>>> /> >>>>> <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" >>> X="180" >>>>> Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" /> >>>>> <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" >>>>> Order="9">1</Publish> >>>>> >>>>> It was the custom action " CA_WebAppPoolPassword.SetProperty " that >> was >>>>> displaying the property in the MSI log file. >>>>> >>>>> Took it out and now the password is not being displayed in plain >>>> letters... >>>>> >>>>> Steve >>>>> >>>>> >>>>> -----Original Message----- >>>>> From: Phil Wilson [mailto:phil.wil...@mvps.org] >>>>> Sent: May-03-13 2:27 PM >>>>> To: 'General discussion for Windows Installer XML toolset.' >>>>> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI >> log >>>>> file >>>>> >>>>> The way it works in MSI isn't really mysterious. Basically the >> property >>>>> name needs to be public (and that means it must be all uppercase). If >>> WiX >>>>> does its thing properly then you can open the generated MSI file with >>> an >>>>> editor such as Orca, look in the Properties table, and in the >> Property >>>>> table there'll be a SecureCustomProperties property and your property >>>> name >>>>> will be in that list. >>>>> >>>>> This works. If it didn't work then Microsoft would be all over it as >> a >>>>> security bug. >>>>> >>>>> Generally speaking, people get account passwords from a MSI dialog >> and >>>>> store it in a property such as MYPASSWORD, and then pass it to a >> custom >>>>> action that uses it. >>>>> >>>>> However, you're using managed code custom actions, and it seems from >>> the >>>>> log that the (DTF?) code just does its own logging into the MSI log >>>> without >>>>> caring whether there's a password in there. So it may be a DTF thing, >>> not >>>>> sure, and if it is then HideTarget etc won't help at all. The short >>>> answer >>>>> is that if the DTF code is logging a connection string that typically >>>>> contains a password, then it probably shouldn't. >>>>> >>>>> Phil >>>>> >>>>> -----Original Message----- >>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>> Sent: Thursday, May 02, 2013 4:17 PM >>>>> To: General discussion for Windows Installer XML toolset. >>>>> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI >> log >>>>> file >>>>> >>>>> Hi Steve, >>>>> >>>>> My requirements are strictly to use command line. Crazy? Maybe. I >> have >>> to >>>>> say I have seen this topic all over blogs. Seems like there is >> always a >>>>> way, you just have to figure out how.... >>>>> >>>>> >>>>> On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie >>>>> <steven.ogil...@titus.com>wrote: >>>>> >>>>>> Hmm... I commented out my custom action that sets the property: >>>>>> <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" >>>> HideTarget="yes" >>>>>> Property="CA_WebAppPoolPassword." >>>>>> Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> >>>>>> >>>>>> And ran the install, everything worked and my Web App Pool + Web >> site >>>>>> launched without errors (would have failed if I didn't have a >>> password >>>>>> for the Web App Pool) >>>>>> >>>>>> However I do publish the property during the UI: >>>>>> <Publish Property="WEBAPPPOOL_PASSWORD" >> Value="[WEBAPPPOOL_PASSWORD]" >>>>>> Order="9">1</Publish> (my web site info dialog page during install) >>>>>> >>>>>> I checked my MSI log file and there wasn't any viewable strings for >>>>>> the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD property. >> Its >>>>>> value is '**********' >>>>>> >>>>>> Publish your password within the UI area and see if that works... >>>>>> (also commenting out your custom action to set the property >>>>>> >>>>>> Steve >>>>>> >>>>>> -----Original Message----- >>>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>>> Sent: May-02-13 6:29 PM >>>>>> To: General discussion for Windows Installer XML toolset. >>>>>> Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file >>>>>> >>>>>> Sure thing... >>>>>> >>>>>> Action start 17:26:56: CA_DBAction. >>>>>> Action ended 17:26:56: CA_DBAction. Return value 1. >>>>>> Action start 17:26:56: InstallFinalize. >>>>>> SFXCA: Extracting custom action to temporary directory: >>>>>> C:\WINDOWS\Installer\MSI1045.tmp-\ >>>>>> SFXCA: Binding to CLR version v2.0.50727 Calling custom action >>>>>> DatabaseCA!DatabaseCA.CustomActions.DatabaseCA >>>>>> Begin DatabaseCA >>>>>> Connecton String: Data Source=source;Packet >>>>>> Size=4096;Uid=sqluser;Pwd=mypassword >>>>>> >>>>>> I as well have a custom action and HideTarget does nothing. >>>>>> >>>>>> >>>>>> On Thu, May 2, 2013 at 4:53 PM, Chad Petersen >>>>>> <chad.peter...@harlandfs.com>wrote: >>>>>> >>>>>>> If possible paste in a snippet of your log file around where the >>>>>>> password is seen. I tried for a long time to hide passwords using >>>>>>> the >>>>>> same method. >>>>>>> But it was some built-in custom actions that were logging my >>>>>>> passwords rather than code I'd written myself. >>>>>>> >>>>>>> <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property >>>>>>> Id="ExecuteSqlStrings" Hidden="yes"/> >>>>>>> >>>>>>> These were two entries that I made to make those extensions hide >>> the >>>>>>> data passed to them, such as my password. >>>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>>>> Sent: Thursday, May 02, 2013 2:38 PM >>>>>>> To: General discussion for Windows Installer XML toolset. >>>>>>> Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file >>>>>>> >>>>>>> I have tried that and no luck. My MSI is installed via command >>> line. >>>>>>> >>>>>>> I've even tried to give the property Id a value in case I missed >>>>>>> something and still doesn't work. >>>>>>> >>>>>>> <Property Id="PASSWORD" Value="password" Hidden="yes" >> Secure="yes" >>>>>>> /> >>>>>>> >>>>>>> My test system is running Server 2003 R2 SP 2 windows installer >>>>>>> version >>>>>>> 4.5 6001.22159 >>>>>>> >>>>>>> I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I have >>>>>>> found in hundreds of blogs online but every time I see that a fix >>>>>>> was submitted, I can't tell what version it was submitted in. >>> (sorry >>>>>>> for the run on >>>>>>> sentence.) >>>>>>> >>>>>>> J >>>>>>> >>>>>>> >>>>>>> On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie >>>>>>> <steven.ogil...@titus.com >>>>>>>> wrote: >>>>>>> >>>>>>>> I declare the property: >>>>>>>> <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> >>>>>>>> This is how I use my password controls: >>>>>>>> <Control Id="textBoxPassword" Type="Edit" Height="15" >> Width="177" >>>>>> X="180" >>>>>>>> Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" >>> TabSkip="no" >>>>>>>> /> >>>>>>>> >>>>>>>> Logfile: >>>>>>>> MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding >>>>>>>> WEBAPPPOOL_PASSWORD property. Its value is '**********' >>>>>>>> >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>>>>> Sent: May-02-13 5:08 PM >>>>>>>> To: wix-users@lists.sourceforge.net >>>>>>>> Subject: [WiX-users] Hide/blank out Passwords in MSI log file >>>>>>>> >>>>>>>> Has anyone had luck with this? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I have tried using Hidden, HideTarget and I still see the >>>>>>>> password in my logs. Is this still a bug in windows installer? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thanks in advance, >>>>>>>> >>>>>>>> >>> ------------------------------------------------------------------ >>>>>>>> -- >>>>>>>> -- >>>>>>>> -------- Get 100% visibility into Java/.NET code with >> AppDynamics >>>>>>>> Lite It's a free troubleshooting tool designed for production >> Get >>>>>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>>> _______________________________________________ >>>>>>>> WiX-users mailing list >>>>>>>> WiX-users@lists.sourceforge.net >>>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>>> >>>>>>>> >>>>>>>> >>> ------------------------------------------------------------------ >>>>>>>> -- >>>>>>>> -- >>>>>>>> -------- Get 100% visibility into Java/.NET code with >> AppDynamics >>>>>>>> Lite It's a free troubleshooting tool designed for production >> Get >>>>>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>>> _______________________________________________ >>>>>>>> WiX-users mailing list >>>>>>>> WiX-users@lists.sourceforge.net >>>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> "They may forget what you said but they will never forget how you >>>>>>> made them feel." -- Anonymous >>>>>>> >>>>>>> >>> -------------------------------------------------------------------- >>>>>>> -- >>>>>>> -------- Get 100% visibility into Java/.NET code with AppDynamics >>>>>>> Lite It's a free troubleshooting tool designed for production Get >>>>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>> _______________________________________________ >>>>>>> WiX-users mailing list >>>>>>> WiX-users@lists.sourceforge.net >>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>> -------------------------------------------------------------------- >>>>>>> -- >>>>>>> -------- Get 100% visibility into Java/.NET code with AppDynamics >>>>>>> Lite It's a free troubleshooting tool designed for production Get >>>>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>> _______________________________________________ >>>>>>> WiX-users mailing list >>>>>>> WiX-users@lists.sourceforge.net >>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> "They may forget what you said but they will never forget how you >>> made >>>>>> them feel." -- Anonymous >>>>>> >>>>>> >>> ---------------------------------------------------------------------- >>>>>> -------- Get 100% visibility into Java/.NET code with AppDynamics >>> Lite >>>>>> It's a free troubleshooting tool designed for production Get down >> to >>>>>> code-level detail for bottlenecks, with <2% overhead. >>>>>> Download for free and get started troubleshooting in minutes. >>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>> _______________________________________________ >>>>>> WiX-users mailing list >>>>>> WiX-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>> >>>>>> >>>>>> >>> ---------------------------------------------------------------------- >>>>>> -------- Get 100% visibility into Java/.NET code with AppDynamics >>> Lite >>>>>> It's a free troubleshooting tool designed for production Get down >> to >>>>>> code-level detail for bottlenecks, with <2% overhead. >>>>>> Download for free and get started troubleshooting in minutes. >>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>> _______________________________________________ >>>>>> WiX-users mailing list >>>>>> WiX-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> >>>>> >>>> >>> >> ---------------------------------------------------------------------------- >>>>> -- >>>>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's a >>> free >>>>> troubleshooting tool designed for production Get down to code-level >>>> detail >>>>> for bottlenecks, with <2% overhead. >>>>> Download for free and get started troubleshooting in minutes. >>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>> _______________________________________________ >>>>> WiX-users mailing list >>>>> WiX-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>> >> ------------------------------------------------------------------------------ >>>>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's a >>> free >>>>> troubleshooting tool designed for production Get down to code-level >>>> detail >>>>> for bottlenecks, with <2% overhead. >>>>> Download for free and get started troubleshooting in minutes. >>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>> _______________________________________________ >>>>> WiX-users mailing list >>>>> WiX-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>> >>>>> >>>>> >>>> >>> >> ------------------------------------------------------------------------------ >>>>> Get 100% visibility into Java/.NET code with AppDynamics Lite >>>>> It's a free troubleshooting tool designed for production >>>>> Get down to code-level detail for bottlenecks, with <2% overhead. >>>>> Download for free and get started troubleshooting in minutes. >>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>> _______________________________________________ >>>>> WiX-users mailing list >>>>> WiX-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>> >>>> >>>> >>>> >>>> -- >>>> "They may forget what you said but they will never forget how you made >>> them >>>> feel." -- Anonymous >>>> >>>> >>> >> ------------------------------------------------------------------------------ >>>> Get 100% visibility into Java/.NET code with AppDynamics Lite >>>> It's a free troubleshooting tool designed for production >>>> Get down to code-level detail for bottlenecks, with <2% overhead. >>>> Download for free and get started troubleshooting in minutes. >>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>> _______________________________________________ >>>> WiX-users mailing list >>>> WiX-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>> >>>> >>> >>> >> ------------------------------------------------------------------------------ >>> Get 100% visibility into Java/.NET code with AppDynamics Lite >>> It's a free troubleshooting tool designed for production >>> Get down to code-level detail for bottlenecks, with <2% overhead. >>> Download for free and get started troubleshooting in minutes. >>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>> _______________________________________________ >>> WiX-users mailing list >>> WiX-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/wix-users >>> >> >> >> >> -- >> "They may forget what you said but they will never forget how you made them >> feel." -- Anonymous >> >> ------------------------------------------------------------------------------ >> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET >> Get 100% visibility into your production application - at no cost. >> Code-level diagnostics for performance bottlenecks with <2% overhead >> Download for free and get started troubleshooting in minutes. >> http://p.sf.net/sfu/appdyn_d2d_ap1 >> _______________________________________________ >> WiX-users mailing list >> WiX-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/wix-users >> >> > ------------------------------------------------------------------------------ > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET > Get 100% visibility into your production application - at no cost. > Code-level diagnostics for performance bottlenecks with <2% overhead > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap1 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
