...and at the risk of stating the obvious, custom actions can put messages in the MSI log by calling MsiProcessMessage(). That's a good thing of course, except when it gives away secrets ;)
Phil -----Original Message----- From: Phil Wilson [mailto:phil.wil...@mvps.org] Sent: Monday, May 06, 2013 10:22 AM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Well it's not "their" CA, it's DTF, so they or I can't answer the question directly, but it just seems that DTF is logging the connection string, however it gets it. Phil -----Original Message----- From: Hoover, Jacob [mailto:jacob.hoo...@greenheck.com] Sent: Monday, May 06, 2013 9:56 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Are they setting a property within their CA called ConnectionString? -----Original Message----- From: Phil Wilson [mailto:phil.wil...@mvps.org] Sent: Monday, May 06, 2013 11:48 AM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file In context, that full log entry was previously posted as: =========================================== Action start 17:26:56: InstallFinalize. SFXCA: Extracting custom action to temporary directory: C:\WINDOWS\Installer\MSI1045.tmp-\ SFXCA: Binding to CLR version v2.0.50727 Calling custom action DatabaseCA!DatabaseCA.CustomActions.DatabaseCA Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd=mypassword ========================================= Whicc is DTF doing the logging, methinks. Jeremiahf didn't show all the data in that recent reply, so without the SFXCA prefix it is misleading. Phil -----Original Message----- From: Jeremiahf [mailto:jeremi...@gmail.com] Sent: Monday, May 06, 2013 8:08 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Hi Rob, I'm pretty certain it is the installer logging what the custom action is doing. I ran the installer in verbose mode and noticed the password and server parameters were not being displayed in plain text. MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa PASSWORD=********** SERVER=********** Then when my custom action is called it is logging sql connection string in plain text. Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= mypassword J On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> wrote: > Is the message showing the password actually being logged by the > custom action itself? > > > On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: > > > Steven, > > > > "Tried adding: HideTarget="yes" that didn't help" Indeed! > > > > I'm even tried to remove logging from the custom action and I still > > see > the > > password... > > I've even checked MsiHiddenProperties and see that PASSWORD is > > listed > along > > with CA_DBAction... Not in SecureCustomProperties... I added secure="yes" > > and now it is there.. Execute the installer with logging and it is > > still unsecure in plain text in the log. It must be between the MSI > > installer > and > > the SQL connection that is being made. Thoughts? > > > > J > > > > > > On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie > > <steven.ogil...@titus.com > > >wrote: > > > > > I was not using managed code custom actions... > > > > > > I was doing: > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > > Property="CA_WebAppPoolPassword." > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > > > Tried adding: HideTarget="yes" that didn't help > > > <InstallExecuteSequence> > > > <Custom Action="CA_WebAppPoolPassword.SetProperty" > > > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > > > > > This property was in a custom dialog: > > > <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" > > > Y="152" Text="Web App Pool user password:" Transparent="yes" > > NoPrefix="yes" > > > /> > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > X="180" > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" > > > /> <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > Order="9">1</Publish> > > > > > > It was the custom action " CA_WebAppPoolPassword.SetProperty " > > > that was displaying the property in the MSI log file. > > > > > > Took it out and now the password is not being displayed in plain > > letters... > > > > > > Steve > > > > > > > > > -----Original Message----- > > > From: Phil Wilson [mailto:phil.wil...@mvps.org] > > > Sent: May-03-13 2:27 PM > > > To: 'General discussion for Windows Installer XML toolset.' > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in > > > MSI log file > > > > > > The way it works in MSI isn't really mysterious. Basically the > > > property name needs to be public (and that means it must be all > > > uppercase). If > WiX > > > does its thing properly then you can open the generated MSI file > > > with > an > > > editor such as Orca, look in the Properties table, and in the > > > Property table there'll be a SecureCustomProperties property and > > > your property > > name > > > will be in that list. > > > > > > This works. If it didn't work then Microsoft would be all over it > > > as a security bug. > > > > > > Generally speaking, people get account passwords from a MSI dialog > > > and store it in a property such as MYPASSWORD, and then pass it to > > > a custom action that uses it. > > > > > > However, you're using managed code custom actions, and it seems > > > from > the > > > log that the (DTF?) code just does its own logging into the MSI > > > log > > without > > > caring whether there's a password in there. So it may be a DTF > > > thing, > not > > > sure, and if it is then HideTarget etc won't help at all. The > > > short > > answer > > > is that if the DTF code is logging a connection string that > > > typically contains a password, then it probably shouldn't. > > > > > > Phil > > > > > > -----Original Message----- > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > Sent: Thursday, May 02, 2013 4:17 PM > > > To: General discussion for Windows Installer XML toolset. > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in > > > MSI log file > > > > > > Hi Steve, > > > > > > My requirements are strictly to use command line. Crazy? Maybe. I > > > have > to > > > say I have seen this topic all over blogs. Seems like there is > > > always a way, you just have to figure out how.... > > > > > > > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > > > <steven.ogil...@titus.com>wrote: > > > > > > > Hmm... I commented out my custom action that sets the property: > > > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > HideTarget="yes" > > > > Property="CA_WebAppPoolPassword." > > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > > > > > And ran the install, everything worked and my Web App Pool + Web > > > > site launched without errors (would have failed if I didn't have > > > > a > password > > > > for the Web App Pool) > > > > > > > > However I do publish the property during the UI: > > > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > > Order="9">1</Publish> (my web site info dialog page during > > > > install) > > > > > > > > I checked my MSI log file and there wasn't any viewable strings > > > > for the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD > > > > property. Its value is '**********' > > > > > > > > Publish your password within the UI area and see if that works... > > > > (also commenting out your custom action to set the property > > > > > > > > Steve > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: May-02-13 6:29 PM > > > > To: General discussion for Windows Installer XML toolset. > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log > > > > file > > > > > > > > Sure thing... > > > > > > > > Action start 17:26:56: CA_DBAction. > > > > Action ended 17:26:56: CA_DBAction. Return value 1. > > > > Action start 17:26:56: InstallFinalize. > > > > SFXCA: Extracting custom action to temporary directory: > > > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > > > Begin DatabaseCA > > > > Connecton String: Data Source=source;Packet > > > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > > > > > I as well have a custom action and HideTarget does nothing. > > > > > > > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > > > <chad.peter...@harlandfs.com>wrote: > > > > > > > > > If possible paste in a snippet of your log file around where > > > > > the password is seen. I tried for a long time to hide > > > > > passwords using the > > > > same method. > > > > > But it was some built-in custom actions that were logging my > > > > > passwords rather than code I'd written myself. > > > > > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > > > > > These were two entries that I made to make those extensions > > > > > hide > the > > > > > data passed to them, such as my password. > > > > > > > > > > -----Original Message----- > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > Sent: Thursday, May 02, 2013 2:38 PM > > > > > To: General discussion for Windows Installer XML toolset. > > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log > > > > > file > > > > > > > > > > I have tried that and no luck. My MSI is installed via command > line. > > > > > > > > > > I've even tried to give the property Id a value in case I > > > > > missed something and still doesn't work. > > > > > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" > > > > > /> > > > > > > > > > > My test system is running Server 2003 R2 SP 2 windows > > > > > installer version > > > > > 4.5 6001.22159 > > > > > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I > > > > > have found in hundreds of blogs online but every time I see > > > > > that a fix was submitted, I can't tell what version it was submitted in. > (sorry > > > > > for the run on > > > > > sentence.) > > > > > > > > > > J > > > > > > > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > > > <steven.ogil...@titus.com > > > > > >wrote: > > > > > > > > > > > I declare the property: > > > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" > > > > > > Secure="yes"/> This is how I use my password controls: > > > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > > > X="180" > > > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" > TabSkip="no" > > > > > > /> > > > > > > > > > > > > Logfile: > > > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > > Sent: May-02-13 5:08 PM > > > > > > To: wix-users@lists.sourceforge.net > > > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log > > > > > > file > > > > > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > > AppDynamics Lite It's a free troubleshooting tool designed > > > > > > for production Get down to code-level detail for > > > > > > bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > > AppDynamics Lite It's a free troubleshooting tool designed > > > > > > for production Get down to code-level detail for > > > > > > bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > "They may forget what you said but they will never forget how > > > > > you made them feel." -- Anonymous > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > > production Get down to code-level detail for bottlenecks, with > > > > > <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > > production Get down to code-level detail for bottlenecks, with > > > > > <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > -- > > > > "They may forget what you said but they will never forget how > > > > you > made > > > > them feel." -- Anonymous > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > > > > > > > ---------------------------------------------------------------------- > ------ > > > -- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a > free > > > troubleshooting tool designed for production Get down to > > > code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > ---------------------------------------------------------------------- > -------- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a > free > > > troubleshooting tool designed for production Get down to > > > code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > ---------------------------------------------------------------------- > -------- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a free troubleshooting tool designed for production Get down to > > > code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > -- > > "They may forget what you said but they will never forget how you > > made > them > > feel." -- Anonymous > > > > > ---------------------------------------------------------------------- > -------- > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > > free troubleshooting tool designed for production Get down to > > code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > ---------------------------------------------------------------------- > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production Get down to > code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
