Your messages seemed to indicate that the custom action was a black box to you and/or that you didn't have access to the source. You use ORCA to stream the foo.ca.dll out of the binary table and then you use winzip to extract the custom action assembly, the interop library and anything else that you packaged into the custom action dll. Redgate is then used to decompile it back into source so you can find the session.Log() entry that was logging your secrets.
So you have the source and you found it. Great. Now you know how to do it the other way if you ever need to one day. ---------------------------------------- From: "Jeremiahf" <jeremi...@gmail.com> Sent: Monday, May 06, 2013 10:38 PM To: chr...@iswix.com, "General discussion for Windows Installer XML toolset." <wix-users@lists.sourceforge.net> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Chris, Winzip? Its an MSI. Why use Redgate when I have the source to the CA? No offense, I guess I just don't understand your response. I FINALLY FOUND THE LINE OF CODE that was passing the connection string to the log and commented it out. Rob was absolutely correct. It WAS the CA logging the parameters! I was stuck on looking at HideTarget and Hidden at the time in the WIX code... NOTE! Take a break from the screen! Thank you everyone for all your help!!!!!! Cheers! Jeremiah On Mon, May 6, 2013 at 3:11 PM, Christopher Painter <chr...@iswix.com> wrote: Except when they are called by a ControlEvent. :-) It looks to me that the C#/DTF custom action has some initialization to called session.Log(). This would be easy enough to tell by using WinZip to extract the assembly from the self extract custom action ( foo.dll from foo.ca.dll ) and then decompile it using a program like RedGate Reflector. ---------------------------------------- From: "Phil Wilson" <phil.wil...@mvps.org> Sent: Monday, May 06, 2013 12:40 PM To: "General discussion for Windows Installer XML toolset." <wix-users@lists.sourceforge.net> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file ...and at the risk of stating the obvious, custom actions can put messages in the MSI log by calling MsiProcessMessage(). That's a good thing of course, except when it gives away secrets ;) Phil -----Original Message----- From: Phil Wilson [mailto:phil.wil...@mvps.org] Sent: Monday, May 06, 2013 10:22 AM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Well it's not "their" CA, it's DTF, so they or I can't answer the question directly, but it just seems that DTF is logging the connection string, however it gets it. Phil -----Original Message----- From: Hoover, Jacob [mailto:jacob.hoo...@greenheck.com] Sent: Monday, May 06, 2013 9:56 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Are they setting a property within their CA called ConnectionString? -----Original Message----- From: Phil Wilson [mailto:phil.wil...@mvps.org] Sent: Monday, May 06, 2013 11:48 AM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file In context, that full log entry was previously posted as: =========================================== Action start 17:26:56: InstallFinalize. SFXCA: Extracting custom action to temporary directory: C:\WINDOWS\Installer\MSI1045.tmp-\ SFXCA: Binding to CLR version v2.0.50727 Calling custom action DatabaseCA!DatabaseCA.CustomActions.DatabaseCA Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd=mypassword ========================================= Whicc is DTF doing the logging, methinks. Jeremiahf didn't show all the data in that recent reply, so without the SFXCA prefix it is misleading. Phil -----Original Message----- From: Jeremiahf [mailto:jeremi...@gmail.com] Sent: Monday, May 06, 2013 8:08 AM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Hi Rob, I'm pretty certain it is the installer logging what the custom action is doing. I ran the installer in verbose mode and noticed the password and server parameters were not being displayed in plain text. MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa PASSWORD=********** SERVER=********** Then when my custom action is called it is logging sql connection string in plain text. Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= mypassword J On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> wrote: > Is the message showing the password actually being logged by the > custom action itself? > > > On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: > > > Steven, > > > > "Tried adding: HideTarget="yes" that didn't help" Indeed! > > > > I'm even tried to remove logging from the custom action and I still > > see > the > > password... > > I've even checked MsiHiddenProperties and see that PASSWORD is > > listed > along > > with CA_DBAction... Not in SecureCustomProperties... I added secure="yes" > > and now it is there.. Execute the installer with logging and it is > > still unsecure in plain text in the log. It must be between the MSI > > installer > and > > the SQL connection that is being made. Thoughts? > > > > J > > > > > > On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie > > <steven.ogil...@titus.com > > >wrote: > > > > > I was not using managed code custom actions... > > > > > > I was doing: > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > > Property="CA_WebAppPoolPassword." > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > > > Tried adding: HideTarget="yes" that didn't help > > > <InstallExecuteSequence> > > > <Custom Action="CA_WebAppPoolPassword.SetProperty" > > > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > > > > > This property was in a custom dialog: > > > <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" > > > Y="152" Text="Web App Pool user password:" Transparent="yes" > > NoPrefix="yes" > > > /> > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > X="180" > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" > > > /> <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > Order="9">1</Publish> > > > > > > It was the custom action " CA_WebAppPoolPassword.SetProperty " > > > that was displaying the property in the MSI log file. > > > > > > Took it out and now the password is not being displayed in plain > > letters... > > > > > > Steve > > > > > > > > > -----Original Message----- > > > From: Phil Wilson [mailto:phil.wil...@mvps.org] > > > Sent: May-03-13 2:27 PM > > > To: 'General discussion for Windows Installer XML toolset.' > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in > > > MSI log file > > > > > > The way it works in MSI isn't really mysterious. Basically the > > > property name needs to be public (and that means it must be all > > > uppercase). If > WiX > > > does its thing properly then you can open the generated MSI file > > > with > an > > > editor such as Orca, look in the Properties table, and in the > > > Property table there'll be a SecureCustomProperties property and > > > your property > > name > > > will be in that list. > > > > > > This works. If it didn't work then Microsoft would be all over it > > > as a security bug. > > > > > > Generally speaking, people get account passwords from a MSI dialog > > > and store it in a property such as MYPASSWORD, and then pass it to > > > a custom action that uses it. > > > > > > However, you're using managed code custom actions, and it seems > > > from > the > > > log that the (DTF?) code just does its own logging into the MSI > > > log > > without > > > caring whether there's a password in there. So it may be a DTF > > > thing, > not > > > sure, and if it is then HideTarget etc won't help at all. The > > > short > > answer > > > is that if the DTF code is logging a connection string that > > > typically contains a password, then it probably shouldn't. > > > > > > Phil > > > > > > -----Original Message----- > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > Sent: Thursday, May 02, 2013 4:17 PM > > > To: General discussion for Windows Installer XML toolset. > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in > > > MSI log file > > > > > > Hi Steve, > > > > > > My requirements are strictly to use command line. Crazy? Maybe. I > > > have > to > > > say I have seen this topic all over blogs. Seems like there is > > > always a way, you just have to figure out how.... > > > > > > > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > > > <steven.ogil...@titus.com>wrote: > > > > > > > Hmm... I commented out my custom action that sets the property: > > > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > HideTarget="yes" > > > > Property="CA_WebAppPoolPassword." > > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > > > > > And ran the install, everything worked and my Web App Pool + Web > > > > site launched without errors (would have failed if I didn't have > > > > a > password > > > > for the Web App Pool) > > > > > > > > However I do publish the property during the UI: > > > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > > Order="9">1</Publish> (my web site info dialog page during > > > > install) > > > > > > > > I checked my MSI log file and there wasn't any viewable strings > > > > for the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD > > > > property. Its value is '**********' > > > > > > > > Publish your password within the UI area and see if that works... > > > > (also commenting out your custom action to set the property > > > > > > > > Steve > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: May-02-13 6:29 PM > > > > To: General discussion for Windows Installer XML toolset. > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log > > > > file > > > > > > > > Sure thing... > > > > > > > > Action start 17:26:56: CA_DBAction. > > > > Action ended 17:26:56: CA_DBAction. Return value 1. > > > > Action start 17:26:56: InstallFinalize. > > > > SFXCA: Extracting custom action to temporary directory: > > > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > > > Begin DatabaseCA > > > > Connecton String: Data Source=source;Packet > > > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > > > > > I as well have a custom action and HideTarget does nothing. > > > > > > > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > > > <chad.peter...@harlandfs.com>wrote: > > > > > > > > > If possible paste in a snippet of your log file around where > > > > > the password is seen. I tried for a long time to hide > > > > > passwords using the > > > > same method. > > > > > But it was some built-in custom actions that were logging my > > > > > passwords rather than code I'd written myself. > > > > > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > > > > > These were two entries that I made to make those extensions > > > > > hide > the > > > > > data passed to them, such as my password. > > > > > > > > > > -----Original Message----- > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > Sent: Thursday, May 02, 2013 2:38 PM > > > > > To: General discussion for Windows Installer XML toolset. > > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log > > > > > file > > > > > > > > > > I have tried that and no luck. My MSI is installed via command > line. > > > > > > > > > > I've even tried to give the property Id a value in case I > > > > > missed something and still doesn't work. > > > > > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" > > > > > /> > > > > > > > > > > My test system is running Server 2003 R2 SP 2 windows > > > > > installer version > > > > > 4.5 6001.22159 > > > > > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I > > > > > have found in hundreds of blogs online but every time I see > > > > > that a fix was submitted, I can't tell what version it was submitted in. > (sorry > > > > > for the run on > > > > > sentence.) > > > > > > > > > > J > > > > > > > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > > > <steven.ogil...@titus.com > > > > > >wrote: > > > > > > > > > > > I declare the property: > > > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" > > > > > > Secure="yes"/> This is how I use my password controls: > > > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > > > X="180" > > > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" > TabSkip="no" > > > > > > /> > > > > > > > > > > > > Logfile: > > > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > > Sent: May-02-13 5:08 PM > > > > > > To: wix-users@lists.sourceforge.net > > > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log > > > > > > file > > > > > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > > AppDynamics Lite It's a free troubleshooting tool designed > > > > > > for production Get down to code-level detail for > > > > > > bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > > AppDynamics Lite It's a free troubleshooting tool designed > > > > > > for production Get down to code-level detail for > > > > > > bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > "They may forget what you said but they will never forget how > > > > > you made them feel." -- Anonymous > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > > production Get down to code-level detail for bottlenecks, with > > > > > <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with > > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > > production Get down to code-level detail for bottlenecks, with > > > > > <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > -- > > > > "They may forget what you said but they will never forget how > > > > you > made > > > > them feel." -- Anonymous > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > > > > > > > ---------------------------------------------------------------------- > ------ > > > -- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a > free > > > troubleshooting tool designed for production Get down to > > > code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > ---------------------------------------------------------------------- > -------- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a > free > > > troubleshooting tool designed for production Get down to > > > code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > ---------------------------------------------------------------------- > -------- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's > > > a free troubleshooting tool designed for production Get down to > > > code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > -- > > "They may forget what you said but they will never forget how you > > made > them > > feel." -- Anonymous > > > > > ---------------------------------------------------------------------- > -------- > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > > free troubleshooting tool designed for production Get down to > > code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > ---------------------------------------------------------------------- > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production Get down to > code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ---------------------------------------------------------------------------- -- Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
