This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- Did Microsoft break per-user minor upgrades with their recent kb2918614 Fix?
Subscribe
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Aug 19, 2014
04:05 PM
Did Microsoft break per-user minor upgrades with their recent kb2918614 Fix?
After applying Microsoft’s latest fix for the windows installer (kb2918614/MS14-049), we started noticing that our minor upgrades for the per-user installation started prompting for the UAC to be completed. No UAC is prompted if we do a fresh install but if we do a minor upgrade using a new full msi with REINSTALL=ALL REINSTALLMODE=vomus, the upgrade hangs in the middle requiring UAC. This was not the case before we applied the windows update fix where both fresh and upgrade scenarios worked fine with no UAC.
Their fix is documented in the following links and they mentioned that the vulnerability they fixed is caused when the Windows Installer service improperly handles the repair of a previously installed application
http://support.microsoft.com/kb/2918614
https://technet.microsoft.com/library/security/MS14-049
Here are log entries before accepting the UAC request:
SOURCEDIR product ==> {F6B5B61D-8883-4494-A0A0-A437F173AA6A}
Determining source type
Source type from package 'application.msi': 8
SECREPAIR: Hash Database: C:\windows\Installer\SourceHash{F6B5B61D-8883-4494-A0A0-A437F173AA6A}
SECREPAIR: CryptAcquireContext succeeded
SECREPAIR: filename: application.msi Stored Hash Value:fjqR6m0/jCq5sAIj5WLUu06KFNqEkxuAJ0ZslZQpdYw= Current Hash:loNavG/BPRd9nn0ofrH8Q12W/TUq0rXJfb2KpozV3Qw=
Machine policy value 'AlwaysInstallElevated' is 0
User policy value 'AlwaysInstallElevated' is 0
MSI_LUA: Credential Request return = 0x0
MSI_LUA: Elevated credential consent provided. Install will run elevated
In other locations in the log, I confirmed that the windows installer is aware that this is a per-user non-managed installation package that doesn’t require any admin rights.
My guess is that the Microsoft fix for the repair issue is to compare the Stored Hash Value of the old package with the new Hash value of the new package and if it is different, it would prompt for UAC.
But then how are we suppose to handle the minor upgrade cases where these values should always be different. (Both repairing the product or upgrading the product shares the same command REINSTALL=ALL REINSTALLMODE=vomus )
How are we supposed now to do minor upgrades without requiring UAC? Am I missing something fundamental here?
Thanks
Their fix is documented in the following links and they mentioned that the vulnerability they fixed is caused when the Windows Installer service improperly handles the repair of a previously installed application
http://support.microsoft.com/kb/2918614
https://technet.microsoft.com/library/security/MS14-049
Here are log entries before accepting the UAC request:
SOURCEDIR product ==> {F6B5B61D-8883-4494-A0A0-A437F173AA6A}
Determining source type
Source type from package 'application.msi': 8
SECREPAIR: Hash Database: C:\windows\Installer\SourceHash{F6B5B61D-8883-4494-A0A0-A437F173AA6A}
SECREPAIR: CryptAcquireContext succeeded
SECREPAIR: filename: application.msi Stored Hash Value:fjqR6m0/jCq5sAIj5WLUu06KFNqEkxuAJ0ZslZQpdYw= Current Hash:loNavG/BPRd9nn0ofrH8Q12W/TUq0rXJfb2KpozV3Qw=
Machine policy value 'AlwaysInstallElevated' is 0
User policy value 'AlwaysInstallElevated' is 0
MSI_LUA: Credential Request return = 0x0
MSI_LUA: Elevated credential consent provided. Install will run elevated
In other locations in the log, I confirmed that the windows installer is aware that this is a per-user non-managed installation package that doesn’t require any admin rights.
My guess is that the Microsoft fix for the repair issue is to compare the Stored Hash Value of the old package with the new Hash value of the new package and if it is different, it would prompt for UAC.
But then how are we suppose to handle the minor upgrade cases where these values should always be different. (Both repairing the product or upgrading the product shares the same command REINSTALL=ALL REINSTALLMODE=vomus )
How are we supposed now to do minor upgrades without requiring UAC? Am I missing something fundamental here?
Thanks
(3) Replies
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Aug 20, 2014
10:25 AM
I tried to do it silently, here is the log produced:
===
MSI_LUA: Elevation prompt disabled for silent installs
Note: 1: 3
SECUREREPAIR: SecureRepair Failed. Error code: 3F8F434B8
===
I couldn't find any documentation for this error code 3F8F434B8
Any Idea?
===
MSI_LUA: Elevation prompt disabled for silent installs
Note: 1: 3
SECUREREPAIR: SecureRepair Failed. Error code: 3F8F434B8
===
I couldn't find any documentation for this error code 3F8F434B8
Any Idea?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 03, 2014
02:30 AM
Hello all,
I had the same problem .
I don't know if Microsoft has confirmed this issue . Do you have some news about this topic ?
Thanks.
I had the same problem .
I don't know if Microsoft has confirmed this issue . Do you have some news about this topic ?
Thanks.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 08, 2014
09:29 AM
Our silent installers also broke due to this.
Is there any known workaround?
Any official say from Flexera Software about it?
Is there any known workaround?
Any official say from Flexera Software about it?