cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
InstallDev
Level 3

Did Microsoft break per-user minor upgrades with their recent kb2918614 Fix?

After applying Microsoft’s latest fix for the windows installer (kb2918614/MS14-049), we started noticing that our minor upgrades for the per-user installation started prompting for the UAC to be completed. No UAC is prompted if we do a fresh install but if we do a minor upgrade using a new full msi with REINSTALL=ALL REINSTALLMODE=vomus, the upgrade hangs in the middle requiring UAC. This was not the case before we applied the windows update fix where both fresh and upgrade scenarios worked fine with no UAC.



Their fix is documented in the following links and they mentioned that the vulnerability they fixed is caused when the Windows Installer service improperly handles the repair of a previously installed application


http://support.microsoft.com/kb/2918614

https://technet.microsoft.com/library/security/MS14-049


Here are log entries before accepting the UAC request:



SOURCEDIR product ==> {F6B5B61D-8883-4494-A0A0-A437F173AA6A}

Determining source type

Source type from package 'application.msi': 8

SECREPAIR: Hash Database: C:\windows\Installer\SourceHash{F6B5B61D-8883-4494-A0A0-A437F173AA6A}

SECREPAIR: CryptAcquireContext succeeded

SECREPAIR: filename: application.msi Stored Hash Value:fjqR6m0/jCq5sAIj5WLUu06KFNqEkxuAJ0ZslZQpdYw= Current Hash:loNavG/BPRd9nn0ofrH8Q12W/TUq0rXJfb2KpozV3Qw=

Machine policy value 'AlwaysInstallElevated' is 0

User policy value 'AlwaysInstallElevated' is 0

MSI_LUA: Credential Request return = 0x0

MSI_LUA: Elevated credential consent provided. Install will run elevated


In other locations in the log, I confirmed that the windows installer is aware that this is a per-user non-managed installation package that doesn’t require any admin rights.


My guess is that the Microsoft fix for the repair issue is to compare the Stored Hash Value of the old package with the new Hash value of the new package and if it is different, it would prompt for UAC.

But then how are we suppose to handle the minor upgrade cases where these values should always be different. (Both repairing the product or upgrading the product shares the same command REINSTALL=ALL REINSTALLMODE=vomus )


How are we supposed now to do minor upgrades without requiring UAC? Am I missing something fundamental here?


Thanks
Labels (1)
0 Kudos
(3) Replies
InstallDev
Level 3

I tried to do it silently, here is the log produced:

===

MSI_LUA: Elevation prompt disabled for silent installs
Note: 1: 3
SECUREREPAIR: SecureRepair Failed. Error code: 3F8F434B8

===

I couldn't find any documentation for this error code 3F8F434B8

Any Idea?
0 Kudos
Jean_Yves
Level 2

Hello all,

I had the same problem .

I don't know if Microsoft has confirmed this issue . Do you have some news about this topic ?

Thanks.
0 Kudos
Ashish_Mishra
Level 2

Our silent installers also broke due to this.
Is there any known workaround?

Any official say from Flexera Software about it?
0 Kudos