Hide sensitive information in logs
we are using basic msi project that creates an exe file. we are using deferred custom action and customactiondata to pass the data to csharp customaction. we need to hide password into the log file and we have tried following ways, (we also looked into available solutions and by which able to hide only few instances of the passwords but still at few places passwords are being logged) but unfortunately it display the password inside the log file.
(1) MsiHiddenProperties property with the password property value and custom action that uses that properties. (all the values with delimeter semicolon)
(2) we have tried by adding 8192 into the customaction type and also added prooeprties name into target column
(3) I have also checked that password property is exist into the secure property.
Hi @tirtht ,
"but still at few places passwords are being logged" can you tell us what instances like which execution sequence level doesn't work?
in general MsiHiddenProperties should do the work,the below link can give more information:
Use the custom action type flag 0x2000 / 8192 Custom Action Hidden Target Option to prevent logging the value of a deferred action's
CustomActionData property, for example. Again this does not propagate to any further logging based on values the custom action extracts from this property. Note that you must add (technically bitwise OR) the value 8192 to the existing value in the Type column of the CustomAction table; the other bits of that value contain important information as well, such as its base type and its execution options.
Hi @tirtht ,
Thanks for sharing sample files.I had quickly checked data in project files where things seem to be fine.
- I couldn't open solution file in either VS2015/VS2019/VS2012 as well.
- But on building ism file,i could get setup without files been added.
- After installing the setup,I could see password property DEMODATA in log file which is been masked or hidden properly.
- Where exactly DEMODATA isn't getting masked is the place it is missing here?It would be better if you could clarify here.
Hope i am in-sync with your setup other than files from ClassLibrary1 project being added.
apologies for inconvenience caused.
I am in concordance with all your points. as you rightly mentioned, property is password (also MsiHiddenProperties is implemented) and still DEMODATA property is not masked.
kindly provide solution Or any way which we implemented wrong, thanks in advance.
Hi @tirtht ,
As MsiHiddenProperties is not available in Deferred mode, its value has to be passed in CustomActionData. InstallShield will hide the property value if the MsiHiddenProperties is passed in the CustomActionData. To do this for a Managed code custom action, add the following to the Custom Action that sets the CustomActionData:
i couldn't see setproperty custom action which tries to set MsiHiddenProperties to CustomActionData
Below link can help you:
What you should do is insert a type 51 custom action (Set Property) in IMMEDIATE context. The name of the property you set should be the NAME of the deferred custom action you want to use. So if the name of the deferred CA is MyAction, the name of the property you set should be MyAction
Thanks for your response.
currently, I am trying your solution and will revert the result.
meanwhile, could you please give me reference where I can find (just for my reference so in future avoid such type of implementation) supported and non-supported items with deferred custom action, especially for the MsiHiddenProperties one.
Hi @tirtht ,
To get idea on different custom action types,below link can help:
Deferred, commit, and rollback custom actions in Basic MSI and InstallScript MSI installations have access to only some of the built-in Windows Installer properties: CustomActionData, ProductCode, and UserSID.
More information can be found in:
I have tried your solution -
below is the snap of all the steps. but it gives the exception
exception detail - CustomAction CallToDef returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
firstly, value of MsiHiddenPropertis -
I have set it to- [DEMODATA] - Only the password property.
step- 2 - I have changed the setproperty custom action (type 51) to the below value
Property Name - CallToDef (same as custom action)
Property Value - MsiHiddenProperties="[MsiHiddenProperties]";[CURRENTDIRECTORY]
Any other change do I need to make ?
one more update -
I have changed the value for now of MsiHiddenProperty to this => MsiHiddenProperties="[MsiHiddenProperties]"
and it called my custom action without any error / exception. 🙂
but now problem is inside the code (C#) while I fetch the value of CustomActionData it gives me like this =>
so as you can see, this is not the actual value of the DEMODATA. instead this is the name of the property.
PFB - snapshot for csharp code that I used.
Code line whch i used to fetch CustomActionData -
public bool GetTest(int msiHandler)
using (Msi.Install msi = Msi.CustomActionHandle(msiHandler))
string data = msi.GetProperty("CustomActionData");
Hi @tirtht ,
How about passing CustomActionData via custom method signature ?
Deferred, commit, and rollback custom actions have access to only some of the built-in Windows Installer properties: CustomActionData, ProductCode, and UserSID. Therefore, if you use a custom method signature and you want your managed assembly custom action to access or pass any other properties during deferred, commit, or rollback execution, you must pass them through the CustomActionData property.
You can get more detail here:
could you please give some more detail about how we can pass custom action method signature. I have gone through the link and it is concluded that the only way is CustomActionData.
thanks in advance.
Hi @tirtht ,
What i meant was:
- You can create setproperty custom action for the specific property with the name of managed custom action say "MyAction" with property value MsiHiddenProperties="[MsiHiddenProperties]"
- If you give any other property value here say [DEMODATA],it will get logged in log file since MsiHiddenProperties functionality dint come to picture here.
- You can use "Use Custom method signature" to pass MsiHiddenProperties/which ever property you want deferred managed custom action to make use of .
- As given in snap,you can pass MsiHiddenProperties to the deferred managed custom action
- In this way can you verify how the system behaves with respect to MsiHiddenProperties?