Preventing passwords from getting written to log files
Hi
I have a Basic MSI project and a slight dilemma there. I'd need to ask user credentials during the UI phase and pass them to a custom action in the execute phase to be handled. However, doing that the normal way using CustomActionData would cause those credentials (especially the password) to be written to the MSI log file. I wouldn't like to disable MSI logging as that provides useful troubleshooting information but having passwords there is an obvious security issue. Is there a way to prevent certain data from being written to the log in clear text? Or do I have to write a separate application that's launched during the execute phase to request those credentials?
Unfortunately there's a little problem with that. Even though I've hidden the actual property containing the password as well as the property used for passing custom action data, it's still written to the log at this point:
[CODE]MSI (s) (E4:A8) [12:05:59:540]: Executing op: CustomActionSchedule(Action=CreatePasswordAlias,ActionType=3073,Source=BinaryData,Target=f10,CustomActionData=)[/CODE]
You may also want to try the Custom Action Hidden Target Option. InstallShield currently does not expose the setting in the Custom Actions view. In the Direct Editor, you need to add 0x2000 (8192) to the type of your custom action that you want to prevent from writing the value in the Target column into the log file.
