
Preventing passwords from getting written to log files



IlkkaV
11-23-2015, 08:40 AM
Hi

I have a Basic MSI project and a slight dilemma there. I'd need to ask for user credentials during the UI phase and pass them to a custom action in the execute phase to be handled. However, doing that the normal way using CustomActionData would cause those credentials (especially the password) to be written to the MSI log file. I wouldn't like to disable MSI logging as that provides useful troubleshooting information, but having passwords there is an obvious security issue. Is there a way to prevent certain data from being written to the log in clear text? Or do I have to write a separate application that's launched during the execute phase to request those credentials?

hidenori
11-23-2015, 02:40 PM
Have you considered using the MsiHiddenProperties property (https://msdn.microsoft.com/en-us/library/aa370308(v=vs.85).aspx)?

IlkkaV
11-23-2015, 02:57 PM
> Have you considered using the MsiHiddenProperties property (https://msdn.microsoft.com/en-us/library/aa370308(v=vs.85).aspx)?

I forgot about that one, it's just the thing I need! Thanks :)

IlkkaV
11-24-2015, 05:11 AM
Unfortunately there's a little problem with that. Even though I've hidden the actual property containing the password as well as the property used for passing custom action data, it's still written to the log at this point:


MSI (s) (E4:A8) [12:05:59:540]: Executing op: CustomActionSchedule(Action=CreatePasswordAlias,ActionType=3073,Source=BinaryData,Target=f10,CustomActionData=<password in clear text>)

Any ideas on how to solve this one?

hidenori
11-24-2015, 09:51 AM
You may also want to try the Custom Action Hidden Target Option (https://msdn.microsoft.com/en-us/library/aa368068(v=vs.85).aspx). InstallShield currently does not expose the setting in the Custom Actions view. In the Direct Editor, you need to add 0x2000 (8192) to the type of your custom action that you want to prevent from writing the value in the Target column into the log file.

IlkkaV
11-25-2015, 01:37 AM
Thanks again hidenori, seems to work fine once again :)
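
Added example, not part of the original thread and not InstallShield or Microsoft code: a Python audit of CustomAction table rows that reports deferred actions which receive a hidden property through CustomActionData but can still log it, together with the corrected Type value. The CreatePasswordAlias row uses the values from the log line above; the type 51 row, the property name SERVICE_PASSWORD and the function name audit are assumptions made for illustration.

```python
import re

# Custom action type bits from the Windows Installer SDK (msidefs.h).
IN_SCRIPT = 0x0400    # deferred: runs from the execute-phase script
HIDE_TARGET = 0x2000  # keeps Target / CustomActionData out of the log
SET_PROPERTY = 51     # base type 51: set a property from formatted text
BASE_MASK = 0x3F      # low six bits hold the base type

def audit(custom_actions, msi_hidden_properties):
    """Return (action, fix, corrected_type) for deferred actions that can leak.

    custom_actions: rows (Action, Type, Source, Target) from the CustomAction table.
    msi_hidden_properties: value of MsiHiddenProperties (semicolon-separated).
    """
    hidden = {p for p in msi_hidden_properties.split(";") if p}
    # Type 51 rows: Source is the property being set, Target the formatted
    # value; collect which [Property] references feed each property.
    feeds = {}
    for _action, ca_type, source, target in custom_actions:
        if (ca_type & BASE_MASK) == SET_PROPERTY:
            refs = re.findall(r"\[([^\[\]]+)\]", target)
            feeds.setdefault(source, set()).update(refs)
    findings = []
    for action, ca_type, _source, _target in custom_actions:
        if not (ca_type & IN_SCRIPT):
            continue  # immediate action, no CustomActionData hand-off
        # A deferred action reads CustomActionData from the property that
        # carries its own name; skip it if no hidden property flows in.
        if not (feeds.get(action, set()) & hidden):
            continue
        if action not in hidden:
            findings.append((action, "add to MsiHiddenProperties", None))
        if not (ca_type & HIDE_TARGET):
            findings.append((action, "set HideTarget bit", ca_type | HIDE_TARGET))
    return findings

# Constructed sample rows. The second row matches the log line in the thread.
ROWS = [
    ("SetCreatePasswordAliasData", 51, "CreatePasswordAlias", "[SERVICE_PASSWORD]"),
    ("CreatePasswordAlias", 3073, "BinaryData", "f10"),
]

if __name__ == "__main__":
    # State described in the 11-24 post: both properties hidden, bit not set.
    for finding in audit(ROWS, "SERVICE_PASSWORD;CreatePasswordAlias"):
        print(finding)
```

After changing the Type in the Direct Editor, rerun the install with logging enabled and confirm that the CustomActionSchedule line no longer shows the value.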