Documentation (Included in Download As Well)
Version
This document is for version 2.4. Please see the script for complete
version history information. For detailed syntax information, run the
script help ("cscript msirestrictrun.vbs /?").
Attention: as of version 2.1 the comparison operators for mode=PREVENTLAUNCH
are automatically reversed (NOTted) for you when the MSI file is edited. If
you have existing batch files that automate this script and include
mode=PREVENTLAUNCH, reverse your comparison operators to retain the desired
behavior. For instance, "NE" becomes "EQ".
Why This Script
Sample usage scenarios for this script:
- For Removable Media Distributions - Prevent Employees From Casually
Installing Licensed Software on Non-corporate Computers. Once a package has
been configured with this script, the wrapper script can be used to determine if
the target machine is a corporate machine. A wrapper script is not even required
if this verification can be done by simply checking an environment variable.
- For Removable Media / Public Locations - Prevent Installing Packages
Without Required Customizations. This script can configure a package so that
users must use your wrapper script. This wrapper could be a compiled executable,
an encoded VBScript, or any other mechanism that allows you to hide the
command line being run. If you cannot or do not wish to hide the command line,
read the section in this document titled Clever Obscurity. This helps ensure
that your specific command line is run, so that all applicable transforms,
properties and other desired command line attributes (such as logging location
or parameters) are included in the installation command line.
- Prevent Accidental Installation of Packages on Specialized or Change
Regulated Computers. Some companies have Windows computers that control
laboratory equipment, manufacturing equipment or regulated systems. This
script can prevent MSI packages from running on those machines (without
requiring group policy).
- Prevent Mis-configuration by IT Staff - by requiring a special IT
Managed transform when packages are configured for deployment by Junior Admins
or Regional or local IT staff.
- Prevent User Based Installs - if users are administrators, or you are
using elevated privileges, then double-clicking results in a user based install,
which is not manageable in enterprise environments.
- Prevent Packages from Being Installed Outside of your Software
Distribution System or Pull Menu - packages that run in pull menus and
distribution systems must be stored in place where users have read access.
If users are able to discover the location of packages they can usually run them
by double clicking. Policies and security rights must allow them to be run
from this location for the packages to work with the distribution system or pull
menu.
- Automated and Consistent Changes to Packages. Using MSIRestrictRun to
configure packages ensures that the changes made are consistent. With a
batch file, these changes can be completely automated.
Significant Features and Attributes:
- Completely flexible condition building based on either environment
variables or properties.
- Enabled for multiple runs of the same package file by recognizing
changes made by previous script runs and handling them appropriately.
- Full cleanup of package files using a special switch that removes
changes made by the script.
- Exhaustive logging. Following the good example set by Windows Installer
itself, this script allows verbose logging of all operations.
- No Dependency on Policies. By embedding your restrictions right inside
the MSI file they will be active whether or not your security or policies are
active on the machines the package is run on. This includes machines in
other companies, home machines, and machines in other divisions of your company.
- Prevent Unnecessary Authoring Tool Changes to Packages. Almost all
authoring tools add some data to the package and "correct" problems. Full
feature authoring tools may also require recompiling the entire package. For
third party packages from software vendors these alterations could make the
package inoperable or unpredictable. This script only adds rows to the required
tables.
- Use on In-House Packages and Software Vendor Packages. This script
works consistently with packages from any vendor, or built internally.
- Use on All Packages Regardless of Tools Used to Build Them. This
script will work on packages built by any authoring tool.
Methods of Restriction:
Each method below gives the check value type (property, environment variable or
registry key), where the secret value is set, the resulting scenario, and the
typical usage.

Private Property, set in Transform
  Result: Install only works when run with the "IT Managed" Transform.
  Typical Usage: Prevent user double-click, or departmental IT deployments,
  from leaving out central IT transforms.

Public Property, set in Transform
  Result: Install only works when run with the "IT Managed" Transform, but the
  value can be overridden on the command line. Not secure, because transforms
  can be dumped relatively easily.
  Typical Usage: Prevent user double-click.

Public Property, set on MSIEXEC Command Line
  Result: Install only works when the "IT Managed" command line is used, or
  from "IT Managed" wrappered activities (e.g. wrapper scripts, software
  distribution systems, pull menus). If used, the command line should be
  obscured (e.g. by compiling into an EXE or script encoding). If you cannot or
  prefer not to obscure the command line because you must enter it in a
  distribution system or shortcut, read the section titled Clever Obscurity.
  Typical Usage: Ensure that packages can only run in managed contexts such as
  a pull menu system or software distribution. Ensure that packages only run
  with an IT Managed setup wrapper of some type.

Environment Variable, set in Wrapper Script
  Result: Install only works from "IT Managed" wrappered activities (e.g.
  wrapper scripts, software distribution systems, pull menus).
  Typical Usage: Ensure that packages can only run in managed contexts such as
  a pull menu system or software distribution.

Environment Variable, set on Computer, in Logon Script, etc.
  Result: Install only works on "IT Managed" computers, or is prevented from
  running on specific sub-sets of IT Managed computers. Install only works on
  specific versions of the "IT Managed" desktop.
  Typical Usage: Prevent packages from being installed in other companies, in
  divisions of your own company, on specific company computers or on home
  machines.

Registry Key, set on Computer
  Result: Install only works on "IT Managed" computers, or is prevented from
  running on specific sub-sets of IT Managed computers. Install only works on
  specific versions of the "IT Managed" desktop.
  Typical Usage: Prevent packages from being installed in other companies, in
  divisions of your own company, on specific company computers or on home
  machines.
Comparison Operators:
- Equal (EQ), Not Equal (NE): exact value match, numeric or alpha.
- Greater Than (GT), Greater Than or Equal (GE), Less Than (LT), Less Than
or Equal (LE): range match, usually numeric.
- Contains (CT), Does Not Contain (NCT): substring match, numeric or alpha.
Also usable as a range match for structured numbers such as version numbers.
Script and Documentation Updates
For updates to this script and documentation visit http://desktopengineer.com/msirestrictrun
Running The Script
MSIRestrictRun has built-in help and command line parameter validation. Type
"cscript msirestrictrun.vbs /?" to read the command line help.
"sample.bat" is provided in this directory to
help you figure out the command lines.
One script variable should be edited in the script. sCorpMsgID contains
the text tag used to identify launch conditions inserted by this script. This
allows multiple runs, as well as the cleanup setting, to easily identify launch
conditions inserted by this script and update or remove them. The script error
checking will not allow a launch condition message (PREVENTLAUNCHMSG switch)
that does not contain this text tag. Using your company name or acronym is the
easiest way to incorporate the text tag. For instance, making the text tag
"ACME" allows all PREVENTLAUNCHMSG values to start with the text tag and still
make sense (e.g. "ACME: This is not a corporate machine." or "This is not an
ACME corporate machine.").
The script can be run two times on the same file to give it both a
"preventlaunch" and an "interfacewithnochanges" condition. This can be handy if
one is used to prevent double-clicking (which would skip customizations) and the
other is used to verify that the machine is corporate (preventing the install
even if the wrapper is used on a non-corporate machine).
When using a registry key as the checkvalue, specify the entire registry key
and value path, using the following registry hive abbreviations:
- HKCU for HKEY_CURRENT_USER (e.g. "HKCU\Software\MyCompany\MyValue")
- HKLM for HKEY_LOCAL_MACHINE (e.g. "HKLM\Software\MyCompany\MyValue")
- HKCR for HKEY_CLASSES_ROOT (e.g. "HKCR\jpegfile\FriendlyTypeName")
- HKEY_USERS for HKEY_USERS (e.g. "HKEY_USERS\.DEFAULT\Environment\TMP")
Note that an HKCU path is resolved in the hive of the user running the
installation, so a per-user key is only a useful test where that user is the
one expected to run the package; for machine identity use HKLM.
The CLEANUP=YES parameter will remove all items inserted by MSIRestrictRun.
You should always keep an untouched backup copy of your package before running
MSIRestrictRun.
This script automatically NOTs launch conditions so that the logic used by
both script modes (PREVENTLAUNCH and INTERFACEWITHNOCHANGES) matches, and so
that both modes follow the same flow:
If such and such condition is not true, then prevent the package install by
doing this.
Windows Installer only proceeds when every row in the LaunchCondition table
evaluates true, so the test you supply describes the case to block and the
inserted condition is its negation; the ONETIMEPASSKEY example under Clever
Obscurity shows the effect.
Clever Obscurity
If your command line cannot be obscured by compiling an EXE or encoding the
VBScript (which is not very secure anyway), you can be clever with the name of
the property you pass as well as the required value. This also helps where IT
staff may try to work out what is being checked. Remember that this is
obscurity, not a security control: the condition lives in the package's
LaunchCondition table, and anyone who can open the MSI in a table editor can
read the expected value or delete the row.
- For your test value use names like LICENSECODE, ENCRYPTIONCODE, PASSKEY,
ACTIVATIONCODE, AUTHORIZATIONKEY or ONETIMEKEY to give an official sounding air
that makes it less likely to be guessed as something added by IT.
- For the checkvalue use a totally arbitrary string that contains hex-style
numbers such as 0ef628a5e, A6E34FB or 7ED38FF14.
- Then, by using the "Not Contains" (NCT) operator, you can pass a hex
formatted number that is longer than the actual checkvalue. The not contains
operator also allows you to pass many different property values on your
command line, as long as they contain the checkvalue as a substring. You
could even make this an official looking Windows GUID.
For instance, if you configured your package with this command:
cscript msirestrictrun.vbs package=package.msi mode=interfacewithnochanges checktype=property checkname=ONETIMEPASSKEY checktest=NCT checkvalue=A6E34FB
It would work with any of these command lines:
MSIEXEC /i package.msi ONETIMEPASSKEY=3E572AC8A6E34FB
MSIEXEC /i package.msi ONETIMEPASSKEY=3E572AC8A6E34FB83ED2A7C
MSIEXEC /i package.msi ONETIMEPASSKEY={D387287C-F042-4f34-9988-3E3A6E34FBF7} /qn
This approach would also be effective for putting a private property in a
transform to help ensure that central IT transforms are properly configured when
distributed IT departments or personnel are free to configure deployment command
lines.
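The operator table, the NOT rule and the ONETIMEPASSKEY example above can be checked without touching a package. The Python below is an added illustration, not MSIRestrictRun's own code: it builds the launch condition text the way this document describes (the test names the case to block and is then NOTted), then evaluates it against msiexec command lines using the subset of Windows Installer condition syntax that launch conditions use (%NAME for environment variables, >< for "contains", a ~ prefix for case-insensitive comparison, numeric comparison only when both sides are integers). The EQ/NE/GT/GE/LT/LE/CT/NCT to MSI operator mapping, the check type name "envvar", and the exact text the script would emit are this example's assumptions.

```python
import re

# Added illustration, not MSIRestrictRun's own code. Assumed here: the mapping below
# from checktest switches to Windows Installer operators, the check type name "envvar",
# and the rule that checktest names the case to BLOCK, which is then wrapped in NOT.
OPS = {"EQ": "=", "NE": "<>", "GT": ">", "GE": ">=", "LT": "<", "LE": "<=", "CT": "><"}

def build_condition(checktype, checkname, checktest, checkvalue):
    """LaunchCondition text that must evaluate TRUE for setup to proceed. "property"
    reads an installer property, "envvar" an environment variable (%NAME); registry
    values must first be copied into a property by AppSearch/RegLocator."""
    ref = checkname if checktype.lower() == "property" else "%" + checkname
    test = checktest.upper()
    core = f'{ref} {OPS.get(test, OPS["CT"])} "{checkvalue}"'  # NCT shares CT's operator
    blocked = f"NOT ({core})" if test == "NCT" else core       # NCT: "does not contain"
    return f"NOT ({blocked})"

# Subset of Windows Installer condition syntax used by launch conditions.
_TOKEN = re.compile(r'''\s*(?:(?P<paren>[()])|"(?P<str>[^"]*)"
    |(?P<op>~?(?:><|<<|>>|<>|>=|<=|=|>|<))|(?P<num>-?\d+)
    |(?P<id>%?[A-Za-z_][A-Za-z0-9_.]*))''', re.VERBOSE)

def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"cannot parse condition at {text[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        val = m.group(kind)
        toks.append(("kw", val.upper()) if kind == "id" and val.upper() in ("NOT", "AND", "OR")
                    else (kind, val))
    return toks

def compare(op, a, b):
    """~ prefix: case-insensitive. Two integers compare numerically; anything else
    (including an unset property or variable, which reads as "") compares as strings."""
    if op.startswith("~"):
        op, a, b = op[1:], a.lower(), b.lower()
    if re.fullmatch(r"-?\d+", a) and re.fullmatch(r"-?\d+", b):
        a, b = int(a), int(b)
    return {"=": a == b, "<>": a != b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b,
            "><": str(b) in str(a), "<<": str(a).startswith(str(b)),
            ">>": str(a).endswith(str(b))}[op]

class Evaluator:
    """Recursive descent with MSI precedence: comparison, then NOT, then AND, then OR."""
    def __init__(self, condition, props, env):
        self.toks, self.i, self.props, self.env = tokenize(condition), 0, props, env
    def evaluate(self):
        return self._or()
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _or(self):
        left = self._and()
        while self._peek() == ("kw", "OR"):
            self._take()
            left = self._and() or left
        return left
    def _and(self):
        left = self._not()
        while self._peek() == ("kw", "AND"):
            self._take()
            left = self._not() and left
        return left
    def _not(self):
        if self._peek() == ("kw", "NOT"):
            self._take()
            return not self._not()
        return self._comparison()
    def _comparison(self):
        if self._peek() == ("paren", "("):
            self._take()
            inner = self._or()
            if self._take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return inner
        left = self._operand()
        if self._peek()[0] == "op":
            return compare(self._take()[1], left, self._operand())
        return left != ""  # a bare property is TRUE when it has a value
    def _operand(self):
        kind, val = self._take()
        if kind in ("str", "num"):
            return val
        if kind == "id":
            return self.env.get(val[1:], "") if val[0] == "%" else self.props.get(val, "")
        raise ValueError(f"unexpected token {val!r}")

def msiexec_props(cmdline):
    """PROPERTY=value pairs from an msiexec command line (public properties are upper case)."""
    props = {}
    for arg in cmdline.split():
        name, sep, value = arg.partition("=")
        if sep and re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
            props[name] = value.strip('"')
    return props

def would_install(condition, cmdline, env=None):
    # True when Windows Installer would let this command line pass the launch condition.
    return Evaluator(condition, msiexec_props(cmdline), env or {}).evaluate()
```

Running the documented example through build_condition gives NOT (NOT (ONETIMEPASSKEY >< "A6E34FB")); all three command lines above pass, while a bare msiexec /i package.msi, or the same value typed in lower case, is blocked (MSI string comparison is case-sensitive unless the operator carries a ~ prefix). The environment-variable case shows why an unset variable is worth remembering: it reads as an empty string, so a LT check such as %CORPDESKTOP < "5" is true on a machine without the variable and the package is blocked there as well as on old desktop versions.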
Additional Usage Notes
The "CT" (Contains) operator gives exceptional flexibility on the conditions
used to control the launch of your msi package. If you have machines which a
package should not run on and they can be identified by a common substring
retrieved from an environment variable or registry key - you can use this
operator to prevent the package from accidentally running.
The script supports a "does not contain" operator ("NCT") so that you can
check if a property, environment variable or registry key does not contain a
specific value - such as part of your company name.
The UNINSTALL switch can hide the "Remove" button in Add/Remove Programs or
completely remove the package's Add/Remove Programs line item.
MSI allows authors to set a type of "read only" attribute. It is
controlled by the "Security" Summary Information property (not in the Property
table) and described in the SDK under Summary Information. Some MSI editors do
not display this value in their interface. MSIRestrictRun honors this setting
and will generate an error when it encounters this attribute. However, it
also allows you to override this behavior and make the needed changes
anyway: use the argument "ignoremsireadonly=yes". It is best to leave this
argument off and turn it on only after discovering that a database has the
attribute set.
If you wish to learn how to insert information into MSI packages, the 1.1
version of this script, being a super-simple version, is a better learning
experience. 1.1 does not have any of the features of 1.8. The script is in the
same directory as this documentation and is called msirestrictrun.1.1.txt.
Debugging
The variables controlling the tracing and logging routine can be used to
debug the script. By setting sTraceLevel to 5 (or the constant VERBOSEMSG)
all error and informational messages are activated. msgAction can then be set
to view the error messages. Additional calls to TraceandLog can be inserted in
the code for debugging or for generating appropriate user error messages.
Separate trace levels can be set for the log and for the screen, so that the
same routine can be used for user error messages and verbose log files.
License
MSIRestrictRun is licensed under the GNU General Public License. See "license.txt" or http://www.gnu.org/copyleft/gpl.html
Reporting Problems and Requesting Improvements
If you find bugs in this script or make any improvements, please contact me
at darwin@desktopengineer.com.
About Desktop Engineer's Junk Drawer
The Desktop Engineer's Junk Drawer is a site that finds and organizes useful
tools, books and reference articles for Windows 98, NT and 2000. It is intended
for individuals who are involved in the deployment, automation and management
of these operating systems in corporate enterprise environments.