Hi,
I am having one exe, when we extract this will get 2 folders(eg: A & B folders) and one setup.exe. This root setup.exe is launching "B" folder setup.exe and this "B" folder exe is launching "A" folder setup.exe. This is the actual flow.
I don't want to launch "A" folder setup.exe directly by the customer. Need to restrict this either by restrict direct launching or hide this file from the customer.
Is there any suitable option for this?
Thanks in advance
Sari
Suggested Articles
-
sari s nair
- Posts: 5
- Joined: Mon Aug 28, 2017 7:32 am
Re: Restrict direct launching of setup.exe / or make this file hidden
Hello Sari,
1. you can hide the folder, as you have mentioned. Unfortunately, we do not have predefined support for this task, therefore we may need to use a custom action (e.g. a script/executable/dll) to achieve this. As you may know, the folder object from Windows has different attributes assigned to it, one of them being the "hidden" attribute. We can add the hidden attribute to a folder by using the "attrib" command.
For instance, let's consider we have the following folder structure:
As you can see, our folder structure looks like this:
Please note that between "APPDIR" and "NewFolder", there is no backslash character ("\"), as the APPDIR property, at install time, when it resolves, it already ends in a backslash character.
If we want to hide this server, we will need to add a script that will set its hidden attribute. To do so, we will need to schedule the script after the folder is created (as we can not set an attribute for a folder that does not exist). The folders are created during the "Add resources" action group (in "Install Execution Stage" --> "Custom Actions" page).
For example, a PowerShell script which does that could look like this:
In addition to that, few more options have to be checked (as they did not make it in the screenshot):
What happens in the script:
- through the "Parameters" field, we get the value of APPDIR in a variable
- we join the paths
- add the hidden attribute to our folder
This way, the folder will be hidden. However, please keep in mind that the folder can still be viewed if the appropriate option is selected by the user.
2. Another solution would be to simply restrict the user's access to the folder by setting only "Read" permissions for that folder. This can be implemented separately towards the first method or together with it (e.g. if he user has the "Show hidden objects" option enabled, he will still not be able to access the folder)
This can be achieved by going to "Files and Folders" page --> right click on your folder --> "Properties" --> "Permissions" tab --> create a new permission as it follows:
This way, when the user will try to access the folder, he will receive an error, as the folder can only be read:
However, please note that this might interfere with launching the application. For instance, you will need administrative privileges in order to run the setup from your setup.
Hope this helps.
Best regards,
Catalin
I believe there are two ways in which you can achieve this:I don't want to launch "A" folder setup.exe directly by the customer. Need to restrict this either by restrict direct launching or hide this file from the customer.
1. you can hide the folder, as you have mentioned. Unfortunately, we do not have predefined support for this task, therefore we may need to use a custom action (e.g. a script/executable/dll) to achieve this. As you may know, the folder object from Windows has different attributes assigned to it, one of them being the "hidden" attribute. We can add the hidden attribute to a folder by using the "attrib" command.
For instance, let's consider we have the following folder structure:
- folderStructure.png (128.91 KiB) Viewed 2336 times
As you can see, our folder structure looks like this:
Code: Select all
APPDIRNewFolder\ConsoleApp1.exeIf we want to hide this server, we will need to add a script that will set its hidden attribute. To do so, we will need to schedule the script after the folder is created (as we can not set an attribute for a folder that does not exist). The folders are created during the "Add resources" action group (in "Install Execution Stage" --> "Custom Actions" page).
For example, a PowerShell script which does that could look like this:
- script.png (125.3 KiB) Viewed 2336 times
In addition to that, few more options have to be checked (as they did not make it in the screenshot):
- Execution time --> When the system is being modified (deferred)
- Run under the LocalSystem account with full privileges (no impersonation)
- Uncheck "Uninstall" and "Maintenance" options from under "Execution Stage Condition"
What happens in the script:
- through the "Parameters" field, we get the value of APPDIR in a variable
- we join the paths
- add the hidden attribute to our folder
This way, the folder will be hidden. However, please keep in mind that the folder can still be viewed if the appropriate option is selected by the user.
2. Another solution would be to simply restrict the user's access to the folder by setting only "Read" permissions for that folder. This can be implemented separately towards the first method or together with it (e.g. if he user has the "Show hidden objects" option enabled, he will still not be able to access the folder)
This can be achieved by going to "Files and Folders" page --> right click on your folder --> "Properties" --> "Permissions" tab --> create a new permission as it follows:
- Permissions.png (59.21 KiB) Viewed 2336 times
This way, when the user will try to access the folder, he will receive an error, as the folder can only be read:
- error.png (47.59 KiB) Viewed 2336 times
However, please note that this might interfere with launching the application. For instance, you will need administrative privileges in order to run the setup from your setup.
Hope this helps.
Best regards,
Catalin
-
sari s nair
- Posts: 5
- Joined: Mon Aug 28, 2017 7:32 am
Re: Restrict direct launching of setup.exe / or make this file hidden
Thanks a lot Catalin for the detailed explanation.
1.I have done the renaming and hiding of exe file using msbuild script and it worked.
<Move SourceFiles="D:\temp\Driver\setup.exe" DestinationFiles="D:\temp\Driver\karnak.exe" />
<Exec Command="attrib +H D:\temp\Driver\karnak.exe" WorkingDirectory="D:\temp\Appfolder\Driver"></Exec>
But as you mentioned the hidden file can be viewed by the user if he select "show hidden files" option
.
2. Standalone installation blocking also tried by modifying permissions, but that not worked for me.
<Exec Command="icacls 'D:\temp\Driver\setup.exe' /grant User:R"/>
Got the below error for this command
"User: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files
D:\Users\temp\msbuild_test.proj(7,1): error MSB3073: The command "icacls exited with code 1332."
And also i am not sure if it works will affect the actual installation of the setup.exe.
Thanks
Sari
1.I have done the renaming and hiding of exe file using msbuild script and it worked.
<Move SourceFiles="D:\temp\Driver\setup.exe" DestinationFiles="D:\temp\Driver\karnak.exe" />
<Exec Command="attrib +H D:\temp\Driver\karnak.exe" WorkingDirectory="D:\temp\Appfolder\Driver"></Exec>
But as you mentioned the hidden file can be viewed by the user if he select "show hidden files" option
. 2. Standalone installation blocking also tried by modifying permissions, but that not worked for me.
<Exec Command="icacls 'D:\temp\Driver\setup.exe' /grant User:R"/>
Got the below error for this command
"User: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files
D:\Users\temp\msbuild_test.proj(7,1): error MSB3073: The command "icacls exited with code 1332."
And also i am not sure if it works will affect the actual installation of the setup.exe.
Thanks
Sari
Re: Restrict direct launching of setup.exe / or make this file hidden
Hello Sari,
You are always welcome!
However, that is not what we should do here. As this is quite different from our predefined support which I've highlighted above, we will need to have a different approach. Instead of granting a user a permission, we will deny one.
Basically, what we need to do here is to deny the execute permission a user (for instance, I have denied the execute permission for the current user - using the %username% environment variable). Here is the MSBuild code for that:
The project should then be built using a command line as it follows:
If you name the "Target" element otherwise, please change it accordingly.
This way, the read and execute permissions will be denied for your executable. When the current user will try to launch it, the following error will be encountered:
Hope this helps.
Best regards,
Catalin
You are always welcome!
I am glad you got this working.I have done the renaming and hiding of exe file using msbuild script and it worked.
This is happening due to the fact that there is not any account named "User" on your PC (it does not have a SID assigned to it). The appropriate group for that is named "Users".Standalone installation blocking also tried by modifying permissions, but that not worked for me.
However, that is not what we should do here. As this is quite different from our predefined support which I've highlighted above, we will need to have a different approach. Instead of granting a user a permission, we will deny one.
Basically, what we need to do here is to deny the execute permission a user (for instance, I have denied the execute permission for the current user - using the %username% environment variable). Here is the MSBuild code for that:
Code: Select all
<Target Name="SetPermissions">
<Exec Command="icacls C:\Users\Catalin\Desktop\sample.exe /deny %username%:RX"/>
</Target>Code: Select all
msbuild your_project -t:SetPermissionsThis way, the read and execute permissions will be denied for your executable. When the current user will try to launch it, the following error will be encountered:
- error.png (7.43 KiB) Viewed 2316 times
Best regards,
Catalin