/build/static/layout/Breadcrumb_cap_w.png

self-heal in a terminal server environment

I am packaging an application on a Windows Server Standard Edition 2003 SP1 load. Users connect to the server via Citrix. Since the server has several applications installed, all users do not have access to all the application - in fact our servers are set so that users do not even have Read Access to application folders if they are not in the appropriate groups - very locked down.

Our MSI packages have un-advertised shortcuts and un-advertised features. We do have keypaths for our components though.

My issue is this - On testing with a regular non-privileged ID, when I launch Application A, Application B self-heals. On checking the Event log, I can see that it is trying to find a file in the Application B folder under program files - that file exists, but with my ID, I do not have access to that file. I do not need access to that folder. It is looking for a random .ico file. The 2 applications have not files in common - only a few merge modules that are identical and getting installed to the system32 folder.

What would cause App B to self-heal. App A works fine though inspite of the self-heal.

0 Comments   [ + ] Show comments

Answers (12)

Posted by: AngelD 17 years ago
Red Belt
0
Hi meenasm,

could you please post the repair log, if too long chop it off.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
Detection of product '{B01A9330-7F6A-4231-A056-735539E04E0E}', feature 'PeepNewFeature' failed during request for component '{B45E23EE-B235-4D88-BA0E-8A839EE04F16}'

I verified that the {B45E23EE-B235-4D88-BA0E-8A839EE04F16} component exists only in Peep (which self-heals when I use the reporting feature in my application – Accutrac). It is the msxml 4.0 component (from the xml 4.0 merge module) – this component does not exist in the Accutrac MSI though.

Detection of product '{B01A9330-7F6A-4231-A056-735539E04E0E}', feature 'PeepNewFeature', component '{E318B6A4-3C3B-4E7D-8FA1-02410AC4C367}' failed. The resource 'C:\Program Files\PEEP.30\Peep\Merak.ico' does not exist.

The 'C:\Program Files\PEEP.30\Peep\Merak.ico' file does exist, but the user cannot see it since this user does not have even read access to C:\Program Files\Peep.30 folder.

When I run filemon, all I can see is Access Denied for the above file.

Here are a couple of portions of the log file for the repair:
MSI (s) (D4:C4) [13:11:08:351]: APPCOMPAT: unable to initialize database.
MSI (s) (D4:C4) [13:11:08:351]: Transforms are not secure.
MSI (s) (D4:C4) [13:11:08:351]: Transforming table Property.
MSI (s) (D4:C4) [13:11:08:351]: Command Line: REINSTALL=PeepNewFeature REINSTALLMODE=pocmus CURRENTDIRECTORY=C:\Program Files\AccutracXE.116 CLIENTUILEVEL=2 CLIENTPROCESSID=2056
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{B83B9632-0584-4CC3-9D3E-45CD4F77CE80}'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding TRANSFORMS property. Its value is 'C:\WINDOWS\Installer\{B01A9330-7F6A-4231-A056-735539E04E0E}\Peep.mst'.
MSI (s) (D4:C4) [13:11:08:351]: Product Code passed to Engine.Initialize: '{B01A9330-7F6A-4231-A056-735539E04E0E}'
MSI (s) (D4:C4) [13:11:08:351]: Product Code from property table before transforms: '{B01A9330-7F6A-4231-A056-735539E04E0E}'
MSI (s) (D4:C4) [13:11:08:351]: Product Code from property table after transforms: '{B01A9330-7F6A-4231-A056-735539E04E0E}'
MSI (s) (D4:C4) [13:11:08:351]: Product registered: entering maintenance mode
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
MSI (s) (D4:C4) [13:11:08:351]: Package name retrieved from configuration data: 'Peep.msi'
MSI (s) (D4:C4) [13:11:08:351]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
MSI (s) (D4:C4) [13:11:08:351]: Note: 1: 2729
MSI (s) (D4:C4) [13:11:08:351]: Note: 1: 2729
MSI (s) (D4:C4) [13:11:08:351]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Modifying ALLUSERS property. Its current value is '2'. Its new value: '1'.
MSI (s) (D4:C4) [13:11:08:351]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (D4:C4) [13:11:08:351]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (D4:C4) [13:11:08:351]: Product {B01A9330-7F6A-4231-A056-735539E04E0E} is admin assigned: LocalSystem owns the publish key.
MSI (s) (D4:C4) [13:11:08:351]: Product {B01A9330-7F6A-4231-A056-735539E04E0E} is managed.
MSI (s) (D4:C4) [13:11:08:351]: Running product '{B01A9330-7F6A-4231-A056-735539E04E0E}' with elevated privileges: Product is assigned.
MSI (s) (D4:C4) [13:11:08:351]: Machine policy value 'EnableUserControl' is 0
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding RestrictedUserControl property. Its value is '1'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding REINSTALL property. Its value is 'PeepNewFeature'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding REINSTALLMODE property. Its value is 'pocmus'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Program Files\AccutracXE.116'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '2'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '2056'.
MSI (s) (D4:C4) [13:11:08:351]: TRANSFORMS property is now: C:\WINDOWS\Installer\{B01A9330-7F6A-4231-A056-735539E04E0E}\Peep.mst
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
MSI (s) (D4:C4) [13:11:08:351]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'[hr]

MSI (s) (D4:C4) [13:11:08:460]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (D4:C4) [13:11:08:460]: Running install from non-console Terminal Server session.
MSI (s) (D4:C4) [13:11:08:460]: Rejecting attempt to install from non-console Terminal Server Session
MSI (s) (D4:C4) [13:11:08:476]: Note: 1: 1729
MSI (s) (D4:C4) [13:11:08:476]: Note: 1: 2729
MSI (s) (D4:C4) [13:11:08:476]: Note: 1: 2729
MSI (s) (D4:C4) [13:11:08:476]: Product: Peep 3.0 -- Configuration failed.


MSI (s) (D4:C4) [13:11:08:491]: Attempting to delete file C:\WINDOWS\Installer\35054d.mst
MSI (s) (D4:C4) [13:11:08:507]: MainEngineThread is returning 1640
Info 1640.Only administrators have permission to add, remove, or configure server software during a Terminal services remote session. If you want to install or configure software on the server, contact your network administrator.
C:\WINDOWS\Installer\a3db1.msi
MSI (c) (08:F4) [13:11:08:507]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (08:F4) [13:11:08:507]: MainEngineThread is returning 1640
Posted by: AngelD 17 years ago
Red Belt
0
This seems kinda fishy

According to the log:
The log states that it's reparing the package with the ProductCode {B83B9632-0584-4CC3-9D3E-45CD4F77CE80}, which I assume is the product code for the Accutrac application. The transform that is applied during the self-healing is pointed to 'C:\WINDOWS\Installer\{B01A9330-7F6A-4231-A056-735539E04E0E}\Peep.mst'. The {B01A9330-7F6A-4231-A056-735539E04E0E} (GUID) folder under C:\WINDOWS\Installer\ directory where the transform is located seems to be the product code for the Peep application.

I can't really follow why the Peep transform is applied to the Accutrac package.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
That is not the Product Code for Accutrac - it is the package code for Peep - {B83B9632-0584-4CC3-9D3E-45CD4F77CE80}. Product code for Peep is {B01A9330-7F6A-4231-A056-735539E04E0E}. It seems to be Peep all the way....

In addition, we also identified that if I give at least the bare minimum Read permissions to 'C:\Program Files\PEEP.30 folder - self-heal does not happen at all. What I cannot understand is why would Accutrac even look at Peep and why does it want to look only when it has No Access to the Peep.30 folder. In case of Read permissions, the Application Log is clear.
Posted by: AngelD 17 years ago
Red Belt
0
Hi meenasm,

sorry for the late delay.
What packaging tool are you using?
Wise Package Studio has a conflict manager where you can determine what files/registry that is included in both of your packages. InstallShield may have the same but as I don't use that I'm not sure. This could provide you with the information you need to pindown the issue you have.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
We ran conflict manager on the two applications - and the only common files between the two packages were a few merge modules. In the mean time, I also found this post on appdeploy: http://itninja.com/question/what-is-your-primary-method-of-deploying-software-with-group-policy?3390&mpage=1&key=citrix%2Clist䣁

The self-heal disappears with just List permissions. We are trying to see if this will be allowed in our environment.

In addition, we are trying to remove advertising for COM components - but we are now having this issue with a few other applications as well... so repackaging and testing all of them might be more trouble as well.
Posted by: kkaminsk 17 years ago
9th Degree Black Belt
0
The site I am at is removing COM advertising from their Citrix MSIs due to the ammount of damage being done by random self heals. Eventually they will be on Softricity which should completely eliminate that sort of nonsense.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
How are you removing COM advertising for merge modules though? What do you do for vendor MSIs - if you remove COM advertising from the transform eventually you are going to end up with a .MST that doesn not resemble the original MSI at all.

And are you using the self-reg option instead? We don't have that option either. So do I start capturing everything and make sure that they get into the registry table?
Posted by: AngelD 17 years ago
Red Belt
0
It's preferred not to use self-reg but instead extension, verb, typelib, progid... but in your case I would use an MST and add the COM info to the Registry table.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
It would have to be a combination of the Class, Typelib, extension, ProgID and verb tables right? Are there other tables that I need to consider too - maybe MIME and AppId as well?

How do I consolidate all this information and add it into the registry table?
Posted by: AngelD 17 years ago
Red Belt
0
Either find out which com/activex component it is and do a capture when you register this/these. Or capture the whole installation and make sure not to use advertesing info but retain the registry as is. Dunno if you can do this with installshield as I do not use that but with Wise Package Studio or Wise For Windows Installer this is possible. You really need to know what files/registry the com component(s) are connected with and filter out the files/registry part of it.
Posted by: meenasm 17 years ago
Senior Yellow Belt
0
I am back with this issue. Here is what I have identified:
When App A is installed and launched, App B self-heals. User using App A does not have access to App B's folder. App A and App B have zero conflicts with each other.
1. Applying the bare minimum List permissions to App B's folder solves the problem. But to implement this throughout our environment is something that our Terminal Server team is not comfortable with.
2. On checking the eventlog, App B was self-healing on two components - comdlg32.ocx and comctl32.ocx On adding these to App A self-heal of App B stopped.

It seems that App A wants to use the two files but because it did not install it, App B self-heals? - I am only looking for an explanation for this???
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ