Steven, "Tried adding: HideTarget="yes" that didn't help" Indeed!
I'm even tried to remove logging from the custom action and I still see the password... I've even checked MsiHiddenProperties and see that PASSWORD is listed along with CA_DBAction... Not in SecureCustomProperties... I added secure="yes" and now it is there.. Execute the installer with logging and it is still unsecure in plain text in the log. It must be between the MSI installer and the SQL connection that is being made. Thoughts? J On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie <steven.ogil...@titus.com>wrote: > I was not using managed code custom actions... > > I was doing: > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > Property="CA_WebAppPoolPassword." > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > Tried adding: HideTarget="yes" that didn't help > <InstallExecuteSequence> > <Custom Action="CA_WebAppPoolPassword.SetProperty" > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > This property was in a custom dialog: > <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" > Y="152" Text="Web App Pool user password:" Transparent="yes" NoPrefix="yes" > /> > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" X="180" > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" /> > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > Order="9">1</Publish> > > It was the custom action " CA_WebAppPoolPassword.SetProperty " that was > displaying the property in the MSI log file. > > Took it out and now the password is not being displayed in plain letters... > > Steve > > > -----Original Message----- > From: Phil Wilson [mailto:phil.wil...@mvps.org] > Sent: May-03-13 2:27 PM > To: 'General discussion for Windows Installer XML toolset.' > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log > file > > The way it works in MSI isn't really mysterious. Basically the property > name needs to be public (and that means it must be all uppercase). If WiX > does its thing properly then you can open the generated MSI file with an > editor such as Orca, look in the Properties table, and in the Property > table there'll be a SecureCustomProperties property and your property name > will be in that list. > > This works. If it didn't work then Microsoft would be all over it as a > security bug. > > Generally speaking, people get account passwords from a MSI dialog and > store it in a property such as MYPASSWORD, and then pass it to a custom > action that uses it. > > However, you're using managed code custom actions, and it seems from the > log that the (DTF?) code just does its own logging into the MSI log without > caring whether there's a password in there. So it may be a DTF thing, not > sure, and if it is then HideTarget etc won't help at all. The short answer > is that if the DTF code is logging a connection string that typically > contains a password, then it probably shouldn't. > > Phil > > -----Original Message----- > From: Jeremiahf [mailto:jeremi...@gmail.com] > Sent: Thursday, May 02, 2013 4:17 PM > To: General discussion for Windows Installer XML toolset. > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log > file > > Hi Steve, > > My requirements are strictly to use command line. Crazy? Maybe. I have to > say I have seen this topic all over blogs. Seems like there is always a > way, you just have to figure out how.... > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > <steven.ogil...@titus.com>wrote: > > > Hmm... I commented out my custom action that sets the property: > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" HideTarget="yes" > > Property="CA_WebAppPoolPassword." > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > And ran the install, everything worked and my Web App Pool + Web site > > launched without errors (would have failed if I didn't have a password > > for the Web App Pool) > > > > However I do publish the property during the UI: > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > Order="9">1</Publish> (my web site info dialog page during install) > > > > I checked my MSI log file and there wasn't any viewable strings for > > the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD property. Its > > value is '**********' > > > > Publish your password within the UI area and see if that works... > > (also commenting out your custom action to set the property > > > > Steve > > > > -----Original Message----- > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > Sent: May-02-13 6:29 PM > > To: General discussion for Windows Installer XML toolset. > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > Sure thing... > > > > Action start 17:26:56: CA_DBAction. > > Action ended 17:26:56: CA_DBAction. Return value 1. > > Action start 17:26:56: InstallFinalize. > > SFXCA: Extracting custom action to temporary directory: > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > Begin DatabaseCA > > Connecton String: Data Source=source;Packet > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > I as well have a custom action and HideTarget does nothing. > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > <chad.peter...@harlandfs.com>wrote: > > > > > If possible paste in a snippet of your log file around where the > > > password is seen. I tried for a long time to hide passwords using > > > the > > same method. > > > But it was some built-in custom actions that were logging my > > > passwords rather than code I'd written myself. > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > These were two entries that I made to make those extensions hide the > > > data passed to them, such as my password. > > > > > > -----Original Message----- > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > Sent: Thursday, May 02, 2013 2:38 PM > > > To: General discussion for Windows Installer XML toolset. > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > I have tried that and no luck. My MSI is installed via command line. > > > > > > I've even tried to give the property Id a value in case I missed > > > something and still doesn't work. > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" > > > /> > > > > > > My test system is running Server 2003 R2 SP 2 windows installer > > > version > > > 4.5 6001.22159 > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I have > > > found in hundreds of blogs online but every time I see that a fix > > > was submitted, I can't tell what version it was submitted in. (sorry > > > for the run on > > > sentence.) > > > > > > J > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > <steven.ogil...@titus.com > > > >wrote: > > > > > > > I declare the property: > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > This is how I use my password controls: > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > X="180" > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" > > > > /> > > > > > > > > Logfile: > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: May-02-13 5:08 PM > > > > To: wix-users@lists.sourceforge.net > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > ------------------------------------------------------------------ > > > > -- > > > > -- > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > Lite It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > ------------------------------------------------------------------ > > > > -- > > > > -- > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > Lite It's a free troubleshooting tool designed for production Get > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > "They may forget what you said but they will never forget how you > > > made them feel." -- Anonymous > > > > > > -------------------------------------------------------------------- > > > -- > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > Lite It's a free troubleshooting tool designed for production Get > > > down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > -- > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > Lite It's a free troubleshooting tool designed for production Get > > > down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > -- > > "They may forget what you said but they will never forget how you made > > them feel." -- Anonymous > > > > ---------------------------------------------------------------------- > > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > > It's a free troubleshooting tool designed for production Get down to > > code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > ---------------------------------------------------------------------- > > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > > It's a free troubleshooting tool designed for production Get down to > > code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > -- > > ---------------------------------------------------------------------------- > -- > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free > troubleshooting tool designed for production Get down to code-level detail > for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free > troubleshooting tool designed for production Get down to code-level detail > for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
