Your right Phil, it is a custom action that is creating the connection string, as per the log below, luckily our connection string is encrypted... For me, I took out the custom action to set the property and that solved my issue... (I am using a Publish element in the dialog the sets the property for Web App Pool password..
Sorry J, I don't think you will be able to get rid of it... -----Original Message----- From: Phil Wilson [mailto:phil.wil...@mvps.org] Sent: May-03-13 7:20 PM To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file I'm repeating myself to attempt to make this clear. This appears to be the part of the log that you are worried about: ===================================================== SFXCA: Extracting custom action to temporary directory: C:\WINDOWS\Installer\MSI1045.tmp-\ SFXCA: Binding to CLR version v2.0.50727 Calling custom action DatabaseCA!DatabaseCA.CustomActions.DatabaseCA Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd=mypassword ====================== This is NOT coming from Windows Installer. The SFXCA (which I believe is DTF) custom action is logging the connection string that contains the password. Any discussion of HideTarget is irrelevant as this is not Windows Installer logging data, it is the custom action code. Phil -----Original Message----- From: Jeremiahf [mailto:jeremi...@gmail.com] Sent: Friday, May 03, 2013 3:54 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file Steven, "Tried adding: HideTarget="yes" that didn't help" Indeed! I'm even tried to remove logging from the custom action and I still see the password... I've even checked MsiHiddenProperties and see that PASSWORD is listed along with CA_DBAction... Not in SecureCustomProperties... I added secure="yes" and now it is there.. Execute the installer with logging and it is still unsecure in plain text in the log. It must be between the MSI installer and the SQL connection that is being made. Thoughts? J On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie <steven.ogil...@titus.com>wrote: > I was not using managed code custom actions... > > I was doing: > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > Property="CA_WebAppPoolPassword." > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > Tried adding: HideTarget="yes" that didn't help > <InstallExecuteSequence> > <Custom Action="CA_WebAppPoolPassword.SetProperty" > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > This property was in a custom dialog: > <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" > Y="152" Text="Web App Pool user password:" Transparent="yes" NoPrefix="yes" > /> > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" X="180" > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" /> > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > Order="9">1</Publish> > > It was the custom action " CA_WebAppPoolPassword.SetProperty " that > was displaying the property in the MSI log file. > > Took it out and now the password is not being displayed in plain letters... > > Steve > > > -----Original Message----- > From: Phil Wilson [mailto:phil.wil...@mvps.org] > Sent: May-03-13 2:27 PM > To: 'General discussion for Windows Installer XML toolset.' > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI > log file > > The way it works in MSI isn't really mysterious. Basically the > property name needs to be public (and that means it must be all > uppercase). If WiX does its thing properly then you can open the > generated MSI file with an editor such as Orca, look in the Properties > table, and in the Property table there'll be a SecureCustomProperties > property and your property name will be in that list. > > This works. If it didn't work then Microsoft would be all over it as a > security bug. > > Generally speaking, people get account passwords from a MSI dialog and > store it in a property such as MYPASSWORD, and then pass it to a > custom action that uses it. > > However, you're using managed code custom actions, and it seems from > the log that the (DTF?) code just does its own logging into the MSI > log without caring whether there's a password in there. So it may be a > DTF thing, not sure, and if it is then HideTarget etc won't help at > all. The short answer is that if the DTF code is logging a connection > string that typically contains a password, then it probably shouldn't. > > Phil > > -----Original Message----- > From: Jeremiahf [mailto:jeremi...@gmail.com] > Sent: Thursday, May 02, 2013 4:17 PM > To: General discussion for Windows Installer XML toolset. > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI > log file > > Hi Steve, > > My requirements are strictly to use command line. Crazy? Maybe. I have > to say I have seen this topic all over blogs. Seems like there is > always a way, you just have to figure out how.... > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > <steven.ogil...@titus.com>wrote: > > > Hmm... I commented out my custom action that sets the property: > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" HideTarget="yes" > > Property="CA_WebAppPoolPassword." > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > And ran the install, everything worked and my Web App Pool + Web > > site launched without errors (would have failed if I didn't have a > > password for the Web App Pool) > > > > However I do publish the property during the UI: > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > Order="9">1</Publish> (my web site info dialog page during install) > > > > I checked my MSI log file and there wasn't any viewable strings for > > the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD property. > > Its value is '**********' > > > > Publish your password within the UI area and see if that works... > > (also commenting out your custom action to set the property > > > > Steve > > > > -----Original Message----- > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > Sent: May-02-13 6:29 PM > > To: General discussion for Windows Installer XML toolset. > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > Sure thing... > > > > Action start 17:26:56: CA_DBAction. > > Action ended 17:26:56: CA_DBAction. Return value 1. > > Action start 17:26:56: InstallFinalize. > > SFXCA: Extracting custom action to temporary directory: > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > Begin DatabaseCA > > Connecton String: Data Source=source;Packet > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > I as well have a custom action and HideTarget does nothing. > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > <chad.peter...@harlandfs.com>wrote: > > > > > If possible paste in a snippet of your log file around where the > > > password is seen. I tried for a long time to hide passwords using > > > the > > same method. > > > But it was some built-in custom actions that were logging my > > > passwords rather than code I'd written myself. > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > These were two entries that I made to make those extensions hide > > > the data passed to them, such as my password. > > > > > > -----Original Message----- > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > Sent: Thursday, May 02, 2013 2:38 PM > > > To: General discussion for Windows Installer XML toolset. > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > I have tried that and no luck. My MSI is installed via command line. > > > > > > I've even tried to give the property Id a value in case I missed > > > something and still doesn't work. > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" > > > /> > > > > > > My test system is running Server 2003 R2 SP 2 windows installer > > > version > > > 4.5 6001.22159 > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I have > > > found in hundreds of blogs online but every time I see that a fix > > > was submitted, I can't tell what version it was submitted in. > > > (sorry for the run on > > > sentence.) > > > > > > J > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > <steven.ogil...@titus.com > > > >wrote: > > > > > > > I declare the property: > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > This is how I use my password controls: > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > X="180" > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" > > > > /> > > > > > > > > Logfile: > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: May-02-13 5:08 PM > > > > To: wix-users@lists.sourceforge.net > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > ---------------------------------------------------------------- > > > > -- > > > > -- > > > > -- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > production Get down to code-level detail for bottlenecks, with > > > > <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > ---------------------------------------------------------------- > > > > -- > > > > -- > > > > -- > > > > -------- Get 100% visibility into Java/.NET code with > > > > AppDynamics Lite It's a free troubleshooting tool designed for > > > > production Get down to code-level detail for bottlenecks, with > > > > <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > "They may forget what you said but they will never forget how you > > > made them feel." -- Anonymous > > > > > > ------------------------------------------------------------------ > > > -- > > > -- > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > Lite It's a free troubleshooting tool designed for production Get > > > down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > -- > > > -- > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > Lite It's a free troubleshooting tool designed for production Get > > > down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > -- > > "They may forget what you said but they will never forget how you > > made them feel." -- Anonymous > > > > -------------------------------------------------------------------- > > -- > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > Lite It's a free troubleshooting tool designed for production Get > > down to code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > -------------------------------------------------------------------- > > -- > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > Lite It's a free troubleshooting tool designed for production Get > > down to code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > -- > > ---------------------------------------------------------------------- > ------ > -- > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > free troubleshooting tool designed for production Get down to > code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > ---------------------------------------------------------------------- > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production Get down to > code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > > ---------------------------------------------------------------------- > -------- Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production Get down to > code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ---------------------------------------------------------------------------- -- Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
