Hi Rob, I'm pretty certain it is the installer logging what the custom action is doing. I ran the installer in verbose mode and noticed the password and server parameters were not being displayed in plain text. MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa PASSWORD=********** SERVER=********** Then when my custom action is called it is logging sql connection string in plain text. Begin DatabaseCA Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= mypassword
J On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> wrote: > Is the message showing the password actually being logged by the custom > action itself? > > > On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: > > > Steven, > > > > "Tried adding: HideTarget="yes" that didn't help" Indeed! > > > > I'm even tried to remove logging from the custom action and I still see > the > > password... > > I've even checked MsiHiddenProperties and see that PASSWORD is listed > along > > with CA_DBAction... Not in SecureCustomProperties... I added secure="yes" > > and now it is there.. Execute the installer with logging and it is still > > unsecure in plain text in the log. It must be between the MSI installer > and > > the SQL connection that is being made. Thoughts? > > > > J > > > > > > On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie <steven.ogil...@titus.com > > >wrote: > > > > > I was not using managed code custom actions... > > > > > > I was doing: > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > <CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > > Property="CA_WebAppPoolPassword." > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> > > > Tried adding: HideTarget="yes" that didn't help > > > <InstallExecuteSequence> > > > <Custom Action="CA_WebAppPoolPassword.SetProperty" > > > After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> > > > > > > This property was in a custom dialog: > > > <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" > > > Y="152" Text="Web App Pool user password:" Transparent="yes" > > NoPrefix="yes" > > > /> > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > X="180" > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" /> > > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > Order="9">1</Publish> > > > > > > It was the custom action " CA_WebAppPoolPassword.SetProperty " that was > > > displaying the property in the MSI log file. > > > > > > Took it out and now the password is not being displayed in plain > > letters... > > > > > > Steve > > > > > > > > > -----Original Message----- > > > From: Phil Wilson [mailto:phil.wil...@mvps.org] > > > Sent: May-03-13 2:27 PM > > > To: 'General discussion for Windows Installer XML toolset.' > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log > > > file > > > > > > The way it works in MSI isn't really mysterious. Basically the property > > > name needs to be public (and that means it must be all uppercase). If > WiX > > > does its thing properly then you can open the generated MSI file with > an > > > editor such as Orca, look in the Properties table, and in the Property > > > table there'll be a SecureCustomProperties property and your property > > name > > > will be in that list. > > > > > > This works. If it didn't work then Microsoft would be all over it as a > > > security bug. > > > > > > Generally speaking, people get account passwords from a MSI dialog and > > > store it in a property such as MYPASSWORD, and then pass it to a custom > > > action that uses it. > > > > > > However, you're using managed code custom actions, and it seems from > the > > > log that the (DTF?) code just does its own logging into the MSI log > > without > > > caring whether there's a password in there. So it may be a DTF thing, > not > > > sure, and if it is then HideTarget etc won't help at all. The short > > answer > > > is that if the DTF code is logging a connection string that typically > > > contains a password, then it probably shouldn't. > > > > > > Phil > > > > > > -----Original Message----- > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > Sent: Thursday, May 02, 2013 4:17 PM > > > To: General discussion for Windows Installer XML toolset. > > > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log > > > file > > > > > > Hi Steve, > > > > > > My requirements are strictly to use command line. Crazy? Maybe. I have > to > > > say I have seen this topic all over blogs. Seems like there is always a > > > way, you just have to figure out how.... > > > > > > > > > On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie > > > <steven.ogil...@titus.com>wrote: > > > > > > > Hmm... I commented out my custom action that sets the property: > > > > <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" > > HideTarget="yes" > > > > Property="CA_WebAppPoolPassword." > > > > Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> > > > > > > > > And ran the install, everything worked and my Web App Pool + Web site > > > > launched without errors (would have failed if I didn't have a > password > > > > for the Web App Pool) > > > > > > > > However I do publish the property during the UI: > > > > <Publish Property="WEBAPPPOOL_PASSWORD" Value="[WEBAPPPOOL_PASSWORD]" > > > > Order="9">1</Publish> (my web site info dialog page during install) > > > > > > > > I checked my MSI log file and there wasn't any viewable strings for > > > > the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD property. Its > > > > value is '**********' > > > > > > > > Publish your password within the UI area and see if that works... > > > > (also commenting out your custom action to set the property > > > > > > > > Steve > > > > > > > > -----Original Message----- > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > Sent: May-02-13 6:29 PM > > > > To: General discussion for Windows Installer XML toolset. > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > Sure thing... > > > > > > > > Action start 17:26:56: CA_DBAction. > > > > Action ended 17:26:56: CA_DBAction. Return value 1. > > > > Action start 17:26:56: InstallFinalize. > > > > SFXCA: Extracting custom action to temporary directory: > > > > C:\WINDOWS\Installer\MSI1045.tmp-\ > > > > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > > > > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > > > Begin DatabaseCA > > > > Connecton String: Data Source=source;Packet > > > > Size=4096;Uid=sqluser;Pwd=mypassword > > > > > > > > I as well have a custom action and HideTarget does nothing. > > > > > > > > > > > > On Thu, May 2, 2013 at 4:53 PM, Chad Petersen > > > > <chad.peter...@harlandfs.com>wrote: > > > > > > > > > If possible paste in a snippet of your log file around where the > > > > > password is seen. I tried for a long time to hide passwords using > > > > > the > > > > same method. > > > > > But it was some built-in custom actions that were logging my > > > > > passwords rather than code I'd written myself. > > > > > > > > > > <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property > > > > > Id="ExecuteSqlStrings" Hidden="yes"/> > > > > > > > > > > These were two entries that I made to make those extensions hide > the > > > > > data passed to them, such as my password. > > > > > > > > > > -----Original Message----- > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > Sent: Thursday, May 02, 2013 2:38 PM > > > > > To: General discussion for Windows Installer XML toolset. > > > > > Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > > > I have tried that and no luck. My MSI is installed via command > line. > > > > > > > > > > I've even tried to give the property Id a value in case I missed > > > > > something and still doesn't work. > > > > > > > > > > <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" > > > > > /> > > > > > > > > > > My test system is running Server 2003 R2 SP 2 windows installer > > > > > version > > > > > 4.5 6001.22159 > > > > > > > > > > I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I have > > > > > found in hundreds of blogs online but every time I see that a fix > > > > > was submitted, I can't tell what version it was submitted in. > (sorry > > > > > for the run on > > > > > sentence.) > > > > > > > > > > J > > > > > > > > > > > > > > > On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie > > > > > <steven.ogil...@titus.com > > > > > >wrote: > > > > > > > > > > > I declare the property: > > > > > > <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> > > > > > > This is how I use my password controls: > > > > > > <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" > > > > X="180" > > > > > > Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" > TabSkip="no" > > > > > > /> > > > > > > > > > > > > Logfile: > > > > > > MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding > > > > > > WEBAPPPOOL_PASSWORD property. Its value is '**********' > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Jeremiahf [mailto:jeremi...@gmail.com] > > > > > > Sent: May-02-13 5:08 PM > > > > > > To: wix-users@lists.sourceforge.net > > > > > > Subject: [WiX-users] Hide/blank out Passwords in MSI log file > > > > > > > > > > > > Has anyone had luck with this? > > > > > > > > > > > > > > > > > > > > > > > > I have tried using Hidden, HideTarget and I still see the > > > > > > password in my logs. Is this still a bug in windows installer? > > > > > > > > > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > > Download for free and get started troubleshooting in minutes. > > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > > _______________________________________________ > > > > > > WiX-users mailing list > > > > > > WiX-users@lists.sourceforge.net > > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > "They may forget what you said but they will never forget how you > > > > > made them feel." -- Anonymous > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > -- > > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > > > > > Lite It's a free troubleshooting tool designed for production Get > > > > > down to code-level detail for bottlenecks, with <2% overhead. > > > > > Download for free and get started troubleshooting in minutes. > > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > > _______________________________________________ > > > > > WiX-users mailing list > > > > > WiX-users@lists.sourceforge.net > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > > > > -- > > > > "They may forget what you said but they will never forget how you > made > > > > them feel." -- Anonymous > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get down to > > > > code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > -------- Get 100% visibility into Java/.NET code with AppDynamics > Lite > > > > It's a free troubleshooting tool designed for production Get down to > > > > code-level detail for bottlenecks, with <2% overhead. > > > > Download for free and get started troubleshooting in minutes. > > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > > _______________________________________________ > > > > WiX-users mailing list > > > > WiX-users@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > -- > > > > > > > > > ---------------------------------------------------------------------------- > > > -- > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > free > > > troubleshooting tool designed for production Get down to code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > Get 100% visibility into Java/.NET code with AppDynamics Lite It's a > free > > > troubleshooting tool designed for production Get down to code-level > > detail > > > for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > Get 100% visibility into Java/.NET code with AppDynamics Lite > > > It's a free troubleshooting tool designed for production > > > Get down to code-level detail for bottlenecks, with <2% overhead. > > > Download for free and get started troubleshooting in minutes. > > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > > _______________________________________________ > > > WiX-users mailing list > > > WiX-users@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > > > > > > -- > > "They may forget what you said but they will never forget how you made > them > > feel." -- Anonymous > > > > > ------------------------------------------------------------------------------ > > Get 100% visibility into Java/.NET code with AppDynamics Lite > > It's a free troubleshooting tool designed for production > > Get down to code-level detail for bottlenecks, with <2% overhead. > > Download for free and get started troubleshooting in minutes. > > http://p.sf.net/sfu/appdyn_d2d_ap2 > > _______________________________________________ > > WiX-users mailing list > > WiX-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > -- "They may forget what you said but they will never forget how you made them feel." -- Anonymous ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
