Thursday, January 31, 2013

PE Boot PROTECTION Machine Policies (Windows)


http://msdn.microsoft.com/en-us/library/windows/desktop/aa372395(v=vs.85).aspx

Machine Policies (Windows)

User Policies (Windows)

The following user policies can be configured under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer.

AlwaysInstallElevated (REG_DWORD)
If this value is set to "1" and the corresponding computer value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for nonmanaged applications.

DisableMedia (REG_DWORD)
If the DisableMedia policy is set to "1", users and administrators running a maintenance installation of one product are prevented from using the Browse Dialog to browse media sources, such as CD-ROM, for the sources of other installable products. Browsing for other products is prevented regardless of whether the installation is with elevated privileges. It is still possible for the user to reinstall the product from media if the user has a correctly labeled media source.

DisableRollback (REG_DWORD)
If this value is set to "1", the installer will not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised not to use this policy unless it is absolutely essential.

SearchOrder (REG_SZ)
Order in which the installer searches the three different types of sources:
"n" – network
"m" – media (CD-ROM or DVD)
"u" – URL (Uniform Resource Locator)
For example, a value of "nmu" instructs the installer to search network sources first, media sources second, and URL sources last. Leaving out a letter removes the corresponding volume type from the search. The default order in the absence of this value is network first, then media, followed by URL.

TransformsAtSource (REG_DWORD)
If this value exists and is set to "1", the installer searches for transform files in the root of any network sources in the sourcelist for the product. By default, transforms are stored in the Application Data folder of a user's profile.


Machine Policies (Windows)


The following machine policies can be configured under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.

AlwaysInstallElevated (REG_DWORD)
If this policy value is set to 1 and the corresponding user value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for unmanaged applications.

AllowLockdownBrowse (REG_DWORD)
If this policy value is set to 1, non-administrative users can browse for new sources while running an installation at elevated privileges. The default is that only administrators can browse for sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.

AllowLockdownMedia (REG_DWORD)
If this policy value is set to 1, non-administrative users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. The default is that only administrators can use media sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.

AllowLockdownPatch (REG_DWORD)
If this per-machine system policy value is not set, only administrators can patch existing products that were installed at elevated privileges. If this policy value is set to 1, non-administrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges; the patch cannot install major upgrades. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.

Debug (REG_DWORD)
If this policy value exists and is set to 1, the installer writes common debugging messages to the debugger using the OutputDebugString function. If this value exists and is set to 2, the installer writes all valid debugging messages to the debugger using the OutputDebugString function. This policy is for debugging purposes only and may not be supported in future versions of Windows Installer.

DisableAutomaticApplicationShutdown (REG_DWORD)
If this policy value exists and is set to 1, Windows Installer does not interact with Restart Manager but will use the FilesInUse Dialog functionality. Windows Installer 3.1 and earlier: Not supported.

DisableBrowse (REG_DWORD)
If this policy value exists and is set to 1, users are prevented from browsing to locate installer sources. The "Use feature from" combo box for direct input is locked and the Browse button is disabled. For more information about source browsing, see Source Resiliency.

DisableFlyWeightPatching (REG_DWORD)
If this per-machine system policy value is set to 1, all Patch Optimization options are turned off during the installation. Windows Installer 2.0: Not supported.

DisableLUAPatching (REG_DWORD)
If this per-machine system policy value is set to 1, the installer prevents non-administrators from using least-privileged account (LUA) patching for any application installed on the computer. When this value is not set or is 0, non-administrators can apply LUA patches to LUA-enabled applications.

DisableMSI (REG_DWORD)
If this policy value is set to 0, is absent, or is any number other than 1 or 2, the effect on Windows Installer depends on the operating system. On Windows Server 2003, Windows Installer is enabled for managed applications and disabled for unmanaged application installs. On Windows XP, Windows Installer is enabled for all applications.
If this policy value is set to 0, Windows Installer is enabled for all applications. All install operations are allowed.
If this policy value is set to 1, Windows Installer is disabled for unmanaged applications but is still enabled for managed applications. Non-elevated per-user installations are blocked. Per-user elevated and per-machine installs are allowed.
If this policy value is set to 2, Windows Installer is always disabled for all applications. No installs are allowed, including repairs, reinstalls, or on-demand installations.

DisablePatch (REG_DWORD)
If this policy value is set to 1, the installer does not apply patches. This policy can be used to provide security in environments where patching must be restricted.

DisablePatchUninstall (REG_DWORD)
If this policy value is set to 1, patches cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove patches that are no longer applicable to a product. Windows Installer 2.0: Not supported.

DisableRollback (REG_DWORD)
If this policy value is set to 1, the installer does not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised not to use this policy unless it is absolutely essential.

DisableSharedComponent (REG_DWORD)
If this per-machine system policy is set to 1, no package on the system gets the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component table.

DisableUserInstalls (REG_DWORD)
If this policy value is not set, the installer searches the registry for products in the following order: managed products that are registered as per-user, unmanaged products that are registered as per-user, and finally products that are registered as per-machine. If this policy value is set to 1, the installer ignores all products that are registered as per-user and only searches for products that are registered as per-machine. An attempt to perform a per-user installation causes the installer to display an error message and stops the installation.

EnforceUpgradeComponentRules (REG_DWORD)
Set this policy value to 1 to apply upgrade component rules during small updates and minor upgrades of all products on the computer. Windows Installer 2.0: Not supported.

EnableAdminTSRemote (REG_DWORD)
Setting this policy enables administrators to perform installations from a client session of a server running the Terminal Server role service.

EnableUserControl (REG_DWORD)
If this policy value is set to 1, the installer can pass all public properties to the server side during a managed installation using elevated privileges. Setting this policy has the same effect as setting the EnableUserControl property.

LimitSystemRestoreCheckpointing (REG_DWORD)
This policy turns off the creation of checkpoints by Windows Installer. If the policy value is set to 0 or absent, Windows Installer does normal checkpointing for install or uninstall. If the policy value is set to 1, Windows Installer creates no checkpoints.

Logging (REG_SZ)
This policy value is used only if logging has not been enabled by the "/L" command-line option or MsiEnableLog. If a policy is set in this case, a log file is created in the temp directory with the random name MSI*.LOG. Specify the logging mode by setting the policy value to a string of characters. Use the same characters to specify the logging mode policy as are used by the "/L" command-line option. For more information, see Command Line Options. Note that you cannot use "+" and "*" for the policy.

MaxPatchCacheSize (REG_DWORD)
If this policy value is set to a value greater than 0, Windows Installer saves old versions of patched files in a cache. Set the value to the maximum percentage of disk space that can be used for the file cache. For example, a value of 15 sets the maximum to 15%. Set to 0 to save no files. When this policy is not set, the default is 10%.

MsiDisableEmbeddedUI (REG_DWORD)
To disable embedded UI handlers on the computer, set this policy value to 1. Windows Installer 4.0 and earlier: Not supported.

SafeForScripting (REG_DWORD)
If this policy value is set to 1, users are not prompted when scripts use installer automation within a Web page. This may be useful for Web-based tools but can allow silent installations of applications without user knowledge or consent.

TransformsSecure (REG_DWORD)
Setting the TransformsSecure policy value to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access.

DisableLoggingFromPackage (REG_DWORD)
Set this policy value to 1 to disable the logging specified for the package by the MsiLogging property for all users of the computer. Windows Installer 3.1 and earlier: Not supported.

WinHttpAutoLogonLevel (REG_SZ)
The automatic logon (auto-logon) policy determines when it is acceptable to include the default credentials in a request to the server. Windows 8 and Windows Server 2012: This policy requires Windows Installer running on Windows 8 or Windows Server 2012 and is unavailable on all earlier versions of Windows.
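An added audit script, not part of the MSDN text quoted above, that reads the Installer policy values from the two tables out of HKLM and HKCU and reports the settings the tables describe as widening what non-administrators or scripts can do (AlwaysInstallElevated only counts when both hives are set). The key paths and value names are those in the tables; the severity labels, finding wording and choice of which values to flag are this example's own.

```powershell
# Added example, not from the MSDN pages quoted above. Read-only audit of the
# Windows Installer policy values documented in the User and Machine Policies
# tables. Key paths and value names come from those tables; the severity labels
# and the wording of the findings are this example's own.

$MachineKey = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
$UserKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicy {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (policy not configured).
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Get-InstallerPolicyFindings {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # AlwaysInstallElevated takes effect only when BOTH the HKLM and HKCU values are 1.
    $aieMachine = Get-InstallerPolicy -Path $MachineKey -Name 'AlwaysInstallElevated'
    $aieUser    = Get-InstallerPolicy -Path $UserKey    -Name 'AlwaysInstallElevated'
    if ($aieMachine -eq 1 -and $aieUser -eq 1) {
        $findings.Add('HIGH: AlwaysInstallElevated = 1 in HKLM and HKCU; every install runs with elevated privileges.')
    } elseif ($aieMachine -eq 1 -or $aieUser -eq 1) {
        $findings.Add('MEDIUM: AlwaysInstallElevated = 1 in one hive only; ineffective alone, but should be removed.')
    }

    # Machine policies whose value 1 the table describes as widening what non-admins or scripts can do.
    $weakIfOne = [ordered]@{
        'AllowLockdownBrowse' = 'non-admins can run programs as LocalSystem during an elevated install'
        'AllowLockdownMedia'  = 'non-admins can run programs as LocalSystem during an elevated install'
        'AllowLockdownPatch'  = 'non-admins can run programs as LocalSystem during an elevated install'
        'SafeForScripting'    = 'Web-page scripts can drive installer automation without prompting the user'
        'DisableRollback'     = 'no rollback files are kept; the table advises against this'
    }
    foreach ($name in $weakIfOne.Keys) {
        if ((Get-InstallerPolicy -Path $MachineKey -Name $name) -eq 1) {
            $findings.Add("HIGH: $name = 1 in HKLM; $($weakIfOne[$name]).")
        }
    }

    # DisableMSI: 1 blocks non-elevated per-user installs, 2 disables the installer entirely.
    $disableMsi = Get-InstallerPolicy -Path $MachineKey -Name 'DisableMSI'
    if ($disableMsi -eq 2) {
        $findings.Add('INFO: DisableMSI = 2; Windows Installer is disabled for all applications, including repairs.')
    } elseif ($disableMsi -eq 1) {
        $findings.Add('INFO: DisableMSI = 1; non-elevated per-user installs are blocked.')
    } else {
        $findings.Add('INFO: DisableMSI absent or 0; this policy does not restrict installs (see the table for Windows Server 2003 behaviour when absent).')
    }

    # Logging applies only when /L or MsiEnableLog has not already enabled logging, and rejects '+' and '*'.
    $logging = Get-InstallerPolicy -Path $MachineKey -Name 'Logging'
    if ([string]::IsNullOrEmpty($logging)) {
        $findings.Add('INFO: Logging policy not set; no MSI*.LOG is written unless /L or the package requests it.')
    } elseif ($logging -match '[+*]') {
        $findings.Add("LOW: Logging = '$logging' contains '+' or '*', which the policy form does not accept.")
    }

    return $findings
}

Get-InstallerPolicyFindings | ForEach-Object { Write-Output $_ }
```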

http://msdn.microsoft.com/en-us/library/windows/desktop/aa372868(v=vs.85).aspx



Windows Installer adheres to Windows Resource Protection (WRP) when installing essential system files, folders, and registry information in Windows Server 2008 and later and Windows Vista and later. WRP in Windows Server 2008 and Windows Vista replaces Windows File Protection (WFP) in Windows Server 2003, Windows XP, and Windows 2000. Windows Installer developers should note the following changes in how the installer handles protected resources in Windows Server 2008 and later and Windows Vista and later:

When running on Windows Server 2008 and later or Windows Vista and later, the Windows Installer skips the installation of any file that is protected by WRP, enters a warning in the log file, and continues with the remainder of the installation without an error. In Windows Server 2003, Windows XP, and Windows 2000, when the Windows Installer encountered a WFP-protected file, the installer would request that WFP install the file.

WRP on Windows Server 2008 and later or Windows Vista and later can protect registry keys in addition to files. If the Windows Installer encounters a WRP-protected registry key, the installer skips the installation of that registry key, enters a warning in the log file, and continues with the remainder of the installation without an error.

Note that if a Windows Installer component contains a file or registry key that is protected by WRP, this resource must be used as the KeyPath for the component. In this case, Windows Installer does not install, update, or remove the component. You should not include any protected resources in an installation package. Instead, you should use the supported resource replacement mechanisms for Windows Resource Protection.

For more information about WRP, see Windows Resource Protection and information that is provided on Microsoft Technet.

WFP for Windows Server 2003 and Windows XP/2000

Windows Installer adheres to Windows File Protection (WFP) when installing essential system files on Windows Server 2003, Windows XP and Windows 2000. If a protected system file is modified by an unattended installation of an application, WFP restores the file to the verified file version.

Windows Installer never attempts to install or replace a protected file. When the InstallFiles action or any other action scheduled before InstallFiles attempts to install a file protected on Windows Server 2003, Windows XP or Windows 2000, the installer calls WFP with a request to install or replace the protected file. The installer requests the file installation from WFP immediately after executing the InstallFiles action. WFP installs or replaces the file on the user's system with a cached version of the protected file. Note that this does not guarantee that the version of the file installed from the cache is the version required by the application. After WFP has installed the file, the installer determines whether this version matches the version in the package. If the file version in the package is greater than the installed version, the installer informs the user that it cannot update the system and that an update of the operating system may be required for the application.

If any action sequenced after InstallFiles attempts to install or replace a protected file not already installed on the system, the installer cannot call WFP to install the file. In this case, the installer informs the user that it cannot update the system and that an update of the operating system may be required for the application.

The installer also checks with WFP when removing files and never attempts to remove protected system files.

Component Key Files Protected by WFP

Note that if a Windows Installer component contains a WFP file, this file must be specified as the key path for the component. When the installer attempts to install a component's key file on Windows Server 2003, Windows XP or Windows 2000, it first calls WFP to determine if the key file is protected. When the key file of a component is protected by WFP, and that key file is already installed, the installer updates the component only if the version of the key file in the package is greater than the installed version. If the installation package specifies that a component be installed, and the key file of the component is not currently installed, then regardless of whether the key file is protected the installer installs the component. Once any component having a key file protected by WFP is installed, it is permanently installed, and the installer never removes or replaces the component.

Installation of Assemblies by WFP

WFP for assemblies differs from WFP for system files. WFP protects Windows Server 2003, Windows XP and Windows 2000 system files by detecting attempts to replace protected system files. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. When WFP receives this notification, it determines which file has changed. If the file is protected, WFP looks up the file signature in a static catalog file to determine if the new file is the correct version. If the file version is not correct, the system replaces the file with the correct version from either the cache or distribution media.

In contrast, WFP of assemblies is dynamic. WFP is extended to files as they are added to the shared side-by-side assembly cache. If an assembly becomes corrupted, WFP will request that the installer replace the file. Windows Installer may or may not be able to replace the file depending on whether the source package is accessible. If the source package is inaccessible, WFP will put up a dialog box stating that it is unable to restore the file.

Note that unmanaged shared side-by-side assemblies, installed in %windir%\winsxs, are protected by WFP. Unmanaged private assemblies, installed in the application directory, are not protected by WFP. Managed global assemblies installed in the application directory or %windir%\assembly\gac are not protected by WFP.

Related topics

Windows Resource Protection


Replacement of protected resources is supported through the following mechanisms.

Permission for full access to modify WRP-protected resources on Windows Vista and Windows Server 2008 is restricted to TrustedInstaller with the Windows Modules Installer service using the following mechanisms:
Windows Service Packs installed by TrustedInstaller.
Hotfixes installed by TrustedInstaller.
Operating system upgrades installed by TrustedInstaller.
Windows Update installed by TrustedInstaller.

Applications and installers attempting to replace a WRP-protected resource by means other than these specified methods are denied access to change the resource and generate an access denied error message.

For well-known installers attempting to replace WRP-protected resources, the access denied error and error message may be suppressed. In this case, the operation returns successfully, the error and error message are suppressed, but no changes are applied to the WRP-protected resource. The error may be suppressed for a well-known installer only when all of the following criteria are satisfied:
This is a legacy application. The application does not include a manifest with a requestedExecutionLevel that identifies the application as designed for Windows Vista or Windows Server 2008.
The access denied error is caused only by the attempt to modify a WRP-protected resource.
An Administrator is installing the application.

For information about using the Windows Installer with WRP, see Using Windows Installer and Windows Resource Protection in the Windows Installer SDK.

Windows Server 2003 and Windows XP: Replacement of WFP-protected system files is supported only through the following mechanisms:
Windows Service Pack installation using Update.exe
Hotfixes installed using Hotfix.exe
Operating system upgrades using Winnt32.exe
Windows Update
Replacing protected files by means other than these specified methods results in the original files being restored by WFP.


Permission for full access to modify WRP-protected resources is restricted to TrustedInstaller. WRP-protected resources can be changed only using the Supported Resource Replacement Mechanisms with the Windows Modules Installer service.

WRP protects files with the following extensions that are installed by Windows Server 2008 or Windows Vista: .dll, .exe, .ocx, and .sys.

WRP protects critical files that are installed by Windows Server 2008 or Windows Vista with the following extensions: .acm, .ade, .adp, .app, .asa, .asp, .aspx, .ax, .bas, .bat, .bin, .cer, .chm, .clb, .cmd, .cnt, .cnv, .com, .cpl, .cpx, .crt, .csh, .dll, .drv, .dtd, .exe, .fxp, .grp, .h1s, .hlp, .hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .man, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msi, .msp, .mst, .mui, .nls, .ocx, .ops, .pal, .pcd, .pif, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros, .vss, .vst, .vsw, .ws, .wsc, .wsf, .wsh, .xsd, and .xsl.

WRP protects critical folders. A folder containing only WRP-protected files may be locked so that only the Windows trusted installer is able to create files or subfolders in the folder. A folder may be partially locked to enable Administrators to create files and subfolders in the folder.

WRP protects essential registry keys installed by Windows Server 2008 and Windows Vista. If a key is protected by WRP, all its subkeys and values can be protected.

WRP copies files that are needed to restart Windows to the cache directory located at %Windir%\winsxs\Backup. Critical files that are not needed to restart Windows are not copied to the cache directory. The size of the cache directory and the list of files copied to the cache cannot be modified.

Windows Server 2003 and Windows XP: Windows File Protection (WFP) preceded WRP.

WFP protects files that are installed by Windows with the following extensions: .dll, .exe, .ocx, and .sys. In addition, the TrueType fonts Micross.ttf, Tahoma.ttf, and Tahomabd.ttf are also protected.

At the end of the Windows installation, WFP runs a scan of all protected files to ensure they have not been modified by applications installed through unattended installation. WFP also copies verified versions of these system files to the cache directory. When an application attempts to replace a protected file, WFP can restore the original file from the cache directory.

The default cache location is %systemroot%\system32\dllcache. To specify a different location for the cache, create the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDllCacheDir. This must be a local path. Using a network path creates a single shared network source for cache files, provided all clients using the share are running the same service packs and hotfixes.

The default size of the cache is unlimited. To change the size of the cache, use the following registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCQuota. If the value is SFC_QUOTA_ALL_FILES, all system files will be cached in the cache directory.

Due to disk space considerations, it may not be desirable to maintain cached versions of all system files in the cache directory. Depending on the size of the cache, WFP will store verified file versions in the cache directory on the system hard drive. WFP will add files to the cache until the size of the cache directory reaches the specified limit. When an application attempts to replace a protected file that is not in the cache, WFP attempts to restore the original file from the installation source, prompting the user if necessary.

WFP registry values are not supported as of Windows Vista.

WFP uses several registry values for customization settings. The WFP registry values are located in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The following are the WFP registry values.

SFCDllCacheDir
Location of the cache. This must be a local path. The default value is %systemroot%\system32\dllcache.

SFCQuota
Quota options. This registry value can be one of the following values.
SFC_QUOTA_ALL_FILES: Size of the DLL cache is unlimited. This is the default.
Other values: Size of the DLL cache, in files.

SFCScan
Scan options. This registry value can be one of the following values.
SFC_SCAN_NORMAL: Do not scan protected files at boot. This is the default.
SFC_SCAN_ALWAYS: Scan protected files at every boot.
SFC_SCAN_ONCE: Scan protected files at the next boot.

http://support.microsoft.com/kb/832017
