Windows Tips & Tricks UPDATE, November 10, 2003 - brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
http://www.windows2000faq.com


This Issue Sponsored By

St. Bernard's iPrism - Download Five Free Tools!
http://www.stbernard.com/src/iptools6.asp

VeriSign - The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n20390149020045000


1. Commentary

2. FAQs

  • Q. What's the Windows Installer rollback functionality?
  • Q. How can I use Group Policy to disable the Windows Installer rollback functionality?
  • Q. How can I use the registry to disable the Windows Installer rollback functionality?
  • Q. When does Windows Installer use elevated privileges?
  • Q. How can I configure all Windows Installer installations to run with elevated privileges?
  • Q. How can I force Group Policy to refresh on a Windows Server 2003 or Windows XP machine?
  • Q. How can I modify Group Policy's refresh interval?

3. Announcements

  • Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!
  • We Need Your Feedback

4. Event

  • Check Out 4 New Upcoming Web Seminars

5. Contact Us

  • See this section for a list of ways to contact us.

Sponsor: St. Bernard's iPrism - Download Five Free Tools!

Discover the appliance advantage and improve the way you filter with St. Bernard's iPrism(R) Web filter. One box is all you need for a total Web filtering solution. Using an appliance for Web filtering is now considered the smart choice. With the iPrism appliance, there is no additional hardware or software to purchase; everything, including built-in reporting, is in the box. Find out today why companies are switching to iPrism, the only true appliance available. Switch to iPrism now from any qualified Web filter and with any 3–year subscription, you'll receive an additional year free. Download your 5 FREE Tools today!
http://www.stbernard.com/src/iptools6.asp


1. Commentary
by John Savill, FAQ Editor, jsavill@winnetmag.com

This week, I describe the Windows Installer rollback functionality and how to disable it by using Group Policy and the registry. I tell you when Windows Installer uses elevated privileges and how to configure all Windows Installer installations to use elevated privileges. I also explain how to force Group Policy to refresh on a Windows Server 2003 or Windows XP machine and how to modify the Group Policy refresh rate.


Sponsor: VeriSign - The Value of Trust

FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
http://www.verisign.com/cgi-bin/go.cgi?a=n20390149020045000


2. FAQs

Q. What's the Windows Installer rollback functionality?

A. When you install a Windows Installer (.msi) file, the file's installation sequence specifies the actions that Windows Installer will perform. As it performs each action, Windows Installer records the information needed to undo that action in a rollback script and, before it overwrites or deletes a file, backs up a copy of that file. If the installation fails, Windows Installer runs the rollback script to undo the actions already performed and uses the backups to restore the files it replaced or deleted. After the installation completes successfully or is rolled back, Windows Installer deletes the backups because they're no longer needed.

You can define custom actions to be performed during a .msi file installation. For example, you can

  • launch an executable during installation from the user's machine
  • call special functions from a DLL
  • call functions written in a scripted language (such as JScript or VBScript)
  • perform nested installations

Windows Installer doesn't automatically roll back these custom actions. The author of the .msi file is responsible for providing a matching rollback custom action for each one. For the standard installer actions, no extra work is needed: Windows Installer rolls back a failed installation on its own.

Windows Installer stores the temporary file backups in the %systemdrive%\Config.Msi folder, which is marked hidden and system. Be aware that users can still browse that folder and read those files, and might learn details about your system (or recover copies of the files being replaced) that you would prefer to keep restricted.

Q. How can I use Group Policy to disable the Windows Installer rollback functionality?

A. Depending on the actions that the Windows Installer (.msi) file performs, the temporary rollback information described in the FAQ "What's the Windows Installer rollback functionality?" can take a lot of disk space. If the installation is interrupted, these temporary files remain on the system, and a user could read them to gain information about your computer. Keep in mind, though, that if you apply a Group Policy Object (GPO) to disable rollback and an installation then fails, Windows Installer can't undo the partial installation, and your computer could be left in an inconsistent state.

To use Group Policy to prevent Windows Installer from creating the rollback information, perform the following steps:

  1. Open the relevant GPO. For example, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the organizational unit (OU) or domain, select Properties, select the Group Policy tab, select the GPO, then click Edit.
  2. Expand Computer Configuration, Administrative Templates, Windows Components, Windows Installer.
  3. Double-click "Prohibit rollback."
  4. Select Enabled, as shown in this figure.
  5. Click OK.

You can also configure this setting on a per-user basis by navigating to User Configuration, Administrative Templates, Windows Components, Windows Installer in Step 2 above. If the setting is Enabled in either location, rollback is prohibited, regardless of a Disabled setting in the other.

Q. How can I use the registry to disable the Windows Installer rollback functionality?

A. To use the registry to prevent Windows Installer from creating the rollback information described in the FAQ "What's the Windows Installer rollback functionality?," perform the following steps:

  1. Start a registry editor (e.g., regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer registry subkey to make the change for all users on that machine, or navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer registry subkey to make the change for the current user.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name DisableRollback, then press Enter.
  5. Double-click the new value, set it to 1, then click OK.
  6. Close the registry editor.
  7. Log off and log on for the change to take effect.

Q. When does Windows Installer use elevated privileges?

A. You can use a tool such as Group Policy to perform a managed installation of a Windows Installer (.msi) file, or a user can install a Windows Installer file manually. Some applications that you install with a .msi file require elevated privileges to write to protected file system areas or registry keys. When Group Policy deploys a .msi file to a user's system, the installation runs in the context of the Windows Installer service (the LocalSystem account), so the user's limited permissions don't restrict it. However, when a user runs a .msi file manually, the installation is limited to that user's privileges, which can cause some installations to fail.

You can configure a system to run all Windows Installer installations, including manual installations, with elevated privileges. However, doing so means that any user who can run a .msi file can run code as LocalSystem: as the rollback FAQ above notes, a .msi author can define custom actions that launch an executable, and under this setting those actions run with the installer's elevated privileges. Treat the setting as granting every user on the machine administrative rights, and enable it only where that is acceptable. For information on how to configure all Windows Installer installations to use elevated privileges, see the FAQ "How can I configure all Windows Installer installations to run with elevated privileges?" below.

If you enable a Group Policy Object (GPO) to let all installations run with elevated privileges, be aware that if you install an application on a per-machine basis (i.e., all users on that machine can use it), any repair operations performed for that application will run with elevated privileges, even if you remove the GPO. If, however, you install an application on a per-user basis, then remove the GPO, any attempts to repair that application might fail because the elevated privileges no longer apply.

Q. How can I configure all Windows Installer installations to run with elevated privileges?

A. To run all Windows Installer installations with elevated privileges, perform the following steps:

  1. Open the relevant Group Policy Object (GPO). For example, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the organizational unit (OU) or domain, select Properties, select the Group Policy tab, select the GPO, then click Edit.
  2. Expand Computer Configuration, Administrative Templates, Windows Components, Windows Installer.
  3. Double-click "Always install with elevated privileges."
  4. Set to Enabled, then click OK.
  5. Expand User Configuration, Administrative Templates, Windows Components, Windows Installer.
  6. Double-click "Always install with elevated privileges."
  7. Set to Enabled, then click OK (you must enable the setting under both the Computer Configuration and User Configuration sections for it to take effect), as shown in this figure.

You can also use the registry to enable all Windows Installer installations to run with elevated privileges by performing the following steps:

  1. Start a registry editor (e.g., regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name AlwaysInstallElevated, then press Enter.
  5. Double-click the new value, set it to 1, then click OK.
  6. Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer registry subkey.
  7. From the Edit menu, select New, DWORD Value.
  8. Enter the name AlwaysInstallElevated, then press Enter.
  9. Double-click the new value, set it to 1, then click OK.
  10. Close the registry editor.
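The following PowerShell script is an added example, not part of the original newsletter. It audits the two Windows Installer policy values covered by the FAQs above (DisableRollback and AlwaysInstallElevated) in both hives and reports their effective state, applying the rules stated in the FAQs: AlwaysInstallElevated is effective only when both HKLM and HKCU are set to 1, while DisableRollback takes effect when either is set. It also lists any rollback files left behind in %systemdrive%\Config.Msi by an interrupted installation. It assumes a Windows host with PowerShell 3.0 or later; HKCU is the hive of whoever runs the script, and the key paths and value names are the ones given in the FAQs.

```powershell
# Added example (not from the original newsletter): audit Windows Installer policy
# values and leftover rollback files. Assumes PowerShell 3.0+ on a Windows host.

$InstallerPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyValue {
    # Returns the value as an int, or $null when the key or value is absent
    # (that is, the policy is not configured in this hive).
    param(
        [Parameter(Mandatory)] [ValidateSet('HKLM', 'HKCU')] [string] $Hive,
        [Parameter(Mandatory)] [string] $Name
    )
    $path = "${Hive}:\$InstallerPolicyKey"
    try {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop
        return [int] $item.$Name
    } catch {
        return $null
    }
}

function Get-InstallerPolicyState {
    $aieMachine = Get-InstallerPolicyValue -Hive HKLM -Name AlwaysInstallElevated
    $aieUser    = Get-InstallerPolicyValue -Hive HKCU -Name AlwaysInstallElevated
    $drMachine  = Get-InstallerPolicyValue -Hive HKLM -Name DisableRollback
    $drUser     = Get-InstallerPolicyValue -Hive HKCU -Name DisableRollback

    [pscustomobject]@{
        AlwaysInstallElevatedMachine   = $aieMachine
        AlwaysInstallElevatedUser      = $aieUser
        # Only effective when BOTH hives are set to 1 (see the FAQ above).
        AlwaysInstallElevatedEffective = ($aieMachine -eq 1) -and ($aieUser -eq 1)
        DisableRollbackMachine         = $drMachine
        DisableRollbackUser            = $drUser
        # Effective when EITHER hive is set to 1 (Enabled overrides Disabled).
        RollbackDisabled               = ($drMachine -eq 1) -or ($drUser -eq 1)
    }
}

function Get-LeftoverRollbackFiles {
    # Files an interrupted installation left behind in %SystemDrive%\Config.Msi.
    # The folder is hidden+system, so -Force is needed to see its contents.
    $dir = Join-Path $env:SystemDrive 'Config.Msi'
    if (-not (Test-Path -LiteralPath $dir)) { return @() }
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue
}

$state = Get-InstallerPolicyState
$state | Format-List

if ($state.AlwaysInstallElevatedEffective) {
    Write-Warning ('AlwaysInstallElevated is in effect: any user who can run an .msi can run a ' +
                   'custom action as LocalSystem. Remove it from the GPO; a local registry ' +
                   'change is overwritten again at the next policy refresh.')
}
if ($state.RollbackDisabled) {
    Write-Warning 'Rollback is prohibited: a failed installation will not be undone automatically.'
}

$leftovers = @(Get-LeftoverRollbackFiles)
if ($leftovers.Count -gt 0) {
    Write-Warning ("{0} rollback file(s) remain in {1}; non-admin users may be able to read them." -f
                   $leftovers.Count, (Join-Path $env:SystemDrive 'Config.Msi'))
    $leftovers | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}
```

Run it as an ordinary user first: that shows exactly what an unprivileged account can learn from the Config.Msi folder and whether the elevated-install setting is exploitable from that account's hive, which is the combination that matters.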

Q. How can I force Group Policy to refresh on a Windows Server 2003 or Windows XP machine?

A. To manually force Group Policy to refresh under Windows 2000, you use the command

secedit /refreshpolicy

Microsoft has replaced this command in Windows 2003 and XP with the command

gpupdate

You can run this command without any switches to update both machine and user policies. When you run Gpupdate on Windows 2003, the machine will display the following text:

  Refreshing Policy...

  User Policy Refresh has completed.
  Computer Policy Refresh has completed.

  To check for errors in policy processing, review the event log.

The last line doesn't appear on XP machines. To refresh only the user policy settings, type

gpupdate /target:user

To refresh only the computer policy settings, type

gpupdate /target:computer

The optional switches that you can use with the Gpupdate command are

  • /Force. Reapplies all policy settings rather than only those that have changed since the last refresh.
  • /Wait:<seconds>. The number of seconds to wait for policy processing to finish before returning to the command prompt. The default is 600 seconds; 0 returns immediately and lets processing continue in the background, and -1 waits indefinitely.
  • /Logoff. Logs the user off after the refresh, so that user policy extensions that apply only at logon (such as Software Installation and Folder Redirection) can take effect.
  • /Boot. Restarts the computer after the refresh, for computer policy extensions that apply only at startup.
  • /Sync. Makes the next foreground policy application (at startup for computer policy, at logon for user policy) run synchronously rather than in the background; the system prompts you to restart or log off, depending on the /target setting.

Q. How can I modify Group Policy's refresh interval?

A. By default, Group Policy refreshes every 90 minutes for typical machines and users and every 5 minutes for domain controllers (DCs). To change these intervals, perform the following steps:

  1. Open the relevant Group Policy Object (GPO). For example, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the organizational unit (OU) or domain, select Properties, select the Group Policy tab, select the GPO, then click Edit.
  2. Expand Computer Configuration, Administrative Templates, System, Group Policy.
  3. Double-click "Group Policy refresh interval for computers," then select Enabled. Enter the new refresh rate and the maximum random time to wait for the refresh (to avoid all machines updating at the same time), then click OK.
  4. If required, double-click "Group Policy refresh interval for domain controllers," then select Enabled, as shown in this figure. Enter the new refresh rate, which should be significantly less than the average computer policy refresh rate, and the maximum random time to wait for the refresh (to avoid all machines updating at the same time), then click OK.
  5. Expand User Configuration, Administrative Templates, System, Group Policy.
  6. Double-click "Group Policy refresh interval for users."
  7. Again, select Enabled, set the necessary values, then click OK.
  8. Close the Group Policy Editor (GPE).

You don't have to configure both the user and computer values; you can modify just one of them. Don't set these values too low: every refresh consumes processing time on the client and on the domain controllers and adds network traffic, and short refresh intervals can quickly cause larger network problems. For example, setting the interval to 0 causes Group Policy to attempt a refresh every 7 seconds, which probably isn't good for anyone.
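The following PowerShell script is an added example, not part of the original newsletter, and serves both the gpupdate FAQ and the refresh-interval FAQ above. It reads the refresh interval and random offset configured by the "Group Policy refresh interval" settings, falls back to the defaults the FAQ gives (90 minutes plus up to 30 minutes of offset for computers and users, 5 minutes for DCs) when no policy is configured, reports the window in which the next refresh will occur, and optionally forces a refresh with gpupdate and checks the result. It assumes a Windows host with PowerShell 3.0 or later; the registry value names (GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset and their DC variants under Software\Policies\Microsoft\Windows\System) are the ones the System administrative template writes for these settings.

```powershell
# Added example (not from the original newsletter): report the effective Group Policy
# refresh window and optionally force a refresh. Assumes PowerShell 3.0+ on Windows.
# Value names are those written by the "Group Policy refresh interval" policy settings.

function Get-PolicyDword {
    param([string] $Path, [string] $Name)
    try { return [int] (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }   # key or value absent: not configured
}

function Get-GpRefreshWindow {
    # Returns the interval and maximum random offset (minutes) for the given target,
    # using the documented defaults when no policy is configured.
    param([ValidateSet('Computer', 'User', 'DomainController')] [string] $Target = 'Computer')

    switch ($Target) {
        'Computer'         { $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; $suffix = '';   $defInt = 90; $defOff = 30 }
        'User'             { $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; $suffix = '';   $defInt = 90; $defOff = 30 }
        'DomainController' { $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; $suffix = 'DC'; $defInt = 5;  $defOff = 0 }
    }
    $interval   = Get-PolicyDword -Path $key -Name "GroupPolicyRefreshTime$suffix"
    $offset     = Get-PolicyDword -Path $key -Name "GroupPolicyRefreshTimeOffset$suffix"
    $configured = ($null -ne $interval)
    if (-not $configured)  { $interval = $defInt }
    if ($null -eq $offset) { $offset   = $defOff }

    # An interval of 0 means "refresh every 7 seconds", which the FAQ warns against.
    $range = if ($interval -eq 0) { 'every 7 seconds' } else { "$interval to $($interval + $offset) minutes" }

    [pscustomobject]@{
        Target           = $Target
        Configured       = $configured
        IntervalMinutes  = $interval
        MaxOffsetMinutes = $offset
        NextRefreshRange = $range
    }
}

function Invoke-GpRefresh {
    # Runs gpupdate for one target. /Force reapplies every setting, not just changed ones;
    # /Wait bounds how long we block before returning (default 600 seconds).
    param([ValidateSet('Computer', 'User')] [string] $Target = 'Computer',
          [switch] $Force,
          [int] $WaitSeconds = 600)
    $gpArgs = @("/Target:$Target", "/Wait:$WaitSeconds")
    if ($Force) { $gpArgs += '/Force' }
    $output = & gpupdate.exe @gpArgs 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

# Usage: show the windows that apply here, then force a computer policy refresh.
'Computer', 'User' | ForEach-Object { Get-GpRefreshWindow -Target $_ } | Format-Table -AutoSize
$result = Invoke-GpRefresh -Target Computer -Force
if ($result.ExitCode -ne 0 -or $result.Output -match 'error') {
    Write-Warning "gpupdate reported a problem; review the event log:`n$($result.Output)"
}
```

The forced refresh is the step to run after you change one of the Windows Installer settings above, so that a stale local registry value is overwritten by the GPO without waiting for the next scheduled refresh.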

3. Announcements
(from Windows & .NET Magazine and its partners)

  • Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!
    What's better than Windows & .NET Magazine? Try Windows & .NET Magazine and the Windows & .NET Magazine Article Archive CD at one super low rate. Read Windows & .NET Magazine in the office. Take the Article Archive CD with you on the road. Subscribe now!
    http://www.winnetmag.com/rd.cfm?code=wcep203xcc

  • We Need Your Feedback
    In order to improve our security-related content in our Microsoft Security Watch newsletter, we need your opinion about what issues are of greatest importance to you and your organization. It only takes a few minutes to respond and complete the survey at
    http://www.winnetmag.com/securitywatch

Hot Release: Aelita Software (Advertisement)
Free IDC white paper on Active Directory deployments
How does your company compare to the rest of the industry in its deployment of Active Directory? In this white paper, analyst Al Gillen from IDC shows why enterprises are moving to Active Directory, and how they are progressing with their deployments. Request your free IDC white paper today.
http://www.aelita.com/100603tips

4. Event
(brought to you by Windows & .NET Magazine)

  • Check Out 4 New Upcoming Web Seminars
    Sign up today for these upcoming Web seminars: Access Control for the Web (NEW!), Assess IM Risks on Your Network, Five Keys to Choosing the Right Patch Management Solution, and The Secret Costs of Spam ... What You Don't Know Can Hurt You. Don't miss these free events!
    http://www.winnetmag.com/seminars

Sponsored Link

  • Argent
    Comparison Paper: The Argent Guardian Easily Beats Out MOM
    http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

5. Contact Us
Here's how to reach us with your comments and questions:

This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email