Tuesday 19 August 2008

Active Setup: Questions and Concerns

The Microsoft Active Setup feature is a start-up process within Windows XP (all service packs) and later operating systems that automatically runs a specified process when a user logs in. This process is usually required to ensure that all relevant registry keys are configured for each user who logs on to that machine. It completes an application installation that, due to the specific nature of the application, may require individual, user-by-user configuration. In addition, Active Setup can be used as part of enterprise login procedures or to ensure that certain processes and configuration routines have completed successfully.

The Microsoft Active Setup feature employs the following registry keys to ensure that each local machine setting exactly matches the user components:

HKLM\Software\Microsoft\Active Setup\Installed Components\%APPNAME% and HKCU\Software\Microsoft\Active Setup\Installed Components\%APPNAME%

If the machine and the user portions of the registry do not match, then the designated process is run. Note: this process runs under the user's security privileges, so you need to ensure that the process initiated by Active Setup does not require administrator rights to the local machine component of the registry or to restricted areas of the local file system.
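The HKLM/HKCU comparison described above can be inspected with a read-only PowerShell audit. This is an added example, not part of the original post; it assumes the standard Active Setup value names `StubPath`, `Version` and `IsInstalled`, which the post does not name, and approximates the version comparison.

```powershell
# Added example: list Active Setup components and whether their command
# would run for the current user at next logon. Read-only; changes nothing.
$sub = 'Software\Microsoft\Active Setup\Installed Components'

function ConvertTo-ActiveSetupVersion([string]$Text) {
    # Versions are stored comma-separated ("1,0,0,2"); pad to four parts.
    # Unparseable or missing values are treated as 0.0.0.0 (assumption).
    if ([string]::IsNullOrWhiteSpace($Text)) { return [version]'0.0.0.0' }
    try {
        $parts = @($Text -split '[,.]' | ForEach-Object { [int]$_.Trim() })
        while ($parts.Count -lt 4) { $parts += 0 }
        return [version]($parts[0..3] -join '.')
    } catch { return [version]'0.0.0.0' }
}

Get-ChildItem -LiteralPath "HKLM:\$sub" -ErrorAction SilentlyContinue |
ForEach-Object {
    $machine = Get-ItemProperty -LiteralPath $_.PSPath
    if (-not $machine.StubPath) { return }      # no command registered

    $userKey = "HKCU:\$sub\$($_.PSChildName)"
    $user = Get-ItemProperty -LiteralPath $userKey -ErrorAction SilentlyContinue

    $mv = ConvertTo-ActiveSetupVersion $machine.Version
    $uv = if ($user) { ConvertTo-ActiveSetupVersion $user.Version } else { $null }

    # IsInstalled = 0 disables the component; missing or 1 leaves it enabled.
    $enabled = ($null -eq $machine.IsInstalled) -or ($machine.IsInstalled -ne 0)

    [pscustomobject]@{
        Component       = $_.PSChildName
        StubPath        = $machine.StubPath     # runs with the user's rights
        MachineVersion  = $mv
        UserVersion     = $uv
        # Runs when the user key is absent or older than the machine key.
        RunsAtNextLogon = $enabled -and ((-not $user) -or ($uv -lt $mv))
    }
} | Sort-Object RunsAtNextLogon -Descending | Format-Table -AutoSize -Wrap
```

Any `StubPath` that does not belong to a known installer is worth reviewing, since it executes in every user's session at logon.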

Active Setup is commonly used when the application in question does not include advertised entry points (AEP), shortcuts or other triggers to complete the user based installation process.

I have a few problems with Active Setup:

- Can you ensure that the user-based installation process completed successfully?
- How does this affect enterprise-level conflict management?
- Will all users have the correct privileges to run the local process?
- Do I have full control of the process, once initiated in the user environment?
- Is there any real/pragmatic dependency checking to ensure that the Active Setup process initiates correctly?
- How are custom actions handled in the local cached MSI?


Loads of questions here, and I will try to have a few thoughts on these issues over the next few weeks. That said, I would really appreciate any comments on this topic. Any more concerns regarding Active Setup?


Here are some noted dangers of using Active Setup:
Active Setup can be a serious candidate (in security speak: an attack vector) for virus infections, malware and other "bad" things that make you work harder, sleep less, and generally suffer more.

There have been a number of security updates to the Microsoft Active Setup controls (which, to be fair, are now a little dated), including:

MS00-042:
Microsoft has released a patch that eliminates a security vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. The vulnerability could be used to overwrite files on the computer of a user who visited a malicious web site operator's site.
http://www.microsoft.com/technet/security/bulletin/MS00-042.mspx


K-057: Microsoft "Active Setup Download" Vulnerability
The Microsoft Active Setup Control has an internal flaw which allows the downloading of a trusted ".cab" file to any disk location.
http://www.ciac.org/ciac/bulletins/k-057.shtml



