msiexec.exe

Discussion in 'ProcessGuard' started by wayne_b, Dec 11, 2004.

Thread Status:
Not open for further replies.
  1. wayne_b

    wayne_b Registered Member

    Joined:
    May 29, 2004
    Posts:
    56
    After visiting dslreports.com Security Forum and reading this thread;
    Break Xp Sp2 Popup Blocker: kick it in the ... !

    'msiexec.exe' should not be granted "Always perform this action". I don't give trusting permission to 'msiexec.exe' and was stopped dead in its tracks, though a friend of mine does and was exposed to the test :( mentioned above. Am I correct here that msiexec.exe should not be given full un-alerted access?

    It's this type of protection that makes PG gold!!

    -wayne
     
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    My recommendation is that you "Permit Once" MSIEXEC.exe on a case-by-case basis.

    One problem I have run into is that when I do a MS Office update on the MS update site, msiexec.exe is started just to make the available update check. Then it does not automatically exit and has to be killed manually. So I deny it when it is requested during the scan and that keeps me from having to kill it later. If the scan reports an update available, I then rescan and permit it to install the update.
     
  3. wayne_b

    wayne_b Registered Member

    Joined:
    May 29, 2004
    Posts:
    56
    That is what I do on my machine but I wasn't sure if it is something I should recommend to others.

    Are you saying that it remains active after the Office update scan, even if PG is granted permission to allow it to run once during the scan?

    To test this:
    I went to the Office update scan and allowed msiexec.exe to run, then went to the site mentioned above. PG alerted me to msiexec.exe, allowing me to deny it.

    It would appear that it doesn't stay active. To validate this, I kept the Office update scan browser open and granted permission to msiexec.exe; keeping the browser open, I went to the test site above through another IE browser window, and again PG alerted me.

    I would say that it is safe granting permission to msiexec.exe during office update scan.

    -wayne
     
  4. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    On my XP-SP2 system, msiexec.exe stays in memory after the scan is complete on Office 2003. I have to use Task Manager and kill/close it manually. This only seems to occur when it is used on Windows Office update and when there is no update found to install. If an update is installed, then msiexec is shut down at the end of the installation.
     
  5. wayne_b

    wayne_b Registered Member

    Joined:
    May 29, 2004
    Posts:
    56
    Ok, I understand now,

    During the scan, I again opened another IE browser window and went to the test site; with msiexec.exe in the 'Task Manager', PG still prompted for an action on the test site. From what I see, it is safe to say PG ONLY grants msiexec.exe permission of the selected action it was meant to perform.

    I still would not "Always perform this action" with msiexec.exe, I would like to know what it is up to ;)

    -wayne
     
    Last edited: Dec 12, 2004
  6. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    It sounds to me that Microsoft didn't put the right reg. entry in the registry. RUNONCE and exit. You can also program that to check install and exit. The reason that MS has it that way is to check and see if you have legal copies of applications in your computer while you are updating. SP2 is a legal way of MS to keep track of all pirated programs and send a report to the vendors of those pirated applications. (In my opinion I think that's the way it works but I could be wrong o_O)

    Has anyone ever looked to see if other things were set up in the process of updating? o_O You might want to look in your Temp. Internet Files folder to see how many setup logs there are. One in particular is ASP.NET Setup Log while you were updating Framework 1.1. You may have an unknown account on your computer that can only be seen in safe mode when you check your security for the permissions allowed on your computer. Microsoft doesn't call them pirated; they are known as hostile applications in a legal machine and are reported as such (HOSTILE).

    This may be a little off of the discussion, but if you think about it, a process that stays on when it should be off needs looking into (other things may be going on in the background that you don't know about). Installers are nice tools to hide little snippets of code in that call on other things that can work in the background. Updaters are another form of installers because they perform a dual purpose.
     
    Last edited: Jun 6, 2005
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I don't understand where the msiexec.exe comes into the test.

    I use the Maxthon browser and set deny always for iexplore.exe (in PG). I tried the test and nothing happened; well, I got an Internet Explorer script error. Then I set permit always for iexplore and tried the test again. I got the popups but there was no mention of msiexec.exe on my PG alerts tab.
     