ISWIX, LLC View Christopher Painter's profile on LinkedIn profile for Christopher Painter at Stack Overflow, Q&A for professional and enthusiast programmers

May 01, 2008

Welcome Back SeBackupPrivilege

Back in October 2006 I reported about an undocumented security change in MSI 4.0/Vista that prevented Deferred NoImpersonate CA's from having the same security rights as they had previously had on downstream operating systems. The story was picked up by Microsoft's Vista Compatibility blog and justified as an attempt to tighten OS security. Maarten van de Bospoort of the MSFT AppCompat team said that it was `design decision made by the installer folks.`

The argument was naturally pointless since any elevated process ( including MSI CA's themselves or bootstrappers ) could easily tweak the registry and restart the MSI service to get around the restriction. As an aside, my discovery was also cited by Microsoft MVP Stefen Kruger.

Tonight I read on the Windows Installer team blog that after 1 1/2 years, Microsoft is finally correcting this issue an restoring SeBackupPrivilege.

No comments: