Security Inclusion List for VSTO solutions on Windows XP
-
Wednesday, August 08, 2012 8:57 PM
We developed MS Word, Excel and PowerPoint VSTO 3 add-ins using Visual Studio 2008. Office versions 2007/2010.
We don't use ClickOnce.
To suppress the Verify publisher prompt (Microsoft Office Customization Installer) we used the Office replication/propagation mechanism.
Recently we modified our installer to use the Security Inclusion List API inside the custom action.
This works for Vista and Windows 7 installations, but we're beginning to get complaints from our Windows XP users. They get the "Are you sure you want to install this customization?" prompt.
I did some investigation and discovered that the inclusion entries are created under
HKEY_USERS\.DEFAULT\Software\Microsoft\VSTO\Security\Inclusion.
So, I launched Procmon, started Microsoft Word, but couldn't find any process that was accessing the inclusion entries in that location.
Does anyone have any idea about Security Inclusion mechanics under Windows XP?
Thanks,
Michael
- Changed Type Office2007 Developer Wednesday, August 08, 2012 10:23 PM
All Replies
-
Thursday, August 09, 2012 2:09 AM Moderator
Hi Michael,
Thanks for posting in the MSDN Forum.
What's "Procmon" mean?
Have a good day,
Tom
Tom Xu [MSFT]
-
Thursday, August 09, 2012 4:06 AM
Hi Tom
ProcMon is a Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
It logs all the filesystem and registry access calls.
I ran the tool on both Windows 7 and Windows XP systems to see what process/thread read the info from
HKEY_USERS\.DEFAULT\Software\Microsoft\VSTO\Security\Inclusion.
But it doesn't look like that registry location is accessed by any process.
After running my installer I can see 3 separate entries are created in that location, one for each of my VSTO add-ins (Word, Excel, PowerPoint).
On Win7 the Office applications load my add-ins all right, but on Windows XP I get the "Are you sure you want to install this customization?" prompt.
I would hate to plug the code relying on Office replication/propagation mechanism back into my installer.
Thanks,
Michael
-
Thursday, August 09, 2012 9:42 AM
How are you adding the inclusion list entry in your installer? Show us the relevant code.
-
Thursday, August 09, 2012 4:17 PM
Hi Damian, here is the code snippet:

    using System;
    using System.Security;
    using System.Security.Permissions;
    using Microsoft.Deployment.WindowsInstaller;
    using Microsoft.VisualStudio.Tools.Office.Runtime.Security;

    public static ActionResult AddToInclusionList(Session session)
    {
        // Nothing to register when the installer is rolling back.
        if (!session.GetMode(InstallRunMode.Rollback))
        {
            // The inclusion list API needs full trust; fail the action otherwise.
            try
            {
                SecurityPermission permission =
                    new SecurityPermission(PermissionState.Unrestricted);
                permission.Demand();
            }
            catch (SecurityException)
            {
                ErrorMessage(".....", session);
                return ActionResult.Failure;
            }

            string applicationName;
            session.CustomActionData.TryGetValue("Application", out applicationName);

            // Location of the add-in's .vsto deployment manifest.
            Uri deploymentManifestLocation = null;
            if (!Uri.TryCreate(GetManifestLocation(session),
                    UriKind.RelativeOrAbsolute, out deploymentManifestLocation))
            {
                ErrorMessage("The location of the deployment manifest is missing or invalid.", session);
                return ActionResult.Failure;
            }

            //System.Windows.Forms.MessageBox.Show(deploymentManifestLocation.ToString());
            //System.Windows.Forms.MessageBox.Show(GetPublicKey(applicationName));

            // Register the manifest URL and public key in the inclusion list
            // of the account this custom action runs as.
            AddInSecurityEntry entry = new AddInSecurityEntry(deploymentManifestLocation, GetPublicKey(applicationName));
            UserInclusionList.Add(entry);
            session.CustomActionData.Add("VSTOCustomAction_ManifestLocation" + applicationName, deploymentManifestLocation.ToString());
        }
        return ActionResult.Success;
    }

Thank you
Michael
-
Thursday, August 09, 2012 6:16 PM
Can you show us the value of deploymentManifestLocation, either from the registry itself or from your installer action (as you already have a commented-out MessageBox.Show)?
-
Thursday, August 09, 2012 9:18 PM
I uncommented the line with the MessageBox, rebuilt the installer and ran it on a test system.
Here is the manifest location (which is correct):
file:///C:/Program Files/My Company Name/Product Name/Bin/addinname.vsto
Installing on Vista and Windows 7 is no problem. Only Windows XP triggers the Office Customization Installer prompt.
Thanks,
Michael
-
Friday, August 10, 2012 8:06 AM
The custom action seems to be OK. So the problem is with the MSI, which somehow executes the custom action in a profile that is not the same as the current user (hence HKEY_USERS\.DEFAULT). Do you fix your MSI installer with the customactionnoimpersonate flag?
-
Friday, August 10, 2012 2:09 PM
Yes, I set the "Impersonate" attribute to "no" in WiX.
That's what I'm trying to find out:
On Windows 7 and Vista I don't have security inclusion entries under HKEY_USER. They are created under HKEY_USERS\.DEFAULT.
All add-ins (Word, Excel, PowerPoint) load without any additional prompts.
But the prompt pops up on Windows XP.
Thanks,
Michael
-
Friday, August 10, 2012 2:26 PM
Disregarding OS version, I do not think that adding that entry under HKEY_USERS\.DEFAULT is a proper or supported way to go. It might work on newer versions because they changed the way the registry works. I do not have much knowledge about that; inclusion list entries that are executed from my MSI custom action are added under the current user HKCU key.
-
Friday, August 10, 2012 4:12 PM
I have no clue either.
So, to summarize:
1 My installer uses Security Inclusion List API to add addin to the list
2 Entries are written to HKEY_USERS\.DEFAULT instead of HKCU
3 Office 2007/2010 apps load my addins without a hitch on Vista and Win7. But on Win XP my users see the Office Customization Installer prompt
I guess I will have to fall back on the replication mechanism for Windows XP.
Thanks for your help Damian
Michael
-
Wednesday, August 15, 2012 4:51 AM
I ended up modifying my Wix Installer to activate Office replication mechanism for Windows XP installations, via MSI installer "conditions" and a custom action. For Vista and Win7 I use Security Inclusion List API custom action.
Thank you DamianD for your help and feedback.
Michael
- Marked As Answer by Office2007 Developer Tuesday, August 28, 2012 9:26 PM
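
A quick way to confirm on a test machine which hive the installer wrote its inclusion entries to, shown here as an added example that is not part of the original thread. It relies on the fact that a deferred custom action with Impersonate="no" runs as LocalSystem, whose HKCU view is HKEY_USERS\.DEFAULT; the function and variable names are illustrative, and the syntax is kept PowerShell 2.0 compatible so it also runs on Windows XP.

```powershell
# Added diagnostic (not from the thread): list VSTO inclusion-list entries in the
# interactive user's hive and in HKEY_USERS\.DEFAULT, the LocalSystem profile.
$subKey = 'Software\Microsoft\VSTO\Security\Inclusion'
$hives = @(
    @{ Label = 'HKCU';         Root = 'Registry::HKEY_CURRENT_USER' },
    @{ Label = 'HKU\.DEFAULT'; Root = 'Registry::HKEY_USERS\.DEFAULT' }
)

function Get-InclusionEntry {
    param([string]$Label, [string]$Root)
    $path = "$Root\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $path) {
        # Dump every value under the entry so the check does not depend on
        # specific value names.
        $data = foreach ($name in $key.GetValueNames()) {
            "$name=$($key.GetValue($name))"
        }
        New-Object PSObject -Property @{
            Hive  = $Label
            Entry = $key.PSChildName
            Data  = ($data -join '; ')
        }
    }
}

$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Running as: $who"

$entries = @(foreach ($h in $hives) {
    Get-InclusionEntry -Label $h.Label -Root $h.Root
})
$entries | Format-List Hive, Entry, Data

$inUser   = @($entries | Where-Object { $_.Hive -eq 'HKCU' }).Count
$inSystem = @($entries | Where-Object { $_.Hive -eq 'HKU\.DEFAULT' }).Count
Write-Output "Entries in HKCU: $inUser; entries in HKU\.DEFAULT: $inSystem"

# Trust entries that exist only in the LocalSystem profile mean the custom
# action did not run in the context of the user who launches Office.
if ($inSystem -gt 0 -and $inUser -eq 0) {
    Write-Warning ("Inclusion entries exist only under HKEY_USERS\.DEFAULT. " +
        "The custom action ran without impersonating the installing user.")
}
```

Run it as the user who starts Word, Excel or PowerPoint, once before and once after installation, and compare the two listings.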

