Grant-CComPermission and MSI Installer

7 views
Skip to first unread message

Seltzer, Hillel

unread,
Jun 29, 2023, 8:49:58 PM6/29/23
to carb...@googlegroups.com

Hello,

 

I am trying to use the Grant-CComPermission from Carbon version 2.13.0 to automate setup of a Windows 10 2021 2H system. 

The goal is to replace Dcomperm.exe set -da <group> permit

The command I am using is: Grant-CComPermission -Identity <group>  -Access -Default -Allow

 

After running this command, MS Installer seems to be broken.  Any attempt to install an MSI file afterward will result in an error stating “MSI windows installer service cannot be accessed”.

 

The only way to enable MSI installations to work is to use the Dcomperm.exe utility.

 

Is there some other setting that must be applied for Grant-CCom Permission to not cause the MS Installer service to fail?

 

Thanks.

-----

Hillel Seltzer

 

The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

 

Aaron Jensen

unread,
Jun 30, 2023, 9:42:04 AM6/30/23
to Seltzer, Hillel, carb...@googlegroups.com
I’ve never seen this before. Unfortunately, we haven’t used `Grant -CComPermission` for years. 

On Jun 29, 2023, at 17:50, 'Seltzer, Hillel' via Carbon <carb...@googlegroups.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Carbon" group.
To unsubscribe from this group and stop receiving emails from it, send an email to carbonps+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/carbonps/VE1P122MB0158BFDE8911F5E89D70FFB7872AA%40VE1P122MB0158.EURP122.PROD.OUTLOOK.COM.

Seltzer, Hillel

unread,
Jun 30, 2023, 10:12:57 AM6/30/23
to Aaron Jensen, carb...@googlegroups.com

Hello Aaron,

 

The goal here is to find a current replacement for DcomPerm.exe which is very old.  It is difficult to justify distributing a utility that has to be hunted down in resource kits for out of production OS versions.

 

I tested further and found that any operation done by Grant-CComPermission and the corresponding Carbon operations that write to COM permissions to rewrite the default access ACL, whether permitting, denying, or removing an entry for any user or group, breaks MS Installer.  The only fix is to use DcomPerm.exe to rewrite the default access ACL, whether permitting, denying, or removing an entry for any group or user, then allows MS Installer to run afterward.

 

Looks like Carbon somehow poisons the default access COM permission that MSI needs to use.

 

Thanks,

---Hillel

 

From: Aaron Jensen <a...@me.com>
Sent: Friday, June 30, 2023 9:42 AM
To: Seltzer, Hillel <Hillel....@philips.com>
Cc: carb...@googlegroups.com
Subject: Re: [Carbon] Grant-CComPermission and MSI Installer

 

You don't often get email from a...@me.com. Learn why this is important

Caution: This e-mail originated from outside of Philips, be careful for phishing.

Seltzer, Hillel

unread,
Jul 12, 2023, 5:15:31 PM7/12/23
to Aaron Jensen, carb...@googlegroups.com

Hello Aaron,

 

I figured out what I was doing wrong.  I was calling Grant-CComPermission with the tags for “-Access -Default -Allow”.  I assumed that if you specify “local”, then it is only local and not remote, if you specify “remote”, then it is not local, and the default is both local and remote if none are specified.

 

If I add the flags for both “-Local” and “-Remote”, then it works properly.

 

Thanks,

---Hillel

Reply all
Reply to author
Forward
0 new messages