Maintaining Windows Installer SecureRepairWhitelist through Powershell

Background

Here is a quick follow-up to a recent post, where we discussed options for getting rid of a pesky MS Windows Installer error “Product: Google Update Helper — Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy”.

Original Remediation

The remediation involved setting RemappedElevatedProxiesPolicy to 1.

 

Re-Install/Install Microsoft Hotfixes

Let us go ahead and install the “problematic” Microsoft hot-fixes that we studiously avoided last time.

  1. Security Update for Windows Server 2003 (KB3072630) [released on 2015-July-15]
    https://www.microsoft.com/en-us/download/details.aspx?id=47959

 

Opt-Out Affected Programs

Foreword

Another option is to opt-out selected applications.

 

Code Analysis

  1. Launch Registry Editor
  2. Traverse to
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
  3. Add / update a new key named SecureRepairPolicy and set it to 2
  4. Add the MSI’s product code for each application that you would like to skip

 

Configuration File and Code

Configuration File


<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='style.xsl'?>
<!--Product Key List-->
<ProductKeys>
 <!--Google Update Helper 1.3.26.9-->
 <Product GUID="Google Update Helper 1.3.26.9">
  <Vendor>Google Inc.</Vendor> 
  <ProductName>Google Update Helper 1.3.26.9</ProductName>
  <ProductGUID>{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}</ProductGUID>
  <CodeSegment info3="another attribute">
	<![CDATA[this is untouched code and can contain special characters /\@<>]]>
  </CodeSegment>
 </Product>
</ProductKeys>

Powershell Script

The Powershell script has been uploaded to https://github.com/DanielAdeniji/SecureRepairWhitelist.
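
One way to apply the registry steps above from the configuration file, as an added example (this is not the script in the GitHub repository). The file name ProductKeys.xml, the layout of a SecureRepairWhitelist subkey holding each product code as an empty string value, and the product-code format check are assumptions of this example; run it elevated, and use -WhatIf for a dry run.

```powershell
# Added example; not the script from the author's GitHub repository.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the ProductKeys XML shown above is saved under this name
    [string]$ConfigPath = '.\ProductKeys.xml'
)

$installerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
# Assumption: opted-out product codes are string values under this subkey
$whitelistKey = Join-Path $installerKey 'SecureRepairWhitelist'
# Only accept well-formed MSI product codes, braces included
$guidPattern  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$config = New-Object System.Xml.XmlDocument
$config.Load((Resolve-Path $ConfigPath).Path)

# Create missing keys only; New-Item -Force on an existing key would clear it
foreach ($key in $installerKey, $whitelistKey) {
    if (-not (Test-Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }
}

# Step 3 of the procedure: SecureRepairPolicy = 2
if ($PSCmdlet.ShouldProcess($installerKey, 'Set SecureRepairPolicy to 2')) {
    New-ItemProperty -Path $installerKey -Name 'SecureRepairPolicy' `
        -Value 2 -PropertyType DWord -Force | Out-Null
}

# Step 4: one entry per <Product>, rejecting anything that is not a product code
foreach ($product in $config.ProductKeys.Product) {
    $code = "$($product.ProductGUID)".Trim()
    if ($code -notmatch $guidPattern) {
        Write-Warning "Skipping '$($product.ProductName)': '$code' is not a product code"
        continue
    }
    if ($PSCmdlet.ShouldProcess($code, "Opt out $($product.ProductName)")) {
        New-ItemProperty -Path $whitelistKey -Name $code -Value '' `
            -PropertyType String -Force | Out-Null
    }
}

# List every product currently opted out, so the exemptions can be reviewed
if (Test-Path $whitelistKey) {
    (Get-Item -Path $whitelistKey).GetValueNames() | Sort-Object
}
```

The final listing doubles as an audit step: any product code in the output that is not in the configuration file was added by some other means.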

Summary

I have yet to sufficiently test out this code.

In fact, it has only been minimally tested on two machines running MS Windows 2003.

We fixed our problem using the option described earlier.

In retrospect, the approach Microsoft offered as a workaround is likely a better option, as it balances MSFT’s offering of a stronger system with the needs of individual vendors and applications.

 

Addendum

2015-Sept-26

  1. Added some bug fixes
  2. Last Google Chrome update gave us an actual opportunity to see bug recurrence and thus actually test code
  3. Removed code from posting and posted to GitHub
