Workaround for Deploying Badly Authored MSI Installs

Novell Cool Solutions: Trench
By Glenn Alward


Updated: 8 Mar 2005

There's a problem being discussed here in the Novell Support Forums.

Badly authored MSI installs fail with error 1603 on a locked-down workstation/user (the user is only a member of the 'Users' group). (See also this discussion.)

SOLUTION: Trigger the install with msiexec from the pre-distribution script and add a failure check (NAL doesn't check the errorlevel); these badly authored MSIs can then still be deployed to locked-down users. Turning on desktop interaction for nalntsrv gives visual feedback through the progress bar.


%SOURCE_PATH%=UNC-DNS path to sourcedir
cmdow.exe=freeware tool for hiding cmd boxes
Made NALNTSERVICE interact with desktop for MSI progressbar
System TEMP=User TEMP
cmd.exe for the script engine
%TREE%=Predefined System Environment var

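@cmdow @ /hid
REM Run the install from the distribution script; /qb! shows a basic progress bar without a Cancel button.
REM NAL ignores the errorlevel, so a marker file is written when msiexec fails.
%Systemroot%\system32\msiexec.exe /i %SOURCE_PATH%\.MSI /qb!
IF NOT %ERRORLEVEL%==0 echo Error! >"%TEMP%\%*;DN%"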

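@cmdow @ /hid
REM If the failure marker exists, delete the application's Distribute registry key, then remove the marker.
IF Exist "%TEMP%\%*;DN%" Reg.exe delete HKLM\Software\Netware\NAL\1.0\Distribute\%TREE%\%*;App:GUID% /f
del /f /q "%TEMP%\%*;DN%"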

Note: I had to make a split, because the reg entry for the app is made after the distribution (script).
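
A variant of the pre-distribution script above, added here as an example and not part of the original article: it treats msiexec's reboot-related exit codes as success and writes a verbose log so the action behind a 1603 can be found. The file name package.msi, the log file name and the use of goto labels in a NAL script are assumptions; the macros are the ones the article uses.

```batch
@cmdow @ /hid
rem Added example, not the article's script. NAL expands its own macros
rem (SOURCE_PATH, DN) before cmd.exe runs these lines.
rem Assumptions: package.msi and the log file name are placeholders.
set "MARKER=%TEMP%\%*;DN%"
set "MSILOG=%TEMP%\package-install.log"

rem Clear a marker left behind by an earlier failed attempt.
if exist "%MARKER%" del /f /q "%MARKER%"

rem /l*v writes a verbose log; the failing action of a 1603 is recorded there.
"%Systemroot%\system32\msiexec.exe" /i "%SOURCE_PATH%\package.msi" /qb! /l*v "%MSILOG%"
rem Capture the exit code immediately, before any other command can change it.
set "RC=%ERRORLEVEL%"

rem 0    = success
rem 3010 = success, reboot required
rem 1641 = success, reboot initiated
if "%RC%"=="0" goto done
if "%RC%"=="3010" goto done
if "%RC%"=="1641" goto done

rem Any other code (1603 included) is a failure: record it for the second script.
>"%MARKER%" echo msiexec exit code %RC%

:done
```

The second script from the article works unchanged with this marker, since it only tests whether the file exists.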

Additional Explanation

You must use UNC paths for SOURCE_PATH, because distribution scripts run in the system\workstation context and therefore do not have access to the user's drive mappings. This also means that the workstations must have RF rights on the snapshot directories.

You can use another location for the 'link' dir, which in the example is %TEMP%, as long as the dir is the same for the user and system contexts and both have change rights there. One option is C:\NALCache; with this option you don't have to sync the temp dirs.

If you have any questions you may contact Peter at p_t_r@hotmail.com
