May 29 2020 09:54 AM - edited Jun 03 2020 10:14 AM
Sometimes older applications access the registry in ways that originally worked OK, but do not work under MSIX, and source code modification is not possible.
This is a proposal for adding a remediation for the failure by using a new Package Support Framework fixup that intercepts certain registry calls and modifies the call parameters to allow the application to function.
I am proposing to write and contribute this new fixup to the PSF myself, as outlined in this posting. Feedback is requested.
The name of fixup element is "RegLegacyFixups". An example of the relevant config.json file processes section for the fixup is shown here:
...
"fixups": [
{
"dll": "RegLegacyFixups.dll",
"config": [
{
"type": "ModifyKeyAccess",
"remediation": [
{
"hive": "HKCU",
"patterns: [
"^Software\\\\Vendor.*"
],
"access":"Full2RW"
} ,
{
"hive": "HKLM",
"patterns: [
"^SOFTWARE\\\\Vendor.*"
],
"access":"RW2R"
}
]
}
]
}
]
...
dll |
The value of "dll" is the name of the dll. As per other fixups, it is permissible to reference the name excluding the bitness. Thus, nominally you may enter the value " RegLegacyFixup.dll" which will cause the PsfRuntime to attempt to inject either "RegLegacyFixups32.dll" or "RegLegacyFixups64.dll" as appropriate. |
config |
Array of remediations |
type |
Remediation type. The values supported are expected to expand over time, but at present only the value "ModifyKeyAccess" is supported. At this time there is no support for a ModifyValueAccess remediation type, although it is under consideration. Remediation types to cause redirection are NOT under consideration as the PSF might not be able to perform such requests. |
ModifyKeyAccess |
Name of the remediation type. |
remediation |
Array of remediation controls. The syntax of a control is dependent on the type of remediation. |
For the ModifyKeyAccess type remediation, the control elements of the json are defined as:
hive |
The value is either the string "HKLM" or "HKCU", representing HKEY_LOCALMACHINE or HKEY_CURRENTUSER. Control over other registry hives (such as the Application hive) or mappings (such as HKCR) are not available at this time. |
patterns |
An array of regex string patterns. The name of the registry key request relative to the hive name is matched against these patterns. |
access |
Identifies the type of control request (samdesired) to be modified and how it is to be modified. Currently supported values for this field include: Full2RW - Modify any request for FULL_ACCESS to READ_WRITE Full2R - Modify any request for FULL_ACCESS to READ RW2R - Modify any request for READ_WRITE to READ |
Name: instead
Version: 1.5.15.26 (latest available).
Source: free download from www.instedit.com
About: MSI Editing tool used by IT Pros to fix simple MSI installer issues.
Issue:
The app opens it's registry keys located under HKCU by opening the key requesting "FULL_ACCESS" (aka "STANDARD_RIGHTS_ALL"), although it only requires "READ_WRITE". This can happen because developers sometimes copy/paste the sample code written in Microsoft documentation without fully thinking about what they really need.
The app functions correctly when installed natively on the latest Windows 10 builds when using the MSI installer. This is because there is no issue in giving the app full access to the vendor HKCU based key, and even if it deleted the key or sub-elements it would only harm this app.
Under MSIX on certain operating systems (1903 and below), these permissions upon opening a key that is part of the package is not supported, even when under HKCU. So currently the MSIX runtime responds to this request with ACCESS_DENIED which breaks the app as the developer never experienced that call failing and does not handle the failure.
Remediation:
With the PSF RegistryLegacyFixups added to the package and configured for a ModifyKeyAccess remediation of type Full2RW, this call to open the key with FULL_ACCESS will be modified to only request READ_WRITE, so the call will succeed. As long as the app never attempts deletion, any read or write operations using this key should work. Should the app actually try to delete a registry item/key that is part of the package, that call would then fail.
Not Included:
At this time, the fixup only addresses modification to the samRequested parameter of certain Registry Key operations. It does not impact registry item requests, nor does it address any redirection. These might be supported in the future as a different Remediation type.
Jun 17 2020 05:52 PM
@TIMOTHY MANGAN This functionality was included in Pull Request #145. It has now been accepted into the Develop branch. A few small changes in syntax and access types, you can check the readme.md on GitHub for final syntax.