MsiLockPermissionsEx Table

The MsiLockPermissionsEx Table can be used to secure services, files, registry keys, and created folders.

A package should not contain both the MsiLockPermissionsEx Table and the LockPermissions Table.

Windows Installer 4.5 or earlier:  Not supported. This table is recommended for packages intended for installation with Windows Installer 5.0 or later.

The MsiLockPermissionsEx Table has the following columns.

ColumnTypeKeyNullable
MsiLockPermissionsEx Text YN
LockObject Identifier NN
Table Text NN
SDDLText FormattedSDDLText NN
Condition Condition NY

 

Columns

MsiLockPermissionsEx

This is the primary key of this table.

LockObject

This column and the Table column together specify the file, directory, registry key, or service that is to be secured. The LockObject column is a foreign key that points to the primary key of the table specified by the Table column.

Table

This column and the LockObject column specify the file, directory, registry key, or service that is to be secured. In the Table column, enter File, Registry, CreateFolder, or ServiceInstall to specify a LockObject listed in the File Table, Registry Table, CreateFolder Table, or ServiceInstall Table.

SDDLText

Enter the SDDL string to indicate permissions to apply to selected object. The SDDL must be provided in Security Descriptor String Format.

Condition

This column contains a conditional expression used to determine whether to apply the specified permission. If the condition evaluates to FALSE, the permission is not applied. If the condition evaluates to TRUE, the permission is applied.

Remarks

See Securing Resources for more information about securing services, files, registry keys, and created folders.

Use the MsiLockPermissionsEx Table to secure objects for a user account that is being created during the installation. The user account must already exist when the installation secures the object. Create the user account before installing the file, registry key, folder or service being secured.

If a LockObject and Table pair in this table has more than one conditional expression that evaluates to true, the installation fails and Windows Installer returns an error message 1942.

If the FormattedSDDLText string in the SDDLText field cannot be resolved into a valid SDDL string, the installation fails and Windows Installer returns an error message 1943.

If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a file or folder, the installation fails and Windows Installer returns an error message 1926.

If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a registry key, the installation fails and Windows Installer returns an error message 1401.

If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a service, the installation fails and Windows Installer returns an error message 1944.

Validation

ICE104
ICE03
ICE06

 

 

Community Additions

ADD
Show:
© 2014 Microsoft