Home / server / Questions / 708866
In Process
alx9r
Asked: 2015-07-28 11:16:05 +0800 CST

Does AppEnforce.log really log the context used for installation incorrectly?

  • 772

I have a deployment type with the following attributes:

Technology: MSI
Installation behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program visibility: Hidden

When msiexec is run by the the client, the following entry is shown in AppEnforce.log:

Executing Command line: "C:\WINDOWS\system32\msiexec.exe" /i "AppleApplicationSupport.msi" /qn with user context

This is strange since I've selected "Install for system".

Googling reveals some speculation that the logging is incorrect:

for what it's worth, ive noticed that the appenforce.log seems to always say its in the user context, even when it isnt.

I found some other similar comments, but did not find any definitive reference. This leaves me with the following questions:

Does AppEnforce.log really log the context as user even when it is executed as the system?

logging

1 Answers

  1. TL;DR: AppEnforce.log indeed logs the context incorrectly (at least for "Script Installer" technology).

    The Test

    I created a deployment type with the following attributes:

    Technology: Script Installer
Installation behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program visibility: Hidden
Installation program: powershell .\Install-Application.ps1

    Install-Application.ps1 creates a log file called script-install-test-YYYY-MM-DD__HH-MM-SS.log. That script is at the end of this post.

    I then deployed that deployment type and watched AppEnforce.log and script-install-test-X.log.

    Results

    I found the following entry in AppEnforce.log:

    Executing Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" .\Install-Application.ps1 with user context

    Within seconds after that, the script-install-test-X.log was written to folder script-install-test-SYSTEM. The SYSTEM suffix indicates that the script was run as SYSTEM.

    Conclusion

    For "script installer" technology, the context written to AppEnforce.log messages of the style

    Executing Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" .\Install-Application.ps1 with user context

    may incorrectly be written as "user context" even when the command line is executed as system context.

    What about MSI Installer Technology?

    I did not perform the test for MSI Installer Technology. However, given that the context is sometimes wrong for Script Installer Technology, the context written to AppEnforce.log should probably be regarded as unreliable for all deployment types regardless of technology.

    Install-Application.ps1

    function Write-EnvToLog
{
    $appName = 'script-install-test'

    $logFolderPath = "c:\$appName-$([System.Environment]::UserName)"

    if ( -not (Test-Path $logFolderPath -PathType Container) )
    {
        New-Item -Path $logFolderPath -ItemType Directory | Out-Null
    }

    if ( -not (Test-Path $logFolderPath -PathType Container ) )
    {
        return
    }

    $logFileName = "$appName`__$((Get-Date).ToString("yyyy-MM-dd__HH-mm-ss")).txt"

    $fp = "$logFolderPath\$logFileName"

    Get-ChildItem Env: | Out-File $fp | Out-Null

    return $true
}

try
{
    if ( Write-EnvToLog ) { "Complete!" }
    [System.Environment]::Exit(0)
}
catch
{
    [System.Environment]::Exit(1000)
}
    • 3