The MsiLockPermissionsEx Table can be used to secure services, files, registry keys, and created folders.
A package should not contain both the MsiLockPermissionsEx Table and the LockPermissions Table.
Windows Installer 4.5 or earlier: Not supported. This table is recommended for packages intended for installation with Windows Installer 5.0 or later.
The MsiLockPermissionsEx Table has the following columns.
Column | Type | Key | Nullable |
---|---|---|---|
MsiLockPermissionsEx | Text | Y | N |
LockObject | Identifier | N | N |
Table | Text | N | N |
SDDLText | FormattedSDDLText | N | N |
Condition | Condition | N | Y |
Columns
- MsiLockPermissionsEx
This is the primary key of this table.
- LockObject
This column and the Table column together specify the file, directory, registry key, or service that is to be secured. The LockObject column is a foreign key that points to the primary key of the table specified by the Table column.
- Table
This column and the LockObject column specify the file, directory, registry key, or service that is to be secured. In the Table column, enter File, Registry, CreateFolder, or ServiceInstall to specify a LockObject listed in the File Table, Registry Table, CreateFolder Table, or ServiceInstall Table.
- SDDLText
Enter the SDDL string to indicate permissions to apply to selected object. The SDDL must be provided in Security Descriptor String Format.
- Condition
This column contains a conditional expression used to determine whether to apply the specified permission. If the condition evaluates to FALSE, the permission is not applied. If the condition evaluates to TRUE, the permission is applied.
Remarks
See Securing Resources for more information about securing services, files, registry keys, and created folders.
Use the MsiLockPermissionsEx Table to secure objects for a user account that is being created during the installation. The user account must already exist when the installation secures the object. Create the user account before installing the file, registry key, folder or service being secured.
If a LockObject and Table pair in this table has more than one conditional expression that evaluates to true, the installation fails and Windows Installer returns an error message 1942.
If the FormattedSDDLText string in the SDDLText field cannot be resolved into a valid SDDL string, the installation fails and Windows Installer returns an error message 1943.
If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a file or folder, the installation fails and Windows Installer returns an error message 1926.
If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a registry key, the installation fails and Windows Installer returns an error message 1401.
If the user does not have sufficient privileges to set the security descriptor specified by the SDDLText field on a service, the installation fails and Windows Installer returns an error message 1944.
Validation
Build date: 8/13/2009
© 2009 Microsoft Corporation. All rights reserved.