3

I am new to wix but I have to use it for a project. I need to disable the ability of the user to change his password. To do this I want to add/change a registry entry but this does not work:

<DirectoryRef Id="TARGETDIR">
    <Component Id="RegistryEntries" Guid="*">
        <RegistryKey Root="HKCU"
                     Key="Software\Microsoft\Windows\CurrentVersion\Policies\System"> 
            <RegistryValue Type="integer" Name="DisablePW" Value="1" KeyPath="yes"/>
            <RegistryValue Type="string" Value="Default Value"/>
        </RegistryKey>
    </Component>
</DirectoryRef>

Under Policies there is no System key yet so I assumed this would create one.

Stein Åsmul
  • 39,960
  • 25
  • 91
  • 164
sceiler
  • 1,145
  • 2
  • 20
  • 35

2 Answers2

1

You should never write to such a crucial and policy controlled Windows registry key.

My guess is the domain controller will revert these settings via group policy:

...by default, Microsoft Windows refreshes its policy settings every 90 minutes with a random 30 minutes offset

Things certainly could also be reset during a logon script, or some other management feature as well.

This is not a solution - your application needs redesign. Why on earth do you need to disable users ability to change password anyway? It is really bad practice to mess around with settings such as these. Anything under Software\Microsoft\Windows\CurrentVersion\Policies\ should not be messed with at all.

zx485
  • 28,498
  • 28
  • 50
  • 59
Stein Åsmul
  • 39,960
  • 25
  • 91
  • 164
  • Well I would not mind if wix could change the group policy instead. The background is easy: this is going to be an demo application which should run on a test machine which on the other hand will be used by a random amount of people. Therefore I need to restrict everything I can. What would happen if every user could use ctrl+alt+del and use task manager, change pw etc. to get out of the demo app? Yes, essentially my app is a big virus. – sceiler Sep 30 '14 at 22:40
  • It sounds like what you need is a locked-down machine setup. Try [**serverfault.com**](http://www.serverfault.com) for system administrator help. They can probably point you to **default scripts** that you can run to prepare a computer for demo use. There is bound to be more than password change that must be locked. – Stein Åsmul Sep 30 '14 at 22:45
  • Thank you for the advice. Unfortunately, this is not going to work because I myself am restricted to do it this way. Disregarding if I should or should not mess with registry of group policies; can you point me to my mistake with wix and adding/changing a value in registry? – sceiler Sep 30 '14 at 22:51
  • Apart from the issue of changing system policy behind the owner's back, the practical problem is that if this change gets noticed and changed by an admin your install is then broken, it will prompt for the install source and try to repair it back to your setting. At that point any reasonable admin is going to consider your product a virus or security breach more than an app. If the app needs changes to run, document them and tell users what to do. – PhilDW Oct 01 '14 at 15:19
  • Yes, not to mention what happens on uninstall: the whole value will be deleted if the component isn't set permanent or set to have a blank guid. – Stein Åsmul Oct 01 '14 at 15:39
  • I appreciate your input but there are enough legitimate reasons for these changes "behind users back". Just think of demo pc on display in stores. – sceiler Oct 04 '14 at 21:07
  • On my test pcs windows has never reverted this settings or reseted it back. In addition after uninstalling it through control panel everything is back to original. :) – sceiler Oct 04 '14 at 21:13
  • MSI is not the tool for this, you are better off using almost anything else - a VBScript, or other script (including logon script) or even a *.reg file to set the values. See [**this serverfault.com answer**](http://serverfault.com/questions/259585/msi-package-for-reg-deployment/276516#276516) for a long list of reasons why. And the values will not be reset unless group policy is enabled. We are just telling you what is unwise about your choices, if any variables change in your computer setup. You do not have a reliable setup there. – Stein Åsmul Oct 04 '14 at 21:21
  • yeah figured msi does not have this additional functionality I need. I wrote a C# program to rollback all modifications or removals done to the registry. Adding completely new registry entries will be done by Wix as they are deleted upon uninstall. – sceiler Nov 12 '14 at 17:11
0

Never forget to add the component id in between the Feature tags. If not it will not be included in the installer.

<Feature Id="DefaultFeature" Level="1">
         <ComponentRef Id="RegistryEntries"/>
</Feature>

PS.: IMHO and other answers here in SO Wix should only handle adding completely new registry values (which do not exist before installation) because upon uninstall they will be deleted. If you want to modify or remove registry entries make sure to use custom action (script, program, batch, .reg,...) to roll this changes back.

sceiler
  • 1,145
  • 2
  • 20
  • 35
  • **1)** Only set registry keys in **HKLM** that are **read-only** and apply to your whole application (typical examples: **license keys**, selected **installation directory**, shared **server names and port settings**, etc...) *OR* **2)** set the values in HKLM as template values that your application copies to HKCU on launch for each user. Write no values at all to HKCU using MSI. This is the best advice from years of deployment experience. – Stein Åsmul Nov 12 '14 at 18:32