…give us our daily IT every day…

2008-07-10

Silent installation to Windows Mobile 5 and 6: security question

Filed under: Tips, Programming — Sander @ 09:52:00

One of the features of the Windows Mobile (PDA) application that I am developing is a simple one-click update. The user clicks the “Check update” button and everything is done by the application itself after that – it checks for a new version, downloads, installs, and restarts. Simple and straightforward stuff.

Except that I need to do some extra processing before and after the update. Back up the settings, back up files in case update fails for some reason and so on. Not overly complicated.

The installer comes as a Windows Mobile CAB file – and I use Wceload.exe to start the install. As I need the silent install, I used:

Process updater = Process.Start("Wceload", string.Concat("/silent /noui \"", procUpdate, "\""));
updater.WaitForExit(60000);

Keys /silent and /noui should hide the installer process completely from the user (read about Wceload command line parameters here).

And it worked just fine when I tested it. It worked on all Windows CE 2003, Windows Mobile 5 and 6. But then an outside tester had issues with the update on Windows Mobile 6 – it failed with a file missing after the cab installer had finished and was always rolled back. I couldn’t figure out what was wrong, so I asked for the PDA to be brought to me.

I plugged their PDA into my USB port, started VS to debug the installer application – and everything worked without any problems. “Surely this was a one-time glitch,” I was certain.

But another tester had the same issue – and this time I didn’t start the debugger right away – and there! I was able to reproduce the bug! Tried to debug the updater… and everything worked fine again.

So I did a cold reset of the PDA. And tried to run the CAB out of the installer application – and I was greeted with a question:

The program is from an unknown publisher. You should install it only if you trust its publisher. Do you want to continue?

If I answered “Yes”, then install went OK. But “No” gave me:

Installation was unsuccessful. The program cannot be installed because it is not digitally signed with a trusted certificate.

Trusted certificate?! Hmm… I tried creating my own certificate – I certainly trust myself – and signing everything with it – no dice. So I started to Google for information.

And I found out that starting from Windows Mobile 5, there is an additional security requirement for signed executables (“Mobile2Market”). I went to see the prices of “trusted certificates” and they are quite steep. I did not want to buy the certificate for something as small as this. So I looked at the alternatives – the first article mentioned SetSecurity.exe to disable the security question.

I hunted down SetSecurity.exe (as the home page is gone) and tried it. Nice small GUI app which worked as advertised. But it had no command-line options for silent execution nor did I want to bundle an external application with ours.

So, I had to find how SetSecurity.exe works. Thankfully I didn’t have to disassemble it – someone else had done it (last post). And… great MS security was just one registry key:

[HKEY_LOCAL_MACHINE\Security\Policies\Policies] 
"0000101a"=dword:00000000 <- On
"0000101a"=dword:00000001 <- Off 

You don’t even need to reboot the PDA, just set the value to 1 and no more security questions. Here is the C# code (note that it will not work on Compact Framework 1, as it had no registry access. Minimum CF 2.0 needed):

using Microsoft.Win32;

      /// <summary>
      /// Set security question flag in the registry
      /// Security\Policies\Policies
      /// 0000101a
      /// </summary>
      /// <param name="flagValue">
      /// 0 means security question on
      /// 1 means security question off
      /// </param>
      private static void SetSecurityFlag(int flagValue)
      {
          try
          {
              RegistryKey rKey = Registry.LocalMachine.OpenSubKey(@"Security\Policies\Policies", true);

              rKey.SetValue("0000101a", flagValue, RegistryValueKind.DWord);
              rKey.Close();
          }
          catch { /*silent exception, for Windows CE 2003 */ }
      }

Of course my application reads the registry key value before changing it and restores it after the application update has been done.

int securityStatus = (int)rKey.GetValue("0000101a");
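
The read, disable, install and restore sequence described above, combined into one method with a try/finally so the original policy value is written back even when the update fails. This is an added example, not the application's actual code; the class name SilentCabUpdate, the method RunSilentUpdate and its parameters are hypothetical.

```csharp
using System;
using System.Diagnostics;
using Microsoft.Win32;

static class SilentCabUpdate   // hypothetical name, not from the post
{
    // Key and value name as given in the post.
    const string PolicyKey = @"Security\Policies\Policies";
    const string PromptPolicy = "0000101a";

    /// <summary>
    /// Installs a CAB with Wceload while the unsigned-publisher prompt is
    /// switched off, then writes the previous policy value back, even if
    /// starting the installer throws. Returns true when Wceload exited
    /// within timeoutMs; on false the installer may still be running.
    /// </summary>
    public static bool RunSilentUpdate(string cabPath, int timeoutMs)
    {
        RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKey, true);
        // Key or value absent (e.g. Windows CE 2003): nothing to change or restore.
        object previous = (key == null) ? null : key.GetValue(PromptPolicy);
        try
        {
            if (previous != null)
                key.SetValue(PromptPolicy, 1, RegistryValueKind.DWord); // 1 = prompt off

            Process updater = Process.Start("Wceload",
                string.Concat("/silent /noui \"", cabPath, "\""));
            return updater.WaitForExit(timeoutMs);
        }
        finally
        {
            if (key != null)
            {
                // Restore exactly what was there before, so the device is not
                // left with the prompt disabled after a failed update.
                if (previous != null)
                    key.SetValue(PromptPolicy, previous, RegistryValueKind.DWord);
                key.Close();
            }
        }
    }
}
```

Keeping the change inside one method limits the time the prompt is disabled to the duration of the install call.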

But why did everything work with Visual Studio? Because VS silently installs “developer certificates” to the root of the PDA certificate store. And there are no issues when VS is running…

18 comments »

  1. I’ve got a program that handles the installation and uninstallation of other programs, and it does so without any user interaction (i.e. “/silent /noui”). I received a new WM5 device to do some testing on and found that the program was mysteriously failing. After clicking around and seeing the “The program is from an unknown publisher…” message, I came across your site.

    Flipping the registry bit worked like a charm. Thanks!

    Comment by Chris Karcher — 2008-07-31 @ 21:23:14

  2. Do you still have to include “/silent /noui” if you flip the key?

    I use Nokia Intellisync and it’s a bit hit and miss passing arguments to CAB file installs.

    Mark

    Comment by Mark McGookin — 2008-09-11 @ 13:12:35

  3. Yes, you still have to include “/silent /noui”. Flipping the registry key only removes the security question.

    Comment by dukelupus — 2008-09-18 @ 10:27:07

  4. Worthwhile saying that if you don’t also specify /nodelete the cab file will be deleted from the installation source.

    Comment by danie — 2008-09-25 @ 14:09:20

  5. I’m curious if this would work on Windows Mobile 6? Did anyone try to test this approach on WM6?

    Comment by Zhanibek — 2008-10-16 @ 01:27:46

  6. Like the post title says, “Windows Mobile 5 and 6”.

    Comment by dukelupus — 2008-10-16 @ 11:24:12

  7. This works for a dell axim x50 running WM5, but unfortunately doesn’t work for a HP IPaq 214 running WM6. Yet again, Microsoft are forcing software engineers around the world to have to waste their lives trying to fix things broken in subsequent OS revisions.

    Comment by Barry — 2008-10-23 @ 16:06:19

  8. Barry, are you sure? I am using IPaq 214 and it works just fine there.

    Comment by dukelupus — 2008-10-23 @ 17:08:07

  9. Sure – on a factory configured axim x50/wm5, I download my exe, click it, and wm5 prompts me to confirm I want to run an unsigned app. I click yes, and it runs. And all times after that, it runs without the prompt. I recompile my exe, download it and try to run it again, surprise surprise it asks me to confirm. I then set the registry value

    HKLM\Security\Policies\Policies::0000101a=1

    Then recompile my app, download, run – and voila, no more unsigned app complaints.

    Try the same on the ipaq 214/wm6, and the registry setting has no effect. It still prompts me to confirm unsigned apps, the first time I try to run them. This is no good for me because my app downloads exe updates to itself on the fly and needs to be able to spawn the new exe without user intervention. :-(

    Comment by Barry — 2008-10-23 @ 17:45:18

  10. Dukelupus – seems I made a mistake, the ‘security prompt’ policy is the same on WM6 as it is on WM5 – must be my code for updating the registry doesn’t work on WM6. Thanks for pointing that out!

    Comment by Barry — 2008-10-23 @ 18:09:30

  11. Hi,

    Thanks for the info. But, in order to switch this registry key to turn off the security question you would need to install the above code in your app. But won’t this security question pop up at least once before the code/installer has a chance to disable the message via the registry?

    confused?

    Thank…

    Comment by andy — 2008-11-20 @ 10:26:19

  12. Yes, it will – but I do think that is for the best, so at least the first time there is a way for users to decide whether or not they want to install the application. After that, when the app is doing automatic updates, it is disabled – and updates work seamlessly.

    Comment by dukelupus — 2008-11-20 @ 12:35:29

  13. hi, thanks for getting back to me…

    Comment by andy — 2008-11-21 @ 15:57:08

  14. thanks man, you saved my life! …
    … well, maybe not my life but sure some
    days of troubles!

    Comment by chris — 2008-11-28 @ 12:30:46

  15. I’ve made a dll and exe file to install unsigned cab files on the default directory in silent mode, you can also disable the security question to install unsigned cabs and execute exe files.

    You can download the demo version on http://cssoft.freehosting.net/website2/default.html.

    Comment by Carlos — 2009-01-09 @ 19:18:27

  16. I found the setsecurity program on the web, but when I place it in my windows ce system, it says “Can’t find setsecurity (or one of its components) Make sure the path and filename are correct and that all the required libraries are available.” Can anyone help me on this???

    Comment by Mike — 2009-10-08 @ 04:57:35

  17. what about .cab.pks files?

    Comment by gradin — 2011-05-07 @ 02:40:44

    • No idea, as I’ve never used them – but I suspect they work the same as the regular cabs.

      Comment by Sander — 2011-05-10 @ 19:05:38

