-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"The Windows Installer Service could not be accessed." #1
Comments
From 1809 to 1903 MSFT changed something around the "msiServer" service. You can use a tool like TaskExplorer with enabled ETW Monitoring and use the "hold" option (snow flake icon on toolbar) to view all processes running as well as started and terminated. Anyhow, the fact that Start.exe does not even try to start "C:\Windows\system32\msiexec.exe /V", tells me that most likely a trigger for the service to be started has changed, or is missing entirely, and we need to find an other one. The way it seams to be supposed to work is that the SbieSvc.exe, from RunHandler2, invokes: What fails is the trigger for the first command. If I run the first command with the right pid and dosdevice it triggers the second one and causes the service to start briefly. Unfortunately not long enough to be usefull... A good point to start looking is Sandboxie\core\dll\scm.c as it's responsible for services and contains stuff related to MSIServer. EDIT: |
Fixed on build 5.40.1 |
Wow! You are amazingly good at this. I am so lost right now reading everything you've done. If I may ask, where did you find the leaked signing certificate? I am interested in playing with compiling Sandboxie from source and would like to sign it as you have. I'm also going to take a look through your changes to see if I can get a sense for how this project works. |
I don't think its great if it spreads too much, MSFT may at some point decide to do something against it. But its easy enough to find it was part of a very data leak that was quite prominent in the media. |
Yeah, that's fair. I am sure I can find it with a little hunting. I can understand your position.
Unfortunately, this hint encompasses many data leaks. 😂 |
I have found the signing certificate, but I am having issues with using it. Would you be willing to share instructions for making use of it? When I try to install a driver signed with it, I get the following error using
|
Try changing the system clock to something 2011 |
Okay I will. Why is this necessary though? Why can the Sandboxie installer work without without doing this? Also, does the installer add any certificates to the trust store? It seems that unless I add the code signing certificate as a root certificate authority, it does not work. |
No, I meant have the date changed while signing the file and may be drop /t http://timestamp.verisign.com/scripts/timestamp.dll from the command line of the sign tool. When the file is signed the right way it loads on any windows 10 I tried it on without any issues or additional tricks needed. |
And I'm not using pnputil, sandboxie has some own tool to install the driver and in my other projects the driver installation is also "manual" i.e. the tools are creating a service entry pointing to the sys file. Possibly pnputil has some additional checks which are not present in the windows kernel itself. |
I'm not using the timestamp command either. I'm using this.
|
don't sign the *.cat file, sign the SbieDrv.sys file directly |
Understood. Thank you. |
Hi, thanks for the fix. Unfortunately it does not seem to work when the installer tries to launch a second instance of msiec service. |
Well, this problem of launching a second instance of the msiexec service is also present in 1809, so it may be another different issue. |
Our asian friends, as always? 😂 |
@deflock Here's the MD5 of my pfx |
@DavidBerdik hmm, interesting... Mine starts with |
@deflock Well there are several leaked keys floating around on the internet. So we may all be using different ones, but it should not matter. |
The not starting a second instance issue is indeed a separate problem from it not starting at all, and it seams much more difficult to fix unfortunately. PS: mine is also the 95a91373d774f17f6eedf0850e365c87 one |
Its a pitty that github does not have any sort of private messaging to talk about these things. |
@deflock |
To expand on the second MSI issue a bit: This mechanism uses inter process communication to communicate an that is where it all fails. |
@DavidXanatos I dont have compile/sign setup yet. Not sure I've done it right, but my results: HT + MS cross-certificate file: https://www.virustotal.com/gui/file/ba6083f83f0ae34b2fd961b33e98870f20788b85b6e33baa14b783f27519e60e/detection MYCERT + MS cross-certificate file: https://www.virustotal.com/gui/file/027b9f2619f8d58f131eb940944a1508b26c14ab826fcfdd72cc6538c246dba8/detection |
your cert seams to work much better substantially less positives. |
|
ah the one with the md5 starting with ce27078.... so your last test was with the asian + the MS cert form the HT leak? does the asian has a thumbprint starting with 31e5380e1.... |
Yes
No, wrote it above already Just google for two words: this repo name and pfx, each in own quotes. UPD. When I found and downloaded asian archive Windows removed it as a threat. Then I downloaded it in linux and extracted the cert only 😁 |
found it 😁 but when I try to use the MS cert I get "Signtool Error: The provided cross certificate would not be present in the certificate chain." |
I've used linux's sign tool. Even more it seems it doesn't require to set date to 2011. |
HaHa!!! is there a windows port of it? |
Not sure it's linux only. Here it is: https://sourceforge.net/projects/osslsigncode/ |
thanks, it says it uses openssl and its opensource so imho with some effort it should compile on windows to... |
PS: ah great there is even a guide: https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md will try that tomorrow, having to change my clock each time is really annoying.... |
The source from which I got the certificate that I am using has a copy of the ce27078.... certificate with it. I did not think you could sign directly with it though. Is it possible to do so then?
What command are you using? I was having this same issue previously. Unfortunately, I do not have any recollection of how I solved it. I will try to go through my browsing history and hard drive to see if I can find how I did it.
Have you had a chance to try this? I currently do all my signing (not just for Sandboxie), using a dedicated VM. I do not like this "using a sledgehammer to crack a nut" approach. I would really like to use something more lightweight. |
Thanks for the info @DavidXanatos |
@fakuivan Are you using an old version of Sandboxie? I haven't had this issue in any releases for well over a year now, and that includes installing Acrobat DC inside Sandboxie. |
@DavidBerdik I'm using Sandboxie Classic v5.53.3 on a Windows Sandbox VM. |
You might want to file a new bug report, then. This one has been marked as resolved for quite a while, so it's unlikely that you will get any attention here. |
It appears that the "Windows Installer Service could not be accessed" error is still present in this release.
The good news is that now, we can fix it ourselves! That is, we can fix it ourselves if we understand the code. I've been reading through the code trying to get a sense of how it works, but have admittedly made little to no progress. Do you have any idea how to fix this? Or at least some pointers as to where I should be looking?
Reproducing the issue is very simple: try to run an MSI installer inside a sandbox, and you will get this error.
The text was updated successfully, but these errors were encountered: