Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-4042

Puppet Agent upgrade on Windows fails if there are HKLM permission issues

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Packaging, Windows
    • Labels:
    • Template:
    • Team:
      Night's Watch
    • Sprint:
      NW - 2021-10-06, NW - 2021-10-20
    • Method Found:
      Needs Assessment
    • Zendesk Ticket IDs:
      45403
    • Zendesk Ticket Count:
      1
    • QA Risk Assessment:
      Needs Assessment

      Description

      The puppet agent msi installer updates registry keys as per PA-3263. It searches for registry items and updates the value if it matches the nssm.exe. There is a scenario where this fails and causes the installation to fail. If the Admin user does not have permission to read one of these keys that are unrelated to puppet, the script will fail and the user will be unable to install the puppet agent.

      https://github.com/puppetlabs/puppet-agent/blob/6.24.0/resources/windows/wix/customactions.wxs.erb#L254

      The error we see is in the `Get-ChildItem` for several keys where there are special permissions limiting the access.

      Action start 10:39:22: RemoveLegacyNssmRegistryKey.
      MSI (s) (3C!60) [10:39:22:904]: PROPERTY CHANGE: Deleting WixQuietExec64CmdLine property. Its current value is '"[%WINDIR]\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -InputFormat None -NoProfile -ExecutionPolicy Bypass -Command "if (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components') { Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components' -Recurse | foreach { foreach ($prop in $_.Property) { if($_.GetValue($prop) -like '*service\nssm.exe*') { Remove-ItemProperty -Path $_.PSPath -Name $prop -ErrorAction Stop } } }; Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components' -Recurse | foreach { foreach ($prop in $_.Property) { if($_.GetValue($prop) -like '*puppet\bin\nssm.exe*') { Remove-ItemProperty -Path $_.PSPath -Name $prop -ErrorAction Stop } } } }"'.
      WixQuietExec64:  Entering WixQuietExec64 in C:\windows\Installer\MSIF890.tmp, version 3.10.2516.0
      WixQuietExec64:  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -InputFormat None -NoProfile -ExecutionPolicy Bypass -Command "if (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components') { Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components' -Recurse | foreach { foreach ($prop in $_.Property) { if($_.GetValue($prop) -like '*service\nssm.exe*') { Remove-ItemProperty -Path $_.PSPath -Name $prop -ErrorAction Stop } } }; Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components' -Recurse | foreach { foreach ($prop in $_.Property) { if($_.GetValue($prop) -like '*puppet\bin\nssm.exe*') { Remove-ItemProperty -Path $_.PSPath -Name $prop -ErrorAction Stop } } } }"
      WixQuietExec64:  Get-ChildItem : Requested registry access is not allowed.
      WixQuietExec64:  At line:1 char:113
      WixQuietExec64:  + ... ponents') { Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVe ...
      WixQuietExec64:  +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      WixQuietExec64:      + CategoryInfo          : PermissionDenied: (HKEY_LOCAL_MACH...ADA9BE7FB000B78:String) , SecurityEx 
      WixQuietExec64:     ception
      WixQuietExec64:      + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetChildItemCommand
      

      Please provide a process to skip this action, or allow for errors in it.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              claire.cadman Claire Cadman
              Reporter:
              jarret.lavallee Jarret Lavallee
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support