Elevate MSI files on the network share

Issue

A wizard-generated UNC or Network Share Path Elevation Policy elevates .exe files but not .msi files.

When launching an .msi file, the following command line is executed:

C:\Windows\System32\msiexec.exe /i "\\[path-to-network-share]\[file]"

As a result, the application is not elevated: the process that actually runs is msiexec.exe, which is not located in the elevated network share directory.

Solutions

Solution 1

To enable elevation for .msi files on the network share, create a command line filter and add it to the Elevation Policy.

  1. In the Arellia Security Manager, click the Policies tab.
  2. In the file library in the left pane, navigate to Policies > Arellia Solutions > Application Control > Filters
  3. Right-click the My Filters folder and click New > Dynamic Filter > Commandline Filter.
  4. In the Create Item dialog box, create a Name and Description for the new command line filter.
  5. In the right pane under Settings, from the Match Type menu choose Partial.
  6. In the Command line field, enter the network share path that needs to be elevated (such as "\\server\approved_software").
  7. Click Save.
  8. Navigate to the Elevation Policy and add the command line filter you just created to "Applications to Control." (For instructions on how to create an elevation policy and add a filter, go to Create a New Elevation Policy.)

Now MSI files in the network share will be elevated.

Solution 2

Alternatively, you can create an application control policy that targets "msiexec.exe" and uses a Secondary file filter as an Include only. To create the secondary filter:

  1. In the Arellia Security Manager, click the Policies tab.
  2. In the file library in the left pane, navigate to Policies > Arellia Solutions > Application Control > Filters > File Filters
  3. Right-click the File Specifications folder and click New > File Specification Filter.
  4. In the Create Item dialog box, create a Name and Description for the new file specification filter.
  5. In the right pane under File Specifications and next to File names, enter *.msi.
  6. Next to Path, enter the approved UNC path.
  7. Next to Attributes, select the check box for Include subdirectories.
  8. Navigate to Policies > Arellia Solutions > Application Control > Filters > Dynamic Filters.
  9. Right-click the Secondary File folder and click New > Secondary File Filter.
  10. In the Create Item dialog box, create a Name and Description for the new secondary file filter.
  11. Set the Filters to the new file specification filter created in step 3.
  12. Navigate to the Elevation Policy and add the secondary file filter you just created to "Applications to Control." (For instructions on how to create an elevation policy and add a filter, go to Create a New Elevation Policy.)

  13. Under Conditions (optional) next to Include only, choose the built-in Microsoft Installer File Filter.

Now MSI files in the network share will be elevated.
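
The following Python sketch is an added example, not part of the original article or of the product. It models the wizard-generated path policy, the Solution 1 command line filter and the Solution 2 secondary file filter as simple matching rules and evaluates them against constructed process launches. The matching semantics (case-insensitive paths, plain substring for Partial) and all function names are assumptions made for illustration.

```python
import fnmatch
import ntpath
import shlex

SHARE = r"\\server\approved_software"  # sample share path from Solution 1, step 6
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
NOTEPAD = r"C:\Windows\notepad.exe"

def norm(path):
    """Case-fold and normalise a Windows path (assumed case-insensitive match)."""
    return ntpath.normcase(ntpath.normpath(path.strip('"')))

def under(path, root):
    """True if path is root or below it (models 'Include subdirectories')."""
    return norm(path) == norm(root) or norm(path).startswith(norm(root) + "\\")

def path_policy(exe, cmdline):
    """Wizard-generated policy: the launched executable itself is on the share."""
    return under(exe, SHARE)

def commandline_filter(exe, cmdline):
    """Solution 1: Partial match, share path appears anywhere in the command line."""
    return norm(SHARE) in ntpath.normcase(cmdline)

def msi_argument(cmdline):
    """Return the package that follows msiexec's /i switch, or None."""
    args = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslashes
    for flag, value in zip(args, args[1:]):
        if flag.lower() in ("/i", "-i"):
            return value.strip('"')
    return None

def secondary_file_policy(exe, cmdline):
    """Solution 2: msiexec.exe whose secondary file is *.msi under the share."""
    pkg = msi_argument(cmdline)
    return (ntpath.basename(norm(exe)) == "msiexec.exe" and bool(pkg)
            and fnmatch.fnmatch(norm(pkg), "*.msi") and under(pkg, SHARE))

# Constructed sample launches: name -> (executable path, full command line).
LAUNCHES = {
    "exe on share": (SHARE + r"\setup.exe", '"' + SHARE + r'\setup.exe"'),
    "msi on share": (MSIEXEC, MSIEXEC + ' /i "' + SHARE + r'\tools\setup.msi"'),
    "msi elsewhere": (MSIEXEC, MSIEXEC + r' /i "C:\Users\Public\setup.msi"'),
    "text file on share": (NOTEPAD, NOTEPAD + ' "' + SHARE + r'\readme.txt"'),
}

def evaluate():
    """Map each launch to (path_policy, commandline_filter, secondary_file_policy)."""
    rules = (path_policy, commandline_filter, secondary_file_policy)
    return {n: tuple(r(*l) for r in rules) for n, l in LAUNCHES.items()}
```

In this model the Solution 1 filter also matches launches other than msiexec.exe whose command line contains the share path, while the Solution 2 rule is limited to msiexec.exe installing an .msi under the approved path.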
