Saturday, December 18, 2004

Active Setup Registry Keys and their Purpose

I’ve been very busy lately, and I’m sorry about the blog being so quiet. I haven’t gotten around to completing the Custom Action DLL tutorial, but I’m pretty close. I need to find a server that would let me store some zip files. Any ideas?


Back in September, Aaron Stebner blogged about detecting what .NET 1.0 Service Pack is installed. One of the keys he mentions checking has the word "Active Setup" in it. Just what is that key for?


The Active Setup key in Local Machine is read when a user logs in to the system. Keys in the Local Machine registry hive are compared against keys in the Current User hive. If a key that exists in Local Machine does not exist in the Current User hive, the program the key points to is run. Effectively, this is one way to customize (or completely remove) an installation on a per-user basis, assuring that a program is executed exactly once per user.


There are several installations that use this key. Microsoft Net Meeting and Internet Explorer are a few examples. Lets say you update Internet Explorer to a new version – like IE 5 to IE 6 – and you have two active user profiles. When the computer is restarted and the user logs in, you see a dialog that shows IE is being configured. When the other user logs in, they see the same dialog. This is Active Setup at work! Net Meeting uses this mechanism to cleanup user profiles after Net Meeting is uninstalled. Sadly, virus and spyware packages also use this mechanism (changing the Local Machine key after each reboot), forcing the vigilant advanced user to check yet another key for items that run at startup. This is yet another reason to run as a restricted user!


The limitations of this mechanism are simple: The program that is run from Active Setup runs in the current user space. Therefore, to be completely safe, any Active Setup program should require read/write access of the most restricted user type – only modifying files and registry keys owned by an individual user. Additionally, this is run BEFORE the shell and other run keys.


There is no "official" documentation on these keys or this behavior, so the normal caveats apply to using this mechanism – it may not be present in newer versions of the OS or Service Packs.


Here is some detailed descriptions of the keys and their contents. A registry key called "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components" has a bunch of subkeys under it that are GUIDs. Values contained under the GUID key that we are talking about are "Version" (string), and "StubPath" (Expand String).


Every time a user logs in, the contents of this key is compared against the SAME key in HKCU. If the HKCU key does not exist and/or the "version" value is less than that in HLKM, the appropriate "StubPath" command is run and the key copied to HKCU so it is not run again.


To see how this works for yourself, you can create a key in HKLM…Installed Components and call it "test". Then, add to it a String Value "StubPath" and set it to "notepad". Reboot. See that when you log in, notepad starts. Log in as a different user. See that notepad starts. Log in again with the first ID – notice notepad does not start – as now the "test" key has been copied into the HKCU branch after it ran the first time. Note that version is not necessary.


Since I am not sure what the other values of these keys mean and/or do, I’m going to end the discussion here. If anyone has more information on these keys, please add it to the comments for this post!

9 comments:

Anonymous said...

...the version string must be comma delimited:

1,0,0,0

looeee

Geoffrey said...

I can store those files for ya on one of my servers boneman. Drop me a line if you still need it :)

G-Man

Anonymous said...

Does active setup run before the RUN key is executed?

Anonymous said...

That's the best explanation about "Active Setup" I found... So thanks for that and if someone knows even more please post the source.

Anoop Cherian said...

Thanks for the blog. Your explanation is very good. I have a two queries.
1) How are uninstalls handled with active setup?
2) When I install the same component again after an uninstall, how is it handled in active setup?

Azadi said...

Here is the explanation for few keys of "Active Setup"
1. Version Key: Version key value plays a vital role. It is used to Install a new version of component to the user on first login. For example if u have "app1.0.exe" in active setup and want to upgrade it to "app2.0.exe" and want that every user have it, you have to modify the HKLM "Active setup's version" key to value 2. On first login of a user, OS check the HKCU with HKLM and as HKCU has lower version than HKLM it execute the "app2.0.exe" and modify the HKCU "Active Setup" keys.

2. Isinstalled key : Application specified by "StubPath" is run every time on login if the "Isinstalled" key value is set to 0, else it is not run.

3. Locale key: It is used to specify the language locale of the application.

4. ComponentId key : It is used to specify the Id(name) of the application.

Anonymous said...

For Version, I figured that if you used point "." (ex: "3.5.8"), it does not work.

You should use comma instead ",".

Anonymous said...

Thank you for the "IsInstalled" explanation.

Rohini Chandra said...

Hi Steven,

Thank you for the post.

I need help regarding a dialog that pops up after uninstalling NetMeeting. As I read and understand, the dialog is due to the following value in "StubPath" value -- "rundll32.exe advpack.dll,LaunchINFSection %17%\msnetmtg.inf,NetMtg.Remove.PerUser.NT"

I tried to change the command to the below to silently answer the dialog but it hasn't worked.

"rundll32.exe advpack.dll,LaunchINFSection %17%\msnetmtg.inf,NetMtg.Remove.PerUser.NT,,1" -- 1 for "Quiet and No UI" mode.

I am able to avoid the dialog by deleting "StubPath" but I would rather like to answer the dialog with "Yes" silently.

Could you please suggest a way to answer the dialog silently.

Thanks in advance
Rohini Chandra