Jump to content

This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.

Did Microsoft break per-user minor upgrades with their recent kb291861

3 replies to this topic


  • Full Members
  • 43 posts

Posted 19 August 2014 - 17:38

After applying Microsoft’s latest fix for the windows installer (kb2918614/MS14-049), we started noticing that our minor upgrades for the per-user installation started prompting for the UAC to be completed. No UAC is prompted if we do a fresh install but if we do a minor upgrade using a new full msi with REINSTALL=ALL REINSTALLMODE=vomus, the upgrade hangs in the middle requiring UAC. This was not the case before we applied the windows update fix where both fresh and upgrade scenarios worked fine with no UAC.


Their fix is documented in the following links and they mentioned that the vulnerability they fixed is caused when the Windows Installer service improperly handles the repair of a previously installed application





Here are log entries before accepting the UAC request:


SOURCEDIR product ==> {F6B5B61D-8883-4494-A0A0-A437F173AA6A}

Determining source type

Source type from package 'application.msi': 8

SECREPAIR: Hash Database: C:\windows\Installer\SourceHash{F6B5B61D-8883-4494-A0A0-A437F173AA6A}

SECREPAIR: CryptAcquireContext succeeded

SECREPAIR: filename: application.msi Stored Hash Value:fjqR6m0/jCq5sAIj5WLUu06KFNqEkxuAJ0ZslZQpdYw= Current Hash:loNavG/BPRd9nn0ofrH8Q12W/TUq0rXJfb2KpozV3Qw=

Machine policy value 'AlwaysInstallElevated' is 0

User policy value 'AlwaysInstallElevated' is 0

MSI_LUA: Credential Request return = 0x0

MSI_LUA: Elevated credential consent provided. Install will run elevated



In other locations in the log, I confirmed that the windows installer is aware that this is a per-user non-managed installation package that doesn’t require any admin rights.


My guess is that the Microsoft fix for the repair issue  is to compare the Stored Hash Value of the old package with the new Hash value of the new package and if it is different, it would prompt for UAC.

But then how are we suppose to handle the minor upgrade cases where these values should always be different. (Both repairing the product or upgrading the product shares the same command REINSTALL=ALL REINSTALLMODE=vomus )


How are we supposed now to do minor upgrades without requiring UAC? Am I missing something fundamental here?




  • Full Members
  • 43 posts

Posted 20 August 2014 - 16:24

I tried to do it silently, here is the log produced:



MSI_LUA: Elevation prompt disabled for silent installs
Note: 1: 3
SECUREREPAIR: SecureRepair Failed. Error code: 3F8F434B8



I couldn't find any documentation for this  error code 3F8F434B8


Any Idea?

Edited by InstallDev, 20 August 2014 - 16:25.


  • Moderators
  • 1,447 posts

Posted 22 August 2014 - 00:20

The only problematic hotfix I have heard of recently is this one: http://answers.micro...e2-a78fe68766fd. Supposedly a fix can be found here (how to uninstall the hotfix): http://support.micro....com/kb/2982791

Edited by Glytzhkof, 22 August 2014 - 00:21.

-Stein Åsmul


  • Full Members
  • 43 posts

Posted 26 August 2014 - 16:26

Yes. Microsoft  didn’t officially declare any issues about this kb291861 hotfix yet. But I can see in the web that many others are reporting similiar and related errors for their installers that can only be resolved by removing this hotfix.