Why not just use the provided MSI as-is?

My customer requires that all software runs with the lowest possible permissions—no third-party software should run as SYSTEM. I was asked to explore what could be done about Xearch.

Xearch runs as a Windows service on client machines and reports to the Xensam SAM platform. This setup gives the customer a comprehensive overview of their software, helping reduce the risk of failing licensing audits. By managing software continuously throughout the year, they also lower operational costs.

Creating the MSI Transform

After opening the MSI in ORCA, begin by creating a new transform: click on Transform and then New Transform.

Menu showing creating a new transform

Adding the Required Tables

We need a few additional tables beyond what Xearch originally includes. Specifically, we’re adding CreateFolder and MsiLockPermissionsEx.

Start by selecting Tables, then Add Table.

Select CreateFolder and MsiLockPermissionsEx:


Updating the Tables

CreateFolder

To set permissions, the MSI must first create the folder. Add a row to the CreateFolder table:

Column       Value
Directory_   INSTALLFOLDER
Component_   XeachExe_comp

MsiLockPermissionsEx

This is where the magic happens—we grant the NT SERVICE\XearchService account permissions to the installation folder. It’s crucial not to grant full control, as the binary could then alter the folder’s permissions and break it. Instead, we assign Modify rights (read, write, execute and delete, but not change-permissions or take-ownership), which appears in the SDDL below as the access mask 0x1301bf.

The SID S-1-5-80-1089344077-2353306179-4266717272-719476513-3025714595 corresponds to the NT SERVICE\XearchService account. Virtual service account SIDs always start with S-1-5-80 and are derived from the service name, so this value is the same on every machine.

Screenshot of modification of the MsiLockPermissionsEx table

Column                Value
MsiLockPermissionsEx  SetFolderPerm
LockObject            INSTALLFOLDER
Table                 CreateFolder
SDDLText              O:SYG:SYD:AR(A;OICI;0x1301bf;;;S-1-5-80-1089344077-2353306179-4266717272-719476513-3025714595)(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)
Condition             (left empty)
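As an added check that is not part of the original post or of Xensam’s tooling, the following Python parses the DACL part of the SDDL string above and confirms that the XearchService SID receives exactly the Modify mask (0x1301bf) and no right that would let it rewrite the folder’s ACL. The rights table holds standard Windows access-mask constants; the SID and SDDL are copied from the table above.

```python
import re

# Access-right codes used in SDDL (Windows constants: generic, file-specific, standard).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
MODIFY = 0x1301BF  # FR | FW | FX | DELETE: the NTFS "Modify" permission used in the transform
# Bits that would let the holder rewrite the ACL or take ownership of the folder.
ALTER_PERMS = RIGHTS["WD"] | RIGHTS["WO"] | RIGHTS["GA"]

# SID and SDDL string copied from the MsiLockPermissionsEx row above.
XEARCH_SERVICE_SID = "S-1-5-80-1089344077-2353306179-4266717272-719476513-3025714595"
SDDL = (
    "O:SYG:SYD:AR"
    "(A;OICI;0x1301bf;;;S-1-5-80-1089344077-2353306179-4266717272-719476513-3025714595)"
    "(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)"
    "(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)"
    "(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)"
    "(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)"
)

def rights_mask(text):
    """Turn an SDDL rights field (hex literal or run of two-letter codes) into a mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return the DACL as a list of (ace_type, flags, mask, sid) tuples."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl).group(1)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append((ace_type, flags, rights_mask(rights), sid))
    return aces

def check_service_ace(sddl, sid):
    """Combined allow mask for `sid`, and whether it could change the folder's permissions."""
    mask = 0
    for ace_type, _flags, ace_mask, ace_sid in parse_dacl(sddl):
        if ace_type == "A" and ace_sid == sid:
            mask |= ace_mask
    return mask, bool(mask & ALTER_PERMS)
```

Calling check_service_ace(SDDL, XEARCH_SERVICE_SID) on the transform’s SDDL returns (0x1301bf, False); swapping the service ACE’s rights to FA would flip the second value to True, which is the misconfiguration the text warns against.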

InstallExecuteSequence

Next, we modify the installation sequence to include the new folder creation and permission settings.

Adding a row so that CreateFolder runs:

Column     Value
Action     CreateFolder
Condition  NOT REMOVE
Sequence   3700

Adding a row so that MsiLockPermissionsEx runs:

Column     Value
Action     MsiLockPermissionsEx
Condition  NOT REMOVE
Sequence   3750

ServiceInstall

Lastly, ensure the service installs under NT SERVICE\XearchService instead of SYSTEM. Update the StartName accordingly.

Update the account the service is to be installed as

Generate the Transform

You should now see the modified tables listed on the left.

Modified tables

Generate the .mst transform file by clicking on Transform and then Generate Transform.

Generate transform

Test the MSI and Transform

You can now install the MSI with the transform to verify functionality. If your files are in C:\temp, the following command should work (adjust paths if needed):

msiexec /qb+ /i C:\temp\xearch.msi TRANSFORMS=C:\temp\transform.mst

MSI Locked?

ORCA locks the MSI file, so remember to close ORCA before proceeding.

MSI locked by ORCA