The default and recommended option deploys WinSCP into C:\Program Files (x86)\WinSCP\ and therefore requires the installer to be run with administrative privileges. Further investigation revealed that in some systems that file could be found at C:\Program Files (x86)\WinSCP\DragExt64.dll, while in other systems the location was the local user %LOCALAPPDATA%\Programs\WinSCP folder – suggesting that the difference came from whether the user, during installation, chose “Install for all users (recommended)” or “Install for me only”, as demonstrated in the screenshot below.

Since such DLL files are owned by the user (ownership by default inherited from the directory), but executed as SYSTEM, it was clear that this phenomenon created a potential vector for local privilege escalation, as simple as replacing the original DLL with a custom one containing arbitrary code.

Following up, it turned out that DragExt64.dll is an extension of WinSCP responsible for drag & drop support, distributed along with WinSCP.

Please mind the CAPITAL letters in the switches, the installer is case sensitive!

A "new" inf-file should look like below, for a no-frills standard scripted install w/o any OpenCandy-stuff.

A couple of months ago, while analyzing one of our environments, we had noticed instances of the LogonUI.exe process – running as NT AUTHORITY\SYSTEM – loading a DLL file named DragExt64.dll from local user %LOCALAPPDATA%\Programs\WinSCP\ directories, e.g., C:\Users\bob\AppData\Local\Programs\WinSCP\DragExt64.dll.

You might also want to create a new inf-file, according to KPrinz notes above. You might want to add an uninstall-command and also reboot before installing the new version.

Update: Now it works for no apparent reason. In the meantime one could use the non-installer version to deploy the core files as they are with a simple batch script. Normal manual install seems to work flawlessly. I've notified the author and expect feedback soonish.
I believe this to have something to do with the new Opencandy-stuff, please note I'm speculating though. I get a popup requesting me to choose an option. WinSCP v4.2.5 doesn't seem to allow for a silent install anymore.

If not exist "%allusersprofile%\Desktop\WinSCP.lnk" goto end2 else goto deletelink
del /F /Q "%allusersprofile%\Desktop\WinSCP.lnk"
del /F /Q "%userprofile%\Desktop\WinSCP.lnk"
"\\domain.local\dfs\MSI\robocopy" "\\domain.local\dfs\MSI\WinSCP v4.00beta" "%ProgramFiles%\WinSCP" winscp400.txt /R:1 /W:5
"\\domain.local\dfs\msi\WinSCP v4.00beta\winscp400setup.exe" /VERYSILENT /NORESTART /LOADINF="\\domain.local\dfs\msi\WinSCP v4.00beta\winscp400.txt" /NOICONS
If exist "%ProgramFiles%\WinSCP\winscp400.txt" goto end1 else goto install

The LOADINF-line points to the answer-file you created above. Supposedly the switch /mergetasks="desktopicon\common" will create the icons in the all users desktop folder. If it finds the answer-file in the program files-folder, the script silently exits.

For some reason the silent install installs a desktop icon on the logged on user's desktop instead of in the all users desktop-folder. Having had problems with installations that always run, despite WinSCP already having been installed, the condition testing will avoid that. Next the GPO-script that installs the shebang. You can also run the installer manually with the "/SAVEINF=filename" parameter to record a custom answer file.

Components=main,shellext,pageant,puttygen
You must have at least the main component.
NoIcons= 0 means create icons on desktop, 1 means don't.
Components= What components to install.
The answer-file breaks up into five categories:
Dir= Where the program should be installed.

AFAIK there are no changes in the answerfile from v3.x. For simplicity's (future) sake call your answer-file something like "winscp400.txt" to distinguish it from earlier versions. Put it in the same folder as the winscp-installer on your admin share.
I believe the installer itself is an NSIS, but am not sure. The WinSCP-installer supports using an answer-file. This is how I deploy WinSCP with a GPO over AD.