Installer?

[vefatica]

After updating TCMD last night, there was, in %TEMP%,

2017-03-10  20:07         497,304  Ins62B0.tmp

That file is actually an executable. It's digitally signed by "Caphyon SRL" and it seems to have an interest in the registry keys listed below (and not in any others). What's it all about?

These strings are in the file.

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\DisplayName
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\SP
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0\Setup\InstallSuccess
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322\Install
HKLM\SOFTWARE\Microsoft\.NETFramework\policy\v1.0\3705
HKLM\SOFTWARE\Microsoft\DirectX\Version
HKLM\Software\Adobe\Acrobat Reader\11.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\10.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\9.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\8.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\7.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\6.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\5.0\InstallPath\
HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion
HKLM\SOFTWARE\JavaSoft\Java Development Kit\CurrentVersion
HKLM\SOFTWARE\Microsoft\XNA\Framework\v4.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v3.1\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v3.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v2.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v1.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\Office\16.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\130\SQLServer2016\CurrentVersion\Version
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\120\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\110\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v4.0\ENU\DesktopRuntimeVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeServicePackLevel
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeVersion
HKLM\SOFTWARE\Microsoft\VSTO Runtime Setup\v4\Install
HKLM\Software\Microsoft\VSTO Runtime Setup\v9.0.21022\Install
HKLM\Software\Microsoft\vsto runtime Setup\v2.0.50727\Install
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\SharePoint
HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\PowerShellVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\Install

 

[rconn]

I have no idea. I can't reproduce it here.

 

[vefatica]

I have no idea. I can't reproduce it here.

Do you care to look into it? I could sent the file.

 

[MaartenG]

After updating TCMD last night, there was, in %TEMP%,

2017-03-10  20:07         497,304  Ins62B0.tmp

That file is actually an executable. It's digitally signed by "Caphyon SRL" and it seems to have an interest in the registry keys listed below (and not in any others). What's it all about?

Actually: it's a DLL.
It's InstallerAnalytics.dll, used by the installer to get telemetrics about some software on your machine and the status of the installation process.
The MSI then can change it's behaviour, depending on the existence or absence of certain software (the ones you listed)

This DLL is a (hidden) part of the MSI that installs Take Command. It will not be installed on your system, but only "run" during installation.

[C:\Temp\TEST_TCMD\CompleteVersies\20.11.46\binary32]dir /km *.dll;*.exe
12-03-2017   8:55         211.104  aicustact.dll
12-03-2017   8:55       2.024.040  Everything.exe
12-03-2017   8:55         497.304  InstallerAnalytics.dll
12-03-2017   8:55          12.952  lzmaextractor.dll
12-03-2017   8:55         368.800  Prereq.dll
12-03-2017   8:55         395.416  ResourceCleaner.dll
12-03-2017   8:55         327.832  SoftwareDetector.dll
12-03-2017   8:55          17.568  viewer.exe
12-03-2017   8:55         380.056  xmlCfg.dll

 

[vefatica]

Thanks Maarten; good detective work! Can you make a guess about why it's interested in those registry keys?

 

[MaartenG]

The MSI installer can also install other software (like runtimes ) by including it in the MSI or by linking it. Or show you a message like: This program requires Office version .... if that isn't installed.
To know if it has to install (or remove) anything or show you a message like the one above, it has to check if that software is installed. It uses the registry keys you found to detect that.

As far as I can tell, Take Command doesn't use any of this. I think it's just Caphyon's default behaviour.

I would expect this also to be used to detect Windows versions (the current Take Command installations require Vista or up), but see no proof of that.

BTW: older versions of the installer software included a telemetrics component: system info etc was uploaded. That is no longer in the current installers. My initial thought was that this DLL was the replacement for that, but I didn't bother to research this any further (I bypass the installer)

 

[vefatica]

The installer often, but not always, leaves a mess here. How do you get the MSI file out of the downloaded distribution file? What happens to the pre-install options (shortcuts, BTM association, Everything) if you use the MSI file; are they just left as is?

 

[MaartenG]

That's a lot of questions :-)

How do you get the MSI file out of the downloaded distribution file?

tcmd.exe /extract . Creates a subdir with all the files in it, including the 64- and 32-bit MSI's.
You can't run those directly (although that can be bypassed quite easily. But you could easier run the installer)

What happens to the pre-install options (shortcuts, BTM association, Everything) if you use the MSI file

What do you mean by pre-install options? The state your system was in before running the installer?

The TCMD.exe installer does also extarct the files and checks if you are running a 32- or 64-bit Windows and then starts the matching MSI.
All the install dialog dialogs you see come from the MSI.

 

[vefatica]

OK, thanks. I thought perhaps those dialogs came from updater.exe or AI.

 

[MaartenG]

Everything is indeed a little messy. Let's say there is room for improvement..
Tricky part of that is that you can also have a separate Everything running. It needs "chirugical" detection methods to be able to do the right thing with Everything..

 

[vefatica]

Everything is indeed a little messy. Let's say there is room for improvement..
Tricky part of that is that you can also have a separate Everything running. It needs "chirugical" detection methods to be able to do the right thing with Everything..

I used to run Everything from its own installation. But installing or updating TCMD kept removing the Everything service if I chose "don't install Everything" (does it still do that?). Not having much use for it, I gave up on Everything about a year ago.

 

[w_krieger]

I use a loader for everything in the takecmd directory, and fetch everything through apppaths. It's the same way that windows has been loading 'wordpad' when you type 'write' at the prompt. The v program works the same way. Have not tried IDE yet!