Installer?

May 20, 2008
11,400
99
Syracuse, NY, USA
After updating TCMD last night, there was, in %TEMP%,
Code:
2017-03-10  20:07         497,304  Ins62B0.tmp
That file is actually an executable. It's digitally signed by "Caphyon SRL" and it seems to have an interest in the registry keys listed below (and not in any others). What's it all about?

These strings are in the file.
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\DisplayName
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\SP
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0\Setup\InstallSuccess
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322\Install
HKLM\SOFTWARE\Microsoft\.NETFramework\policy\v1.0\3705
HKLM\SOFTWARE\Microsoft\DirectX\Version
HKLM\Software\Adobe\Acrobat Reader\11.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\10.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\9.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\8.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\7.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\6.0\InstallPath\
HKLM\Software\Adobe\Acrobat Reader\5.0\InstallPath\
HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion
HKLM\SOFTWARE\JavaSoft\Java Development Kit\CurrentVersion
HKLM\SOFTWARE\Microsoft\XNA\Framework\v4.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v3.1\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v3.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v2.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\XNA\Framework\v1.0\NativeLibraryPath
HKLM\SOFTWARE\Microsoft\Office\16.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Access\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Excel\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\InfoPath\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\OneNote\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Outlook\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\PowerPoint\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Publisher\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\16.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\14.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\12.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\11.0\Word\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Office\15.0\Groove\InstallRoot\Path
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\130\SQLServer2016\CurrentVersion\Version
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\120\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\110\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v4.0\ENU\DesktopRuntimeVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeServicePackLevel
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeVersion
HKLM\SOFTWARE\Microsoft\VSTO Runtime Setup\v4\Install
HKLM\Software\Microsoft\VSTO Runtime Setup\v9.0.21022\Install
HKLM\Software\Microsoft\vsto runtime Setup\v2.0.50727\Install
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\SharePoint
HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\PowerShellVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\Install
 
Aug 3, 2016
376
9
Netherlands
After updating TCMD last night, there was, in %TEMP%,
Code:
2017-03-10  20:07         497,304  Ins62B0.tmp
That file is actually an executable. It's digitally signed by "Caphyon SRL" and it seems to have an interest in the registry keys listed below (and not in any others). What's it all about?

Actually: it's a DLL.
It's InstallerAnalytics.dll, used by the installer to get telemetrics about some software on your machine and the status of the installation process.
The MSI then can change its behaviour, depending on the existence or absence of certain software (the ones you listed).

This DLL is a (hidden) part of the MSI that installs Take Command. It will not be installed on your system, but only "run" during installation.

Code:
[C:\Temp\TEST_TCMD\CompleteVersies\20.11.46\binary32]dir /km *.dll;*.exe
12-03-2017   8:55         211.104  aicustact.dll
12-03-2017   8:55       2.024.040  Everything.exe
12-03-2017   8:55         497.304  InstallerAnalytics.dll
12-03-2017   8:55          12.952  lzmaextractor.dll
12-03-2017   8:55         368.800  Prereq.dll
12-03-2017   8:55         395.416  ResourceCleaner.dll
12-03-2017   8:55         327.832  SoftwareDetector.dll
12-03-2017   8:55          17.568  viewer.exe
12-03-2017   8:55         380.056  xmlCfg.dll
 
May 20, 2008
11,400
99
Syracuse, NY, USA
Thanks Maarten; good detective work! Can you make a guess about why it's interested in those registry keys?
 
Aug 3, 2016
376
9
Netherlands
The MSI installer can also install other software (like runtimes) by including it in the MSI or by linking it. Or show you a message like: This program requires Office version .... if that isn't installed.
To know if it has to install (or remove) anything or show you a message like the one above, it has to check if that software is installed. It uses the registry keys you found to detect that.

As far as I can tell, Take Command doesn't use any of this. I think it's just Caphyon's default behaviour.

I would expect this also to be used to detect Windows versions (the current Take Command installations require Vista or up), but see no proof of that.

BTW: older versions of the installer software included a telemetrics component: system info etc. was uploaded. That is no longer in the current installers. My initial thought was that this DLL was the replacement for that, but I didn't bother to research this any further (I bypass the installer).
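A way to check both replies' points on a file like this, as an added example that is not part of the original thread: it reads the PE header to tell a DLL from an EXE, pulls the HKLM/HKCU strings out of the binary and groups them by product, which shows what prerequisites the installer probes for. The function names and the sample bytes are constructed for illustration; the three keys in the sample are taken from the list in the first post.

```python
import re
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: the image is a DLL

def pe_kind(data: bytes) -> str:
    """Classify a buffer as 'dll', 'exe' or 'not-pe' from its PE/COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    # Characteristics is the last 2 bytes of the 20-byte COFF file header.
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

# Registry paths as they sit in a binary: ASCII or UTF-16LE, NUL-terminated.
_ASCII = re.compile(rb"HK(?:LM|CU)\\[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"H\0K\0(?:L\0M|C\0U)\0\\\0(?:[\x20-\x7e]\0){4,}")

def registry_strings(data: bytes) -> list[str]:
    """Return the distinct HKLM/HKCU paths found in data, sorted."""
    found = {m.group().decode("ascii") for m in _ASCII.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _UTF16.finditer(data)}
    return sorted(found)

def probed_products(keys: list[str]) -> dict[str, int]:
    """Count keys per 'Vendor\\Product' under SOFTWARE (hive subtree otherwise)."""
    counts: dict[str, int] = {}
    for key in keys:
        parts = key.split("\\")
        software = len(parts) > 3 and parts[1].upper() == "SOFTWARE"
        name = "\\".join(parts[2:4]) if software else parts[1]
        counts[name] = counts.get(name, 0) + 1
    return counts

def constructed_sample(flags: int) -> bytes:
    """Constructed test input: minimal PE headers plus three keys from the post."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)
    k1 = rb"HKLM\SOFTWARE\Microsoft\Office\16.0\Word\InstallRoot\Path"
    k2 = rb"HKLM\SOFTWARE\Microsoft\Office\15.0\Word\InstallRoot\Path"
    k3 = "HKLM\\Software\\Adobe\\Acrobat Reader\\11.0\\InstallPath\\"
    return dos + coff + b"\0" + k1 + b"\0" + k2 + b"\0" + k3.encode("utf-16-le") + b"\0\0"

if __name__ == "__main__":
    blob = constructed_sample(0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    keys = registry_strings(blob)
    print(pe_kind(blob), probed_products(keys))
```

On a real file, pass the result of `open(path, "rb").read()` instead of the constructed sample; the signature itself still has to be verified with the platform's Authenticode tooling.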
 
May 20, 2008
11,400
99
Syracuse, NY, USA
The installer often, but not always, leaves a mess here. How do you get the MSI file out of the downloaded distribution file? What happens to the pre-install options (shortcuts, BTM association, Everything) if you use the MSI file; are they just left as is?
 
Aug 3, 2016
376
9
Netherlands
That's a lot of questions :-)

How do you get the MSI file out of the downloaded distribution file?
tcmd.exe /extract . Creates a subdir with all the files in it, including the 64- and 32-bit MSIs.
You can't run those directly (although that can be bypassed quite easily. But you could more easily run the installer)
What happens to the pre-install options (shortcuts, BTM association, Everything) if you use the MSI file
What do you mean by pre-install options? The state your system was in before running the installer?

The TCMD.exe installer also extracts the files, checks if you are running a 32- or 64-bit Windows and then starts the matching MSI.
All the install dialogs you see come from the MSI.
 
Aug 3, 2016
376
9
Netherlands
Everything is indeed a little messy. Let's say there is room for improvement..
Tricky part of that is that you can also have a separate Everything running. It needs "chirurgical" detection methods to be able to do the right thing with Everything..
 
May 20, 2008
11,400
99
Syracuse, NY, USA
Everything is indeed a little messy. Let's say there is room for improvement..
Tricky part of that is that you can also have a separate Everything running. It needs "chirurgical" detection methods to be able to do the right thing with Everything..
I used to run Everything from its own installation. But installing or updating TCMD kept removing the Everything service if I chose "don't install Everything" (does it still do that?). Not having much use for it, I gave up on Everything about a year ago.
 
Nov 2, 2008
231
2
I use a loader for everything in the takecmd directory, and fetch everything through apppaths. It's the same way that Windows has been loading 'wordpad' when you type 'write' at the prompt. The v program works the same way. Have not tried IDE yet!
 