Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Installing an MSI package from an anonymous file share on Operating Systems greater than Vista RTM can fail with the MSI error 1619 "The installation package could not be opened"



Symptoms

The failure being addressed occurs only with the following configuration. 

  • Client machines are Vista SP1 or greater, or Windows Server 2008 SP1 or greater.
  • The package is run under the context of the local system account, which can be achieved by using psexec.exe, available from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • The source Windows Server 2008 has SMB 2.0 enabled, which is the default setting.
  • The following policies have been implemented on the server with the anonymous share.
    • Network access: Restrict anonymous access to Named Pipes and Shares has been disabled.
    • Network access: Let everyone permissions apply to anonymous users is enabled.
    • Network access: Shares that can be accessed anonymously.
      The share that has the installation package is added to this policy.



Cause

The inability to install from such a share with anonymous permissions while using the local system account is expected behavior. See the Resolution section for alternatives and best practice recommendations.



Resolution

It is recommended that shares with anonymous permissions be avoided. Having such open permissions presents a serious security risk. The use of the local system account does not allow for access to network resources. It is recommended that a domain user account be used. If these two changes are made, the issue described in this article can be avoided.

If there are business requirements that override the security risks, the following changes could be considered.

  • Disable SMB 2.0 on the Windows Server 2008
    • Disadvantage - not recommended since it decreases security.
    • Advantages
      • Very easy to implement.
      • As long as the potential security risks are understood and other security levels are maintained this reduced security might be acceptable.
  • Add \\servername\PIPE\srvsvc to the list of shares that can be accessed anonymously.
    • Disadvantage - not recommended since using anonymous access to any share is highly discouraged. If the present schema already includes the use of shares with anonymous access this alternative simply adds another.
    • Advantage - Easy to implement.
  • As described earlier, use an account with network access for the installation instead of the local system account, preferably a domain account.
    • Disadvantage - requires additional administrative steps, particularly in the peer-to-peer group.
    • Advantage - Considered best practice.  This will significantly increase security and is consistent with how other software distribution systems such as Microsoft SCCM work.
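
To check whether a server still carries the anonymous-access configuration this article advises against, the following PowerShell audit reports each relevant setting. It is an added example, not part of the original KB article or Microsoft's code; the function names and the 'Packages' share are made up, and the check of the "Named Pipes that can be accessed anonymously" list (NullSessionPipes) is an assumption that goes beyond the policies the article names.

```powershell
# Added example, not Microsoft's code. The registry values below back the
# "Network access" policies listed under Symptoms.
$LanMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousAccessSettings {   # hypothetical helper name
    # Read the live values; a value that is not set comes back as $null.
    $lm = Get-ItemProperty -Path $LanMan -ErrorAction SilentlyContinue
    $ls = Get-ItemProperty -Path $Lsa -ErrorAction SilentlyContinue
    @{
        RestrictNullSessAccess    = $lm.RestrictNullSessAccess
        EveryoneIncludesAnonymous = $ls.EveryoneIncludesAnonymous
        NullSessionShares         = $lm.NullSessionShares
        NullSessionPipes          = $lm.NullSessionPipes
    }
}

function Test-AnonymousAccessSettings {  # hypothetical helper name
    param([Parameter(Mandatory=$true)][hashtable]$Settings)
    $findings = @()
    if ($Settings.RestrictNullSessAccess -eq 0) {
        $findings += 'Restrict anonymous access to Named Pipes and Shares: disabled'
    }
    if ($Settings.EveryoneIncludesAnonymous -eq 1) {
        $findings += 'Let Everyone permissions apply to anonymous users: enabled'
    }
    # Multi-string values may be $null or contain empty entries; drop those.
    foreach ($s in @($Settings.NullSessionShares | Where-Object { $_ })) {
        $findings += "Share reachable anonymously: $s"
    }
    foreach ($p in @($Settings.NullSessionPipes | Where-Object { $_ })) {
        $findings += "Named pipe reachable anonymously: $p"
    }
    $findings
}

# Constructed sample mirroring the configuration in the Symptoms list.
$sample = @{
    RestrictNullSessAccess    = 0
    EveryoneIncludesAnonymous = 1
    NullSessionShares         = @('Packages')
    NullSessionPipes          = @()
}
Test-AnonymousAccessSettings -Settings $sample

# On a live server (run elevated):
# Test-AnonymousAccessSettings -Settings (Get-AnonymousAccessSettings)
```

An empty result means none of the anonymous-access settings described here are in effect on the machine that was checked.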



Keywords: kbrapidpub, kbnomt, KB2022222


Article Info
Article ID : 2022222
Revision : 2
Created on : 3/31/2010
Published on : 3/31/2010
Exists online : False
Views : 355