MSI Installer Error: Event 11708 with Windows Restricted Users


I am reporting a bug with the EFS Assistant application when being run under a user that does not have appropriate access to the c:\windows temp directory. Each time EFS Assistant is run, it will produce event 11708 errors in the event log. Microsoft says that a major code change will be needed in either MSIINSTALLER or EFS ASSISTANT. FYI...
Subject: RE: Microsoft Support Incident: SRZ081124000449 - SA/Win2k3/Sec/Event ID 11708
Thank you for your patience. I am writing in to update you regarding the 11708 event issue you opened.
We have researched and tested with in local reproduced environment. We were not able to find an effective way to stop the events being generated as this may involve big code changing either to MsiInstaller or EFS Assistant the application. We do think instead of granting the permission to normal users, we would rather suggest ignoring the events. Here are the findings we would like to share with you:

Further Information

  1. We did a thorough check of MSI log and WMI logs. Based on our analysis, the actions recorded in MSI log in our case were all triggered by the following WMI query(from wbemcore.log):
    Query Engine request: querying dyn provider with <select InstallLocation from Win32_Product>
    Query Engine actual: querying dyn provider with <select __RELPATH, InstallLocation from Win32_Product>
  2. We wrote a simple .vbs script with similar WMI script as above to do a software query. There are no real install/uninstall actions either like in our case. We ran it on our local repro machine as well as another machine with clean installed Windows XP SP3 (No EFS Assistant Tool Installed). As a result, we saw similar behavior in WMI log and MSI log.
    The test above further confirms that query into WMI namespace MSI provider-> Win32_Product Class will trigger a check in the installation database, including the installation packages.
  3. Then we did more researches in our internal database and found the explanation of this behavior:
    Queries into Win32_Product loads msiprov.dll (the msi provider for wmi) and then msi.dll. It performs the actual task to query the MSI database on the machine for all the installed packages.
    The process above also triggers a consistency check on packages installed, verifying and repairing the installation. When the MSI package has MST file in c:\windows\temp, if we run it under a normal user account, we might get the 11708 event message, as normal user normally doesn't have read permissions on temp folder.


The behavior is by designed. There is no way to get around it except:
  1. Change the behavior of MsiInstaller to not let it check the whole installation database based on the WMI query.
  2. Change the behavior of EFS Assistant to not make the WMI query.
    Either of the way will involve big code changes and probably lose the original purpose of doing the consistency check. So based on our analysis, since there is no real installation actions failed and no obvious business impact, I think we can safely ignore the events. (they are not even error/warning events)
    Please let me know what do you think and let me know if you have any questions. Again, thank you for your time and patience.