Daniel Doubrovkine bio photo

Daniel Doubrovkine

aka dB., CTO at artsy.net, fun at playplay.io, NYC

Email Twitter LinkedIn Github

I ran into the infamous “this installation is forbidden by system policy” error message this morning while trying to fix the MsiExt build on a new Windows 2003 64-bit build machine. The message is known to be extremely helpful. It basically says “Sorry, someone somewhere defined something that you will never find that prevents this MSI from executing. Good luck with that.”. In addition, it’s the result of an MsiOpenPackage call, not of any kind of execution per-se.

In those cases you have to think out of the box. This MSI is generated by the following unit test (this is the test that actually fails).

void MsiDatabaseUnitTests::testExecute()
    std::wstring filename = AppSecInc::File::GetTemporaryFileNameW();
    std::wcout << std::endl << L"Creating " << filename;
    MsiDatabase database;
    std::wcout << std::endl << L"Database handle " << std::hex << (MSIHANDLE) database;

    std::wstring path = File::GetModuleDirectoryW() + L"\\TestData_MsiUnitTests";
    database.Execute(L"INSERT INTO `Property` (`Property`, `Value`) VALUES ('ProductCode', '{GUID}')");

    MsiPackage package(filename);
    MsiInstall install(package);

    AppSecInc::Xml::XmlDocument xmlDoc;
    xmlDoc.LoadXml(install.GetViewData(L"SELECT `Value` FROM `Property` WHERE `Property`='ProductCode'"));
    std::wstring value = xmlDoc.GetNodeValue(L"/Table/Row/Data[@Column=\"Value\"]");
    std::wcout << std::endl << L"Data: " << value;
    CPPUNIT_ASSERT(value == L"{GUID}");


What could be possibly wrong here? After some wild guessing I found that Windows Installer on Windows 2003 x64 doesn’t like a GUID spelled {GUID}. Replacing that with an actual GUID fixes the problem.