It is possible to set security on a file, a folder or a registry key from an MSI file.

To do this on a folder, do the following:


Open the MSI file with Orca or a similar editor.

Add the LockPermissions table if it doesn't exist.

If you want to set permissions on a folder, do the following:


Go to the Directory table.

Create a new row and name the Directory, e.g. "LockFolders".

Leave Directory_Parent empty.

In DefaultDir specify "SourceDir".

Go to the Component table.

Specify the name from the first row in Directory as the name for Component, e.g. "LockFolders".

In ComponentId specify a new GUID. You can generate it by running

In Directory_, specify the same name as in Component, e.g. "LockFolders".

Attributes must be zero. Leave Condition and KeyPath empty.


Now go to the CreateFolder table; add it if it doesn't exist.

Now add the directory or directories you want to set security on.

In Directory_ specify an internal name for the directory, e.g. "FOLDER_CLIENT". The component is in every case the component name, e.g. "LockFolders".


Now go back to the Directory table.

Add the entries that you specified in CreateFolder. Directory must be a pointer to the Directory_ entry in CreateFolder, e.g. "FOLDER_CLIENT".

The Directory_Parent must point to the parent directory that this folder is to be a subdirectory of.

If it is a subdirectory to the target of the installation, you must specify "TARGETDIR" here.

In DefaultDir you must specify the actual name of the directory, e.g. "Client".


We have now created an empty folder from the MSI. Next we must set security on it:


Go to the LockPermissions table.

In LockObject specify a pointer to the Directory_ entry in CreateFolder, e.g. "FOLDER_CLIENT".

In Table specify "CreateFolder". In Domain don't specify anything unless the group is a standard built-in group on the computer (not the domain). In that case you must specify "BUILTIN".


Let's specify "BUILTIN" in this example.

In User specify the user or group that you want to set the security for, e.g. "Administrators".

In Permission you must specify the security attribute to assign to the user or group. Specify the decimal value for the security attribute.


For example, if you want to set Full Control, the hexadecimal value is 10000000.

Converting this to a decimal value gives you 268435456, so specify this value in Permission.

For further security attributes, see the SDK.


You should always specify Full Control for the Administrators group in order to give that group the proper permissions.


Let's set Everyone=Read.

Add a new row with the same name ("FOLDER_CLIENT") for the LockObject, since it's the same folder.

The Table is still "CreateFolder". Leave the Domain blank since Everyone is a default group.

The User is "Everyone" and the Permission value is 2147483648.


Save the MSI file and you are done.
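
The Permission arithmetic and the rows from the walkthrough above, as an added Python example that is not part of the original page: it computes the decimal values, decodes them back, and checks a set of LockPermissions rows for broad groups holding write-capable rights and for objects that lack the Administrators Full Control row. The sample rows, the FOLDER_LOGS entry and the list of groups treated as broad are constructed assumptions.

```python
# Added example: decode and audit LockPermissions rows (constructed sample data).
# Access-mask values are the standard Windows constants from winnt.h.
RIGHTS = {
    "GENERIC_READ": 0x80000000, "GENERIC_WRITE": 0x40000000,
    "GENERIC_EXECUTE": 0x20000000, "GENERIC_ALL": 0x10000000,
    "WRITE_OWNER": 0x00080000, "WRITE_DAC": 0x00040000, "DELETE": 0x00010000,
}
# Rights that let the holder change the object's contents or its ACL.
WRITE_CAPABLE = ("GENERIC_ALL", "GENERIC_WRITE", "WRITE_OWNER", "WRITE_DAC", "DELETE")
# Assumption: principals treated as "broad" for this audit.
BROAD_USERS = {"everyone", "users", "authenticated users"}

def permission_value(*names):
    """Return the decimal number to enter in the Permission column."""
    value = 0
    for name in names:
        value |= RIGHTS[name]
    return value

def decode(permission):
    """Return the names of the rights set in a Permission value."""
    mask = permission & 0xFFFFFFFF  # also accepts the value read as signed 32-bit
    return [name for name, bit in RIGHTS.items() if mask & bit]

def audit(rows):
    """rows: (LockObject, Table, Domain, User, Permission) tuples. Returns findings."""
    findings, admin_full = [], set()
    for lock_object, table, domain, user, permission in rows:
        rights = decode(permission)
        if user.lower() == "administrators" and "GENERIC_ALL" in rights:
            admin_full.add((lock_object, table))
        risky = [r for r in rights if r in WRITE_CAPABLE]
        if user.lower() in BROAD_USERS and risky:
            findings.append(f"{lock_object}: {user} holds {'+'.join(risky)}")
    # The walkthrough's rule: every locked object needs Administrators = Full Control.
    for lock_object, table, *_ in rows:
        msg = f"{lock_object}: no Full Control row for Administrators"
        if (lock_object, table) not in admin_full and msg not in findings:
            findings.append(msg)
    return findings

# Constructed sample: the two rows from the walkthrough plus one hypothetical risky row.
SAMPLE_ROWS = [
    ("FOLDER_CLIENT", "CreateFolder", "BUILTIN", "Administrators", 268435456),
    ("FOLDER_CLIENT", "CreateFolder", "", "Everyone", 2147483648),
    ("FOLDER_LOGS", "CreateFolder", "", "Everyone", 268435456),
]
```

Calling audit(SAMPLE_ROWS) reports only the FOLDER_LOGS row; the two rows from the walkthrough produce no findings.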