Does AppEnforce.log really log the context used for installation incorrectly?

Tags: logging, sccm, sccm-2012-r2

I have a deployment type with the following attributes:

Technology: MSI
Installation behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program visibility: Hidden

When msiexec is run by the client, the following entry is shown in AppEnforce.log:

Executing Command line: "C:\WINDOWS\system32\msiexec.exe" /i "AppleApplicationSupport.msi" /qn with user context

This is strange since I've selected "Install for system".

Googling reveals some speculation that the logging is incorrect:

For what it's worth, I've noticed that the appenforce.log seems to always say it's in the user context, even when it isn't.

I found some other similar comments, but did not find any definitive reference. This leaves me with the following questions:

Does AppEnforce.log really log the context as user even when it is executed as the system?

Best Answer

TL;DR: AppEnforce.log indeed logs the context incorrectly (at least for "Script Installer" technology).

The Test

I created a deployment type with the following attributes:

Technology: Script Installer
Installation behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program visibility: Hidden
Installation program: powershell .\Install-Application.ps1

Install-Application.ps1 creates a log file called script-install-test-YYYY-MM-DD__HH-MM-SS.log. That script is at the end of this post.

I then deployed that deployment type and watched AppEnforce.log and script-install-test-X.log.

Results

I found the following entry in AppEnforce.log:

Executing Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" .\Install-Application.ps1 with user context

Within seconds after that, the script-install-test-X.log was written to folder script-install-test-SYSTEM. The SYSTEM suffix indicates that the script was run as SYSTEM.

Conclusion

For "script installer" technology, the context written to AppEnforce.log messages of the style

Executing Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" .\Install-Application.ps1 with user context

may incorrectly be written as "user context" even when the command line is executed as system context.

What about MSI Installer Technology?

I did not perform the test for MSI Installer Technology. However, given that the context is sometimes wrong for Script Installer Technology, the context written to AppEnforce.log should probably be regarded as unreliable for all deployment types regardless of technology.

Install-Application.ps1

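# Dumps the process environment to a log folder named after the account
# the script is actually running as (e.g. script-install-test-SYSTEM).
function Write-EnvToLog
{
    $appName = 'script-install-test'

    # The folder name carries the effective user name of this process.
    $logFolderPath = "c:\$appName-$([System.Environment]::UserName)"

    if ( -not (Test-Path $logFolderPath -PathType Container) )
    {
        New-Item -Path $logFolderPath -ItemType Directory | Out-Null
    }

    # Give up quietly if the folder could not be created.
    if ( -not (Test-Path $logFolderPath -PathType Container ) )
    {
        return
    }

    # The backtick keeps the underscores from being read as part of the variable name.
    $logFileName = "$appName`__$((Get-Date).ToString("yyyy-MM-dd__HH-mm-ss")).txt"

    $fp = "$logFolderPath\$logFileName"

    # Write every environment variable visible to this process.
    Get-ChildItem Env: | Out-File $fp | Out-Null

    return $true
}

try
{
    if ( Write-EnvToLog ) { "Complete!" }
    # Exit code 0 reports success to the client.
    [System.Environment]::Exit(0)
}
catch
{
    [System.Environment]::Exit(1000)
}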
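A variant of the same check, added here as an example and not part of the original answer: instead of inferring the account from a folder name, it records the process token's account name, SID, elevation and session ID, so the result can be compared directly with the "with user context" line in AppEnforce.log. The function name `Get-InstallContext` and the `install-context-check` log folder are assumptions, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: record the identity a deployment type's command line really runs as.
# Function name and log location are hypothetical, not taken from the original post.
function Get-InstallContext
{
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # LocalSystem is the well-known SID S-1-5-18; checking the SID avoids
    # relying on a localized or ambiguous account name.
    $systemSid = [System.Security.Principal.WellKnownSidType]::LocalSystemSid
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
        Account    = $identity.Name
        Sid        = $identity.User.Value
        IsSystem   = $identity.User.IsWellKnown($systemSid)
        IsElevated = $principal.IsInRole($adminRole)
        SessionId  = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    }
}

try
{
    # Assumed location: a machine-wide folder that exists for both SYSTEM and users.
    $logFolder = Join-Path $env:ProgramData 'install-context-check'

    if ( -not (Test-Path $logFolder -PathType Container) )
    {
        New-Item -Path $logFolder -ItemType Directory -ErrorAction Stop | Out-Null
    }

    # One JSON object per run, appended so repeated deployments can be compared.
    Get-InstallContext | ConvertTo-Json -Compress |
        Add-Content -Path (Join-Path $logFolder 'context.log') -ErrorAction Stop

    exit 0
}
catch
{
    # Non-zero exit code so the client reports the deployment as failed.
    exit 1000
}
```

Deployed as the installation program of a test deployment type, a line with `"IsSystem":true` in `context.log` next to a "with user context" entry in AppEnforce.log reproduces the mismatch described above.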