The Chronicles of Win32 App Installations: The RunOnce Key, OneDrive and Adminless

This blog will be about some weird RunOnce behavior when installing applications.

This week, a customer asked me to push their Nuance Dragon speech software to some specific devices. I guess I am a nice person, so I immediately created a new Win32 App with some parameters.

To start testing, it’s always recommended to have a dedicated M365 test tenant with some test virtual machines. I enrolled a new Windows 10 virtual machine and waited until the application was installed. It took some time to download because the .intunewin package was about 3.5 GB in total.

How to monitor the installation? First, you will need the app ID itself. This is very easy to find when you open the application properties. You can also just monitor the disk performance, where you’ll notice the app being downloaded. The app itself is downloaded to the incoming/staging folder.

Now that we have the app ID, you can open the registry and check the status.

But after a while, the app was still not installed. Intune also reported the app with a failed install status.

Now it’s time to take a good look at some client-side logging. The first log you’ll need to open is IntuneManagementExtension.log, which is located in:

c:\ProgramData\Microsoft\IntuneManagementExtension\Logs

<![LOG[[Win32App] Sending results to service. session RequestPayload: [{"AppId":"76912b57-9074-4306-b015-fb104e854087","InternalVersion":1,"UserId":"d0f774ca-96e9-4143-88c2-b4709d018a55","DeviceId":"5caff78c-babe-4894-a547-60e12c581e97","ExitCode":1603,"

This log showed me the famous 1603 error.

You can also open the registry to check whether the status has changed. It shows the same exit code as the IntuneManagementExtension log.

With 20 years or so worth of experience, the first thing that came to mind was: reboot pending! The first place to look (I thought) would be the PendingFileRenameOperations registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

But there were no pending file rename operations… Now it’s time to take a look at the application log itself. You can configure msiexec to log all of its actions to a specific file, so I did.

After clearing the Win32App in the registry, I restarted the Intune Management agent service. After a minute or two it started downloading again, but this time with a proper log file.

Script Info: 11-11-2020 15:08:15: Checking for pending system reboot... 
Script Info: 11-11-2020 15:08:15: Checking registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 
Script Info: 11-11-2020 15:08:15: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary='C:\Windows\system32\cmd.exe /q /c del /q "C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe"' indicates pending OS reboot. 
Script Info: 11-11-2020 15:08:15: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary='C:\Windows\system32\cmd.exe /q /c del /q "C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe"' indicates pending OS reboot. 
Script Warning: 11-11-2020 15:08:15: System reboot is pending 
Script Info: 11-11-2020 15:08:15: Cancelling installation because of pending reboot

So what could be the problem? The RunOnce entries were not removed, not even after multiple reboots. Take a look at what Microsoft has to say about the RunOnce key.

Can’t execute commands with RunOnce and RunOnceEx – Windows Client | Microsoft Docs

The difference between the Run key and the RunOnce key is that applications listed under the “RunOnce” key are only executed when a user logs in with administrator permissions, whereas applications listed under the “Run” key are run when any user logs in.

So my first thought was to delete the key. I created a PowerShell script to remove the keys which were stuck and configured it in Intune.

reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonce /f

Again I enrolled a new VM to be sure it worked like expected. And yes it did, the PowerShell script removed the registry key and the application was installed finally.
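A narrower variant of that cleanup, as an added example that is not the script from the original post: it reports every HKLM RunOnce value in both registry views and deletes only the two OneDrive value names shown in the installer log, leaving any other pending RunOnce entries in place. The `-Remove` switch is a hypothetical parameter, and the script assumes it runs elevated (for example as an Intune PowerShell script in SYSTEM context).

```powershell
# Added example (not the script from the post): report every HKLM RunOnce
# value in both registry views and, with -Remove, delete only the two stale
# OneDrive entries named in the installer log. Run elevated.
param([switch]$Remove)   # hypothetical switch; default is report-only

$staleNames = 'Delete Cached Update Binary',
              'Delete Cached Standalone Update Binary'
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# The log names ...\Software\Microsoft\...\RunOnce while the reg delete above
# targets WOW6432Node, so open the 64-bit and 32-bit views explicitly.
$views = [Microsoft.Win32.RegistryView]::Registry64,
         [Microsoft.Win32.RegistryView]::Registry32

foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $key = $base.OpenSubKey($subKey, [bool]$Remove)   # writable only when removing
    if ($null -eq $key) {
        Write-Output "[$view] RunOnce key not present"
        $base.Dispose()
        continue
    }
    try {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match on name AND command line so unrelated entries are never touched.
            $isStale = ($staleNames -contains $name) -and
                       ($data -match 'OneDriveSetup\.exe')
            if ($isStale -and $Remove) {
                $key.DeleteValue($name, $false)
                Write-Output "[$view] removed: $name"
            } elseif ($isStale) {
                Write-Output "[$view] stale (would remove): $name = $data"
            } else {
                Write-Output "[$view] kept: $name = $data"
            }
        }
    } finally {
        $key.Dispose()
        $base.Dispose()
    }
}
```

Running it once without `-Remove` on an affected device shows what the installer's pending-reboot check is reacting to before anything is deleted.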

But I am not done yet. There must be a different way to clear the “RunOnce” entries instead of deleting them? After spending some time on Google, I tried to run the next command as a normal user.

c:\windows\system32\runonce.exe /explorer

But that didn’t work. Running the same command “Run as admin” (and providing the local admin credentials) worked. It’s the same as logging in as admin to process the runonce key.

Conclusion:

When deploying Win32 apps, you can run into unexpected installation errors, so knowing how to troubleshoot app install failures is really necessary. Implementing adminless and restricting cmd can get you into some weird situations. I hope this blog will help you troubleshoot these errors, and please don’t forget about the RunOnce key.
