In a Visual Studio solution (I'm using Visual Studio 2022), how can I configure a boostrapper to output a file named setup.exe?
I have a wixproj project that builds a bootstrapper that installs a couple of prerequisites and an MSI from another wixproj project. Everything is working as expected, except when I set the Output name on the bootstrapper project to setup my Visual Studio build fails with the following error:
light.exe(0,0): error LGHT0388: The file name 'setup.exe' creates an insecure bundle. Windows will load unnecessary compatibility shims into a bundle with that file name. These compatibility shims can be DLL hijacked allowing attackers to compromise your customers' computer. Choose a different bundle file name.
Done building project "Bootstrapper.wixproj" -- FAILED.
If I set Output name to anything else ([My Project] setup, for example), the build succeeds. I can rename the output file to setup.exe and it seems to behave the same as when I run it without renaming it.
I found nothing on SO mentioned LGHT0388 and on the web the only thing I found is a mailing list post from 2019 with no responses - [wix-users] LGHT0388: The file name 'Setup.exe' creates an insecure bundle.
You can't, by design. From http://lists.wixtoolset.org/pipermail/wix-users-wixtoolset.org/2019-April/007992.html:
Windows does "bad things" when a user tries to run a file named Setup.exe, just as the error message indicates. The shim loading process can cause the OS to probe for DLL's, and if it isn't current on windows updates... IE, if some malicious page caused your browser to download a DLL with the same file name as an OS DLL, the unpatched OS may load it from the downloads folder instead of the OS. WiX chose to be cautious, and not allow the shimming to happen, as we can't assert that the OS has the patches installed.