Log a protected temporary directory as such.

Projects/Src/InstFunc.pas

@@ -49,7 +49,9 @@ type
 
 function CheckForMutexes(const Mutexes: String): Boolean;
 procedure CreateMutexes(const Mutexes: String);
-function CreateTempDir(const LimitCurrentUserSidAccess: Boolean): String;
+function CreateTempDir(const LimitCurrentUserSidAccess: Boolean;
+  var Protected: Boolean): String; overload;
+function CreateTempDir(const LimitCurrentUserSidAccess: Boolean): String; overload;
 function DecrementSharedCount(const RegView: TRegView; const Filename: String): Boolean;
 procedure DelayDeleteFile(const DisableFsRedir: Boolean; const Filename: String;
   const MaxTries, FirstRetryDelayMS, SubsequentRetryDelayMS: Integer);
@@ -175,7 +177,7 @@ function ConvertStringSecurityDescriptorToSecurityDescriptorW(
   dummy: Pointer): BOOL; stdcall; external advapi32;
 
 function CreateSafeDirectory(const LimitCurrentUserSidAccess: Boolean; Path: String;
-  var ErrorCode: DWORD): Boolean;
+  var ErrorCode: DWORD; var Protected: Boolean): Boolean; overload;
 { Creates a protected directory if
   -it's a subdirectory of c:\WINDOWS\TEMP, or
   -it's on a local drive and LimitCurrentUserSidAccess is True (latter is true atm if elevated and not debugging)
@@ -192,7 +194,9 @@ begin
     not PathCharIsSlash(Drive[1]) and
     (GetDriveType(PChar(AddBackslash(Drive))) <> DRIVE_REMOTE);
 
-  if IsUnderWindowsTemp or IsLocalTempToProtect then begin
+  Protected := IsUnderWindowsTemp or IsLocalTempToProtect;
+
+  if Protected then begin
     var StringSecurityDescriptor :=
       // D: adds a Discretionary ACL ("DACL", i.e. access control via SIDs)
       // P: prevents DACL from being modified by inheritable ACEs
@@ -245,6 +249,13 @@ begin
   end;
 end;
 
+function CreateSafeDirectory(const LimitCurrentUserSidAccess: Boolean; Path: String;
+  var ErrorCode: DWORD): Boolean; overload;
+begin
+  var Protected: Boolean;
+  Result := CreateSafeDirectory(LimitCurrentUserSidAccess, Path, ErrorCode, Protected);
+end;
+
 function IntToBase32(Number: Longint): String;
 const
   Table: array[0..31] of Char = '0123456789ABCDEFGHIJKLMNOPQRSTUV';
@@ -319,7 +330,8 @@ begin
   until False; // continue until a new directory was created
 end;
 
-function CreateTempDir(const LimitCurrentUserSidAccess: Boolean): String;
+function CreateTempDir(const LimitCurrentUserSidAccess: Boolean;
+  var Protected: Boolean): String;
 { This is called by SetupLdr, Setup, and Uninstall. }
 var
   Dir: String;
@@ -327,7 +339,7 @@ var
 begin
   while True do begin
     Dir := GenerateUniqueName(False, GetTempDir, '.tmp');
-    if CreateSafeDirectory(LimitCurrentUserSidAccess, Dir, ErrorCode) then
+    if CreateSafeDirectory(LimitCurrentUserSidAccess, Dir, ErrorCode, Protected) then
       Break;
     if ErrorCode <> ERROR_ALREADY_EXISTS then
       raise Exception.Create(FmtSetupMessage(msgLastErrorMessage,
@@ -337,6 +349,12 @@ begin
   Result := Dir;
 end;
 
+function CreateTempDir(const LimitCurrentUserSidAccess: Boolean): String;
+begin
+  var Protected: Boolean;
+  Result := CreateTempDir(LimitCurrentUserSidAccess, Protected);
+end;
+
 function ReplaceSystemDirWithSysWow64(const Path: String): String;
 { If the user is running 64-bit Windows and Path begins with
   'x:\windows\system32' it replaces it with 'x:\windows\syswow64', like the

Projects/Src/Main.pas

@@ -266,7 +266,7 @@ function IsWindows11: Boolean;
 implementation
 
 uses
-  ShellAPI, ShlObj,
+  ShellAPI, ShlObj, StrUtils,
   Msgs, MsgIDs, Install, InstFunc, InstFnc2, RedirFunc, PathFunc,
   Compress, CompressZlib, bzlib, LZMADecomp, ArcFour, SetupEnt, SelLangForm,
   Wizard, DebugClient, VerInfo, Extract, FileClass, Logging, MD5, SHA1, ActiveX,
@@ -1450,21 +1450,19 @@ end;
 procedure CreateTempInstallDirAndExtract64BitHelper;
 { Initializes TempInstallDir and extracts the 64-bit helper into it if needed.
   This is called by Setup, Uninstall, and RegSvr. }
-var
-  Subdir, ResName, Filename: String;
-  ErrorCode: DWORD;
 begin
-  TempInstallDir := CreateTempDir(IsAdmin and not Debugging);
-  Log('Created temporary directory: ' + TempInstallDir);
+  var Protected: Boolean;
+  TempInstallDir := CreateTempDir(IsAdmin and not Debugging, Protected);
+  LogFmt('Created %stemporary directory: %s', [IfThen(Protected, 'protected ', ''), TempInstallDir]);
   if Debugging then
     DebugNotifyTempDir(TempInstallDir);
 
   { Create _isetup subdirectory to hold our internally-used files to ensure
     they won't use any DLLs the install creator might've dumped into
     TempInstallDir }
-  Subdir := AddBackslash(TempInstallDir) + '_isetup';
+  var Subdir := AddBackslash(TempInstallDir) + '_isetup';
   if not CreateDirectory(PChar(Subdir), nil) then begin
-    ErrorCode := GetLastError;
+    var ErrorCode := GetLastError;
     raise Exception.Create(FmtSetupMessage(msgLastErrorMessage,
       [FmtSetupMessage1(msgErrorCreatingDir, Subdir), IntToStr(ErrorCode),
        Win32ErrorString(ErrorCode)]));
@@ -1472,9 +1470,9 @@ begin
 
   { Extract 64-bit helper EXE, if one is available for the current processor
     architecture }
-  ResName := GetHelperResourceName;
+  var ResName := GetHelperResourceName;
   if ResName <> '' then begin
-    Filename := Subdir + '\_setup64.tmp';
+    var Filename := Subdir + '\_setup64.tmp';
     SaveResourceToTempFile(ResName, Filename);
     SetHelperExeFilename(Filename);
   end;