Internet Component Download Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

Internet Component Download

Background Information
Authenticity and Integrity


This web page demonstrates Windows’ Internet Component Download, typically used to download and install ActiveX controls.


When visited with Internet Explorer, this web page will prompt to install (the contents of) the package MSICD.CAB using the setup script MSICD.INF contained within.

Caveat: Internet Component Download extracts the contents of downloaded cabinet files to unsafe temporary directories %TMP%\IXP[000-999].TMP\!
The resulting weaknesses are listed as CWE-377: Insecure Temporary File, CWE-378: Creation of Temporary File With Insecure Permissions and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE.
Typical attacks are listed as CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC.

Note: installation requires administrative privileges and access rights!
Although the setup script MSICD.INF needs no administrative privileges and access rights for any of its actions, Internet Component Download requests them to copy the setup script contained within the downloaded package MSICD.CAB at the end of the installation into the directory "%SystemRoot%\Downloaded Program Files\" (precisely: the directory which pathname is stored in the last Registry entry of the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache).

Note: on Windows Vista® and newer versions of Windows NT, the (to say the least) braindead security theatre named UAC interferes with Internet Component Download!
If Internet Explorer elevates the installation, then windows of processes started from the setup script(s) are not displayed!
Use the builtin Administrator account for web-based installations which require administrative privileges (at least if you want to see the windows of processes started from the setup script(s)).

Note: Internet Component Download uses Advanced INF Installer which does not execute %SystemRoot%\System32\RunOnce.exe at the end of the installation to read and execute command lines written to Registry entries in the Registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and
Use RunPostSetupCommands or Setup Hooks sections instead.

Background Information

The operations of the setup script are logged to the file %SystemRoot%\SetupAPI.log (before Windows Vista) or %SystemRoot%\Inf\SetupAPI.App.log (since Windows Vista) respectively.
For additional information see the MSDN articles Setting SetupAPI Logging Levels and SetupAPI Logging Registry Settings.

The operations of Advanced INF Installer are (optionally) logged to the file which pathname is stored in the Registry entry


if this Registry entry exists.

Authenticity and Integrity

The (compressed) cabinet file MSICD.CAB is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Serial number of the certificate
0x045C48BE = 73156798
Fingerprint of the certificate
MD5: fc ee 8c 63 1d 27 05 a6 84 4c 1a 3e 73 47 9a b0
SHA-1: ce 24 2d a2 6b d9 7c 64 1e 8d bc 6c 70 58 32 1f 99 ab 1a be
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!


If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

Copyright © 1995–2024 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>