Adobe Flash Player as msi-file

How to get

The normal download page from Adobe for the flash player offers only installers as exe-files.

It is not possible to extract an MSI file from the installer with a tool like 7zip, because the installer is not based on MSI internally. Instead, the msi (see below) is a wrapper around the exe.

Adobe does offer a web page with download links for msi-files, but they do not allow anyone to publish the address of that page, the download links to the files, or the files themselves. Instead they demand that you register with them before they allow you to deploy flash player to other computers (read their EULA).

Registration is free and requires only answering a few harmless questions. The registration is valid for one year, then you must register again. They will send you an email with a reminder before the registration expires.

To register, go to the normal download page, look in the right column under 'Resources', and click on 'Distribute Flash Player'. Shortly after finishing the registration, their server will automatically send you an email with links to special admin webpages and direct download links to the msi-files.

Configure

In the MSI-files that you get, these properties are already set:
ALLUSERS=1
ARPNOMODIFY=1

They cause the software to be installed per machine, not per user, and they disable the button in "system control" > "add/remove programs" to modify that installation.

I recommend that you add:
ARPNOREMOVE=1
This forbids local removal of the software through add/remove programs in system control.
ARPCOMMENTS
Here I usually include a short message stating that this software has been automatically deployed from the server and hence cannot be modified locally.

Additionally I personally prefer to update the property
ProductName
This property is set to 'Adobe Flash Player 11 Plugin'. I always replace the '11' inside that string with the full version number, taken from property ProductVersion. Reason for this change: the GPO Editor of Windows Server uses the value of this property as default for the name for the software package. If you have the new and one or more old versions in one GPO, they are hard to distinguish when they all have the same name.

disable update-check

The installer can check if it is the current version.
That check would cause problems if a computer had been switched off for a while (e.g. during a holiday) and a new version has just come out, but you haven't yet updated the GPO to deliver that new version. When that computer is switched on, it will uninstall the previously installed version, but then fail to install the last one.
Thus you should change this property:
ISCHECKFORPRODUCTUPDATES
This property comes set to 1. Change the value to 0 (zero).

If you don't have a tool like Orca to do that modification, you may download my AdobeFlash NoUpdateCheck.vbs and simply drag and drop a msi file onto that script file. This will change the property from 1 to 0. Works for both the ActiveX variant (for Internet Explorer) and for the Plugin variant (for Firefox and others).
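The property changes from the "Configure" and "disable update-check" sections can also be scripted through the Windows Installer COM interface. The following PowerShell script is an added example, not the author's AdobeFlash NoUpdateCheck.vbs; the ARPCOMMENTS text is a constructed sample, and the ProductName rewrite assumes the major version appears in the name as a separate number, as in 'Adobe Flash Player 11 Plugin'.

```powershell
# Added example, not the author's AdobeFlash NoUpdateCheck.vbs. Run it on a copy of the MSI.
param(
    [Parameter(Mandatory = $true)] [string] $MsiPath,
    # Constructed sample text for ARPCOMMENTS.
    [string] $Comment = 'Deployed automatically from the server, cannot be modified locally.'
)

# WindowsInstaller COM objects need late-bound calls from PowerShell.
function Invoke-Msi($Object, [string] $Member, [string] $Kind, [object[]] $Arguments) {
    $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
}

function Get-MsiProperty($Db, [string] $Name) {
    $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $Name
    $view = Invoke-Msi $Db 'OpenView' 'InvokeMethod' @($sql)
    Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
    $row   = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null
    $value = if ($row) { Invoke-Msi $row 'StringData' 'GetProperty' @(1) }
    Invoke-Msi $view 'Close' 'InvokeMethod' $null | Out-Null
    $value
}

function Set-MsiProperty($Db, [string] $Name, [string] $Value) {
    if ($Value.Contains("'")) { throw "Value for $Name must not contain a single quote." }
    # UPDATE changes nothing when the row is missing, so insert in that case.
    if ($null -ne (Get-MsiProperty $Db $Name)) {
        $sql = 'UPDATE `Property` SET `Value` = ''{0}'' WHERE `Property` = ''{1}''' -f $Value, $Name
    } else {
        $sql = 'INSERT INTO `Property` (`Property`, `Value`) VALUES (''{1}'', ''{0}'')' -f $Value, $Name
    }
    $view = Invoke-Msi $Db 'OpenView' 'InvokeMethod' @($sql)
    Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
    Invoke-Msi $view 'Close' 'InvokeMethod' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$path = (Resolve-Path -LiteralPath $MsiPath).Path
$db   = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @($path, 1)   # 1 = transacted read/write

$version = Get-MsiProperty $db 'ProductVersion'
$major   = $version.Split('.')[0]
$name    = Get-MsiProperty $db 'ProductName'
Set-MsiProperty $db 'ISCHECKFORPRODUCTUPDATES' '0'
Set-MsiProperty $db 'ARPNOREMOVE' '1'
Set-MsiProperty $db 'ARPCOMMENTS' $Comment
# 'Adobe Flash Player 11 Plugin' -> the same string carrying the full ProductVersion.
Set-MsiProperty $db 'ProductName' ($name -replace "(?<!\.)\b$major\b(?!\.)", $version)

Invoke-Msi $db 'Commit' 'InvokeMethod' $null | Out-Null
```

Editing the database in place invalidates any Authenticode signature the file carries, so keep the unmodified download next to the edited copy.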

disable automatic updates

Version 11.2 and later contain an automatic updater that runs as a service. Thus the user does not need to have admin rights for the updater to do its work. At the same time, Adobe introduced filenames that contain the version number.

I expect this to cause problems in an environment with automatic software deployment. Thus you should disable the automatic updater.

Adobe writes in the admin guide that the msi installer does not activate this updater. But to be on the safe side, I disable it nevertheless, especially because it does create the file FlashPlayerUpdateService.exe, and the service "Adobe Flash Player Update Service".

Create a plain text file with name mms.cfg with these contents:
AutoUpdateDisable=1
SilentAutoUpdateEnable=0

These and more options are described in the Flash Player Administration Guide.

Place the file here:

  • 32-bit Windows: %WINDIR%\System32\Macromed\Flash
  • 64-bit Windows: %WINDIR%\SysWow64\Macromed\Flash

Starting with version 11.3, the installer contains both the 32 and the 64 bit version, and when running in 64-Bit Windows it will install both versions, which will both use the mms.cfg file from the directory SysWow64.
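One way to place the file on a machine without overwriting options that are already there, as an added PowerShell example (not Adobe's or the author's code). It assumes an elevated prompt and that the presence of a SysWOW64 directory identifies 64-bit Windows.

```powershell
# Added example, not Adobe's or the author's code. Run from an elevated prompt.
# Settings listed on this page; other lines already in mms.cfg are preserved.
$wanted = [ordered]@{ AutoUpdateDisable = '1'; SilentAutoUpdateEnable = '0' }

function Merge-MmsCfg([string[]] $Lines, $Settings) {
    # Drop existing lines that set a managed key, keep the rest, append ours.
    $kept = @($Lines | Where-Object {
        -not ($_ -match '^\s*([^=#\s]+)\s*=' -and $Settings.Contains($Matches[1]))
    })
    $kept + @($Settings.Keys | ForEach-Object { "$_=$($Settings[$_])" })
}

# 64-bit Windows has a SysWOW64 directory; 32-bit Windows does not.
$sysDir = if (Test-Path "$env:WINDIR\SysWOW64") { 'SysWOW64' } else { 'System32' }
$dir    = Join-Path $env:WINDIR "$sysDir\Macromed\Flash"
$cfg    = Join-Path $dir 'mms.cfg'

New-Item -ItemType Directory -Path $dir -Force | Out-Null
$old = @()
if (Test-Path $cfg) {
    $old = @(Get-Content $cfg)
    Copy-Item $cfg "$cfg.bak" -Force      # keep the previous file for rollback
}
Set-Content -Path $cfg -Value (Merge-MmsCfg $old $wanted) -Encoding ASCII
Get-Content $cfg                          # show the resulting file
```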

privacy options

You may want to add some more options to the file mms.cfg. For example, the blog WeLiveSecurity recommends adding these options for privacy reasons:
LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 0
LegacyDomainMatching = 0
LocalFileLegacyAction = 0

This is from part two of a series of posts about Flash, the other parts are: 1, 3, 4, 5.

Enable testing

Screenshot of error message
      'Error 1722: There is a problem with this Windows Installer package.
      A program run as part of the setup did not finish as expected.
      Contact your support personell or package vendor.
      Action NewCustomAction1, location: ...\InstallAX.exe, com...'

Usually one should not deploy software without first testing it on one machine. That test should include install, uninstall and reinstall. I do this by adding the new version to a test-GPO, then removing it, then adding it again. If done like this, the uninstall step causes the machine to reinstall the previous version, because I haven't removed that yet from the GPO. This procedure works with all software except with Adobe Flash for ActiveX.

Trying to downgrade flash player for ActiveX to an older version triggers Windows Installer Error 1722 and the file FlashInstall.log says that it got error "0001 [E] 00001013" when trying to execute "InstallAX.exe -install -msi".

The reason is that the uninstaller purposefully leaves a registry entry behind that prevents later installation of an earlier version. If you want to install an earlier version anyway, you must remove the registry values 10 and 11 in the key HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions. One way to do this is to download flash-allow-reinstall.reg and double-click it. Or just remove the whole key using flash-allow-reinstall-new.reg.

What has changed

new in version 13.0

Adobe added a section to the admin guide titled "Manually Uninstalling Flash Player on Macintosh".

new in version 12.0

Adobe added some clarifications in the admin guide regarding the auto-updater.

new in version 11.9

The release notes for version 11.9 list no new features for Windows (except maybe "Safe Mode in Safari 6.1 and higher"), otherwise this received "only" normal bug fixes, no security issues. The version for MacOS got a new installer. All other new features are only for Android and iOS. In the Admin Guide for 11.9 I found only one change compared with 11.8: the section "DMG Installation for Macintosh" was replaced by two sections "PKG Installer for Macintosh" and "App installer for Macintosh".

new in version 11.8

Comparing the administration guides for versions 10.7 and 10.8, I found as the only difference two new options for the config file mms.cfg: DisableHardwareAcceleration and UseWAVPlayer.

new in version 11.7

According to the release notes of 11.7 the only new feature in the Windows variant is "Sandboxing enhancements".

new in version 11.6

There is only one difference in the contents between administration guides for versions 10.5 and 10.6:
An updated screenshot on page 40, replacing 'Macromedia' with 'Adobe'.

More Info

Read the Flash Player Administration Guide.

details about the automatic updater

Adobe doesn't tell many details about this. Here is what I found out so far:

  • exe-installer asks for permission to activate this feature, default is yes
  • msi-installer triggered by GPO also has default yes
  • Adobe says that msi-installer does not really activate the auto-updater
  • the updater is triggered from task scheduler in the account of the user who installed the flash player.
    XP: Control Panel > Scheduled Tasks > Adobe Flash Player Updater
    Vista & Win7: run taskschd.msc > Task Scheduler Library > Adobe Flash Player Updater
  • the updater program is in
    %SystemRoot%\(System)\Macromed\Flash\FlashPlayerUpdateService.exe
  • the updater runs as
    NT AUTHORITY\SYSTEM
  • the updater runs regardless of who is logged in, and regardless of whether this user has admin rights.
  • I observed the updater only update the ActiveX, but not the Plugin version. It seems to do this when it runs a second time.
  • The updater tries updating each hour until it succeeds. But it starts checking only once after reboot. When it has run, it sets the date for the next check to 7 days in the future.
  • If you want the updater to run daily, add one line to mms.cfg:
    AutoUpdateInterval=1
    or set it to 0 (zero) to check for updates every time the player launches.
  • The exe-installer overwrites an existing file mms.cfg. The msi-installer does not do this.
  • If you are behind a proxy, you may need to use an internal update server and set the property SilentAutoUpdateServerDomain, see this posting.
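To check on a given machine which of the updater pieces listed above are present and whether mms.cfg carries the two settings from the configuration section, a report like the following can be used. It is an added PowerShell example, not Adobe's or the author's code; it uses only the file, service and task names given on this page, and the schtasks syntax assumes Vista or later.

```powershell
# Added example, not Adobe's or the author's code; names and paths are the ones on this page.
function Get-FlashUpdaterState {
    $sysDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:WINDIR "$_\Macromed\Flash" }
    $exe = @($sysDirs | ForEach-Object { Join-Path $_ 'FlashPlayerUpdateService.exe' } |
             Where-Object { Test-Path $_ })

    # mms.cfg location per the page: SysWOW64 on 64-bit Windows, System32 otherwise.
    $cfgDir  = if (Test-Path "$env:WINDIR\SysWOW64") { $sysDirs[1] } else { $sysDirs[0] }
    $cfgPath = Join-Path $cfgDir 'mms.cfg'
    $cfg = @{}
    if (Test-Path $cfgPath) {
        foreach ($line in Get-Content $cfgPath) {
            if ($line -match '^\s*([^=#\s]+)\s*=\s*(.*?)\s*$') { $cfg[$Matches[1]] = $Matches[2] }
        }
    }

    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='Adobe Flash Player Update Service'"

    # schtasks exits non-zero when the task does not exist.
    schtasks.exe /Query /TN 'Adobe Flash Player Updater' 2>$null | Out-Null
    $taskPresent = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        UpdaterExe             = $exe -join '; '
        Service                = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'not present' }
        TaskPresent            = $taskPresent
        AutoUpdateDisable      = $cfg['AutoUpdateDisable']
        SilentAutoUpdateEnable = $cfg['SilentAutoUpdateEnable']
        CfgMatchesPage         = ($cfg['AutoUpdateDisable'] -eq '1' -and
                                  $cfg['SilentAutoUpdateEnable'] -eq '0')
    }
}

Get-FlashUpdaterState
```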

other updates related to flash

Adobe Air is installed on many machines without either their users or the admins knowing. It comes, for example, as part of Creative Suite, some versions of Acrobat, and some software from other companies as well. Almost every time Adobe fixes bugs in flash player, they fix the same bugs in Adobe Air as well. Please check if you have Air installed, and either remove or update it!

Macromedia Flash Player got automatically installed with Windows XP, but does not get updates any more. If you have it installed, remove it! Look for the file c:\windows\system32\Macromed\Flash\Flash6.ocx

Windows 8

Don't deploy Flash-ActiveX to machines running Windows 8. It's included in Internet Explorer.


last modifications:

  • 2014-04-09: added what's new in versions 12.0 and 13.0, and info that msi installs do by default not auto-update.
  • 2013-10-07: added what's new in versions 10.8 and 10.9, and privacy options for the config file mms.cfg.
  • 2013-07-04: added notes about Adobe Air, Macromedia Flash, and Windows 8.
  • 2013-02-13: compared admin guides for version 10.5 and 10.6, no significant changes found.
  • 2012-10-01: bug in version 11.4.402.278
  • 2012-06-11: integrated essential info about automatic updater in description of configuration, leaving additional details in the appendix.
  • 2012-05-04: added infos about SilentAutoUpdateServerDomain and mms.cfg
  • 2012-03-07: added info about Error 1722 that can pop up when testing install-remove-reinstall.
  • 2012-02-17: added recommendations for changing ProductName and adding ARPCOMMENTS.