Boxstarter asking for my Windows password in a shady PowerShell prompt

[Aprillion]

I just installed Node 10 this weekend and the chockolatey boxstarter started to bother me with Please provide your password so that Boxstarter may automatically log you on. every time I log in.

There is no standard way to uninstall the tool (via Windows Settings or Control Panel), only complicated steps described on https://chocolatey.org/docs/uninstallation

While other malware can show a powershell prompt saying "I am Boxstarter, pleaze gief me your password:", I will assume the message comes from the legit installer because of a valid certificate and no antivirus complaints (yet)..

Could the Node installer please behave better? I.e. not ask me for password days after installation, via a shady prompt in powershell that it asked to be elevated to admin privileges, after an attempt to disable UAC?!?

[lirantal]

Hi @Aprillion,

With regards to your ask about the Node installer this probably isn't the best place to raise your concerns. However, I'm a bit confused whether you are reporting an issue with chockolatey or with Node.js itself but AFAIK the Node.js installer or binary will not prompt you for your password.

Perhaps @nodejs/platform-windows or @nodejs/build might know more.

[refack]

Refs: nodejs/node#22645
Refs: nodejs/node#23838
/CC @gep13 @yodurr @joaocgreis

I actually think this issue would be more relevant in nodejs/node and in https://github.com/chocolatey/boxstarter/issues/

P.S.

AFAIK the Node.js installer or binary will not prompt you for your password.

The boxstarter script might (legitimately) ask for your password in order to streamline the install process. IIUC they are reconsidering this behaviur chocolatey/boxstarter#338

[gep13]

@Aprillion can you confirm if the Chocolatey/Boxstarter execution completed successfully?

[Aprillion]

I was able to run choco command as well as node and npm, but I have no idea about boxstarter - I did not provide the password and I uninstalled Chocolatey afterwards. Not sure which Node features will not work because of that ¯_(ツ)_/¯

I reported it here because my security concerns were triggered by the Node installation - if my concerns will be addressed elsewhere, please feel free to close this issue as a duplicate. Thank you for the investigation.

[rvagg]

@Aprillion are you saying that you get a cmd window each time you log in to Windows asking for your credentials? And this isn't a one-off thing? Would you mind sharing a screenshot in here for us?

I was under the impression that it was a temporary use of choco just to get stuff done during install, having choco and/or boxstarter persist if you don't have it already on your system is probably not an appropriate thing for the Node installer to be doing.

[gep13]

@Aprillion In terms of what Chocolatey and Boxstarter are, I wrote some information in a different issue about this:

chocolatey/boxstarter#357 (comment)

@Aprillion my main question was whether the Boxstarter installation completed successfully, as per this example video where you can see it complete successfully:

https://www.youtube.com/watch?v=gwFpXXIJTvs&t=10s

Or whether you terminated the Boxstarter process while it was happening.

Once the NodeJS installation is complete, Chocolatey and Boxstarter will remain on your machine, however, uninstalling them will not have an impact on the other applications that were installed using them.

[Aprillion]

@rvagg sorry, did not make screenshots

@gep13 now you mention it, I remember I had to turn off the computer while it was hanging in the vctools stage - https://youtu.be/gwFpXXIJTvs?t=7m - so no, it did not complete successfully :(

Glad to hear this is not normal user experience, just an edge case of incomplete installation. In any case, I was surprised that I was receiving the boxstarter prompts on the next day, not from the Node itself about unfinished installation.

Do you recommend to uninstall and re-install Node in this situation or not needed?

[gep13]

Forcibly closing the Boxstarter process once it has started has the potential to leave your computer in an unknown state, and as a result, you may see symptoms like you are currently seeing. Things to check would be to do the following:

nodejs/node#23838 (comment)

Then, you may also find that UAC has been disabled on your machine. If this was something you had on before, you may want to re-enable it.

in terms of whether you want to re-install or not, that really depends on what you are doing. The Boxstarter/Chocolatey installation of the tools is something optional, if you require those capabilities. The applications that are attempting to be installed are listed here:

https://github.com/nodejs/node/blob/master/tools/msvs/install_tools/install_tools.txt

You may want to ensure that these tools completed their installation, and if not, run them again. I don't think it will be necessary to uninstall and re-install node itself.

[Aprillion]

thank you for the help.

nodejs/node#23838 seems like the best place for further discussions if needed, closing this one.