Re: Regedit Permissions



Giving a user full control to class does not allow the user to run any
program as the user still needs read/list/execute NTFS permissions to the
application folder/executable however it still is a good idea to try and
give users no more permissions than necessary to any access control list
though same permissions as power user is much preferable to making the user
a power user. What I would try next is to enable auditing of object access
for failure in Local Security Policy. Then audit the HKLM/software/classes
registry key by going to permissions - advanced/auditing. Add users for
failed for set value, create subkey, and delete which was a power user would
have in addition to what a normal user would. Then reboot the computer and
after the problem occurs for the user logon as an administrator and look in
the security log via Event Viewer for failed object access events for
registry keys under HKLM/software/classes that have a timestamp around when
the problem occurs for the user as those would be the ones to look at
further for lack of permissions. I would clear the security log first and
increase it's size from default quite a bit to maybe at least 2 MB.

SysInternals also has a free program called regmon that logs registry
activity but in the case where problems occur during a logon it may not be
as helpful as normal to try and track down access denied problems though you
can configure it for "log boot" under options though I have never tried that
option myself yet to see how well it works. If you try using regmon be sure
to take advantage of filter view to find/highlight entries you want to find
such as access denied because the log will almost certainly contain several
thousand entries. Regmon can not be run by a regular user but it could be
started via runas and administrator credentials after logging on as a
regular user. --- Steve

http://www.sysinternals.com/Utilities/Regmon.html --- regmon
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true
--- runas description


"Cindy" <Cindy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4F169756-438E-4C46-ABEF-A1768E6C6E47@xxxxxxxxxxxxxxxx
Yes, the permission is somewhere in HKLM/software/classes but not in the
application name sections. I know this because after I gave the
application
name keys full control POLAR failed. I gave the user full control to
HKLM/software/classes "root" and POLAR works.....How do I find the
specific
keys that POLAR is in need of more rights without going through every key?
I
changed all the POLAR related "classes keys" and did a couple of searches
but
no avail. If I give full control to Classes root does that mean the user
can
run any programs they want? Thanks for your help.

Cindy

"Steven L Umbach" wrote:

If you have not tried yet go to HKLM/software/application name and give
the
users full control permissions to that key or the same that power users
have
also looking in the advanced page where you would highlight power users
and
select edit. Double check each child registry key below it when done to
make
sure that change in permissions has propagated to them also. Reboot the
computer for good measure and see if that makes a difference. If that
does
not help look under HKLM/software/classes for keys that have the
application
name and do the same for permissions found there. Worse case scenario is
that you can create a new security template copying only the registry
permissions [highlight registry and select copy and then paste into same
in
new blank security template, then save template] from the compatws.inf
security template to a new security template and then importing that
security template into the computer via Local Security Policy by
highlighting security settings, right clicking and select import. You
can
use the mmc snapin for security templates to view, manage, and create
security templates. Doing such would give the user the same permissions
as
the power user to the registry without changing any folder/file
permissions
or adding the user to the power users group. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scedefaultpols.mspx?mfr=true
http://support.microsoft.com/kb/816297/EN-US/

"Cindy" <Cindy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DF7C773F-C6CA-41F7-B918-EFE291571C6A@xxxxxxxxxxxxxxxx
I have a third party software called Polar. I am installing this
application
with the user having power user rights to the desktop. Once I place
the
user
back into the User Group - removing them from the power user group,
and
log
back on to the workstation the Polar pops a Failed to update system
registery
error window. If I click on OK the application lets me in. What
rights
are
required to write to the registry? - power user at the least? The
providers
of the software gave me some registry keys to give the user more rights
but
their suggestion does not help....can any else ????

Thanks in advance

Cindy





.



Relevant Pages

  • Re: 0x80070005 / _Inventory: Installer returned 0x5 (5)
    ... |> Access Denied is a hard one to determine where the keys are failing - ... Navigate to the following key in the registry: ... and then click Permissions. ... |> For Administrator and System, select the Allow check boxes next to Full Control ...
    (microsoft.public.windowsupdate)
  • Re: 0x80070005 Installation Failure message
    ... I wonder why Microsoft ... it had different permissions than other ... Before you modify the registry, ... > one or more registry keys could not be deleted ...
    (microsoft.public.windowsupdate)
  • Re: Default permissions for OE inside registry key...
    ... Single users would not have those keys in the registry. ... > OE runs through the wizard to add a new news account. ... > so I need the permissions for the keys listed. ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Why does the confiuration wizard run every time I start Word 2
    ... There was some minor errors after I ran the batch file, but a vista repair ... if they wanted to solve the issue it would be in a registry issue, ... I was fairly sure that it the problem was due to a permissions issue ... Trying to alter the permissions on some of these keys I also ...
    (microsoft.public.office.setup)
  • Re: Failed nidaq adaptor registration
    ... Administrative privileges may not have permissions to modify ... the registry under Vista. ... registry keys. ... Process Monitor is an advanced ...
    (comp.soft-sys.matlab)