Re: Registry permissions defaults

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 08/15/04


Date: Sat, 14 Aug 2004 23:56:43 -0400

Many of the differences that you see may be the difference between Home and Pro. Home does not recognize user groups other than Administrators and Users, by default. Power Users, Backup Operators and other mid-level groups don't exist in XP Home.

As for Administrator permissions, in the Registry, many keys are read-only, even for the Administrator, and some don't even have Read permissions. But as a general rule, anything in HKLM\Software should allow the Administrator full access. There may be some exceptions, but none that come to mind right now.

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
 
"cpnet" <cpnet@nospam.nospam> wrote in message news:uvZDVbngEHA.3476@tk2msftngp13.phx.gbl...
> I am trying to install Norton AV Pro on my father's Dell Inspiron 8200 w/ XP
> Pro sp1, and all critical updates applied.  I have an almost identical Dell
> Inspiron (different modem I think), and have used NAV Pro 2002 through 2004
> no problems.
> 
> On my father's computer, near the end of the install, I keep on getting an
> error which is essentially caused by the Symantec registry keys not having
> the correct permissions.  At first I was thinking this was a problem with
> the newest NAV install, but as I looked deeper, I'm not sure.  I looked at
> permissions for a number of registry keys, comparing both Inspirons, as
> well as the registry in a Virtual PC XP Pro sp1 install that's on my
> Inspiron.  What I saw was odd.  On my dad's laptop, there are many more
> registry keys that only have Administrator and SYSTEM with assigned
> permissions, and many more keys where permissions apply to "this key only",
> and for Administrator, there is usually only 'read' rights.  On my XP, and
> my virtual XP, I see Power Users, Users, etc. with permissions - not just
> Administrators and SYSTEM.  I also see many more keys where permissions
> apply to the key and its children.  Administrators generally have the
> correct permissions (i.e. full control).
> 
> One interesting example is for some software that I authored, that's
> installed on the machines.  My install is a Windows Installer install that I
> built myself, and my install code does NOT explicitly set any permissions on
> the registry.  Anything that gets set is done by the OS with its defaults.
> On my Dad's machine for "HKLM\Software\MyCompany", only "Administrators" and
> "SYSTEM" are assigned permissions.  They are only assigned "special
> permissions".  When I examine the permissions, I see that "SYSTEM" has 'full
> control' on "this key only".  "Administrators" have 'read' on 'this key
> only'.  This is compared to my own machine for the same key
> ("HKLM\Software\MyCompany") I see permissions for "Administrators", "Power
> Users", "Users", "SYSTEM", "CREATOR OWNER".  For all except "CREATOR OWNER",
> their respective permissions apply to "this key and subkeys".  The
> permissions for each of the users/groups seem appropriate - i.e.
> Administrators have 'full control'.
> 
> What is going on here?
> 
> I also see something that is a concern...  On my Dad's machine,
> "HKLM\Software\Microsoft" only has permissions for "Everyone", and
> "Everyone" has plain "Full Control"!!!  Some of the subkeys are more locked
> down - but not all - this doesn't seem good.
> 
> I have scanned my dad's machine w/ Trend Micro's free HouseCall, the
> pre-scan that the NAV install does, and the free PestPatrol scan.  None have
> found any viruses or malware.  My father uses another PC for most of his
> web/e-mail access, so this laptop doesn't get a lot of exposure to threats.
> 
> Is there any way to fix this?
> 
> Thanks
> 
>
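
The two conditions discussed in this thread (Administrators without Full Control on a key under HKLM\Software, or with it on "this key only", and Everyone holding Full Control on HKLM\Software\Microsoft) can be checked read-only with PowerShell. This is an added example, not part of the original posts; the function name Get-RegistryAclFinding is hypothetical, and the key paths are the ones named in the thread.

```powershell
# Added example (not from the thread): report the registry ACL anomalies described above.
function Get-RegistryAclFinding {
    param([Parameter(Mandatory)][string[]]$Path)

    # Well-known SIDs, so matching does not depend on localized group names.
    $sidEveryone = 'S-1-1-0'
    $sidAdmins   = 'S-1-5-32-544'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $ci   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $io   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($p in $Path) {
        try { $acl = Get-Acl -Path $p -ErrorAction Stop }
        catch {
            # Missing key, or a key whose security descriptor the caller may not read.
            [pscustomobject]@{ Path = $p; Owner = $null
                               Findings = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        # Allow ACEs (explicit and inherited) that grant Full Control on this key itself;
        # inherit-only ACEs are skipped because they affect subkeys only.
        $fullAces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $full) -eq $full -and
            ($_.PropagationFlags -band $io) -ne $io })

        $findings = @()
        if (@($fullAces | Where-Object { $_.IdentityReference.Value -eq $sidEveryone }).Count) {
            $findings += 'Everyone has Full Control'
        }
        $adminFull = @($fullAces | Where-Object { $_.IdentityReference.Value -eq $sidAdmins })
        if (-not $adminFull.Count) {
            $findings += 'Administrators lack Full Control'
        } elseif (-not @($adminFull | Where-Object {
                      ($_.InheritanceFlags -band $ci) -eq $ci }).Count) {
            # Corresponds to "this key only" in the permissions dialog.
            $findings += 'Administrators Full Control applies to this key only'
        }
        if (-not $findings.Count) { $findings += 'no anomaly found' }
        [pscustomobject]@{ Path = $p; Owner = $acl.Owner; Findings = $findings -join '; ' }
    }
}

# Key paths as named in the thread; "MyCompany" is the poster's placeholder name.
Get-RegistryAclFinding -Path 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\MyCompany' |
    Format-List
```

Get-Acl only reads the security descriptors, so running this changes nothing on the machine being compared.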

