Re: Problems creating keys under the HKEY_LOCAL_MACHINE in Windows XP

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Jim Carlock (anonymous_at_127.0.0.1)
Date: 11/18/04 

Date: Thu, 18 Nov 2004 14:15:37 -0500

Hmm... when you set up the keys, do you make sure System
has full control? Usually that would be an inherited setting that
would be brought down from the root HKLM.

One way to know for sure, ask the people to look at the
permissions that are ON the particular key giving problems,
then look at any subkeys that you use. When they call, or if
you can call them, ask them which permissions are installed,
by having them run Regedit on XP or RegEdt32 on Win2k.

Tell them to look at the key and then click on Edit, Permissions.

Also, some clues as to what is causing the problem, could be
coming from the fact that they are running IIS on a particular
machine. IIS tends to add a Restricted Group into the list of
groups and it gets thrown around in a variety of places. I
haven't quite figured out the full details on how the hows or
whys so if you find any information on it, feel free to pass it
along.

Some other things that come into play, include the boot mode,
as things change in Safe Mode. See the following link for such
information:
http://support.microsoft.com/?kbid=290403

Some more information about the Users group on WinXP...
http://www.microsoft.com/resources/documentation/office/xp/all/reskit/en-us/admc02.mspx

I've seen the CREATOR group suggested in IIS documentation
recently.

Usually the System account has full access to everything. If you
assign the System account to your software, you might be able
to get around the problems. When you create the key, make
sure you create it by explicitly stating that it uses the System
account. That might fix all your problems, as System could very
well have FULL ACCESS to everything on the system.

However, if there is something in place that restricts anything,
like IIS setting up a RESTRICTED group... the restrictions
over-ride all other permissions. So even though someone is
set up as Admin, any restriction in place could very well prohibit
access. 

--
Jim Carlock
Post replies to newsgroup.
"mayayana" <mayaXXyana1a@mindYYspring.com> wrote in message 
news:692nd.4053$pK6.2265@newsread2.news.atl.earthlink.net...
     Thanks, but I meant that I don't understand
the default permission structure in general on
NT systems. (By NT I meant NT4/2000/XP.)
     I don't need advice about setting permissions
because I don't use NT/2000/XP, but I do need to
write code that works for people on those systems.
Usually things are fine, but occasionally I run into
people who don't understand their own settings
and I don't know enough to help them. For instance,
there was someone awhile back who complained
that he had to use my software with "run as" in
order to have it work. Yet all it was doing was reading
from HKLM.
--
_____________________________
mayayXXana1a@mindYYspring.com
For return email remove XX and YY.
_____________________________
Jim Carlock <anonymous@127.0.0.1> wrote in message
news:eUzqpYRzEHA.3376@TK2MSFTNGP12.phx.gbl...
> Well, to help you along with some of the concepts that
> are involved, the best way I know how to do this comes
> into effect when describing NTFS file permissions...
>
> It used to be that on Windows NT (Version 4, maybe 3.5
> too) when one did a fresh install of the Server product, there
> was a group called Everyone. Everyone was given access to
> the hard disk drive. :-) I don't know if that applied to the
> registry as well so someone else will have to comment on
> that. Note, the Nimbda Virus infects computers and opens
> a system up for others to gain access to, by putting the
> Everyone group Full Control and propagating that over all
> folders on all drives.
>
> Very bad bad thing. A default installation of Windows 2000
> server with no service packs does the same thing I believe. It
> is left up to the administrators to remove the Everyone group
> and tighten up security.
>
> I believe the Everyone Group is given Read-Only access to
> things... it's been a long time since I've done such an install.
> One of Win2Ks service packs might have fixed the Everyone
> problem. If not, the Microsoft Baseline Security Analyzer will
> take care of such things (I hope). I've always removed the
> Everyone Group from the root drive (right click on a drive in
> Explorer, click Properties, Security tab) before running the
> Baseline Analyzer.
>
> The registry operates in much the same way that NTFS
> permissions operate. Things are usually configured at the root,
> with a few exceptions, and then everything is inherited from
> those root keys.
>
> There are some special groups that get special permissions,
> in XP, and I think they might be inside NT as well but I don't
> know right off the top of my own head, such as CREATOR,
> RESTRICTED, USERS, POWER USERS,
> ADMINISTRATORS and AUTHENTICATED USERS.
>
> If there is only one person on the machine, you can pretty much
> remove all the groups and leave only the Administrators and
> System as having FULL CONTROL. I would suggest leaving
> things intact (and get rid of the Everybody account from having
> any permissions anywhere). Create a non-administrative account,
> and a power user account to test things.
>
> I'm just babbling about things and don't have all the answers, so
> if anyone sees anything that is should be expounded upon, please
> expound!
>
> --
> Jim Carlock
> Post replies to newsgroup.
>
> "mayayana" <mayaXXyana1a@mindYYspring.com> wrote in message
> news:D9Smd.3506$pK6.3495@newsread2.news.atl.earthlink.net...
>    Actually, I was asking because I use Win98 (no one
> has to be a lackey there!) and have little experience with
> XP directly. I've never quite figured out exactly what
> options non-administrators have. On one occasion I
> was helping a friend with his XP computer and found
> that as the non-original administrator I had to go through
> the bizarre step of giving myself permission to access all
> keys! So apparently an administrator is not always an
> administrator on XP.
>
>     My impression was that non-admins can read but not
> write to HKLM, but I don't  understand the overall design
> of Registry permissions in NT, so I was hoping
> that someone might explain it clearly.
> _____________________________
>
> mayayXXana1a@mindYYspring.com
> For return email remove XX and YY.
> _____________________________
> Jim Carlock <anonymous@localhost.com> wrote in message
> news:OmFT0yOzEHA.2568@TK2MSFTNGP10.phx.gbl...
> > We are lackeys at all times... :-)
> >
> > For instance, try to take ownership of every key in the
> > registry and let me know if you get it done successfully.
> >
> > Also, try to access every key in the registry by adding
> > a dummy group or a dummy account that will never be
> > used, by assigning that dummy group or individual as
> > having access to the root of HKLM and forcing
> > inheritance upon it.
> >
> > Make sure you mess with such things on a machine
> > that you know can be lost. ;-)
> >
> > Let me know if there are keys you cannot take
> > ownership of, or keys that cannot be assigned new
> > permissions.
> >
> > I haven't tried it in safe mode. So maybe safe-mode
> > will get it to work.
> >
> > Also, things get real complicated as far as permissions
> > and such when network engineers put denials into
> > effect.
> >
> > --
> > Jim Carlock
> > Post replies to newsgroup.
> >
> > "mayayana" <mayaXXyana1a@mindYYspring.com> wrote in message
> > news:8Unmd.1580$pK6.22@newsread2.news.atl.earthlink.net...
> >    He's talking about creating keys. Doesn't that require
> > full access? Are you saying that there's a more limited
> > permission available that still has the ability to create
> > keys?
> >   ( As I think about that, though, I suppose there wouldn't
> > be much point in logging on as a lackey if one still had
> > full power in HKLM.)
> > _____________________________
> >
> > mayayXXana1a@mindYYspring.com
> > For return email remove XX and YY.
> > _____________________________

Relevant Pages

  • Re: Problems creating keys under the HKEY_LOCAL_MACHINE in Windows XP
    ... into effect when describing NTFS file permissions... ... The registry operates in much the same way that NTFS ... those root keys. ... ADMINISTRATORS and AUTHENTICATED USERS. ...
    (microsoft.public.vb.winapi)
  • Re: Registry permissions defaults
    ... Home does not recognize user groups other than Administrators and Users, ... >I am trying to install Norton AV Pro on my father's Dell Inspiron 8200 w/ XP ... > error which is essentially caused by the Symantec registry keys not having ... > permissions for a number of registry keys, comparing both Inspiron's, as ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Automatic Update: Access is Denied
    ... The same boot menu shows up when one presses F8 prior to Windows loading in order to reach Safe Mode. ... The final problem was that Windows Update was disabled... ... According to many web posts this is a permissions problem. ... Remove the check marks named values and Data (only Keys ...
    (microsoft.public.windowsupdate)
  • Re: Automatic Update: Access is Denied
    ... The final problem was that Windows Update was disabled... ... According to many web posts this is a permissions problem. ... Maybe this would have worked if I had run it in safe mode, ... Remove the check marks named values and Data (only Keys ...
    (microsoft.public.windowsupdate)
  • Re: Problem installing Windows script 5.6
    ... Before attacking my registry permissions, I used a program to help ... find offending keys in HKCR like you did, ... When you say "none of my user accounts have access to these registry ... I was able to change all my offending keys' permissions to allow full ...
    (microsoft.public.windowsxp.help_and_support)