Re: Set Registry Remotely as non-administrator

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I disagree. I think that was the nicest way I could say, "Yes, but DON'T
EVER THINK THAT IS A GOOD IDEA TO DUMB DOWN SECURITY FOR SOMETHING LIKE
THAT. PERHAPS THERE IS ANOTHER WAY TO SOLVE YOUR SPECIFIC PROBLEM IF YOU'D
BE SO KIND AS TO SPECIFY THE PROBLEM VS. THE PROBLEM WITH THE SOLUTION"

But then, the original poster was asking a legit question, and doesn't
strike me as somebody who was just being lazy or judgmental.

Herb later answered the question like this:

"Yes. The registry is secure with ACLs (access controlled lists), commonly
called 'permissions', which are almost exactly analogous to NTFS file and
directory permissions.

BUT Registry ACL (permissions) are MUCH more difficult to modify without
making a system unusable on one extreme and very insecure on the other."

Let me just say that modifying the registry acls for this type of
requirement is the silliest thing I've heard of and is indicative of much
deeper security issues with your environment. The original poster obviously
senses something is not quite right and that's why they are asking.

To reiterate my original question: Why would you want to allow a
non-administrator the ability to modify your registry remotely?

Think about that for the briefest of moments, and you begin to understand
that I'm asking this for a reason. I was kind enough afterwards to ask what
the bigger issue was, prior to the solution and subsequent problem with the
solution was thought of so that somebody, even someone such as myself might
be able to offer a different direction that didn't require you to mangle
your security stance in the hopes of making a single application work in
your environment.

For the original poster: Consider elevation of privileges such as Runas
offers or that SMS tends to use. If you troll around on msdn you'll find
examples of software deployment and elevating your privileges to deploy
software. It strikes me that you have the same issue except that you have
to do so remotely. Technically, that would be even easier since you could
run it remotely as a domain admin, which by default has the elevated perms
to all the workstations. If it has to run locally on the machine in the
user context, then see my previous about msdn.

Drop me a note off-line if you prefer to continue the conversation or have
additional questions.

Al

"alan" <alan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:03277CBC-7918-47AB-B864-FEEE8EFBF256@xxxxxxxxxxxxxxxx
What a horrible response to a question.

I have the same problem. We have software that used to work fine before
all
the windows security started breaking our programs.

We have the same situation withour program. We are not specfically
allowing
a user to write to the registry but the program needs to because the
program
has its own security measures that need to be written and read there.

Is there a way to allow this for non-administrator users? or do we need to
expose our security by simply writing to files instead of the registry?

"Al Mulnick" wrote:

Just for my benefit, why would you want to allow a non-administrator to
read/write the registry on your machine?

Help me understand the problem you need to solve (that you have an answer
for already, I know) and maybe there are some other ways that people can
steer you. But allowing a non-administrator to write to the registry
seems a
strange way to blow your toes off. Potentially anyway.

Al
"guywmustang" <jahull@xxxxxxxxx> wrote in message
news:1173742978.033847.314060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have something I'm trying to do and haven't yet found an answer on
the internet.

I'm trying to add the permission for a non-administrator to be able to
read & modify the registry on a remote computer. It works fine as
administrator (I'm communicating XP computer to XP computer), but when
the "accessing" computer runs as non-administrator, it won't let me
read any keys in HKEY_LOCAL_MACHINE or anywhere. I wrote a program
I'm using to try to read/write registry on the remote machine.

Is there any way to do this? Or does anyone know how to modify the
registry on a remote machine, whether through code or through
available program (especially as non-administrator).

Thanks






.

Relevant Pages

  • Re: Registry access question
    ... or ownership of registry entries though Dolphin either (as you might want to ... I will take another look, but at first glance, but the remote part of it is scary. ... When it turns to remote administration, I get nervous, both from the standpoint of security and reliability. ... But to invoke a structured programming analogy, what is the real danger? ...
    (comp.lang.smalltalk.dolphin)
  • [TOOL] RegistryBrowser Allows Remote Registry Access to HKEY_CURRENT_USER
    ... RegistryBrowser Allows Remote Registry Access to HKEY_CURRENT_USER ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... If your account and password are stolen, ...
    (Securiteam)
  • Setting Remote Registry as non-administrator
    ... connect to the registry on a remote machine. ... try to run the program as a non-administrator. ... Has anyone else dealt with setting registry remotely? ...
    (microsoft.public.vc.mfc)
  • Change security in the registry
    ... I need to change a security in the registry, in remote ... Chris. ...
    (microsoft.public.win2000.security)
  • RE: Extracting NT password hashes from registry export file
    ... Extracting NT password hashes from registry export file ... This list is provided by the SecurityFocus Security Intelligence Alert Service. ...
    (Pen-Test)