Regedit Permissions

I have a third party software called Polar. I am installing this application
with the user having power user rights to the desktop. Once I place the user
back into the User Group - removing them from the power user group, and log
back on to the workstation the Polar pops a Failed to update system registery
error window. If I click on OK the application lets me in. What rights are
required to write to the registry? - power user at the least? The providers
of the software gave me some registry keys to give the user more rights but
their suggestion does not help....can anyone else ????

Thanks in advance

Cindy
 
If you have not tried yet go to HKLM/software/application name and give the
users full control permissions to that key or the same that power users have
also looking in the advanced page where you would highlight power users and
select edit. Double check each child registry key below it when done to make
sure that change in permissions has propagated to them also. Reboot the
computer for good measure and see if that makes a difference. If that does
not help look under HKLM/software/classes for keys that have the application
name and do the same for permissions found there. Worst case scenario is
that you can create a new security template copying only the registry
permissions [highlight registry and select copy and then paste into same in
new blank security template, then save template] from the compatws.inf
security template to a new security template and then importing that
security template into the computer via Local Security Policy by
highlighting security settings, right clicking and select import. You can
use the mmc snapin for security templates to view, manage, and create
security templates. Doing such would give the user the same permissions as
the power user to the registry without changing any folder/file permissions
or adding the user to the power users group. --- Steve

http://www.microsoft.com/resources/...oddocs/en-us/sag_scedefaultpols.mspx?mfr=true
http://support.microsoft.com/kb/816297/EN-US/
 
Why is it that the information from the software providers did not
help? Is it that it was followed and it did not resolve the issue?
Each registry key has individual security settings, so what they
provided likely was the list of the right places where permissions
need adjustment in the registry.
 
Yes, the permission is somewhere in HKLM/software/classes but not in the
application name sections. I know this because after I gave the application
name keys full control POLAR failed. I gave the user full control to
HKLM/software/classes "root" and POLAR works.....How do I find the specific
keys that POLAR is in need of more rights without going through every key? I
changed all the POLAR related "classes keys" and did a couple of searches but
to no avail. If I give full control to Classes root does that mean the user can
run any programs they want? Thanks for your help.

Cindy

Steven L Umbach said:
If you have not tried yet go to HKLM/software/application name and give the
users full control permissions to that key or the same that power users have
also looking in the advanced page where you would highlight power users and
select edit. Double check each child registry key below it when done to make
sure that change in permissions has propagated to them also. Reboot the
computer for good measure and see if that makes a difference. If that does
not help look under HKLM/software/classes for keys that have the application
name and do the same for permissions found there. Worst case scenario is
that you can create a new security template copying only the registry
permissions [highlight registry and select copy and then paste into same in
new blank security template, then save template] from the compatws.inf
security template to a new security template and then importing that
security template into the computer via Local Security Policy by
highlighting security settings, right clicking and select import. You can
use the mmc snapin for security templates to view, manage, and create
security templates. Doing such would give the user the same permissions as
the power user to the registry without changing any folder/file permissions
or adding the user to the power users group. --- Steve

http://www.microsoft.com/resources/...oddocs/en-us/sag_scedefaultpols.mspx?mfr=true
http://support.microsoft.com/kb/816297/EN-US/

 
Giving a user full control to class does not allow the user to run any
program as the user still needs read/list/execute NTFS permissions to the
application folder/executable however it still is a good idea to try and
give users no more permissions than necessary to any access control list
though same permissions as power user is much preferable to making the user
a power user. What I would try next is to enable auditing of object access
for failure in Local Security Policy. Then audit the HKLM/software/classes
registry key by going to permissions - advanced/auditing. Add users for
failed for set value, create subkey, and delete which is what a power user would
have in addition to what a normal user would. Then reboot the computer and
after the problem occurs for the user log on as an administrator and look in
the security log via Event Viewer for failed object access events for
registry keys under HKLM/software/classes that have a timestamp around when
the problem occurs for the user as those would be the ones to look at
further for lack of permissions. I would clear the security log first and
increase its size from default quite a bit to maybe at least 2 MB.

SysInternals also has a free program called regmon that logs registry
activity but in the case where problems occur during a logon it may not be
as helpful as normal to try and track down access denied problems though you
can configure it for "log boot" under options though I have never tried that
option myself yet to see how well it works. If you try using regmon be sure
to take advantage of filter view to find/highlight entries you want to find
such as access denied because the log will almost certainly contain several
thousand entries. Regmon can not be run by a regular user but it could be
started via runas and administrator credentials after logging on as a
regular user. --- Steve

http://www.sysinternals.com/Utilities/Regmon.html --- regmon
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true
--- runas description
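
The audit procedure described in the post above, as an added PowerShell example that is not part of the original thread. It assumes Windows Vista or later and an elevated session, where a denied registry handle request is recorded as Security event 4656 (an ID the thread does not give); `BUILTIN\Users` stands in for the restricted account's group.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: Windows Vista or later,
# elevated PowerShell, failed registry access logged as Security event 4656.
$key    = 'HKLM:\SOFTWARE\Classes'
$prefix = '\REGISTRY\MACHINE\SOFTWARE\Classes'   # name form used inside the event

# 1. Enable failure auditing for registry object access.
auditpol.exe /set /subcategory:"Registry" /failure:enable | Out-Null

# 2. Audit failed Set Value / Create Subkey / Delete by Users on the key
#    and every subkey (the rights a power user had beyond a normal user).
$acl  = Get-Acl -Path $key -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'BUILTIN\Users',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 3. Reproduce the error as the restricted user, then continue.
$since = Get-Date
Read-Host 'Reproduce the error as the restricted user, then press Enter'

# 4. List the denied keys with the requesting process and access mask.
$filter = @{
    LogName   = 'Security'
    Id        = 4656
    StartTime = $since
    Keywords  = 4503599627370496     # 0x10000000000000 = Audit Failure
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Key = $d.ObjectName; Process = $d.ProcessName
                           User = $d.SubjectUserName; AccessMask = $d.AccessMask }
    } |
    Where-Object { $_.Key -like "$prefix*" } |
    Group-Object Key, Process, AccessMask |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The keys it lists are the ones that need the extra permission, so full control on all of `HKLM\Software\Classes` can be removed once they are granted individually.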


 