Registry profile query


Frank Booth Snr

Is it possible for a restricted user to edit the registry without a
denial of access message? So far I have found it is only possible to
edit the registry as an administrator, and then only for the profile of
that administrator.
 
Dave said:
Yes, possible but registry permissions will need altered via regedt32.exe
I've already tried that using regedt32, but still denied access as a
restricted user.
 
Frank said:
I've already tried that using regedt32, but still denied access as a
restricted user.

Is this something that you want to do for a one time only? Or is it
something that you want to permanently change?

I would have to double check, but if you use the AT command at the
Command Prompt you can have the registry editor open with System Account
permissions and then do whatever you please with it. What you can do
is run this:

AT <time> /interactive cmd.exe

Set <time> a minute or so later and a new Command session will start
under the System Account. Then from there start the registry editor.
This might have been patched in a later Service Pack, I'm not sure and I
can't verify right now, but it's easy to try. The <time> should be the
24:00 (military) format. Probably you could open regedit.exe directly
with the same results.

For one time only another thing would be to use the runas command:

runas /user:waynesdomain\myadminaccount regedt32.exe

http://www.windowsnetworking.com/kb...gramsasanotheruserinWindows2000WindowsXP.html
That should also be well documented on the Microsoft.com site.

To do permanent changes see here
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=fb1634cb&pss=rss_flashplayer_fb1634cb
and adapt the grant= value accordingly. Risky business, I have never
tried this but it should work. But it's going to open a HUGE security
hole in your machine!

John
 
John said:
Is this something that you want to do for a one time only? Or is it
something that you want to permanently change?

I would have to double check, but if you use the AT command at the
Command Prompt you can have the registry editor open with System Account
permissions and then do whatever you please with it. What you can do
is run this:

AT <time> /interactive cmd.exe

Set <time> a minute or so later and a new Command session will start
under the System Account. Then from there start the registry editor.
This might have been patched in a later Service Pack, I'm not sure and I
can't verify right now, but it's easy to try. The <time> should be the
24:00 (military) format. Probably you could open regedit.exe directly
with the same results.

For one time only another thing would be to use the runas command:

runas /user:waynesdomain\myadminaccount regedt32.exe

http://www.windowsnetworking.com/kb...gramsasanotheruserinWindows2000WindowsXP.html

That should also be well documented on the Microsoft.com site.

To do permanent changes see here
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=fb1634cb&pss=rss_flashplayer_fb1634cb

and adapt the grant= value accordingly. Risky business, I have never
tried this but it should work. But it's going to open a HUGE security
hole in your machine!
Never heard of the AT command other than its use in modem configuration.
All I am trying to do is hide the <Control Panel> from other users
logging on to the same computer. As an administrator I can edit the
registry using the key 'NoControlPanel' under
HKLU/Software/Microsoft/Windows/Current Version/Policies/Explorer, but
that's in my profile, and I don't want to hide CP in that case. If I try
to do this as for a restricted user (under their profile) I am denied
permission. If I try to alter permissions I am denied access unless I
logon as administrator.
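
One way an administrator can set the value in another user's profile without logging on as that user, shown as an added example that is not part of the original thread: load that user's NTUSER.DAT hive while they are logged off, write NoControlPanel under it, then unload it. The profile path and the mount name are assumed placeholders.

```powershell
# Added example: run from an administrator session while the target user is logged off.
# $ProfilePath and $Mount are assumed placeholder values, not taken from the thread.
$ProfilePath = 'C:\Documents and Settings\restricteduser'   # hypothetical profile folder
$Mount       = 'HKU\TempProfile'                            # temporary mount point under HKEY_USERS
$PolicyKey   = "$Mount\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NTUSER.DAT is a hidden file, so test for it with an explicit path.
$hive = Join-Path $ProfilePath 'NTUSER.DAT'
if (-not [System.IO.File]::Exists($hive)) { throw "Hive not found: $hive" }

# reg load fails if the hive is in use, i.e. the user is still logged on.
reg.exe load $Mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not load hive (is the user logged on?)' }

try {
    # NoControlPanel = 1 (REG_DWORD) hides Control Panel for that profile only;
    # the administrator's own HKEY_CURRENT_USER is not touched.
    reg.exe add $PolicyKey /v NoControlPanel /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not write NoControlPanel' }

    # Read the value back to confirm the change before unloading.
    reg.exe query $PolicyKey /v NoControlPanel
}
finally {
    # Always unload, otherwise the hive file stays locked.
    reg.exe unload $Mount | Out-Null
}
```

The restricted user keeps read-only access to the Policies key, so the setting cannot be undone from inside that account.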
 