i am trying to give the hkcr full permission like this
ErrStatus = g_oShell.Run (sAppsSource & SetAcl "CLASSES_ROOT" "/Registry /grant users /full", 0, True)
please let me know thanks
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Can I first ask 'why?'
Answered 05/10/2005 by: brenthunter2005
Fifth Degree Brown Belt

Please log in to comment
0
I must say that I agree with Brent.

As a software packager, you should only be making the minimum number of changes to a machine in order to allow your software to run. I'm sure your clients would think twice about installing one of your packages if they thought you were doing the kind of thing you suggested above.

Try using a tool like Regmon to troubleshoot any NTFS permission issues.
Answered 05/10/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
I agree. I can't contribute to such a drastic solution such as that. There is a reason why file & registry security exists and that's defeating the whole point of it.

Let us know why you want to open up HKCR and I'm sure we'll come up with a better solution for it.
Answered 05/10/2005 by: VikingLoki
Second Degree Brown Belt

Please log in to comment
0
Actually, if you're on Windows XP do not for the love of all holy unlock the root level of HKCR. You will, about 60% of the time, screw up the PC to the point that you will have to f-disk and start over. We ran into an ancient web application that needed read/write access to HKCR and we're running a locked down XP environment. No matter if we manually unlocked HKCR, or used the only tool we could find to do it, 6 times out of 10, the blighted machine would start throwing services errors. The most notable was that it butchered WMI services.
Answered 05/10/2005 by: Ipstenu
Senior Yellow Belt

Please log in to comment
0
". . . Danger, Will Robinson . . . Danger . . . "

Seriously, though, take to heart all of responses in this thread.

Even if you are lucky and you don't experience issues like described by Ipstenu, you will be creating a very large attack surface for spyware and malware on those workstations.


Craig --<>.
Answered 05/11/2005 by: craig16229
Third Degree Brown Belt

Please log in to comment
0
i did not open the hkcr thanks everyone
Answered 05/11/2005 by: linstead
Blue Belt

Please log in to comment
0
please let me know thanks

Hej Linstead,

I have had some applications, which needed to write into registry when you run the software. When you run a lock-down environment, I had to find a solution. So, by using

regini.exe, I have granted rights to the users for only those keys program wants to write into.
More information about regini.exe found in MS;

Regini Exe
Answered 05/13/2005 by: Priapus
Orange Belt

Please log in to comment
0
here's a novel idea... DON"T USE Regini.exe !! for permisions!! it's soooo last centry
use Secedit.exe. it's on the system allready by default.

it's FULLY SUPPORTD under XP-32/64 and 2003 systems as well as the older 2000 systems.
unlike regini.exe or xcacles.exe neather of witch play nice in anything newer then say... NT4.0 sp6.....

Also if u use secedit and/or GPO's to controll your applications permisions it's much easyer to manage.
however if you AD is not desinged to support Application level securty then you'll have to prity much rebuild and restructore it, as well as update how your hardware refresh cycle works... a big project to say the least. i have had the pleasure of doing that acupple of times now.

look at this
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_secedittopnode.mspx?mfr=true
and follow the links to:
Secedit commands
and
Security Templates
Answered 06/19/2006 by: Gekris
Senior Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity