Permissions to HKEY_CLASSES_ROOT\CLSID
Hi,
I am trying to elivate permissions to HKEY_CLASSES_ROOT\CLSID registry folder. I tried with various tools like REGINI etc...but not successful. I know its not a best practise to open whole CLSID but my app needs permissions. Even LockPermissions didn't help. Is there any tool to do this?
Thanks
I am trying to elivate permissions to HKEY_CLASSES_ROOT\CLSID registry folder. I tried with various tools like REGINI etc...but not successful. I know its not a best practise to open whole CLSID but my app needs permissions. Even LockPermissions didn't help. Is there any tool to do this?
Thanks
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
aogilmor
17 years ago
no. can't be done at that level. best i've found is run the app as an admin and try to capture all the subkeys under HKEY_CLASSES_ROOT\CLSID, and apply perms to those in LockPermissions
Posted by:
YRKUMAR
17 years ago
Aogilmor,
Thanks for the prompt response. I agree with you that we can't do such thing. Thats why I tried my best to catch the specific CLASSID so that I can gives permissions to that...No success so far.
After installing the app, I started WISE capture process and launched the shortcut, to catch which classes its looking for access.
One I got the class, I gave perms to that class. When I launched as user, again I got the error (from app) due to lack of perms.
I ran REGMON to see where exactly access being denied. I found its HKCR\CLSID --- ACCDENIED
Looks like app is looking for access to HKCR\CLSID (which is really strange).
Any idea what do I need to do here?
I tried to create a new registry table called:
registry1250 0 CLASSES_ROOT\CLSID\
and I gave to this reg key permissions in the LockPermissions table as below:
registry1250 Registry Everyone 268435456
But it didn't work. Thanks for your tips.
Thanks for the prompt response. I agree with you that we can't do such thing. Thats why I tried my best to catch the specific CLASSID so that I can gives permissions to that...No success so far.
After installing the app, I started WISE capture process and launched the shortcut, to catch which classes its looking for access.
One I got the class, I gave perms to that class. When I launched as user, again I got the error (from app) due to lack of perms.
I ran REGMON to see where exactly access being denied. I found its HKCR\CLSID --- ACCDENIED
Looks like app is looking for access to HKCR\CLSID (which is really strange).
Any idea what do I need to do here?
I tried to create a new registry table called:
registry1250 0 CLASSES_ROOT\CLSID\
and I gave to this reg key permissions in the LockPermissions table as below:
registry1250 Registry Everyone 268435456
But it didn't work. Thanks for your tips.
Posted by:
aogilmor
17 years ago
i agree it can be quite frustrating to work with those legacy apps, but sometimes it is possible to capture enough of the keys to let the app run successfully even if it deliberately frustrates you.
another technique I have used (similar to what you describe above) - take the log file from regmon, search for ACCDENIED and then copy and paste the keys into the registry table and the lockpermissions table (you can also use wise or your favorite WISE gui). Sometimes you have to do this several times (each time running the app on a fresh image) before it gets all the keys, but usually (IME) it can be done.
another technique I have used (similar to what you describe above) - take the log file from regmon, search for ACCDENIED and then copy and paste the keys into the registry table and the lockpermissions table (you can also use wise or your favorite WISE gui). Sometimes you have to do this several times (each time running the app on a fresh image) before it gets all the keys, but usually (IME) it can be done.
Posted by:
svein
17 years ago
Hello!
As the trouble is permissions - you are perhaps trying to add HKCR info in user context!?
Try this:
Add the keys to HKCU\Software\Classes
The HKCR consist of two types of entries.
From:
HKCU\Software\Classes
HKLM\Software\Classes
Users have editing rights to the HKCU\Software\Classes, so permissions are not the problem here!
As the trouble is permissions - you are perhaps trying to add HKCR info in user context!?
Try this:
Add the keys to HKCU\Software\Classes
The HKCR consist of two types of entries.
From:
HKCU\Software\Classes
HKLM\Software\Classes
Users have editing rights to the HKCU\Software\Classes, so permissions are not the problem here!
Posted by:
AB
17 years ago
We recently had an app that had this 'feature' of wanting to be able to write to the root of HKCR\CLSID
Try the following (sold as seen :)
Start, run, mmc
Add/Remove snapin - Security Templates
Highlight C:\Windows\security\templates
Right-click - New Template, give it a name and click OK
Browse within the console window C:\Windows\security\templates\MyTemplateName\Registry
Right-click - AddKey, browse to CLASSES_ROOT\CLSID and click OK
On the Database Security for CLASSES_ROOT\CLSID window select Advanced
You'll notice that 'Users' have 'read' access to 'This key and subkeys'
You can Add an additional entry for 'Users' giving them access rights to this key only - therefore only opening up the root of CLSID
Click Add, Users, OK
At the permissions settings window, tick 'Set Value' and 'Create Subkey' - from the drop-down box 'Apply onto' select 'This key only'
Click OK until you get back to the console window
Right-click on C:\Windows\security\templates\MyTemplateName and select 'Save'
Browse in Explorer to C:\Windows\security\templates\MyTemplateName.inf
Add the inf file to your MSI
Then use secedit.exe to implement the security settings in your inf file (Execute Deferred Custom Action)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
This may not work - environment, GP, your application may be stranger still...
Our app needed write access to HKCR\CLSID\subkeys - if you gave the subkeys Users:Full Control, the app deleted the subkeys and then tried to recreate them - but obviously couldn't
So this helped in our instance - and it's an old app that hardly anyone will ever request... that's life :)
Good luck...
Al
Try the following (sold as seen :)
Start, run, mmc
Add/Remove snapin - Security Templates
Highlight C:\Windows\security\templates
Right-click - New Template, give it a name and click OK
Browse within the console window C:\Windows\security\templates\MyTemplateName\Registry
Right-click - AddKey, browse to CLASSES_ROOT\CLSID and click OK
On the Database Security for CLASSES_ROOT\CLSID window select Advanced
You'll notice that 'Users' have 'read' access to 'This key and subkeys'
You can Add an additional entry for 'Users' giving them access rights to this key only - therefore only opening up the root of CLSID
Click Add, Users, OK
At the permissions settings window, tick 'Set Value' and 'Create Subkey' - from the drop-down box 'Apply onto' select 'This key only'
Click OK until you get back to the console window
Right-click on C:\Windows\security\templates\MyTemplateName and select 'Save'
Browse in Explorer to C:\Windows\security\templates\MyTemplateName.inf
Add the inf file to your MSI
Then use secedit.exe to implement the security settings in your inf file (Execute Deferred Custom Action)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
This may not work - environment, GP, your application may be stranger still...
Our app needed write access to HKCR\CLSID\subkeys - if you gave the subkeys Users:Full Control, the app deleted the subkeys and then tried to recreate them - but obviously couldn't
So this helped in our instance - and it's an old app that hardly anyone will ever request... that's life :)
Good luck...
Al
Posted by:
YRKUMAR
17 years ago
All,
Thanks for taking time and posting your responses.
I am going to try all the options you have guys have suggested.
There is one more tool that I didn't try with. REGGRANT. With this tool, we can give permissions to even Registry Hives. I am going to try that also. Let me see which will work for this case.
I will keep you guys posted on this soon.
Thanks again for your time.
Thanks for taking time and posting your responses.
I am going to try all the options you have guys have suggested.
There is one more tool that I didn't try with. REGGRANT. With this tool, we can give permissions to even Registry Hives. I am going to try that also. Let me see which will work for this case.
I will keep you guys posted on this soon.
Thanks again for your time.
Posted by:
fsubzwari
17 years ago
this is like the last resort but you can make a security template using SecEdit, a tool in windows... you can add any files/reg using this. It creates an .inf file in the C:\windows\security\templates folder. adding the file into the ism and call it thru a small script....
btw... you using Installshiled or Wise?
btw... you using Installshiled or Wise?
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.