I am using Wise Installation System 9 - Profesional Edition

What is the cleanest way to set the permissions for a given registry key?

Example: HKEY_LOCAL_MACHINE\SOFTWARE\xqueuemonitor\general

I need to grant "FULL CONTROL" permissions for a specific login/userid.

Any ideas?

Any help is greatly appreciated!!!
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

1
you can go to the component in which the registry key is present.
then go to registry data under that component, select the registry key you want to set the permissions on, right click on the registry key and click permissions. there you can add the domain and userid/login. then under that you can select what all permission you want to grant.
Answered 02/04/2004 by: bheers
Second Degree Blue Belt

Please log in to comment
1
The advice given in the parent post is 100% correct (for interest the information ends up in the LockPermission table).

Important extra information for the newbie is that the permission specified replaces the current permission, so if you want administrators to retain full control then this must also be explicitly stated.

Also note that the domain can be left blank for generic groups like "Users", "Administrators", "Power Users" etc
Answered 02/18/2004 by: mrtap
Senior Yellow Belt

Please log in to comment
1
you can also do it with a batch.
you need the regini.exe (Ressource Kit Windows).

First create a file like perms.ini
open it and write on it:
\Registry\Machine\Software\xqueuemonitor\general [X X X X]
\Registry\Machine <- don-t change it.
replace the X with:

1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

save your file and exucute this command line:

regini.exe perms.ini
Answered 02/19/2004 by: thales
Senior Yellow Belt

Please log in to comment
1
During an installation registry permissions are added when the keys are installed. Because Windows Installer does not let you control the order in which the registry keys are installed, you cannot set ACLs (Access Control Lists) at the folder level. Per Wise Support “If the order that the keys install place a sub key down first with out the permissions on it, when the parent key is written it does not overwrite the permissions of the child key. This can force the parent key to have a strict permission that the child key is not under.”

· In Wise Installer Editor, go to the Installation Expert View

· In the Installation Expert, click on the Registry Page

· In the bottom Features tab

· In the bottom right pane, select the registry key you want to set permissions and click the details button.

· On the Permissions tab click the Add button

· Leave the Domain Name blank.

· Enter the Users Group.

To insure that all user groups have needed permissions, this process must be done for each specific user group. “Administrators” “Power Users” and “Users”.

· Click OK to save the changes
Answered 02/25/2004 by: KentD
Purple Belt

Please log in to comment
1
Getting installations to make permission changes can be a bit dodgy because they force it on the OS and sometimes while they seem to work ok.....they actually dont always place the info so that the Security layer can read it.

One way I have found that works very well is to make an .inf file with the MMC Security Tab and then make a custom action that runs secedit.exe and installs the permissions.

This works for both file and registry permsissions and places them in the correct order and you can set permissions that will propagate correctly. It also works across domains if you are working in a DEV domain and push the package to a PROD domain.

This command line in a script will do it for you. Just replace the paths.

secedit.exe /configure /db "[Path to SDB created by secedit]" /cfg "[Path to inf file" /quiet

You can place this is a Wisescript and call it in the Execute Deferred section just before InstallFinalise.
Answered 03/02/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
1
Regdacl from Heysoft is also a nice tool to use within a .bat file...
Answered 03/19/2004 by: Rhonamac
Yellow Belt

Please log in to comment
1
Get a free command-line utility called RegDacl (http://www.heysoft.de/nt/reg/ep-regd.htm) and then use the following code (just copy and past this into your WiseScript:

item: Remark
Text=Change Registry Security
end
item: Install File
Source=P:\Tools\RegDACLE\RegDACL.exe
Destination=%TEMP%\RegDACL.exe
Flags=0000000010100010
File Size=49152
File Date=20020710 161330
end
item: Execute Program
Pathname=%TEMP%\RegDACL.exe
Command Line="HKLM\SOFTWARE\System Innovators" /GGE:F
Flags=00000110
end
item: Delete File
Pathname=%TEMP%\RegDACL.exe
end

You will have to edit this, of course, to suit youyr own source locations and keys.

Let me pre-empt your next question - which is likely to be, how do I set File and Folder permissions.

Find and download a command-line utility called xcacls (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp) and then past the following code into your WiseScript editor:

item: Remark
Text=Change Folder Security
end
item: Install File
Source=P:\Tools\XCACLS\xcacls.exe
Destination=%TEMP%\xcacls.exe
Flags=0000000010100010
end
item: Execute Program
Pathname=%TEMP%\xcacls.exe
Command Line="C:\cashv4" /t /e /g "Everyone":f /y
Flags=00001010
end
item: Delete File
Pathname=%TEMP%\xcacls.exe
end

For both RegDacl and xcacl you really need read the provided documentation so you can know what the various switches do.

Good luck!

Respectfully,

- Sean Roberts
Answered 03/19/2004 by: sean_c_roberts
Senior Purple Belt

Please log in to comment
1
There is also a tool called RegGrant.....some ppl use it here at my work and it does work ok.
Answered 03/21/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
1
Does a batch file called from within a msi installation run with Elevated Rights? I have never tried it and so I wonder if it does.
Answered 03/21/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
1
it uses this program in order to shape the permissions of access to the registry keys.

regperm.exe
Answered 06/30/2005 by: Tipolosco
Yellow Belt

Please log in to comment
0
we use xcacl as stated to do file/folder perms and subinacl for reg permissions.

Example of a line in a batch file for subinacl is:

/output=%REGPERMLOG% /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\xxxxxx" /grant=Users=F

this sets full control on the key and outputs the change to a log file. Replace F with other values to give different perms. It also only edits the acl so existing permisions stay, it only sets the new perms on the user/groups you have specified.
Answered 06/30/2005 by: swwdesktops
Senior Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity