Hi,

I have given Deny permissions (for Administrators) to registries during installation; during uninstallation I need to revoke the permissions to delete those keys. Could anyone write a script/INF file to revoke the permissions?

Ex: HKLM\Software\Adobe

Thanks
sanhivi

Answers

"Could anyone write a script/INF file to revoke the permissions?"

Yes, they could. I charge by the hour for scripting so, if you'd like to discuss likely costs, PM me. To give me an idea of how long it might take, can you tell me what tool you used to set the permissions? You mention INF file so I guess it was SecEdit?
Answered 01/28/2009 by: VBScab
Red Belt

Yes, if it's through an INF file, SecEdit will be used.
Answered 01/28/2009 by: sanhivi
Second Degree Green Belt

Gauging by your reply, you're not tied to using SecEdit so, as I say, PM me and we can discuss a price for the job.
Answered 01/28/2009 by: VBScab
Red Belt

Why don't you simply use the open-source executable "SetAcl.exe" from a script? Your original post was not very descriptive about what you are looking for. However, here are some examples for securing, and unsecuring a registry key.

You can download SetAcl from here: http://sourceforge.net/project/showfiles.php?group_id=69165&package_id=68032

'
On Error Resume Next

dim machineName 'NetBIOS Name of the Machine.
dim wshNetwork 'Network Scripting Object.
dim wshShell 'Shell Access.

set wshNetwork = WScript.CreateObject("WScript.Network")
set wshShell = WScript.CreateObject("WScript.Shell")

machineName = wshNetwork.ComputerName

'Gives access only for Administrators (Read + Set), and Everyone (Read) - not inherited.
Secure "HKLM\Software\Adobe"

'This resets the key to default settings (of parent key)
UnSecure "HKLM\Software\Adobe"


'*----------------------------------------------------------------------------*
sub Secure(key)
'Access only for Administrators (Read + Set), and Everyone (Read) - not inherited.
WScript.Echo "Securing " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace ""n:" & machineName & "\Administrators;p:query_val,enum_subkeys,notify,write_dacl,write_owner,read_access""", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn ace -ace ""n:Everyone;p:query_val,enum_subkeys,notify,read_access""", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:p_nc", 0, true
end sub
'*----------------------------------------------------------------------------*


'*----------------------------------------------------------------------------*
sub UnSecure(key)
' Set Inheritance on - clear non-inherited ACEs
WScript.Echo "UnSecuring " & key & "..."
wshShell.Run "setacl -on """ & key & """ -ot reg -actn setprot -op dacl:np", 0, true
wshShell.Run "setacl -on """ & key & """ -ot reg -actn clear -clr dacl,sacl", 0, true
end sub
'*----------------------------------------------------------------------------*
'
Answered 01/28/2009 by: concept03
Yellow Belt
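
An added PowerShell example (not part of the thread and not concept03's script) of the narrower change the original question asks for: where UnSecure above clears every non-inherited ACE, this removes only the explicit Deny entries for BUILTIN\Administrators and leaves the rest of the DACL alone. It assumes an elevated prompt and the key path from the question.

```powershell
# Added example: strip only the explicit Deny ACEs for BUILTIN\Administrators
# from a registry key, leaving every other entry in the DACL untouched.
# Run from an elevated prompt of the same bitness as the installer, so that
# registry redirection resolves to the same key.
$subKey    = 'SOFTWARE\Adobe'     # key named in the question (HKLM\Software\Adobe)
$adminsSid = 'S-1-5-32-544'       # well-known SID of BUILTIN\Administrators

# Ask only for the rights needed to read and rewrite the DACL.
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$key    = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $check, $rights)
if ($null -eq $key) { throw "Key not found: HKLM\$subKey" }

try {
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $acl = $key.GetAccessControl($sections)

    # Explicit rules only (inherited ones are changed on the parent key),
    # with identities returned as SIDs so the comparison is locale-independent.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $explicit = $acl.GetAccessRules($true, $false, $sidType)

    $removed = 0
    foreach ($rule in $explicit) {
        $isDeny = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        if ($isDeny -and $rule.IdentityReference.Value -eq $adminsSid) {
            $acl.RemoveAccessRuleSpecific($rule)   # exact match on rights and flags
            $removed++
        }
    }

    # Write the DACL back only if something changed.
    if ($removed -gt 0) { $key.SetAccessControl($acl) }
    Write-Output "Removed $removed Deny ACE(s) from HKLM\$subKey"
}
finally {
    $key.Close()
}
```

If the Deny entry also covers reading or changing permissions, the open succeeds only for the key's owner, which by default may still read and rewrite the DACL. Deny entries set explicitly on subkeys need the same treatment, key by key.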

Here are more things you can do with "SetAcl.exe":

http://setacl.sourceforge.net/html/examples.html

You can set permissions (with SetAcl) on services, files, folders, registry keys, printers, and shares. This program is pretty incredible (and open source).
Answered 01/28/2009 by: concept03
Yellow Belt

Hi experts.
I want to know how to save, or we can say block, a file like an exe (not a folder or directory) from deletion using setacl.exe.
Answered 11/19/2009 by: Nouman
Yellow Belt

Ooooh...I don't know....how about using 'Example 1' shown in the page linked to in the post above yours as a template and set the 'Everyone' group's permission as 'Read'?
Answered 11/19/2009 by: VBScab
Red Belt

Sir, I know this page is talking about some other problem and solution.

I want to block a file (its complete access: read, write, execute and delete). I am successful in blocking read, write, execute but can't block deletion of the file. Sorry for posting in the wrong forum. If you know how to block it, please let me know.
Answered 11/19/2009 by: Nouman
Yellow Belt

The permission will be delegated from above, meaning the folder. So my guess is that you need to re-think your strategy a bit.
Answered 11/19/2009 by: AngelD
Red Belt

Do you understand how Windows permissions work?

Typically, for a folder, the 'Administrators' group would be assigned 'Full Control' as would the local System account, 'Power Users' would probably have all bar 'Full Control' and 'Users' would have 'Read' only. For any file in that folder (presuming - as is the default - that the folder's permissions were set to inherit those from the folder) with that set of permissions, clearly, only a member of the 'Administrators' group or the local System account would be able to delete it.
Answered 11/20/2009 by: VBScab
Red Belt
