I want to change registry permissions by calling secedit as a custom action and using a security template I have created. I can't work out secedit though. Is there any way to avoid the database step and fire it straight into the registry?

Or how do I use it?
Answers

0
Hi Col,

I looked at using Secedit back along and the most useful info I found in my short time looking is here.

You can ignore the Prism specific stuff, the basics of using Secedit are there. I did get it working but it all seemed a bit heavy-handed for my requirements so I just ended up using the lock permissions table [:D]

Anyway, hope it's of some use to you. I know other people on this forum use this Secedit every day so will probably be able to give you more specific help if you need it.

Regards,
Rob.
Answered 02/08/2005 by: MSIPackager
Third Degree Black Belt

2
[8D]

Hello Colin,

Once you have your SECEDIT .inf file, the following command should suffice:

secedit.exe /configure /db "C:\Windows\Security\Database\UNIQUE_REFERENCE.sdb" /cfg "SECEDIT_FILE.inf" /areas REGKEYS FILESTORE /quiet

where:

UNIQUE_REFERENCE = A unique file name referring to your SECEDIT_FILE name
SECEDIT_FILE = Your SECEDIT .inf file name


Example:
secedit.exe /configure /db "C:\Windows\Security\Database\AdobeAcrobat_700.sdb" /cfg "AdobeAcrobat_700.inf" /areas REGKEYS FILESTORE /quiet


[8D] Keep cool. [8D]
Answered 02/09/2005 by: brenthunter2005
Fifth Degree Brown Belt

0
Thanks for the reply boys.

Brent, what does it do with the database? I don't really get how that bit works. Does it just need somewhere to write the existing information to, or does it read from and compare? I'm concerned about the irrelevant settings being transferred to the new machine.

Thanks

Col
Answered 02/09/2005 by: Colin Parker
Senior Yellow Belt

0
[8D]

Running the secedit command in my previous post will create a new database (.sdb file) in that folder (C:\windows\security\database).

The only thing that should be in your .inf file are the objects/security info you actually want to apply.

Here is an example of a security template .inf file to set 'builtin users group' permissions on a registry key:


[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\SOFTWARE\MyApplication\Settings",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=An example of permissioning a registry key with 'user' rights with inheritable settings enabled.



[8D] Cool? [8D]
Answered 02/09/2005 by: brenthunter2005
Fifth Degree Brown Belt
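
Added example (not part of the original thread or any poster's code): before a template like the ones posted here goes into a package, its [Registry Keys] section can be checked for allow ACEs that give ordinary users write-level access. In the template above, `(A;CI;KA;;;BU)` grants KEY_ALL_ACCESS to BUILTIN\Users. The function names and the set of SID aliases treated as broad are assumptions of this example.

```python
import re

# Constructed sample input: the template posted in the answer above.
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\SOFTWARE\MyApplication\Settings",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
Revision=1
'''

# SDDL SID aliases treated as "broad" here (an assumption of this example).
BROAD = {"BU": "BUILTIN\\Users", "WD": "Everyone", "AU": "Authenticated Users",
         "IU": "INTERACTIVE", "BG": "BUILTIN\\Guests", "AN": "ANONYMOUS LOGON"}
# SDDL right codes -> access-mask bits, as they apply to registry keys.
BITS = {"GA": 0x10000000, "GW": 0x40000000, "KA": 0xF003F, "KW": 0x20006,
        "SD": 0x10000, "WD": 0x40000, "WO": 0x80000, "DC": 0x2, "LC": 0x4, "WP": 0x20}
# Set value, create subkey/link, delete, change DACL/owner, generic write/all.
WRITE_MASK = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x50000000

def rights_mask(field):
    """Turn an SDDL rights field ('KA', 'KRKW', '0xf003f') into a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= BITS.get(field[i:i + 2], 0)  # codes not in BITS add no bits
    return mask

def audit_template(text):
    """List (key, mode, principal, rights) for broad write-level allow ACEs."""
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        m = re.match(r'"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]*)"$', line)
        if section != "registry keys" or not m:
            continue
        key, mode, sddl = m.group(1), int(m.group(2)), m.group(3)
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            parts = ace.split(";")
            if (len(parts) == 6 and parts[0] == "A" and parts[5] in BROAD
                    and rights_mask(parts[2]) & WRITE_MASK):
                findings.append((key, mode, BROAD[parts[5]], parts[2]))
    return findings

if __name__ == "__main__":
    print(*audit_template(SAMPLE_INF), sep="\n")
```

An empty result means no allow ACE in the template gives one of the listed groups set-value, create, delete or ACL-change rights; ACEs for BA, SY and CO are not reported.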

0
In a nutshell, it's the process of adding a Local Security Policy to the machine via the command line. Same thing, no GUI.
Answered 02/09/2005 by: VikingLoki
Second Degree Brown Belt

0
Yep, though Colin wanted a Custom Action to do it. (ie: no GUI.)
Answered 02/09/2005 by: brenthunter2005
Fifth Degree Brown Belt

0
But what does it put in the database?

I've got a nice simple inf file:

[Unicode]
Unicode=yes
[Registry Values]
[Registry Keys]
"CLASSES_ROOT\Software\RealNetworks",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
Revision=1

Which tells it everything I want it to know - Change the permissions on that key, and that's it, don't touch anything else, hands off, leave it alone, it's nothing to do with you.

I'm just a bit scared of adding unnecessarys into the equation. Or is the database just a merge of what exists and what will exist with the inf file applied?

Thanks for taking the time.
Answered 02/09/2005 by: Colin Parker
Senior Yellow Belt

0
Hi Guys,

I have used lock permissions table and secedit method. I prefer secedit method.
I have attached a small doc for reference.

In addition two VB scripts have to be included and it is called from the property. If you guys are interested I can give the VB scripts also.

I have learnt this from my client in NL.

Kind Regards,

Nagaraj
Answered 02/09/2005 by: adaptability
Orange Senior Belt

0
Hi

It looks like I do not have permission to attach some files.
Answered 02/09/2005 by: adaptability
Orange Senior Belt

0
I have just used this method to create a custom action and it works nicely except that I cannot suppress the command box. The /quiet option just seems to suppress the info within the box but I still get a command box popping up - is that standard or am I doing something wrong?

My CA table has this entry

DB_UNSET_REGISTRY_PERMSSIONS,3234,SystemFolder, Secedit.exe /configure /db secedit.sdb /cfg [WindowsFolder]security\templates\winrar.inf /areas regkeys /quiet
Answered 02/10/2005 by: Lozza
Senior Yellow Belt

0
[8D]

You could try to run the secedit command using the 'start' command with the 'MIN' switch
Answered 02/10/2005 by: brenthunter2005
Fifth Degree Brown Belt
