
Set Special Permissions In The Registry

Hello,
I need professional help with the following task.
This key has full permissions for the "everyone/user" group:

[HKEY_CLASSES_ROOT\ZSDlg.ControlAccess]
@="ZSDlg.ControlAccess"

Now I have to un/set the special permission "Delete".

It should look like this:

Permissions: Allow Deny
Full Control
Query Value x
Set Value x
Create Subkey x
Enumerate Subkeys x
Notify x
Create Link x
Delete
Write DAC x
Write Owner x
Read Control x

I don't have any idea how to do this.
I looked for setacl.exe, but there is no description for the special permissions.


Answers (4)

Posted by: anonymous_9363 16 years ago
Red Belt
0
ORIGINAL: Rayek
I looked for setacl.exe, but there is no description for the special permissions.
There is a document supplied with SetACL that describes the special permissions. IIRC, it's called 'Command line.TXT'. It's all on SourceForge, too.

Anyway, I've never done this but try:

SetACL -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:Everyone;m:revoke"

Posted by: Rayek 16 years ago
Yellow Belt
0
Hello,
thank you for your fast help! [;)]

I got the latest version of SetACL and took a closer look.
Yes, there is a cmdline.txt file and it is very well explained.

Finally I implemented this solution in my MSI:

SetACL.exe -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:users;p:query_val,set_val,create_subkey,enum_subkeys,notify,create_link,write_dacl,write_owner,read_access;m:set"

Thanks a lot!
Posted by: Coriolus 16 years ago
Orange Belt
0
Personally I like to use SECEDIT. I create a security template using the security snap-in in MMC and then apply the template using SECEDIT. It works great as a custom action embedded within an MSI or outside an MSI run with a batch command. I did notice, however, that if you do run it outside the MSI the drive you run it on will require write access. I think it needs to update secedit.sdb or something when it is run. The command I use is this:

secedit.exe /configure /db "<path to SDB file>\secedit.sdb" /cfg "<path to security template>\template.inf"

Good luck.
Posted by: anonymous_9363 16 years ago
Red Belt
0
ORIGINAL: Rayek
Finally I implemented this solution in my MSI:

SetACL.exe -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:users;p:query_val,set_val,create_subkey,enum_subkeys,notify,create_link,write_dacl,write_owner,read_access;m:set"
A *lot* of the other articles I located on using SetACL prefix the actual setting command line with one which removes all ACEs first. I think this would generally be regarded as A Good Thing.
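
The same result with the .NET registry ACL classes through Get-Acl/Set-Acl instead of SetACL.exe, including the "remove all ACEs first" step from the last answer and a read-back check of the Delete bit. This is an added example, not code from any poster in the thread; the scratch key HKCU:\Software\AclDemo, the helper New-KeyRule and the Administrators/SYSTEM full-control ACEs are assumptions.

```powershell
param([string]$KeyPath = 'HKCU:\Software\AclDemo')   # constructed scratch key (assumption)

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# Well-known SIDs, so the script does not depend on localized group names.
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

# Every right listed in the question except Delete (.NET names for the SetACL keywords).
$noDelete = [System.Security.AccessControl.RegistryRights]('QueryValues, SetValue, CreateSubKey, ' +
    'EnumerateSubKeys, Notify, CreateLink, ReadPermissions, ChangePermissions, TakeOwnership')
$full = [System.Security.AccessControl.RegistryRights]::FullControl

# Hypothetical helper: Allow ACE that applies to this key and its subkeys.
function New-KeyRule($sid, $rights) {
    New-Object System.Security.AccessControl.RegistryAccessRule($sid, $rights, $inherit, $noProp, $allow)
}

if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
$acl = Get-Acl -Path $KeyPath

# Clean slate first: stop inheriting and drop every explicit ACE already on the key.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRuleSpecific($ace) }

# Assumption: Administrators and SYSTEM keep full control so the key stays manageable.
$acl.AddAccessRule((New-KeyRule $admins $full))
$acl.AddAccessRule((New-KeyRule $system $full))
$acl.AddAccessRule((New-KeyRule $users  $noDelete))
Set-Acl -Path $KeyPath -AclObject $acl

# Read the DACL back and confirm no Allow ACE for Users carries the Delete bit.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = 0
foreach ($ace in (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, $sidType)) {
    if ($ace.IdentityReference.Value -eq $users.Value -and $ace.AccessControlType -eq $allow) {
        $granted = $granted -bor [int]$ace.RegistryRights
    }
}
$delete = [int][System.Security.AccessControl.RegistryRights]::Delete
if ($granted -band $delete) {
    Write-Warning "Users can still delete $KeyPath"
} else {
    Write-Output ('Users mask 0x{0:X}: Delete is not granted' -f $granted)
}
```

Because Users keep ChangePermissions and TakeOwnership (write_dacl and write_owner in SetACL terms), a member of that group can later edit the DACL and grant Delete back. Remove the scratch key from an elevated prompt when finished.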