Hello,
i need professional help for the following task.
This key has full permissions for "everyone/user" group

[HKEY_CLASSES_ROOT\ZSDlg.ControlAccess]
@="ZSDlg.ControlAccess"

Now i have so un/set the special permission "Delete"

I should look like this:

Permissions: Allow Deny
Full Control
Query Value x
Set Value x
Create Subkey x
Enumerate Subkeys x
Notify x
Create Link x
Delete
Wirte DAC x
Wirte Owner x
Read Control x

I Don´t habe any idea how to do this
I look for setacl.exe but there no description for the special permissions
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
ORIGINAL: Rayek
I look for setacl.exe but there no description for the special permissions
There is a document supplied with SetACL that describes the special permissions. IIRC, it's called 'Command line.TXT'. It's all on SourceForge, too.

Anyway, I've never done this but try:

. SetACL -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:Everyone;m:revoke"
Answered 04/29/2008 by: VBScab
Red Belt

Please log in to comment
0
Hello,
thank you for your fast help! [;)]

I got the latest version of setacl and took a closer look
Yes there is an cmdline.txt file and it is very good explained

Finally i implemented this solution in my msi

SetACL.exe" -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:users;p:query_val,set_val,create_subkey,enum_subkeys,notify,create_link,write_dacl,write_owner,read_access;m:set"

Thanks a lot!
Answered 04/29/2008 by: Rayek
Yellow Belt

Please log in to comment
0
Personally I like to use SECEDIT. I create a security template using the security snapin in MMC and then apply the template using SECEDIT. It works great as a custom action embedded within an MSI or outside an MSI run with a batch command. I did notice however that if you do run it outside the MSI the drive you run it on will require write access.. I think it needs to update secedit.sdb or something when it is run. The command I use is this:

secedit.exe /configure /db "<path to SDB file\secedit.sdb" /cfg "<path to security template>\template.inf"

good luck..
Answered 04/29/2008 by: Coriolus
Orange Belt

Please log in to comment
0
ORIGINAL: Rayek
Finally i implemented this solution in my msi

SetACL.exe" -on "HKCR\ZSDlg.ControlAccess" -ot reg -actn ace -ace "n:users;p:query_val,set_val,create_subkey,enum_subkeys,notify,create_link,write_dacl,write_owner,read_access;m:set"
A *lot* of the other articles I located on using SetACL prefix the actual setting command line with one which removes all ACEs first. I think this would generally be regarded as A Good Thing.
Answered 04/30/2008 by: VBScab
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity