I am trying to elivate permissions to HKEY_CLASSES_ROOT\CLSID registry folder. I tried with various tools like REGINI etc...but not successful. I know its not a best practise to open whole CLSID but my app needs permissions. Even LockPermissions didn't help. Is there any tool to do this?

0 Comments   [ - ] Hide Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
Answer this question or Comment on this question for clarity


no. can't be done at that level. best i've found is run the app as an admin and try to capture all the subkeys under HKEY_CLASSES_ROOT\CLSID, and apply perms to those in LockPermissions
Answered 11/10/2006 by: aogilmor
Ninth Degree Black Belt

Please log in to comment

Thanks for the prompt response. I agree with you that we can't do such thing. Thats why I tried my best to catch the specific CLASSID so that I can gives permissions to that...No success so far.
After installing the app, I started WISE capture process and launched the shortcut, to catch which classes its looking for access.
One I got the class, I gave perms to that class. When I launched as user, again I got the error (from app) due to lack of perms.
I ran REGMON to see where exactly access being denied. I found its HKCR\CLSID --- ACCDENIED
Looks like app is looking for access to HKCR\CLSID (which is really strange).
Any idea what do I need to do here?
I tried to create a new registry table called:

registry1250 0 CLASSES_ROOT\CLSID\

and I gave to this reg key permissions in the LockPermissions table as below:

registry1250 Registry Everyone 268435456

But it didn't work. Thanks for your tips.
Answered 11/10/2006 by: YRKUMAR
Senior Yellow Belt

Please log in to comment
i agree it can be quite frustrating to work with those legacy apps, but sometimes it is possible to capture enough of the keys to let the app run successfully even if it deliberately frustrates you.
another technique I have used (similar to what you describe above) - take the log file from regmon, search for ACCDENIED and then copy and paste the keys into the registry table and the lockpermissions table (you can also use wise or your favorite WISE gui). Sometimes you have to do this several times (each time running the app on a fresh image) before it gets all the keys, but usually (IME) it can be done.
Answered 11/10/2006 by: aogilmor
Ninth Degree Black Belt

Please log in to comment
As the trouble is permissions - you are perhaps trying to add HKCR info in user context!?
Try this:
Add the keys to HKCU\Software\Classes

The HKCR consist of two types of entries.

Users have editing rights to the HKCU\Software\Classes, so permissions are not the problem here!
Answered 11/13/2006 by: svein
Yellow Belt

Please log in to comment
We recently had an app that had this 'feature' of wanting to be able to write to the root of HKCR\CLSID
Try the following (sold as seen :)
Start, run, mmc
Add/Remove snapin - Security Templates
Highlight C:\Windows\security\templates
Right-click - New Template, give it a name and click OK
Browse within the console window C:\Windows\security\templates\MyTemplateName\Registry
Right-click - AddKey, browse to CLASSES_ROOT\CLSID and click OK
On the Database Security for CLASSES_ROOT\CLSID window select Advanced
You'll notice that 'Users' have 'read' access to 'This key and subkeys'
You can Add an additional entry for 'Users' giving them access rights to this key only - therefore only opening up the root of CLSID
Click Add, Users, OK
At the permissions settings window, tick 'Set Value' and 'Create Subkey' - from the drop-down box 'Apply onto' select 'This key only'

Click OK until you get back to the console window
Right-click on C:\Windows\security\templates\MyTemplateName and select 'Save'
Browse in Explorer to C:\Windows\security\templates\MyTemplateName.inf
Add the inf file to your MSI

Then use secedit.exe to implement the security settings in your inf file (Execute Deferred Custom Action)

This may not work - environment, GP, your application may be stranger still...
Our app needed write access to HKCR\CLSID\subkeys - if you gave the subkeys Users:Full Control, the app deleted the subkeys and then tried to recreate them - but obviously couldn't
So this helped in our instance - and it's an old app that hardly anyone will ever request... that's life :)
Good luck...
Answered 11/13/2006 by: AB
Purple Belt

Please log in to comment

Thanks for taking time and posting your responses.
I am going to try all the options you have guys have suggested.
There is one more tool that I didn't try with. REGGRANT. With this tool, we can give permissions to even Registry Hives. I am going to try that also. Let me see which will work for this case.
I will keep you guys posted on this soon.
Thanks again for your time.
Answered 11/13/2006 by: YRKUMAR
Senior Yellow Belt

Please log in to comment
this is like the last resort but you can make a security template using SecEdit, a tool in windows... you can add any files/reg using this. It creates an .inf file in the C:\windows\security\templates folder. adding the file into the ism and call it thru a small script....

btw... you using Installshiled or Wise?
Answered 11/14/2006 by: fsubzwari
Senior Yellow Belt

Please log in to comment