What is the best way to set permissions in registry?
What's the best way setting permissions in registry using Wise Package Studio 5.x ... most effectively and convenient (regarding repair) ... i dont like regini having to copy an .exe and .ini to client .. SetACL is more my way to go ... what is yours?
Bart [8|]
Bart [8|]
0 Comments
[ + ] Show comments
Answers (15)
Please log in to answer
Posted by:
WiseUser
18 years ago
I agree with you on the "Regini" subject - I'm not fond of this tool either.
SetACL is a very good tool which is relatively easy to use - I'd consider making "SetACL.ocx" part of any desktop SOE build. Alternatively, I might make a "SetACL.msm" merge-module and include it in any packages where registry permissions need to be modified - then I could use a VBScript CA.
As a VBScript fan, I guess my favorite method might be WMI - although the script isn't the easiest to write.
SetACL is a very good tool which is relatively easy to use - I'd consider making "SetACL.ocx" part of any desktop SOE build. Alternatively, I might make a "SetACL.msm" merge-module and include it in any packages where registry permissions need to be modified - then I could use a VBScript CA.
As a VBScript fan, I guess my favorite method might be WMI - although the script isn't the easiest to write.
Posted by:
VikingLoki
18 years ago
Could you post an example of the VBScript that would call SetACL.ocx to set permissions? I need to brush up on VB CA's and this is something I could definitely use.
Posted by:
WiseUser
18 years ago
Hi VikingLoki.
Here's a script from my archives - I don' remember if I wrote it myself or if just adapted someone else's code? You may have to play around with it a bit to get it how you want it. The indentation will have to be restored, because it's always lost when I post a script.
Dim oACLTool
Const SE_FILE_OBJECT = 1
Const SE_REGISTRY_KEY = 4
Const ACTN_ADDACE = 1
Const INHPARNOCHANGE = 0
Const GRANT_ACCESS = 1
Const ACL_DACL = 1
'examples
Msgbox AddFileorFolderACE("C:\Test.txt", "user", "full")
Msgbox AddFileorFolderACE("C:\Test", "User", "change")
Msgbox AddRegistryACE("hklm\software\AAAAAAAAAAAAAA\", "user", "full")
Function AddFileorFolderACE(sFilePath, sUser, sPerm)
On Error Resume Next
Dim iError
AddFileorFolderACE = True
Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")
iError = oACLTool.SetObject(sFilePath, SE_FILE_OBJECT)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.Run
If iError <> 0 Then AddFileorFolderACE = False
Set oACLTool = Nothing
End Function
Function AddRegistryACE(sRegKey, sUser, sPerm)
On Error Resume Next
Dim iError
AddRegistryACE = True
Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")
iError = oACLTool.SetObject(sRegKey, SE_REGISTRY_KEY)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.Run
If iError <> 0 Then AddRegistryACE = False
Set oACLTool = Nothing
End Function
For those who don't know this tool see the following link:
http://setacl.sourceforge.net
Obviously, the OCX has to be registered before this will do anything!
There may even be some better examples on Helge Kleins website - I haven't checked?
Here's a script from my archives - I don' remember if I wrote it myself or if just adapted someone else's code? You may have to play around with it a bit to get it how you want it. The indentation will have to be restored, because it's always lost when I post a script.
Dim oACLTool
Const SE_FILE_OBJECT = 1
Const SE_REGISTRY_KEY = 4
Const ACTN_ADDACE = 1
Const INHPARNOCHANGE = 0
Const GRANT_ACCESS = 1
Const ACL_DACL = 1
'examples
Msgbox AddFileorFolderACE("C:\Test.txt", "user", "full")
Msgbox AddFileorFolderACE("C:\Test", "User", "change")
Msgbox AddRegistryACE("hklm\software\AAAAAAAAAAAAAA\", "user", "full")
Function AddFileorFolderACE(sFilePath, sUser, sPerm)
On Error Resume Next
Dim iError
AddFileorFolderACE = True
Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")
iError = oACLTool.SetObject(sFilePath, SE_FILE_OBJECT)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddFileorFolderACE = False
iError = oACLTool.Run
If iError <> 0 Then AddFileorFolderACE = False
Set oACLTool = Nothing
End Function
Function AddRegistryACE(sRegKey, sUser, sPerm)
On Error Resume Next
Dim iError
AddRegistryACE = True
Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")
iError = oACLTool.SetObject(sRegKey, SE_REGISTRY_KEY)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddRegistryACE = False
iError = oACLTool.Run
If iError <> 0 Then AddRegistryACE = False
Set oACLTool = Nothing
End Function
For those who don't know this tool see the following link:
http://setacl.sourceforge.net
Obviously, the OCX has to be registered before this will do anything!
There may even be some better examples on Helge Kleins website - I haven't checked?
Posted by:
TomB
18 years ago
Something we do at my company is we create a security template inf file and a CA for secedit on Windows 2000 and XP.
Run the MMC snap in and open the Security Templates. Create a Security template that fits your needs for either file folder and\or registry permissions. Then save the template.
Add the inf file to your install by either copying it to the [WindowsFolder]Security\Templates or add it to the iniFile table (InstallShield allows an easy import).
Add entries to the Directory table to the folder [WindowsFolder]Security\Templates and [WindowsFolder]Security\Database.
Add the Custom Action to call the inf using secedit
Type:
3170
Source:
SystemFolder
Target:
secedit /configure /DB "[SecDBFolder]application.sdb" /CFG "[SecTemplates][PKGID].inf" /verbose /log "[WindowsFolder]Log\[PKGID]-secedit.log"
This works out pretty good for me, but I have not used the SetACL.ocx so I do not have a good basis for comparison.
Run the MMC snap in and open the Security Templates. Create a Security template that fits your needs for either file folder and\or registry permissions. Then save the template.
Add the inf file to your install by either copying it to the [WindowsFolder]Security\Templates or add it to the iniFile table (InstallShield allows an easy import).
Add entries to the Directory table to the folder [WindowsFolder]Security\Templates and [WindowsFolder]Security\Database.
Add the Custom Action to call the inf using secedit
Type:
3170
Source:
SystemFolder
Target:
secedit /configure /DB "[SecDBFolder]application.sdb" /CFG "[SecTemplates][PKGID].inf" /verbose /log "[WindowsFolder]Log\[PKGID]-secedit.log"
This works out pretty good for me, but I have not used the SetACL.ocx so I do not have a good basis for comparison.
Posted by:
ZhuBaJie
18 years ago
....or use this script embedded in a custom action with your Security Template.
The template should be added to the package.
This works great since it's fast and totally silent (no DOS boxes flying around)
==================================================
'Secedit script v1.1
'Purpose 1. Hidden execution of the secedit command.
' 2. Secedit will only run once per machine
' 3. Secedit will only run if the user has execution rights
Set ws = CreateObject("Wscript.Shell")
Set fs = CreateObject("Scripting.FilesystemObject")
Dim Regpath, Infname, Regtype, Security, sdbpath, cfgfile, ret
Infname = "Business-Objects-SA-Business-Objects-5.1.inf" 'Variable per MSI-package
Regpath = "HKLM\SOFTWARE\INFSTATE\"
Regtype = "REG_EXPAND_SZ"
Security ="Secedit /configure"
cfgloc = "\security\templates\"
wssys = ws.ExpandEnvironmentStrings("%Systemroot%")
set syspath = fs.GetFolder(wssys)
sdbpad = " /db " & syspath &"\security\Database\applics.sdb"
cfgfile = " /cfg " & syspath & cfgloc
ret = 1
On error resume next
Err.Clear
If Readfile("\security\Database\secedit.sdb") then
If not Readkey() then
if Readfile(cfgloc & infname) then
ret=ws.Run(Security & sdbpad & cfgfile & Infname & " /quiet",0,"true")
if Err.number <> 0 then
ws.Logevent 1, "Secedit execution of " & Infname & " Failed with errorcode: " & _
Err.number & " Description: " & Err.Description
Else
Writekey()
end if
Else
ws.Logevent 1, syspath & cfgloc & infname & _
" couldn't be found on the specified location during execution of secedit."
end if
Err.Clear
End if
End if
Function Readfile(filetochk)
Dim pathfile
pathfile = syspath & filetochk
Readfile = (fs.FileExists(pathfile))
End Function
Function ReadKey()
on error resume next
u="jgv"
u=ws.RegRead(Regpath & Infname)
If u = "Done" then
ReadKey = True
Else
ReadKey = False
Err.Clear
End if
End Function
Function WriteKey()
on error resume next
o=ws.RegWrite(Regpath & Infname, "Done", Regtype)
End Function
The template should be added to the package.
This works great since it's fast and totally silent (no DOS boxes flying around)
==================================================
'Secedit script v1.1
'Purpose 1. Hidden execution of the secedit command.
' 2. Secedit will only run once per machine
' 3. Secedit will only run if the user has execution rights
Set ws = CreateObject("Wscript.Shell")
Set fs = CreateObject("Scripting.FilesystemObject")
Dim Regpath, Infname, Regtype, Security, sdbpath, cfgfile, ret
Infname = "Business-Objects-SA-Business-Objects-5.1.inf" 'Variable per MSI-package
Regpath = "HKLM\SOFTWARE\INFSTATE\"
Regtype = "REG_EXPAND_SZ"
Security ="Secedit /configure"
cfgloc = "\security\templates\"
wssys = ws.ExpandEnvironmentStrings("%Systemroot%")
set syspath = fs.GetFolder(wssys)
sdbpad = " /db " & syspath &"\security\Database\applics.sdb"
cfgfile = " /cfg " & syspath & cfgloc
ret = 1
On error resume next
Err.Clear
If Readfile("\security\Database\secedit.sdb") then
If not Readkey() then
if Readfile(cfgloc & infname) then
ret=ws.Run(Security & sdbpad & cfgfile & Infname & " /quiet",0,"true")
if Err.number <> 0 then
ws.Logevent 1, "Secedit execution of " & Infname & " Failed with errorcode: " & _
Err.number & " Description: " & Err.Description
Else
Writekey()
end if
Else
ws.Logevent 1, syspath & cfgloc & infname & _
" couldn't be found on the specified location during execution of secedit."
end if
Err.Clear
End if
End if
Function Readfile(filetochk)
Dim pathfile
pathfile = syspath & filetochk
Readfile = (fs.FileExists(pathfile))
End Function
Function ReadKey()
on error resume next
u="jgv"
u=ws.RegRead(Regpath & Infname)
If u = "Done" then
ReadKey = True
Else
ReadKey = False
Err.Clear
End if
End Function
Function WriteKey()
on error resume next
o=ws.RegWrite(Regpath & Infname, "Done", Regtype)
End Function
Posted by:
babric
18 years ago
Sorry, but I really don't understand what you are talking about.
Permissions in regsitry ?
Someone could explain it briefly ?
Thanks.
Permissions in regsitry ?
Someone could explain it briefly ?
Thanks.
Posted by:
AngelD
18 years ago
The exact same as permission with files but setting permission for regkeys.
Grap your regedit, select a key and then click Permissions in the Edit menu.
Was that briefly? ;)
Grap your regedit, select a key and then click Permissions in the Edit menu.
Was that briefly? ;)
Posted by:
babric
18 years ago
Was that briefly? ;)
yes, but I don't have any "Permission" option in the Edit Menu...[:(]
Posted by:
babric
18 years ago
EDIT : Win 2000
http://img296.imageshack.us/my.php?image=registry9kk.gif
I tried under XP Pro, and... I found it :-)
So, guess that there are no permissions in 2000 ?
http://img296.imageshack.us/my.php?image=registry9kk.gif
I tried under XP Pro, and... I found it :-)
So, guess that there are no permissions in 2000 ?
Posted by:
AngelD
18 years ago
hmm ehhhh, bummer? ;)
regedit must be corrupted or something, never seen that one before.
regedit must be corrupted or something, never seen that one before.
Posted by:
babric
18 years ago
bummer
Sorry but I don't speak english very well, what do you mean by "bummer" ? disappointed ?
Thank you to increase my english skills :-)
Posted by:
AngelD
18 years ago
lets translate that to "tough luck" [;)]
Your regedit picture looks more like regedit in windows 2000 as that version does not have the Permissions option either.
Your regedit picture looks more like regedit in windows 2000 as that version does not have the Permissions option either.
Posted by:
plangton
18 years ago
Babric,
There are registry permissions in Windows 2000, to view them you have to run regedt32.exe
Rgds
Paul
There are registry permissions in Windows 2000, to view them you have to run regedt32.exe
Rgds
Paul
Posted by:
babric
18 years ago
lets translate that to "tough luck"
Thanks :-)
There are registry permissions in Windows 2000, to view them you have to run regedt32.exe
Thanks too :-)
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.
