Access Denied errors recorded by Regmon.exe

The log from regmon grows steadily as the machine is used (filtered to show
only access denied). All application opens produce one or more entries
amounting to over a hundred in a few hours use. I have looked at the
permissions for a few of the registry keys in question but can see nothing
obvious wrong to explain the access denied error. My expertise runs out here
but the tick box to inherit from parent the permission entries that apply....
and clicking edit shows all allow boxes ticked but grey which is as it
should be I suspect. Is there more I can do to find out why these errors
occur and rectify them? A couple of samples from this log are pasted below.

3212.41381836 explorer.exe:3732 QueryValue HKCU\SessionInformation\ProgramCount ACCESS DENIED RICHARD-U5QWMDM\Richard
3291.86767578 services.exe:772 QueryValue HKLM\System\CurrentControlSet\Services\SISNPF\DeleteFlag ACCESS DENIED NT_AUTHORITY\SYSTEM

Any help here will be greatly appreciated,
Richard.
 
For this key:
HKEY_CURRENT_USER\SessionInformation

Registry Permissions in my system:
=======================

Administrator - Full
{My User account} - Full
RESTRICTED - FULL
SYSTEM - FULL

Owner is {My User account}


--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com
 
Correction
------------

Administrator - Full
{My User account} - Full
RESTRICTED - READ
SYSTEM - FULL

Owner is {My User account}

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com
 
Thanks Ramesh,
I log in as user Richard who has administrative power and the owner of this
key is Administrators. In addition to Administrators, Restricted and System
another user exists S-1-5-21-1935655697-299502267-68200333-103 . All these
users have Read access and all except Restricted have Full access. My actual
login is not there - but Administrators is - is this good enough? There is no
tick for Replace owner on subcontainers and objects. To me this looks OK but
still gives access denied error. Do permissions exist at each level from and
including HKCU - which is itself owned by Administrators?
If I can sort this particular key then I should be able to fix the rest too
I hope.

Richard (jaistar)
 
I went to the top level HKCU key and added user Richard and set key owner as
Richard and ticked replace owner on all sub objects. I checked some actual
keys to make sure changes were reflected there OK. The vast majority of access
denied errors are in here but not all. Logged on as Richard even after reboot
had no effect on Regmon errors listed. I even tried "run as" administrator for
explorer.exe but saw same error. Could I have a corrupt profile? Should I
try to make a new user and see if problem exists there? Or despite being an
administrator is there something wrong with the administrators group profile
that affects its "power"? Is there any way that I would be able to check
these theories?
Richard.
 
Richard,

Testing with a new user account would be a good idea as you said. I don't
have any other ideas right now, apart from running AccessEnum
(www.sysinternals.com) and comparing the output with another Windows XP
system.

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com
 
Thanks Ramesh,
My laptop has XP home (OEM) as opposed to this bought XP pro here. Can I do
comparisons with this? - it has no access denied errors when I checked last
week. I meant to mention - when I added Richard as described earlier I had
still to tick "full control" although Richard was already an Administrator.
Also the program count data in SessionInformation does in fact change
indicating one less than the number of segments in the taskbar so some access
is in fact allowed.
 
Also I have set Regmon to filter for programcount and see that write access is
made.
15:53:43 explorer.exe:2620 QueryValue HKCU\SessionInformation\ProgramCount ACCESS DENIED RICHARD-U5QWMDM\Richard
15:53:43 explorer.exe:2620 SetValue HKCU\SessionInformation\ProgramCount SUCCESS 0x7

What is 0x7 and what is the "Other" field in Regmon showing - I can find no
information on the sysinternals site to help here.
Thanks,
Richard.
 
Interesting one, Richard.

QueryValue fails, but SetValue succeeds?

Also in my system, no QueryValue is done (only CreateKey, and SetValue) when
I open/close applications.

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com
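
A small triage script for the pattern discussed above, as an added example that is not part of the original thread: it parses Regmon lines in the layout shown in the posts, counts ACCESS DENIED results per process and key, and flags values where QueryValue was denied but a later SetValue by the same process succeeded. The whitespace-separated layout and all function names are assumptions; the last sample line is constructed.

```python
import re
from collections import Counter

# Layout assumed from the samples posted in this thread:
# time  process:pid  request  path  result  other
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<process>\S+):(?P<pid>\d+)\s+(?P<request>\S+)\s+"
    r"(?P<path>.+?)\s+(?P<result>ACCESS DENIED|SUCCESS|NOT FOUND)\s*(?P<other>.*)$"
)

# The first four lines are quoted from the thread; the last one is constructed.
SAMPLE_LOG = r"""
3212.41381836 explorer.exe:3732 QueryValue HKCU\SessionInformation\ProgramCount ACCESS DENIED RICHARD-U5QWMDM\Richard
3291.86767578 services.exe:772 QueryValue HKLM\System\CurrentControlSet\Services\SISNPF\DeleteFlag ACCESS DENIED NT_AUTHORITY\SYSTEM
15:53:43 explorer.exe:2620 QueryValue HKCU\SessionInformation\ProgramCount ACCESS DENIED RICHARD-U5QWMDM\Richard
15:53:43 explorer.exe:2620 SetValue HKCU\SessionInformation\ProgramCount SUCCESS 0x7
15:53:44 iexplore.exe:1000 QueryValue HKCU\Software\Example\Missing NOT FOUND
"""

def parse_log(text):
    """Return one dict per line that matches the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def denied_by_process_and_key(events):
    """Count ACCESS DENIED results per (process, request, path)."""
    return Counter(
        (e["process"], e["request"], e["path"])
        for e in events if e["result"] == "ACCESS DENIED"
    )

def denied_read_then_write_ok(events):
    """Values a process could not query but afterwards set successfully."""
    denied, hits = set(), []
    for e in events:
        key = (e["process"], e["pid"], e["path"].lower())
        if e["request"] == "QueryValue" and e["result"] == "ACCESS DENIED":
            denied.add(key)
        elif e["request"] == "SetValue" and e["result"] == "SUCCESS" and key in denied:
            hits.append((e["process"], e["path"]))
    return hits

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(denied_by_process_and_key(evts).most_common())
    print(denied_read_then_write_ok(evts))
```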
 
Thanks Ramesh,
Comparing Regmon output between laptop and desktop using "Bags" as filter
gives on laptop 39 lines opening IE6 and a total of 60 lines closing IE6. On
laptop all are SUCCESS apart from 6 NOT FOUND. On suspect desktop the total
is 77 including 16 ACCESS DENIED - which all occur on closing IE6.
On desktop keys like Shell\\MinPos1280x1024(1).x get QueryValue twice at
lines 4 & 5 with SUCCESS but later at line 43 QueryValue of same key gives
ACCESS DENIED followed at line 44 by a SetValue with SUCCESS.
This makes no sense to me at all - any ideas? or am I looking at a clean
reinstall - not an attractive prospect:-)

Richard.
 
Thanks Ramesh,
Created Rich2 as administrator and logged on to this account but saw same
failure to regsvr32 /i shdocvw command and same access denied errors in
Regmon output. I suspect there is not much more to try now?
Richard.
 
Richard,

For more exposure, you may start a new topic in WindowsXP_General group.
David Candy or some others may help you fix the problem.

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com
 
Namaskar Ramesh,
Many thanks for all your suggestions, I have learnt a lot in the process
too:-) I will follow your new suggestion directly.
Richard.
 
