Command-line registry ACL editing


chris a

It may be out there, but I forgot, is there a built-in
command-line utility that is available that will allow me
to change permissions on hives and keys in the registry
of an XP machine, something on the line of the CACLS or
the XCACLS utility to change file ACLs? Thanks.
 

Guest

Excellent, I'll give it a try. Thanks!

-----Original Message-----
It doesn't ship with the OS, but you can download subinacl from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.



chris a

Ok, I tried using the SUBINACL.EXE utility but I couldn't
get it to do what I needed to. Maybe I'm not using the
right syntax, I don't know. The problem is, I'm trying
to replace and remove ACL permissions on some of the
hives (such as removing the EVERYONE group and some
others), but my only options are to grant or deny.

For example, the HKEY_LOCAL_MACHINE key has
Administrators, System, Restricted and Power Users group
that have access to that particular hive. I need to
remove Restricted and Power Users and add Creator Owner
and Users, then set their permissions. Adding the two
groups isn't a problem, removing the other two is the
problem. Another thing I'm attempting to do is to enable
auditing on the registry hive. I can set it to audit
either successes or failures, but I can't do both at the
same time.

Is there another switch I need to throw to do everything
I need it to do or is there another utility out there
somewhere that I'll need to use? Thanks.


Drew Cooper [MSFT]

Doesn't /revoke do what you want?
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.



Guest

IT WORKS!!!!!!! I guess I wasn't using the right
command. I must have overlooked that one. Thanks!!!! :)


Guest

Ok, new problem. Setting up file auditing on the C:
drive to be inherited through the rest of the system.
How do I get it to audit Failure=Full Control AND
Success=Delete, Change Permissions and Take Ownership?

Right now when I do the sgrant and sdeny commands, it
changes the audit settings to one or the other, not both.

Drew Cooper [MSFT]

That I don't know. I haven't used subinacl for SACLs. According to the
documentation, it's supposed to add ACEs when you "/sgrant" and "/sdeny",
not overwrite the previous SACL. If it's not doing that, I don't know what
to tell you.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
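
An added example, not part of the original thread and not subinacl syntax: the DACL and SACL changes asked about above, done with PowerShell's Get-Acl/Set-Acl and the .NET access-control classes. The key path and folder are hypothetical test targets, and the audited principal (Everyone) and the ReadKey right given to Users are assumptions.

```powershell
# Added example. Run elevated: reading or writing a SACL needs SeSecurityPrivilege.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor'   # hypothetical test key
$Folder  = 'C:\AuditTest'                   # hypothetical test folder
$ac      = 'System.Security.AccessControl'

# Well-known SIDs, so the script does not depend on localized group names.
$everyone   = New-Object Security.Principal.SecurityIdentifier 'S-1-1-0'
$restricted = New-Object Security.Principal.SecurityIdentifier 'S-1-5-12'
$users      = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$powerUsers = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-547'

$keysOnly = [Security.AccessControl.InheritanceFlags]'ContainerInherit'
$allKids  = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [Security.AccessControl.PropagationFlags]::None

# --- Registry key: remove two groups, add one, audit success AND failure ---
$acl = Get-Acl -Path $KeyPath -Audit        # -Audit also loads the SACL

# Remove every explicit ACE held by these principals (the "/revoke" step).
$acl.PurgeAccessRules($powerUsers)
$acl.PurgeAccessRules($restricted)

$allowUsers = New-Object "$ac.RegistryAccessRule" -ArgumentList $users,
    'ReadKey', $keysOnly, $noProp, 'Allow'
$acl.AddAccessRule($allowUsers)

# A single audit ACE can carry both flags.
$auditKey = New-Object "$ac.RegistryAuditRule" -ArgumentList $everyone,
    'FullControl', $keysOnly, $noProp, 'Success, Failure'
$acl.AddAuditRule($auditKey)
Set-Acl -Path $KeyPath -AclObject $acl

# --- Folder: different rights for failure and for success ---
$facl = Get-Acl -Path $Folder -Audit

$failAll = New-Object "$ac.FileSystemAuditRule" -ArgumentList $everyone,
    'FullControl', $allKids, $noProp, 'Failure'
$okSome = New-Object "$ac.FileSystemAuditRule" -ArgumentList $everyone,
    'Delete, ChangePermissions, TakeOwnership', $allKids, $noProp, 'Success'

# AddAuditRule appends to the SACL; the second call does not replace the first.
$facl.AddAuditRule($failAll)
$facl.AddAuditRule($okSome)
Set-Acl -Path $Folder -AclObject $facl

# Read both SACLs back to confirm what was written.
(Get-Acl -Path $KeyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Audit ACEs only produce Security log events when object-access auditing is enabled in the audit policy. PurgeAccessRules removes explicit ACEs only; inherited ones have to be changed on the parent.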



cquirke (MVP Win9x)

On Fri, 9 Apr 2004 12:46:00 -0700, "Drew Cooper [MSFT]"
That I don't know. I haven't used subinacl for SACLs. According to the
documentation, it's supposed to add ACEs when you "/sgrant" and "/sdeny",
not overwrite the previous SACL. If it's not doing that, I don't know what
to tell you.

Wow, that went swish! over my head - my per-word comprehension of this
paragraph is low even by OCR standards :)

Does XP contain a reference on this stuff?

And can you help me with the HOLY GRAIL:

1) Getting non-default settings to "stick" in XP Home
user accounts that are set to sub-Admin permissions

2) Setting up the new user account prototype so that all
newly-created accounts are born with the above
non-default settings as well as custom shell folder paths

OK, make that two Holy Grails :)

Seriously, without both of these in place, limited and multiple user
accounts remain unfit for use in XP Home.

I've read an MS article on how to transfer contents of an existing
non-admin account to the Default account (from which newly-created
accounts inherit content). Two problems:
- this excludes the registry, thus all registry settings
- some settings are inherited from "somewhere else"

So I still have to stick to one account, full admin permissions, if I
want the safety afforded by settings like "don't hide extensions",
"show all paths and files" etc. and the speed, manageability and
survivability benefits of data relocated over multiple HD volumes.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 

Drew Cooper [MSFT]

Sorry. I really don't have a solution for that.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.



cquirke (MVP Win9x)

On Mon, 12 Apr 2004 16:18:55 -0700, "Drew Cooper [MSFT]"
Sorry. I really don't have a solution for that.

Ouch! Well, next time someone over at your place says "I can't
understand why users don't use limited accounts", wave my last post!

As a roving tech, working on PCs with multiple user accounts is hell -
settings have to be repeated in each account and if there's an account
with an unknown password, you can't complete the job.

Building PCs is a nightmare when every time someone creates a new user
account, all the settings get lost, with massive MP3 collections
bloating up C: and so on.

Effectively, user accounts (especially if "limited") force the darkness
of MS default settings to be the standard, and that sucks!


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 

Drew Cooper [MSFT]

I know a few of the folks working on making it easier to run limited
accounts - I'll forward a link to your newsgroup posts to them.

Things should be better when Longhorn is released, although I know that
doesn't make life any easier for you at the moment. Sorry.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.



cquirke (MVP Win9x)

On Fri, 16 Apr 2004 13:34:45 -0700, "Drew Cooper [MSFT]"
I know a few of the folks working on making it easier to run limited
accounts - I'll forward a link to your newsgroup posts to them.

Thanks! In a nutshell, we need:
- an ability to set up the 'new account' prototype
- an ability to administer Regedit-level settings across accounts **
- limited accounts must retain settings!

The settings I'm referring to include:
- shell and user-shell folder paths
- IE cache size and location
- UI settings such as show paths, extensions etc.
- safety-related settings such as IE's options etc.
- startup and other integration entry points (malware cleanup)

On the last; thinking of the present advice to "run AdAware, Spybot
etc. from *every* user account to clean up commercial malware".

Things should be better when Longhorn is released, although I know that
doesn't make life any easier for you at the moment. Sorry.

Longhorn's a way off; for this, one would hope for a Service Pack or
"XP 2004 Edition" sort of time frame. As it is, it's a disaster; the
"welcome to XP" pushes newbs into spawning new user accounts, and
there's no way to effectively preset or manage these.

** Here, I'd suggest using the existing RegEdit interface, perhaps by
adding some sort of account-spanning depth to this. It's what us
stand-alone field techs are familiar with, and thus easier than
learning yet another administration UI :)


The other big thing that must be in place soon, at least by Longhorn
if not before, is a replacement for DOS mode as maintenance OS.

But that's another thread ;-)


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
