How do I get Registry key permissions for a specific user or group via WMI?

Mark-Allen Perry

To all:

The code below checks to see if the user account running the script has the
specified permissions; in this case, QUERY_VALUE.

What I would like is a similar code example on how to ask if a 'specified
user or group' has a specific permission. Does anyone know of a code
example that will do this? Or can post a link to a URL somewhere. I've
checked all over MS and MSDN, and on Google but after checking about 100
sites, nothing looks promising.

'---------------------------------------------------------------------------------
' Create constants for access rights and registry hive
Const KEY_QUERY_VALUE = &H0001
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "SYSTEM\CurrentControlSet"

' Does the account under which the script runs have the
' right to query the SYSTEM\CurrentControlSet key
'---------------------------------------------------------------
objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE, bHasAccessRight

If bHasAccessRight = True Then
    Wscript.Echo "Has Query Value Access Rights on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
Else
    Wscript.Echo "No Query Value Access Rights on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
End If

'---------------------------------------------------------------------------------

There are examples of using WMI for checking the DACLs of file objects;
files and folders. But I haven't been able to find something similar for
Registry keys.

Many thanks for all the help,
 
Mark-Allen Perry

Hi all,

Ok, my boss found something buried deep inside MSDN but I was able to use it
to accomplish my task. Below is the code I wrote to compare a list of
user/groups and permissions for each against a list of Registry DACLs.

===============================================================

' ADSI enumeration values (ADS_PATH_ENUM, ADS_SD_FORMAT_ENUM);
' VBScript does not load them from the type library, so declare them.
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1

Sub AuditReg(ByVal sRegKey, _
             ByVal iAccessMask, _
             ByVal sGroupName, _
             ByVal sAccessText, _
             ByVal iAttribCounter, _
             ByVal iGroupCounter)
    Dim oRegSD, oDACL_ACEs, oADsSecurityUtility

    '--
    ' THIS LINE WAS WHAT WE NEEDED TO DO WHAT WE WANTED.
    ' --------------------------------------------------
    '
    ' Create an ADsSecurityUtility object.
    '--
    Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")

    '
    ' Get the Security Descriptor for the given path.
    ' - ADS_PATH_REGISTRY specifies a Registry path
    '
    Set oRegSD = oADsSecurityUtility.GetSecurityDescriptor(sRegKey, _
        ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)

    '
    ' Get the Discretionary ACL for the key.
    '
    Set oDACL_ACEs = oRegSD.DiscretionaryAcl

    ' CheckDacl is a routine from the rest of the script (not shown in this post).
    Call CheckDacl(oDACL_ACEs, iAccessMask, sGroupName, sRegKey, _
        sAccessText, iAttribCounter, iGroupCounter)

    Set oADsSecurityUtility = Nothing
    Set oRegSD = Nothing
    Set oDACL_ACEs = Nothing

End Sub

===================================

Hope this may help someone else.
--
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org
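
The post above does not show its CheckDacl routine, so here is one way to walk the DACL returned by ADsSecurityUtility and test a named user or group against an access mask. This is an added example, not the poster's code. TrusteeHasAccess, the key path format and the "BUILTIN\Users" trustee are assumptions for illustration, and only ACEs that name the trustee directly are matched (group membership is not expanded).

```vbscript
Option Explicit

' ADSI enumeration values (ADS_PATH_ENUM, ADS_SD_FORMAT_ENUM,
' ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM) and one registry access right.
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const KEY_QUERY_VALUE = &H1

' Hypothetical helper: True when the ACEs naming sTrustee grant every bit
' of lDesired on sRegKey. ACEs are evaluated in DACL order, so a deny ACE
' only blocks bits that no earlier allow ACE has already granted.
Function TrusteeHasAccess(sRegKey, sTrustee, lDesired)
    Dim oUtil, oSD, oAce, lRemaining
    TrusteeHasAccess = False
    Set oUtil = CreateObject("ADsSecurityUtility")
    Set oSD = oUtil.GetSecurityDescriptor(sRegKey, ADS_PATH_REGISTRY, _
        ADS_SD_FORMAT_IID)

    lRemaining = lDesired
    For Each oAce In oSD.DiscretionaryAcl
        ' Inherit-only ACEs are templates for subkeys; they do not
        ' control access to this key itself, so skip them.
        If (oAce.AceFlags And ADS_ACEFLAG_INHERIT_ONLY_ACE) = 0 And _
           StrComp(oAce.Trustee, sTrustee, vbTextCompare) = 0 Then
            Select Case oAce.AceType
                Case ADS_ACETYPE_ACCESS_DENIED
                    ' Deny covers a bit still being asked for: no access.
                    If (oAce.AccessMask And lRemaining) <> 0 Then Exit Function
                Case ADS_ACETYPE_ACCESS_ALLOWED
                    ' Clear the bits this allow ACE grants.
                    lRemaining = lRemaining And Not oAce.AccessMask
            End Select
        End If
        If lRemaining = 0 Then Exit For
    Next
    TrusteeHasAccess = (lRemaining = 0)
End Function

' Sample call; the key path and trustee name are illustrative values.
Dim sKey
sKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
WScript.Echo "BUILTIN\Users can query values: " & _
    TrusteeHasAccess(sKey, "BUILTIN\Users", KEY_QUERY_VALUE)
```

A False result means only that no ACE naming that trustee directly grants the right; the account may still receive it through membership in another group listed in the DACL.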
 
