MS patches changing registry entries

  • Thread starter Thread starter wjr
  • Start date Start date
W

wjr

Is there a way to prevent MS updates from changing a specified registry
setting? For one of the text converters, we point to a specific one we
install, but for some reason, MS recently has started to set that entry
back to the default setting. I don't want to see that setting changed
from our custom setting.

FYI, we are a vendor at the site and the site is responsible for admin
of their AD. We have little/no say over what can happened in their AD.
So any AD solution will have to run to the Admin group get approved
then go through an executive committee and the security group before it
can be deployed. Individual users do not get admin rights.
 
Which specific registry setting are you referring to ?

Is it related to the registry settings that resulted from installing
KB973904 ?

MS09-073: Description of the security update for Windows XP, Windows
2000, and Windows Server 2003: December 8, 2009
http://support.microsoft.com/kb/973904/


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
wjr said:
Is there a way to prevent MS updates from changing a specified registry
setting? For one of the text converters, we point to a specific one we
install, but for some reason, MS recently has started to set that entry
back to the default setting. I don't want to see that setting changed
from our custom setting.

FYI, we are a vendor at the site and the site is responsible for admin of
their AD. We have little/no say over what can happened in their AD. So
any AD solution will have to run to the Admin group get approved then go
through an executive committee and the security group before it can be
deployed. Individual users do not get admin rights.
Click to expand...

You could right-click that key, then click Security. Now make yourself the
owner and give everyone else nothing but read-access. Best to test your
modification - some MS Automatic Updates might fail when they cannot do
their usual job.
 
Which updates?

Most updates change all sorts of things in the Registry by default.
 
PA said:
Which updates?

Most updates change all sorts of things in the Registry by default.
Click to expand...
I don't know the specific key as I am waiting for details from the
on-site engineer. But the specific key really doesn't answer the basic
question which I have asked. Which was "Is there a way to prevent MS
patch updates from changing a registry entry?". They way I see it,
someone doesn't need the specific reg entry to answer the general
question, assuming they know an answer.
 
wjr said:
I don't know the specific key as I am waiting for details from the
on-site engineer. But the specific key really doesn't answer the basic
question which I have asked. Which was "Is there a way to prevent MS
patch updates from changing a registry entry?". They way I see it,
someone doesn't need the specific reg entry to answer the general
question, assuming they know an answer.
Click to expand...

Patches WILL change registry entries. So the answer is no, not if you
want patches installed.
 
Bob said:
Patches WILL change registry entries. So the answer is no, not if you
want patches installed.
Click to expand...

Exactly.

The only other option is that once the update is applied -- and assuming
that this update is indeed responsible for the changing of the specific
registry entry (which is unknown!) -- , change the registry setting to
what one wishes it to be (and hope that it won't compromise one's
security!).
 
wjr said:
I don't know the specific key as I am waiting for details from the
on-site engineer. But the specific key really doesn't answer the basic
question which I have asked. Which was "Is there a way to prevent MS
patch updates from changing a registry entry?". They way I see it,
someone doesn't need the specific reg entry to answer the general
question, assuming they know an answer.
Click to expand...

[OK, we'll bottompost...]

Then the answer is No, nor can you have your hair cut without cutting your
hair.
 
PA said:
wjr said:
I don't know the specific key as I am waiting for details from the
on-site engineer. But the specific key really doesn't answer the basic
question which I have asked. Which was "Is there a way to prevent MS
patch updates from changing a registry entry?". They way I see it,
someone doesn't need the specific reg entry to answer the general
question, assuming they know an answer.
Click to expand...

[OK, we'll bottompost...]

Then the answer is No, nor can you have your hair cut without cutting
your hair.
Click to expand...
Nice try but fail. It's more can I get my hair but don't touch the
cowlick. Still, I will give you a C- for effort.
 
wjr said:
Is there a way to prevent MS updates from changing a specified
registry setting? For one of the text converters, we point to a
specific one we install, but for some reason, MS recently has
started to set that entry back to the default setting. I don't
want to see that setting changed from our custom setting.

FYI, we are a vendor at the site and the site is responsible for
admin of their AD. We have little/no say over what can happened in
their AD. So any AD solution will have to run to the Admin group
get approved then go through an executive committee and the
security group before it can be deployed. Individual users do not
get admin rights.
Click to expand...

First off - if the entry is being changed to default by a patch - it must be
in some place the patch writers deems it important to change. Which patch?
All patches?

You say you are a vendor and this is a 'text converter' and a 'specific one
we install' <-- is that your resistance in giving the name of said
converter? Or the registry key location? Or the patch that supposedly
changes the registry value?

Also - I caught your, "I don't know the specific key as I am waiting for
details from the on-site engineer..." reply. So you are not one of the
trouble-shooters or the people who do the actual work on the product in
question - I assume? And if you are - couldn't you recreate the issue
easily enough and thus 'know the specific key'?

Here's a simple set of facts - as you seem resistant to exposing your
product to ridicule and/or to pointing out the registry key(s) in question
and/or even specifying what patch(es) are supposedly changing the registry
key(s) in question - that should be fairly obvious...

- If someone/something has administrative rights on a system - that
someone/something can (in the end) do just about anything they want to said
system (excluding cracking into encryption that is not theirs in most cases
without subterfuge and returning at a later date.)
- Windows/Microsoft Updates are not installed with 'lesser' priviledges.
They are installed with administrative level priviledges (and/or as
"system".) Thus - they can, using logic, "do just about anything they want
to said system."

That being said, just like malware writers, you could change the permissions
on the registry entry(ies) in question so that everyone could read it but no
one can write/change it without taking ownership and changing the
permissions first. Not saying you are a malware writer - just using them as
an example, you see. In theory - that would prevent a patch from changing
said registry key - however it would also prevent (most likely) the patch
from being reported back as 'installed successfully' and - you have a whole
new problem because - well - you have become an annoyance (*at least) in the
eyes of those who probably will, sooner or later, discover the issue.

So - other than the above (permissions change) possibility (it is not a
certainty that it could not be changed - as I pointed out - administrative
level accounts can do just about anything) - the answer to your generic
question (barring any specifics you brave to put out such as the specific
patch(es) you believe do this, the specific product (text converter?)
installed or the location of the registry key/value that gets changed) is,
"No."
 
Back
Top