Permissions are reset on Key after restart

Mike Sharpton

Hello,

We have all machines in a "locked down" environment (no
admin privileges to users). However, an app that is
needed by our users, is unable to read the following
registry key "HKLM\Hardware\DeviceMap\SerialComm", if I
change the permission on the key to allow authenticated
users "Full Control" after restart the permissions are
re-ACL'd, causing the app to fail. Is there any way around
this? Is WFP causing this to occur?

Thanks
Mike
 
Mark V

Mike Sharpton wrote in
Hello,

We have all machines in a "locked down" environment (no
admin privileges to users). However, an app that is
needed by our users, is unable to read the following
registry key "HKLM\Hardware\DeviceMap\SerialComm", if I
change the permission on the key to allow authenticated
users "Full Control" after restart the permissions are
re-ACL'd, causing the app to fail. Is there any way around
this? Is WFP causing this to occur?

I don't know. That key here (W2K SP4) has EVERYONE=READ by default.
Could it be it's inheriting a bad ACE from above?
 
Mike Sharpton

-----Original Message-----
Or misconfigured policy.

--
Andrei "Ndi" Dobrin
Brainbench MVP
www.Brainbench.com


.
Yes, I know everyone has read, however, I want to add, or
give "Full Control" to "Everyone", when I do this, the key
is re-acl'd after restart. I just built 2000 out of the
box, no local or domain policy, and this occurs. Thanks
for trying, anyone else?

Mike
 
Mark V

Mike Sharpton wrote in [ ]
Yes, I know everyone has read, however, I want to add, or
give "Full Control" to "Everyone", when I do this, the key
is re-acl'd after restart. I just built 2000 out of the
box, no local or domain policy, and this occurs. Thanks
for trying, anyone else?

Mike

Firstly I do not understand why READ is not sufficient for the
subject program. No User-mode program should need R-W or FULL there
at all. I suggest there is a problem with the application. If
possible alter the program to either accept a READ as sufficient
permission or to Store and Read from another (persistent) key
(HKLM... / HKCU...).

HKLM\HARDWARE\ is a volatile key created during OS startup. It is
not saved persistently in an on-disk hive file. So, if you are asking
how to force the system to use an alternate security specification
for the "HARDWARE" key or sub-key, I do not know. It may be
impossible (or not).

If the application is broken and cannot be fixed, then I'd say you
will need to dynamically alter the ACLs for the target key
(SerialComm) after system startup. You might do that with a script
that runs prior to any user logon. You might be able to use the
regini.exe tool from the Windows Resource Kit or perhaps the
3rd-party tool SETACL from sourceforge.net. In either case if it can
work at all the script/tools will need to have
    Administrator or SYSTEM authority
    Disable inheritance from above
    Alter the ACE for EVERYONE
and this is making a few assumptions. I've not tried it here, but
_in_theory_...
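
The three steps Mark V lists, written out as a startup script. This is an added example, not part of the thread and not tested against the poster's application; it assumes a Windows version with PowerShell (the Windows 2000 machines in the thread would need regini.exe or SetACL instead), and the `$KeyPath` and `$Rights` parameter names are illustrative.

```powershell
# Added example, not from the thread. Intended to run elevated, e.g. as a
# machine startup script (SYSTEM context, before any user logs on).
param(
    [string]$KeyPath = 'HKLM:\HARDWARE\DEVICEMAP\SERIALCOMM',
    # 'FullControl' is what the thread asks for; pass a narrower RegistryRights
    # value (e.g. 'SetValue') if the application turns out to need less.
    [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl'
)

# Step 1: Administrator or SYSTEM authority is required to rewrite the DACL.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Must run as Administrator or SYSTEM to change the key ACL.'
}

# The key is volatile and may be absent, for instance on a machine
# with no serial ports.
if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "$KeyPath does not exist; nothing changed."
    exit 0
}

# Well-known SID S-1-1-0 (Everyone), so the lookup is not locale dependent.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$acl = Get-Acl -Path $KeyPath

# Step 2: stop inheriting from the parent key, keeping copies of current ACEs.
$acl.SetAccessRuleProtection($true, $true)

# Step 3: set the allow ACE for Everyone to the requested rights.
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rule  = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, $Rights, $allow)
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Print the resulting ACL so each boot leaves a record of what was applied.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
```

Because the key is rebuilt at every boot, the script has to run on every startup; the change does not persist.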
 
Mike Sharpton

-----Original Message-----
Mike Sharpton wrote in [email protected]:
[ ]
Yes, I know everyone has read, however, I want to add, or
give "Full Control" to "Everyone", when I do this, the key
is re-acl'd after restart. I just built 2000 out of the
box, no local or domain policy, and this occurs. Thanks
for trying, anyone else?

Mike

Firstly I do not understand why READ is not sufficient for the
subject program. No User-mode program should need R-W or FULL there
at all. I suggest there is a problem with the application. If
possible alter the program to either accept a READ as sufficient
permission or to Store and Read from another (persistent) key
(HKLM... / HKCU...).

HKLM\HARDWARE\ is a volatile key created during OS startup. It is
not saved persistently in an on-disk hive file. So, if you are asking
how to force the system to use an alternate security specification
for the "HARDWARE" key or sub-key, I do not know. It may be
impossible (or not).

If the application is broken and cannot be fixed, then I'd say you
will need to dynamically alter the ACLs for the target key
(SerialComm) after system startup. You might do that with a script
that runs prior to any user logon. You might be able to use the
regini.exe tool from the Windows Resource Kit or perhaps the
3rd-party tool SETACL from sourceforge.net. In either case if it can
work at all the script/tools will need to have
    Administrator or SYSTEM authority
    Disable inheritance from above
    Alter the ACE for EVERYONE
and this is making a few assumptions. I've not tried it here, but
_in_theory_...

.

Thanks Mark,

I agree the app in question is no doubt a POS. However, I
need to work with them to get it working. The software is
checking what COM ports are available, "READ" should be
sufficient. However this "uber" app, needs more. I will
use your reply to aid me in my battles. Thanks.

Mike
 