Reg command

Guest

I am trying to load a user hive from a UNC path. When I do this I get access
denied. I can do this from a Windows XP machine. If I copy the file locally
I can then load the hive. What is preventing me from loading it through a UNC
path?
 
Guest

If you are running this from the command prompt, make sure you are using either
the Run As command or running the command prompt with admin privileges. UAC
will not appear in the command prompt.
 
Guest

I am running this with admin privileges. I turned off UAC as well. This
problem is even reproduced with Regedit.

Open Regedit and select HKLM
Click File and Load Hive
Navigate to a NTUSER.DAT file located on a network share
Give the key a name and select OK.
Access denied.

Is this a new security feature with Vista and if so how do you undo it?
 
Guest

Try running this command with the actual Administrator account; this account
bypasses a lot of UAC and Vista restrictions.
 
Guest

UAC is turned off.

Spenceation said:
Try running this command with the actual Administrator account; this account
bypasses a lot of UAC and Vista restrictions.
 
dean-dean

For lack of a better idea, try this. Navigate to C:\Windows\ and
right-click on regedit.exe. Choose Run as Administrator.
 
Guest

Same result.

I think it has something to do with a policy from somewhere. What I mean is:
I have a Vista and an XP machine in the same OU with the same policy being
applied to them both. I can load a registry hive under XP but not Vista. I
then made an RDP connection to a Vista machine off our domain, opened Regedit
and repeated the same steps, and I can load the registry hive. Do you think
it has anything to do with a trusted path that Vista looks at more closely
than XP did?
 
Guest

Are you trying to load this hive over the network? Vista does restrict
certain registry paths from being edited remotely.

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

These paths, and their sub-paths, are allowed to be remotely accessible. These
settings are stored in the security settings of group policy under:
Network Access: Remotely accessible registry paths and sub-paths
Since the machines share the same OU, try running a Result of Policies to see
if any settings differ. Also open Regedit, right-click on the hive that
you are editing and select Permissions. The default permissions might be
different on this machine due to the OUs or other reasons. If your account
has permissions and you are locally logged in, you should be able to edit the
registry without error.
 
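Where the two settings named in the post above are stored, and a way to compare them on two machines, as an added example that is not part of the thread: both policies are written as REG_MULTI_SZ values under the winreg key in HKLM, so they can be read from each machine directly instead of opening RSoP on each one. The computer names are placeholders; reading a remote machine requires the Remote Registry service to be running there and admin rights on it.

```powershell
# Added example, not code from the thread. Reads the two values behind the
# policies named in the post from each machine and lists the entries that differ.
# Policy -> registry value (both REG_MULTI_SZ under HKLM):
#   Network access: Remotely accessible registry paths
#       -> SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths\Machine
#   Network access: Remotely accessible registry paths and sub-paths
#       -> SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine
# Computer names below are placeholders.
param(
    [string[]]$ComputerName = @('VISTA-PC', 'XP-PC')
)

$winreg  = 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$subKeys = 'AllowedExactPaths', 'AllowedPaths'

function Get-WinregAllowedPaths {
    param([string]$Computer)
    # Needs the Remote Registry service on $Computer and admin rights there.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $result = @{}
        foreach ($sub in $subKeys) {
            $key = $base.OpenSubKey("$winreg\$sub")
            # A machine that lacks one of the keys is reported with an empty list.
            $value = if ($key) { $key.GetValue('Machine') } else { $null }
            $result[$sub] = if ($value) { @($value) } else { @() }
            if ($key) { $key.Close() }
        }
        return $result
    } finally {
        $base.Close()
    }
}

$snapshot = @{}
foreach ($c in $ComputerName) {
    try   { $snapshot[$c] = Get-WinregAllowedPaths -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Dump each machine's lists as read.
foreach ($c in $snapshot.Keys) {
    "== $c =="
    foreach ($sub in $subKeys) {
        "  [$sub]"
        $snapshot[$c][$sub] | ForEach-Object { "    $_" }
    }
}

# With exactly two readable machines, show what each has that the other lacks.
if ($snapshot.Count -eq 2) {
    $a, $b = @($snapshot.Keys)
    foreach ($sub in $subKeys) {
        $onlyA = $snapshot[$a][$sub] | Where-Object { $snapshot[$b][$sub] -notcontains $_ }
        $onlyB = $snapshot[$b][$sub] | Where-Object { $snapshot[$a][$sub] -notcontains $_ }
        if ($onlyA -or $onlyB) {
            "== $sub differs =="
            $onlyA | ForEach-Object { "  only on $a : $_" }
            $onlyB | ForEach-Object { "  only on $b : $_" }
        }
    }
}
```

Run it as `.\Compare-WinregPaths.ps1 -ComputerName VISTA-PC,XP-PC` from an account that is an administrator on both machines. Reading the values directly shows what is actually applied; `gpresult /scope computer /v` on each machine shows which GPO wrote them.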
Guest

Not to be dense here but I can't find Computer Configuration\Windows
Settings\Security Settings\Network Access Protection

Under Security Settings
-Account Policies
-Local Policies
-Windows Firewall with Advanced Security
-Public Key Policies
-Software Restriction Policies
-IP Security Policies on Local Computer

What am I missing?
 
Guest

Go to Local Policies, then Security Options. The User Rights Assignment folder
assigns rights to users, and Security Options enables or disables computer
security settings.
 
Guest

Found it. XP does not contain "Network access: Remotely accessible registry
paths and subpaths". So this is probably blocking me. So if I understand
this correctly, this list provides which keys can be edited when you load a
hive. When a user's hive is loaded (NTUSER.DAT), is it then scanned to see
if there isn't anything violating the list? If so, you get access denied?
 
Guest

Correct. Any other registry hive will be blocked remotely if it isn't listed
or a sub-path of a hive on that list. If you are applying this to
multiple machines, try one first and then see the results. Hopefully this
will fix it. Let me know, I'm curious if that is what is blocking it.
 
Guest

I removed the entries from the list, thinking this would disable the
setting. Same result. I then added back to the list the top-most keys of
the hive (AppEvents, Console, Control Panel, Environment, Identities,
Keyboard Layout, Printers, Software, UNICODE Program Groups) and again the
same result. I still don't know if the setting is actually blocking me or
not. I did do a gpupdate /force and restart between changes.
 
Guest

Can you tell me what the error says, word for word? And are there any events
that pop up in the event viewer? Try loading another NTUSER.DAT file,
preferably one that is new and almost blank.
 
Guest

Sorry for taking so long to get back to you. The error states: "Cannot Load
\\server\share\folder\NTUSER.DAT: Access is denied"

This is after trying to load the hive. I did use Process Monitor to see
what was happening and this is what it reports:

28547  8:46:25.4002811 AM  reg.exe  4832  RegLoadKey         HKLM\test  ACCESS DENIED  Hive Path: UNC\Domain\Share\profiles\User\NTUSER.DAT
32293  8:46:26.0527129 AM  reg.exe  4832  QuerySecurityFile  \\Domain\Share\Profiles\User\NTUSER.DAT  ACCESS DENIED  Information: DACL

There are no error messages in the event log.

I will try and load another new NTUSER.DAT.
 
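The two Process Monitor results in the post above (RegLoadKey denied on HKLM\test, and a QuerySecurityFile read of the hive's DACL denied) can be reproduced from user mode and compared against a local copy of the same file. The script below is an added example and not code from the thread: it checks whether the calling token holds the backup and restore privileges that RegLoadKey requires, whether the file's security descriptor can be read over the share (what QuerySecurityFile does), and then runs `reg load` against the UNC path and against a local copy. `$HivePath` reuses the path format from the error text and `$KeyName` the HKLM\test mount point from the trace; both are placeholders. Run it elevated, against a profile that is not currently in use.

```powershell
# Added example, not code from the thread. Placeholders: $HivePath (path format
# from the error text) and $KeyName (mount point from the Process Monitor trace).
param(
    [string]$HivePath = '\\server\share\folder\NTUSER.DAT',
    [string]$KeyName  = 'HKLM\test'
)

function Test-HivePrivileges {
    # RegLoadKey requires SeBackupPrivilege and SeRestorePrivilege in the caller's
    # token. 'whoami /priv' lists a privilege only if the token holds it, whether
    # enabled or disabled; reg.exe enables them itself.
    $priv = (whoami /priv) -join "`n"
    return @{
        SeBackupPrivilege  = [bool]($priv -match 'SeBackupPrivilege')
        SeRestorePrivilege = [bool]($priv -match 'SeRestorePrivilege')
    }
}

function Test-DaclReadable {
    param([string]$Path)
    # Get-Acl opens the file for READ_CONTROL and reads its security descriptor,
    # the user-mode equivalent of the QuerySecurityFile call that was denied.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        return @{ Readable = $true; Detail = "owner=$($acl.Owner)" }
    } catch {
        return @{ Readable = $false; Detail = $_.Exception.GetType().Name + ': ' + $_.Exception.Message }
    }
}

function Invoke-RegLoad {
    param([string]$Key, [string]$Hive)
    # reg.exe exits 0 on success and 1 on failure; stderr is merged to keep the message.
    $out = & reg.exe load $Key $Hive 2>&1
    $ok  = ($LASTEXITCODE -eq 0)
    if ($ok) { & reg.exe unload $Key 2>&1 | Out-Null }   # leave nothing mounted
    return @{ Loaded = $ok; Message = (($out | ForEach-Object { "$_" }) -join ' ').Trim() }
}

$p = Test-HivePrivileges
"Privileges    : SeBackupPrivilege=$($p.SeBackupPrivilege) SeRestorePrivilege=$($p.SeRestorePrivilege)"

$d = Test-DaclReadable -Path $HivePath
"DACL over UNC : readable=$($d.Readable) $($d.Detail)"

$u = Invoke-RegLoad -Key $KeyName -Hive $HivePath
"reg load UNC  : loaded=$($u.Loaded) $($u.Message)"

# Same bytes through a local path. Success here with failure above points at
# how the UNC path is opened rather than at the hive contents.
$local = Join-Path $env:TEMP 'NTUSER.DAT'
Copy-Item -LiteralPath $HivePath -Destination $local -Force
$l = Invoke-RegLoad -Key $KeyName -Hive $local
"reg load local: loaded=$($l.Loaded) $($l.Message)"
Remove-Item -LiteralPath $local -Force
```

If the privilege check shows both privileges but the DACL read over the share fails while the local copy loads, the denial is coming from the file open on the share, and the share and NTFS permissions on the profile folder are the next thing to compare between a machine that works and one that does not.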