Registry permissions defaults

cpnet

I am trying to install Norton AV Pro on my father's Dell Inspiron 8200 w/ XP
Pro sp1, and all critical updates applied. I have an almost identical Dell
Inspiron (different modem I think), and have used NAV Pro 2002 through 2004
no problems.

On my father's computer, near the end of the install, I keep on getting an
error which is essentially caused by the Symantec registry keys not having
the correct permissions. At first I was thinking this was a problem with
the newest NAV install, but as I looked deeper, I'm not sure. I looked at
permissions for a number of registry keys, comparing both Inspirons, as
well as the registry in a Virtual PC XP Pro sp1 install that's on my
Inspiron. What I saw was odd. On my dad's laptop, there are many more
registry keys that only have Administrator and SYSTEM with assigned
permissions, and many more keys where permissions apply to "this key only",
and for Administrator, there is usually only 'read' rights. On my XP, and
my virtual XP, I see Power Users, Users, etc. with permissions - not just
Administrators and SYSTEM. I also see many more keys where permissions
apply to the key and its children. Administrators generally have the
correct permissions (i.e. full control).

One interesting example is for some software that I authored, that's
installed on the machines. My install is a Windows Installer install that I
built myself, and my install code does NOT explicitly set any permissions on
the registry. Anything that gets set is done by the OS with its defaults.
On my Dad's machine for "HKLM\Software\MyCompany", only "Administrators" and
"SYSTEM" are assigned permissions. They are only assigned "special
permissions". When I examine the permissions, I see that "SYSTEM" has 'full
control' on "this key only". "Administrators" have 'read' on 'this key
only'. This is compared to my own machine for the same key
("HKLM\Software\MyCompany") I see permissions for "Administrators", "Power
Users", "Users", "SYSTEM", "CREATOR OWNER". For all except "CREATOR OWNER",
their respective permissions apply to "this key and subkeys". The
permissions for each of the users/groups seem appropriate - i.e.
Administrators have 'full control'.

What is going on here?

I also see something that is a concern... On my Dad's machine,
"HKLM\Software\Microsoft" only has permissions for "Everyone", and
"Everyone" has plain "Full Control"!!! Some of the subkeys are more locked
down - but not all - this doesn't seem good.

I have scanned my dad's machine w/ Trend Micro's free HouseCall, the
pre-scan that the NAV install does, and the free PestPatrol scan. None have
found any viruses or malware. My father uses another PC for most of his
web/e-mail access, so this laptop doesn't get a lot of exposure to threats.

Is there any way to fix this?

Thanks
 
Doug Knox MS-MVP

Many of the differences that you see may be the difference between Home and Pro. Home does not recognize user groups other than Administrators and Users, by default. Power Users, Backup Operators and other mid-level groups don't exist in XP Home.

As for Administrator permissions, in the Registry, many keys are read-only, even for the Administrator, and some don't even have Read permissions. But as a general rule, anything in HKLM\Software should allow the Administrator full access. There may be some exceptions, but none that come to mind right now.
 
cpnet

The thing is, all of the machines are XP Pro sp1. The 2 'real' ones (mine
and my dad's laptops) are OEM versions installed by Dell. The XP Pro sp1
virtual machine on my laptop was installed from my MSDN CDs.

On my Dad's machine (the odd one), I do see Administrators, Power Users,
etc. with permissions on some keys, but on many they're not there. It's
like something has gone through and messed up all of the registry
permissions. Based on your info, it's almost like some keys are using Pro
permissions, while others have Home permissions. Yet, with giving
"Everyone" "full control" to "HKLM\Software\Microsoft", I wonder if
something else has gone wrong too. I managed to get NAV Pro 2004 installed
after giving Administrators full control to everything in the Symantec part
of HKLM\Software, and a full scan revealed nothing. So, I've now done yet
another virus scan, and I'm not coming up with anything.

The one thing I was thinking of... maybe Dell installed a bad security
template, or maybe my Dad's template got messed up at some point. (I know
he wouldn't know how to apply a template). I've never worked with these
before, but maybe I can re-apply the default security template? Can I
safely copy the default template from my machine in case his is messed up?

Thanks,
cpnet
 
Doug Knox MS-MVP

I don't see why you wouldn't be able to. And it's possible that the OEM modified the permissions intentionally. In many cases, Power Users and below may not have any access to specific Registry keys, as they may only be used by processes that run under the System account. And there are specific keys, even in the HKCU branch that an Administrator will not have access to, by default.
 
cpnet

I think that there is likely some problem with the registry permissions,
because I also have an Inspiron 8200 (same as my Dad's except for the
modem). They both have a Dell OEM version of XP Pro, and while my registry
permissions are similar to that of an XP Pro install from MSDN CDs, my
father's is very different. I do realize that Administrator(s) won't always
have permissions, but there are keys (such as the ones for my own software)
where Administrators should have Full Control.

Anyway, I will first try to re-apply the security template and see if that
fixes things. Dell's tech support has told me that I should re-install the
OS, but I think this is one of those things they say when they don't really
know what the problem is or how to fix it. The tech said he understood the
problem and symptoms, but gave no details about what the actual root problem
was. He just said I needed to re-install XP (which I'd rather not do if I
can avoid it).

Anyway, thanks for your help.
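
The key-by-key comparison described in this thread can be scripted. The following is an added example, not part of the original posts: it walks a registry subtree and reports the three conditions discussed above ("Everyone" with Full Control, Administrators without Full Control, and an Administrators entry that applies to "this key only"). It assumes a Windows system with PowerShell 3.0 or later, which a stock XP SP1 install does not include; the function names are hypothetical.

```powershell
# Added example. Well-known SIDs are used so the checks do not depend on localized group names.
$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'
$SidType     = [System.Security.Principal.SecurityIdentifier]
$FullMask    = [int][System.Security.AccessControl.RegistryRights]::FullControl
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$GenericAll  = 0x10000000   # GENERIC_ALL, sometimes stored instead of the specific rights

function Test-FullControl($rule) {
    # An inherit-only entry affects subkeys, not the key it is set on.
    if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { return $false }
    $rights = [int]$rule.RegistryRights
    (($rights -band $FullMask) -eq $FullMask) -or (($rights -band $GenericAll) -ne 0)
}

function Get-RegistryAclFinding {
    param([string]$Root = 'HKLM:\SOFTWARE', [int]$Depth = 1)
    $level = @(Get-Item -LiteralPath $Root -ErrorAction Stop)
    $keys  = $level
    for ($i = 0; $i -lt $Depth; $i++) {          # walk $Depth levels of subkeys
        $level = @($level | ForEach-Object {
            Get-ChildItem -LiteralPath $_.PSPath -ErrorAction SilentlyContinue })
        $keys += $level
    }
    foreach ($key in $keys) {
        $issues = @(); $sddl = ''
        try {
            $acl   = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
            $sddl  = $acl.Sddl
            $allow = @($acl.GetAccessRules($true, $true, $SidType) |
                Where-Object { $_.AccessControlType -eq 'Allow' })
            $adminRules = @($allow | Where-Object { $_.IdentityReference.Value -eq $Admins })
            if ($allow | Where-Object { $_.IdentityReference.Value -eq $Everyone -and (Test-FullControl $_) }) {
                $issues += 'Everyone has Full Control'
            }
            if (-not ($adminRules | Where-Object { Test-FullControl $_ })) {
                $issues += 'Administrators lack Full Control'
            }
            if ($adminRules -and -not ($adminRules | Where-Object { $_.InheritanceFlags -ne 'None' })) {
                $issues += 'Administrators entry applies to this key only'
            }
        } catch {
            $issues += "ACL unreadable: $($_.Exception.Message)"
        }
        if ($issues) {
            [pscustomobject]@{ Key = $key.Name; Issues = $issues -join '; '; Sddl = $sddl }
        }
    }
}

Get-RegistryAclFinding -Root 'HKLM:\SOFTWARE' -Depth 1 | Format-List
```

Running the same function on a known-good machine and piping both results to `Export-Csv` gives two files that can be diffed by the `Key` and `Sddl` columns.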
 
