SUBINACL and the WINREG key.

[Carl Hilton]

My previous posts about remote registry access was due to the lack LOCAL
SERVICE with R permsisions on the WINREG key. So I am attempting to fix that
on a number of workstations.


I have a batch file that is:

SUBINACL /subkeyreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecuredPipeServers\winre
g /GRANT="LOCAL SERVICE"=R
SUBINACL /subkeyreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecuredPipeServers\winre
g /GRANT="MYDOMAIN\Domain Admins"=F
SUBINACL /subkeyreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecuredPipeServers\winre
g /GRANT="%COMPUTERNAME%\Adminstrators"=F


With the following results...

The first two lines of the batch file work but the last is giving me
problems.



A:\>\\sacfs\kixstuff\SUBINACL /subkeyreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
/GRANT="MYWORKSTATION\Adminstrators"=F
LookupAccountName :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurepipeServers\winreg
:myworkstation\adminstrators 1337 The security ID structure is
invalid.

Current object
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
will not be processed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant=myworkstation\adminstrators=f : Error
whenchecking arguments -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

 

[Roger Abell]

Did you try this without qualifying Administrators with
the %COMPUTERNAME%\ ?
As the Adminstrators is a built-in well-known sid this may
be throwing it off, making it expect a machine local group
instead of a well-knows SID.