Edit HKLM Registry Keys without Admin

[uchacker11]

I am trying to create a script that will allow users to edit the HKLM registry keys. The Users do not have admin access to these machines and they will have to edit these keys fairly often.

I have looked at RunAs() but can't figure out how to make it work the way I want.

does anyone know how to get this to work?

[spudw2k]

You could always grant permission to the required keys. Much safer than using a script that runs with elevated privileges in my opinion.

Edited December 15, 2011 by spudw2k

[sleepydvdr]

You could create a script that edits the keys and compile it into an executable. Then use FileInstall to extract it to a temp directory.

When extracted, use RunAs to run it as an admin (or better yet, RunAsWait). When finished, clean up by deleting the temp .exe.

[uchacker11]

Thanks for your replies.

OK I decided to create a script and give the users a starter script that calls the editing exe as an admin. However this isn't working.

Starter.exe:

RunAswait("domain_admin","domain.com","password",1,"c:Reg_editor.exe")
Sleep(1000)

Reg_editor.exe

$ToolsPath=RegRead("HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerEnvironment","USER_SCADE_TOOLS_PATH")
if ($ToolsPath=("")) Then
MsgBox(4096, "Error","Environment Variable USER_SCADE_TOOLS_PATH not defined for " & @UserName & " on machine " & @ComputerName)
Else
regwrite("HKEY_LOCAL_MACHINESOFTWAREEsterel TechnologiesCustomStudioExtensionsCUSTOM_SCADE_TOOLS","PathName","REG_SZ",$ToolsPath)
RegWrite("HKEY_LOCAL_MACHINESOFTWAREEsterel TechnologiesStudio 2Work InterfacesCUSTOM_SCADE_TOOLS","PathName","REG_SZ","ETCUST.DLL")
Sleep(5000)
EndIf

When I run Starter.exe it successfully starts reg_editor.exe but nothing is changed. I believe that the problem lies with Reg_editor or there is a permissions issue.

[BrewManNH]

What happens if you run reg_editor.exe as an administrator without calling it from the script first? Note, that if the settings are different for every user then you'll still have a problem because the information pulled from the registry is going to be for the RunAs user, and not the logged on user.

One last thought, 32 or 64 bit OS?

[uchacker11]

If I am logged in as an administrator reg_editor.exe works great but if I am logged in as a normal user and right-click and select RunAs an administrator it doesn't work. The information will be the same for all the users, the env var just points to a customization file on the network that the users will update as necessary. This script will just make applying the new customizations easier.

64-bit XP is the OS

[spudw2k]

If the keys in your example are actual then I see no issue with simply granting permission to those keys instead of running as a domain admin.

Perhaps more work for the initial to set it up, but safer in the long run. Just my three cents.

http://blogs.msdn.com/b/alejacma/archive/2008/03/11/how-to-change-registry-permissions-with-regini-exe-vbscript.aspx