Update Registry Security using Autoit

[Wooltown]

Hello !

Is there a way to update the security descriptors in the Registry using Script or another tool ?

I would like to remove some registry settings via script, that I don't have permission to change.

I can manually change the security using REGEDT32 on Win 2000/NT/XP, but that is not a solution on all computers.

/Sven

[Coder_Demon]

Hello !

Is there a way to update the security descriptors in the Registry using Script or another tool ?

I would like to remove some registry settings via script, that I don't have permission to change.

I can manually change the security using REGEDT32 on Win 2000/NT/XP, but that is not a solution on all computers.

/Sven

<{POST_SNAPBACK}>

Hello. I've got the same problem, my friend wrote a program on C++ for changing permissins in the registry(I didn't find any thing like it in the internet). Use it at you own risk, but I don't find any problems in it. When you setting up permissions in Win 2000\XP you have to keep in mind the notion "inheritance", it works just like the CACLS command.

Use it like this (RPP.EXE and RPP.CFG due to be in same folder as your script.):

RunWait (@ScriptDir&"\RPP.EXE "&@ScriptDir&"\RPP.CFG",@ScripDir,@SW_HIDE)

RPP.zip

[Wooltown]

Hello. I've got the same problem, my friend wrote a program on C++ for changing permissins in the registry(I didn't find any thing like it in the internet). Use it at you own risk, but I don't find any problems in it. When you setting up permissions in Win 2000\XP you have to keep in mind the notion "inheritance", it works just like the CACLS command. 

Use it like this (RPP.EXE and RPP.CFG due to be in same folder as your script.):

RunWait (@ScriptDir&"\RPP.EXE "&@ScriptDir&"\RPP.CFG",@ScripDir,@SW_HIDE)

<{POST_SNAPBACK}>

Hello !

When I use this syntax, Everyone gets Full access

PKEY = HKEY_LOCAL_MACHINE

SUBKEY = SYSTEM\CurrentControlSet\Enum\USBSTOR

PERMISSIONS = E:A:S

But When I use this, System is in the list, but no access, Everyone is missing in the list in REGEDT32.

PKEY = HKEY_LOCAL_MACHINE

SUBKEY = SYSTEM\CurrentControlSet\Enum\USBSTOR

PERMISSIONS = LS:A:S;E:A:S;

/Sven

[DaveF]

SubInACL is a command-line tool from Microsoft that can add, remove and change (substitute) entries in the system registry Access Control List. It works on Windows XP and Server 2003.

It's not really simple to use or to learn, but it will do anything you need with registry permissions.

Though it's available in the Server 2003 resource Kit, I really recommend using the link above to download it, because the version of subinacl.exe that was in the original release (in 2003) of the Resource Kit was broken, and as of the last time I checked the copy in the Resource Kit is still broken.

[Wooltown]

Thank you for the help; SubInACL works just fine, exactly was I needed!

/Sven

[Coder_Demon]

Hello !

When I use this syntax, Everyone gets Full  access

PKEY = HKEY_LOCAL_MACHINE

SUBKEY = SYSTEM\CurrentControlSet\Enum\USBSTOR

PERMISSIONS = E:A:S

But When I use this, System is in the list, but no access, Everyone is missing in the list in REGEDT32.

PKEY = HKEY_LOCAL_MACHINE

SUBKEY = SYSTEM\CurrentControlSet\Enum\USBSTOR

PERMISSIONS = LS:A:S;E:A:S;

/Sven

<{POST_SNAPBACK}>

Hi,

You've forget one thing. This registry's subkey (SYSTEM\CurrentControlSet\Enum\USBSTOR) was read only for "Everyone" and full acces for "System". And when you tried set permission with read only rights, system couldn't do it. Get it ?

Use PSEXEC (www.sysinternals.com) with "-S" key to run your script with system's rights or run it as service.

And one more thing, when you'll check permissions in Regedit32, check the "Advanced..." button and "View/Edit" button.

P.S.: SubInACL doesn't work on NT 4.0 (critical for me) instead of my suggestion (works on every NT platforms)

Edited August 4, 2005 by Coder_Demon