Sign in to follow this  
Followers 0
jcmpix

using RunAsSet with subinacl

8 posts in this topic

#1 ·  Posted (edited)

Hi, I am trying to write a script that will deny read access to certain registry entries. The following works on an administrator account:

RunAsSet('Admin',@ComputerName,'xxxx')

RunWait('subinacl /keyreg "HKEY_LOCAL_MACHINE\HARDWARE\Devicemap\Scsi\Scsi Port 0" /deny=Everyone=r')

RunWait('subinacl /keyreg "HKEY_LOCAL_MACHINE\HARDWARE\Devicemap\Scsi\Scsi Port 2" /deny=Everyone=r')

RunAsSet()

MsgBox(64, "SCSI", "Ready!")

It won't work on a limited user account. When I try to run the .exe it returns

Line -1:

Error: Unable to execute the external program.

Access is denied.

When I try running the script it says there is an error on the first RunWait. I guess that means the RunAsSet didn't work properly. When I run subinacl from the command prompt it works, though of course it won't let me change registry permissions. Is this a problem with my script or with the way subinacl works (i.e. can't be used with secondary logon)? Thanks in advance!

Forgot to mention running XP SP2.

Edited by jcmpix

Share this post


Link to post
Share on other sites



I tried adding @CommonFilesDir and other directories as the working directory, still same error.

Share this post


Link to post
Share on other sites

I'm not really sure what that means, but this computer isn't part of a network, if that helps. The subinacl command is on D:\Program Files\Windows Resource Kits\Tools, where D: is on the same disk as C:. Would it help if I typed in the whole path in the RunWait? Sorry, new to this. First time scripting actually.

Share this post


Link to post
Share on other sites

I'm not really sure what that means, but this computer isn't part of a network, if that helps. The subinacl command is on D:\Program Files\Windows Resource Kits\Tools, where D: is on the same disk as C:. Would it help if I typed in the whole path in the RunWait? Sorry, new to this. First time scripting actually.

Yes its worth a try. The key thing to remember here is that you change the credentials to another Userid and directories/paths could not be accessible anymore.

One other thing you could try is to go into the cmd window and run "RUNAS /user:newuser CMD.exe" and then try to run your command. This will more or less simulate what your are trying to do.

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions  - Beta files                                How to post scriptsource        Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

I tried replacing subinacl with a few other .exe files which I'm sure this (limited user) account can run, all came up with the same error. For example using RunWait with the Firefox.exe didn't work either, with or without the RunAsSet preceding it! Also, I tried simulating the script by typing Runas at the command prompt, I get an access is denied error. When I type in the password, should the cursor stay at the same position? Because that's what it does.

Wait, let me check if secondary logon is enabled... If that's the problem this would be really embarassing...

Edited by jcmpix

Share this post


Link to post
Share on other sites

Yup, the secondary logon service was disabled. I was staring at the Help file all this time and couldn't see the answer right in front of me! The script works perfectly now. Thank you for your patience!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0