using RunAsSet with subinacl

[jcmpix]

Hi, I am trying to write a script that will deny read access to certain registry entries. The following works on an administrator account:

RunAsSet('Admin',@ComputerName,'xxxx')

RunWait('subinacl /keyreg "HKEY_LOCAL_MACHINE\HARDWARE\Devicemap\Scsi\Scsi Port 0" /deny=Everyone=r')

RunWait('subinacl /keyreg "HKEY_LOCAL_MACHINE\HARDWARE\Devicemap\Scsi\Scsi Port 2" /deny=Everyone=r')

RunAsSet()

MsgBox(64, "SCSI", "Ready!")

It won't work on a limited user account. When I try to run the .exe it returns

Line -1:

Error: Unable to execute the external program.

Access is denied.

When I try running the script it says there is an error on the first RunWait. I guess that means the RunAsSet didn't work properly. When I run subinacl from the command prompt it works, though of course it won't let me change registry permissions. Is this a problem with my script or with the way subinacl works (i.e. can't be used with secondary logon)? Thanks in advance!

Forgot to mention running XP SP2.

Edited February 14, 2008 by jcmpix

[Jos]

Is the workdir available under the Admin account ?

Maybe try adding a valid workdir to the runwait command..

[jcmpix]

I tried adding @CommonFilesDir and other directories as the working directory, still same error.

[Jos]

Is the script running from a UNC or mapped drive ?

[jcmpix]

I'm not really sure what that means, but this computer isn't part of a network, if that helps. The subinacl command is on D:\Program Files\Windows Resource Kits\Tools, where D: is on the same disk as C:. Would it help if I typed in the whole path in the RunWait? Sorry, new to this. First time scripting actually.

[Jos]

I'm not really sure what that means, but this computer isn't part of a network, if that helps. The subinacl command is on D:\Program Files\Windows Resource Kits\Tools, where D: is on the same disk as C:. Would it help if I typed in the whole path in the RunWait? Sorry, new to this. First time scripting actually.

Yes its worth a try. The key thing to remember here is that you change the credentials to another Userid and directories/paths could not be accessible anymore.

One other thing you could try is to go into the cmd window and run "RUNAS /user:newuser CMD.exe" and then try to run your command. This will more or less simulate what your are trying to do.

Jos

[jcmpix]

I tried replacing subinacl with a few other .exe files which I'm sure this (limited user) account can run, all came up with the same error. For example using RunWait with the Firefox.exe didn't work either, with or without the RunAsSet preceding it! Also, I tried simulating the script by typing Runas at the command prompt, I get an access is denied error. When I type in the password, should the cursor stay at the same position? Because that's what it does.

Wait, let me check if secondary logon is enabled... If that's the problem this would be really embarassing...

Edited February 14, 2008 by jcmpix

[jcmpix]

Yup, the secondary logon service was disabled. I was staring at the Help file all this time and couldn't see the answer right in front of me! The script works perfectly now. Thank you for your patience!