HKCU Registry Permission Change Needed


Good afternoon! I am currently working on a project that I could use some assistance with. By the way, Group Policy, while it would be of great assistance, is presently not an option; that's why we are using AutoIt for registry changes (or hacks):

Objective:

To force the Outlook 2003 client to empty deleted items once the client is closed and to also "disable (or gray out)" the empty deleted items upon exit checkbox in the options box.

Progress thus far:

We have the needed registry keys to be able to make the changes:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\DisabledCmdBarItemsList]

"TCID1"="1886"

"UID"="1671"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\General]

"WarnDelete"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\DisabledCmdBarItemsList]

"TCID1"="1886"

"UID"="1671"

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Options\General]

"WarnDelete"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Preferences]

"EmptyTrash"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Preferences]

"EmptyTrash"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OutlookForceDel"="\"C:\\Program Files\\OutlookForceDel\\ForceDelete.bat\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OutlookForceDelPermissions"="\"C:\\Program Files\\OutlookForceDel\\OutDelRunAs.exe\""

However, because this is under HKCU, we cannot write to these keys unless the user has admin rights (which is also not an option). Because this will have to be run at start-up, we created a script to modify the permissions; however, this would not work, even running it as an admin.

Does anyone have any recommendations as to how we can automate updating the permissions on the HKCU keys from to "Full Control" for everyone so we can write to these keys the needed additions/modifications? Any assistance would be greatly appreciated.

Link to comment
Share on other sites

How to: Use a Script to Change Registry Permissions from the Command Line

Article ID : 245031

Last Review : November 1, 2006

Revision : 1.1

This article was previously published under Q245031

SUMMARY

This article describes how to use a script to change permissions defined in a registry key from a command prompt by using the Regini.exe utility included with Microsoft Windows NT Server 4.0 Resource Kit. The Resource Kit is a separate product that can be purchased from Microsoft.

MORE INFORMATION

CAUTION: When you use a script to change registry permissions, you replace the entire set of current permissions defined in a registry key. For example, if you have four types of users whose permissions are defined in a particular registry key, and you create and run a script file that changes the permissions for only three of the four types of users, the information about the fourth type is deleted.

To use a script to change permissions defined in a registry key from a command prompt:

1. Install the latest version of the Windows NT Server 4.0 Resource Kit.

2. Create a script file that contains the change commands:

a. Start any text editor (such as Notepad).

b. Type the registry keys and the appropriate permissions in the following format

\Registry\hive\key [permissions]

where hive is the name of the registry hive, key is the name of the registry key, and [permissions] is the binary number format of the permissions.

For example, to modify the HKEY_LOCAL_MACHINE\Software registry key to give the Administrators group and the Creator/Owner group Full Control permission and the Everyone group Read permission, type the following string:

\Registry\Machine\Software [1 5 8]

NOTE: You must type the permissions in the binary number format. You must also refer to the registry hive in the predefined format. For more information about how to refer to a registry hive in a script file and about the binary numbers for various types of permissions, refer to the 'Reference to Registry Hives and Binary Number Representation for Permissions' section in this article.

c. Save and then close the script file.

3. Type the following command at a command prompt, and then press ENTER

REGINI [-m \\computername] scriptname

where computername is the name of the computer and scriptname is the name of the script file you just created.

NOTE: Use the -m option only when you edit the registry of a remote computer. Be sure to include the entire path to the script file.

Reference to Registry Hives and Binary Number Representation for Permissions

Refer to registry hives as indicated below:

HKEY_LOCAL_MACHINE - \Registry\Machine

HKEY_USERS - \Registry\Users

HKEY_CURRENT_USER - \Registry\User\User_SID (where User_SID is the current user's security identifier)

Permissions and their binary number representations are as follows:

Permission            Number
Administrator Full    1
Administrator R       2
Administrator RW      3
Administrator RWD     4
Creator Full          5
Creator RW            6
World Full            7
World R               8
World RW              9
World RWD             10
Power Users Full      11
Power Users RW        12
Power Users RWD       13
System Op Full        14
System Op RW          15
System Op RWD         16
System Full           17
System RW             18
System R              19
Administrator RWX     20

You can use the Regdmp utility, also included with the Resource Kit, to obtain the current permissions of a registry key in the binary number format.

http://support.microsoft.com/kb/q245031/ :):)

Link to comment
Share on other sites
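
An added example (not from the KB article or any poster in this thread): a small Python checker that decodes the permission numbers in a regini script using the table quoted above, and flags lines that give Everyone (World) more than Read or that, because the listed numbers replace the whole ACL, leave out Administrator or System. The function name, warning wording and sample script are assumptions made for illustration, and the SID is a placeholder.

```python
import re

# Permission numbers as listed in the KB article quoted above.
PERMS = {
    1: ("Administrator", "Full"), 2: ("Administrator", "R"), 3: ("Administrator", "RW"),
    4: ("Administrator", "RWD"), 5: ("Creator", "Full"), 6: ("Creator", "RW"),
    7: ("World", "Full"), 8: ("World", "R"), 9: ("World", "RW"), 10: ("World", "RWD"),
    11: ("Power Users", "Full"), 12: ("Power Users", "RW"), 13: ("Power Users", "RWD"),
    14: ("System Op", "Full"), 15: ("System Op", "RW"), 16: ("System Op", "RWD"),
    17: ("System", "Full"), 18: ("System", "RW"), 19: ("System", "R"),
    20: ("Administrator", "RWX"),
}
# Matches "\Registry\<hive>\<key> [n n n]" lines; everything else is skipped.
LINE = re.compile(r"^(\\Registry\\(Machine|Users?)\\[^\[\]]*?)\s*\[([\d\s]*)\]\s*$", re.I)

def audit(script):
    """Return (line_no, key, grants, warnings) for each key line in a regini script."""
    results = []
    for no, raw in enumerate(script.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, codes = m.group(1).rstrip(), [int(c) for c in m.group(3).split()]
        warnings = [f"unknown code {c}" for c in codes if c not in PERMS]
        grants = [PERMS[c] for c in codes if c in PERMS]
        for who, level in grants:
            if who == "World" and level != "R":
                warnings.append(f"Everyone gets {level}: any local user can modify this key")
        # The listed numbers replace the whole ACL, so an unlisted principal loses access.
        holders = {who for who, _ in grants}
        for needed in ("Administrator", "System"):
            if needed not in holders:
                warnings.append(f"{needed} not listed: any existing access is dropped")
        results.append((no, key, grants, warnings))
    return results

# Constructed sample script; S-1-5-21-X is a placeholder, not a real SID.
SAMPLE = r"""
\Registry\Machine\Software [1 5 8]
\Registry\User\S-1-5-21-X\Software\Policies\Microsoft\Office\11.0\Outlook\Preferences [7]
\Registry\Machine\Software\Example [1 17 8 42]
"""

if __name__ == "__main__":
    for no, key, grants, warnings in audit(SAMPLE):
        print(f"line {no}: {key}")
        print("   grants:", ", ".join(f"{w} {l}" for w, l in grants) or "none")
        for w in warnings:
            print("   WARNING:", w)
```
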

Actually, this should be enforced by either local security, or domain Group policies. Hacking the registry directly should not be required.

:)

Link to comment
Share on other sites

I have one question and one comment. First, is this inability to write to HKCU coming from your current security policies? I was under the impression that HKCU is just a pointer to HKU\{user sid} and the current user would have the ability to write to their own profile. I am assuming you are fine with administratively writing to HKLM for the run key change.

What if you impersonated the administrative account using:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long

and then call

Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long

Then do what you need to do and revert back to the existing user or just close the handle since the thread will be dying shortly.

Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long

I haven't tried this in AutoIt, although I have some VB 6 code that does this if that would be helpful. Also, I'm not sure if you would want to do this since it will embed the administrative password into the compiled script.

Edited by jkorsak
Link to comment
Share on other sites

You need to update HKCU registry give settings without being an admin?

Why not, run the application as an admin user?

Certain keys in HKCU can't be changed with just Admin privileges either. It would be nice if we could RunAs "System" but alas...

George

Link to comment
Share on other sites

Hi,

1) Under normal circumstances you don't need admin rights to write reg keys in HKCU.

2) You need admin rights to write reg keys in HKLM

I would try coding with function run to set HKCU and runas to set hklm keys e.g:

HKCU Keys

Run('reg add "HKCU\Software\Microsoft\Office\12.0\Outlook\Options\General" /v WarnDelete /t REG_DWORD /d 0 /f', "", @SW_HIDE)

HKLM Keys

RunAs("username", "domain", "password", 0, 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v OutlookForceDel /t REG_SZ /d "\"C:\Program Files\OutlookForceDel\OutDelRunAs.exe\"" /f', "", @SW_HIDE)

Run also reg /? on cmd for more information.

Use regedit, to see which security is set on the regkey. So you may see, which account you need for changing.

Think about changing security with group policy on reg keys you want to change, if you don't have proper rights.

Good Luck

Stefan

Edited by 99ojo
Link to comment
Share on other sites

  • 2 weeks later...

Certain keys in HKCU can't be changed with just Admin privileges either. It would be nice if we could RunAs "System" but alas...

Unfortunately that won't work, because user hives are only loaded when the owner is logged-on. Thus, changing permissions on a user-hive as admin or system will merely result in a report that the hive isn't loaded. The only answer I can find is to promote the user, and start a new session (or relogon) as the promoted user.

This situation arises if the user's SID has been changed by a reinstall, and is something of a catch-22.

If you can't write to HKCU then a SID problem is most likely the reason.

Link to comment
Share on other sites

  • 1 month later...

Another way you might get some success is to load the NTUSER.DAT from the user's folder and then mount it into the registry as, say, "HKEY_LOCAL_MACHINE\TempHive". It will load up just like the "HKEY_CURRENT_USER" when the user is logged on. Write all you want to that hive and then unload the TempHive from the registry.

Search a bit on loading the hive from the command line and you will still be able to automate it in AutoIt.

Hope it helps.

Link to comment
Share on other sites
