
Reprogramming Registry Permissions


I know how to reprogram user and group account permissions at the file and folder level using the cacls.exe command. However, I do not know how to do the same to the registry. If I were to export the registry, run cacls.exe against it, and then import it back in, would that work, or is there another trick?

Just curious, thanks!


Honestly, I usually just use Lunarsoft's Dial-a-fix (doesn't work on Vista though). Other than that, I think I have an .inf that you right click and install to allow access to regedit (if that's the problem).

edit: I was just going through my toolkit and realized I forgot to mention subinacl; it's a wonderful little tool from MS (I just haven't had to use it in quite some time).


I have been reading this article here: http://support.microsoft.com/kb/264584

If someone here has experience with this, I have a few questions. For example, it seems like it's kind of like using cacls commands.

My first question: do I need to deny the registry key first before I can allow it to be edited, just like in cacls? My example:

cacls.exe c:\windows\system32\dssenhn.dll /D everyone

then reboot

then cacls.exe c:\windows\system32\dssenhn.dll /G everyone:F

then del c:\windows\system32\dssenhn.dll

So if I'm reading this article right, the command used to allow permission in the registry would go like this:

regini.exe -m \\localhost MyFix.txt HKEY_Local_Machine/Software/Classes/CLSID/8739BFA5-123A-498D-BA7E-73AD7D40B0D5/InproServer32/dssenhn.dll

Within MyFix.txt, if I were to change, let's say, the name of the file to something like dssenhn2.dll, would that work? And/or if I list in MyFix.txt:

\Registry\Machine\Software\Classes\CLSID\8739BFA5-123A-498D-BA7E-73AD7D40B0D5\InproServer32 [1]

Does this seem like it should grant the admin account full control over this parent directory InproServer32?

I hope I'm making sense. I am not a programmer, and editing the registry, I know, can be a pain. Any advice on this would be helpful. Thanks.

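The cacls sequence above has a direct registry equivalent, and it is worth seeing it spelled out because the two things that usually make a key "Access is denied" to an administrator are a Deny ACE and an owner that is not Administrators. The script below is an added example, not code from the thread or from Microsoft: it takes ownership of the quoted CLSID key, strips explicit Deny entries, grants BUILTIN\Administrators Full Control, recurses into children, and then deletes the subtree. It assumes an elevated PowerShell session, and it assumes the CLSID key name is brace-enclosed as regedit shows it (the thread writes it without braces). Administrators hold SeTakeOwnershipPrivilege, but it is disabled by default and .NET never enables it, so a small P/Invoke shim turns it on first.

```powershell
# Added example (not from the thread). Registry counterpart of "cacls /D, /G, del":
# take ownership, drop explicit Deny ACEs, grant Administrators:F, delete the tree.
# Assumes an elevated PowerShell (v2+) on Windows; CLSID braces are an assumption.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint len, IntPtr prev, IntPtr retLen);
    // True only if the token holds the privilege and it is now enabled.
    public static bool Enable(string privilege) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028 /* TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY */, out token)) return false;
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Attr = 0x2; /* SE_PRIVILEGE_ENABLED */
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() == 0;   // 1300 = ERROR_NOT_ALL_ASSIGNED (not held)
        } finally { CloseHandle(token); }
    }
}
'@

$Admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

function Repair-RegistryKeyAcl {
    param([Microsoft.Win32.RegistryKey] $Parent, [string] $SubKey)
    $rw = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

    # 1. Take ownership. With SeTakeOwnershipPrivilege enabled, WRITE_OWNER is granted
    #    no matter what the DACL says, so this open works on a key that denies Everyone.
    #    A fresh RegistrySecurity with only SetOwner() persists the owner and nothing else.
    $k = $Parent.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $k) { throw "Key not found: $SubKey" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)
    $k.SetAccessControl($sec); $k.Close()

    # 2. The owner always has READ_CONTROL and WRITE_DAC, so reopen and rewrite the DACL:
    #    remove explicit Deny ACEs, add Administrators:FullControl. Unlike 'cacls /G' this
    #    keeps the other (including inherited) entries instead of replacing the whole ACL.
    $k = $Parent.OpenSubKey($SubKey, $rw,
            ([System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::ReadPermissions))
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($rule in @($sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))) {
        if ($rule.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRule($rule) }
    }
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($sec); $k.Close()

    # 3. Guarded keys usually lock their children too, and deleting a tree needs
    #    DELETE on every level, so repair the children before returning.
    $k = $Parent.OpenSubKey($SubKey, $true)
    foreach ($child in $k.GetSubKeyNames()) { Repair-RegistryKeyAcl -Parent $k -SubKey $child }
    $k.Close()
}

function Remove-GuardedRegistryKey {
    param([string] $HklmPath)   # relative to HKLM, e.g. 'SOFTWARE\Classes\CLSID\{...}'
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'SeTakeOwnershipPrivilege not available: run this from an elevated prompt.'
    }
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    Repair-RegistryKeyAcl -Parent $hklm -SubKey $HklmPath
    $hklm.DeleteSubKeyTree($HklmPath)
    return -not (Test-Path -LiteralPath "HKLM:\$HklmPath")
}

# Assumed key (braces added); returns $true when the key is gone.
Remove-GuardedRegistryKey -HklmPath 'SOFTWARE\Classes\CLSID\{8739BFA5-123A-498D-BA7E-73AD7D40B0D5}'
```

If step 1 still fails with Access is denied even with the privilege enabled, or the key comes back a few seconds after it is deleted, the ACL is not the real blocker: something running (a service, a driver, an injected thread) is reprotecting or recreating the key, and the fix belongs in an offline or safe-mode session rather than in more permission surgery.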

Yes, I used Dial-a-fix to repair the permissions; that still didn't work on the registry part, and cacls.exe was still being denied on that file.

Is subinacl similar to Dial-a-fix's repair permissions?


OK, I have read that and I have edited the user name to Owner, as that's the user name I'm currently using. Here is what I have. Does this look right? I want to be 100% sure before I continue, as I know messing up permissions can really screw everything up.

cd /d "%programfiles%\Windows Resource Kits\Tools"

subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=Owner=f /setowner=administrators > "%temp%\subinacl_output.txt"
subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=Owner=f /setowner=administrators >> "%temp%\subinacl_output.txt"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> "%temp%\subinacl_output.txt"
subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> "%temp%\subinacl_output.txt"
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> "%temp%\subinacl_output.txt"
subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> "%temp%\subinacl_output.txt"

subinacl /subdirectories "%programfiles%\*" /grant=administrators=f /grant=system=f /grant=users=e >> "%temp%\subinacl_output.txt"
subinacl /subdirectories "%windir%\*" /grant=administrators=f /grant=system=f /grant=users=e >> "%temp%\subinacl_output.txt"


Thanks, but that's not working; the following security warning comes up:

Unable to save permission changes on InproServer32

Access is denied


Well, here's what my reset.txt file looks like:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

Here's a quote from one of the MSDN guys:

Reset the entire registry permissions to defaults

Here is the detailed instruction on resetting the permissions for the whole registry. This was posted by Ken Zhao of Microsoft.

1. Download and install SubInACL.

2. Create a file named reset.cmd in the C:\Program Files\Windows Resource Kits\Tools folder.

3. Edit the reset.cmd file with the following content:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

4. Open a CMD prompt.

5. Enter the following commands one at a time and press Enter:

cd /d "C:\Program Files\Windows Resource Kits\Tools"
reset.cmd

6. After a few minutes of processing by subinacl, the permissions will be reset.

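Before running a hive-wide reset like the one quoted above, which rewrites tens of thousands of ACLs and also flattens any deliberate hardening, it is useful to find out which keys are actually the problem. The function below is an added example (not from the thread or from Microsoft): it walks a registry subtree with a breadth-first queue and reports, without modifying anything, every key that an elevated administrator cannot open, that carries an explicit Deny ACE, or that does not grant BUILTIN\Administrators Full Control. The default starting point and depth are assumptions chosen to match the CLSID key discussed in the thread; run it against HKLM:\SOFTWARE with a larger depth to audit more broadly.

```powershell
# Added example (not from the thread): audit which keys are locked down instead
# of resetting the whole registry. Read-only; assumes an elevated PowerShell.
function Find-GuardedRegistryKey {
    param(
        [string] $Path     = 'HKLM:\SOFTWARE\Classes\CLSID',   # assumed starting point
        [int]    $MaxDepth = 2                                 # assumed; raise to go deeper
    )
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    $full     = [System.Security.AccessControl.RegistryRights]::FullControl

    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Path = $Path; Depth = 0 })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        try { $key = Get-Item -LiteralPath $item.Path -ErrorAction Stop }
        catch {
            # Cannot even open the key for read: the strongest signal of a guarded key.
            New-Object PSObject -Property @{ Key = $item.Path; Problem = 'OpenFailed' }
            continue
        }
        try {
            $rules = $key.GetAccessControl().GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])

            $deny = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($deny.Count -gt 0) {
                $who = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
                New-Object PSObject -Property @{ Key = $item.Path; Problem = "DenyACE for $who" }
            }

            $adminFull = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $adminSid -and
                (($_.RegistryRights -band $full) -eq $full) })
            if ($adminFull.Count -eq 0) {
                New-Object PSObject -Property @{ Key = $item.Path; Problem = 'Administrators lack Full Control' }
            }

            if ($item.Depth -lt $MaxDepth) {
                foreach ($name in $key.GetSubKeyNames()) {
                    $queue.Enqueue(@{ Path = (Join-Path $item.Path $name); Depth = $item.Depth + 1 })
                }
            }
        } catch {
            # Opened, but reading the DACL or enumerating children was refused.
            New-Object PSObject -Property @{ Key = $item.Path; Problem = "ReadFailed: $($_.Exception.Message)" }
        } finally { $key.Close() }
    }
}

# Usage: list the offenders, or keep the evidence alongside subinacl's own log.
Find-GuardedRegistryKey | Format-Table Problem, Key -AutoSize
Find-GuardedRegistryKey -Path 'HKLM:\SOFTWARE' -MaxDepth 6 |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'guarded-keys.csv')
```

On a clean system the list is short and mostly explainable (a few protected keys owned by TrustedInstaller or SYSTEM on newer Windows). A CLSID or Run key that shows up as OpenFailed or with a Deny ACE for Everyone is exactly the kind of entry the thread is fighting, and fixing those few keys is a far smaller change than rewriting 54,000 ACLs.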

Alrighty then, thanks. Going to give it a try now. I will post the verdict after it's finished.


Done: 54003 Modified 54000, failed 3, syntax errors 0

Last failed HKEY_Local_Machine/Software/Classes/CLSID/8739BFA5-123A-498D-BA7E-73AD7D40B0D5/InproServer32/

Dang, even that was denied!!!

This one is just being a big pain in the a$$.

Any ideas of what to try next?


Not sure, but if the issue is deleting a key related to malware, then you may be taking the wrong approach, as it could be protecting its own keys. You could of course try RegAssassin: http://www.malwarebytes.org/regassassin.php but it's only useful if you're trying to delete a key, not modify it. But even then, if it's some sort of rootkit or trojan using a kernel-mode driver, then I doubt anything besides Bart's or MS D.a.R.T. could get rid of it, and it may then just regenerate the key(s).

Yes, it's malware related, and yes, I want to delete the keys. I thought it may be a rootkit; however, the following scans are not finding anything: McAfee Rootkit Detective, Avenger, ComboFix, and AVG Internet Security's rootkit scanner all show up clean.

However, one thing I did find that's interesting, which may be housing the infection, is this: in Device Manager, when viewing hidden devices under Non-Plug and Play Drivers, there is a yellow ! on the AMD AGP Bus Filter Driver, on the PartMgr, on the VIA AGP Bus Filter, and on the ViaIde.

I have seen infections compromise the beep.sys driver, but I do not recall it showing a yellow ! over top of it. What do you think?


Those drivers don't look like infections, and guessing by the drivers they are, there are probably resource conflicts between them, and that's the reason for the exclamation mark. It might not be a rootkit; it could just be a trojan. I remember back in the day, when Vundo and Zlob were monsters to get rid of, that they would display similar tactics, guarding their registry keys without the use of a rootkit, and the only way to get rid of them would be to remove the file first and then the keys in the registry (for some infections that order is reversed, of course). I was a professional PC tech back then, and there were no tools like MBAM that I could use to get rid of them; I had to do it all the old-fashioned way, and that usually meant slaving the drive to another PC to remove the files, or using, as I said before, either a Bart's disc or MS D.a.R.T. to do it with the system offline.

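The "do it with the system offline" advice above comes down to one mechanism: with the infected Windows not running, nothing is guarding the key, so you load its SOFTWARE hive file into the repair system's registry, delete the key there, and unload the hive. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes the infected disk is slaved (or you have booted a WinPE-style disc) and is visible as D:, that PowerShell is running elevated on the repair system, and that the CLSID key is brace-enclosed as regedit shows it. The file deletion the post also mentions is a plain `Remove-Item D:\Windows\System32\dssenhn.dll` once the hive work is done.

```powershell
# Added example (not from the thread): delete a guarded key from an offline
# SOFTWARE hive. Assumes the infected system's disk is D: and this runs elevated.
function Remove-OfflineRegistryKey {
    param(
        [string] $HiveFile   = 'D:\Windows\System32\config\SOFTWARE',                # assumed slave drive
        [string] $KeyRelPath = 'Classes\CLSID\{8739BFA5-123A-498D-BA7E-73AD7D40B0D5}', # relative to the hive root
        [string] $MountName  = 'OfflineSW'
    )
    # reg.exe enables SeBackupPrivilege/SeRestorePrivilege itself; the hive appears as HKLM\<MountName>.
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed ($LASTEXITCODE): wrong path, or the hive is in use (is D: really the offline disk?)"
    }
    $removed = $false
    try {
        $target = "HKLM:\$MountName\$KeyRelPath"
        if (-not (Test-Path -LiteralPath $target)) {
            Write-Warning "Not present in the offline hive: $target"
            return $false
        }
        # Keep a copy of what is about to go, so the change can be reviewed or re-imported.
        $backup = Join-Path $env:TEMP 'removed-key.reg'
        Remove-Item -LiteralPath $backup -ErrorAction SilentlyContinue
        & reg.exe export "HKLM\$MountName\$KeyRelPath" $backup | Out-Null
        try {
            Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Stop
            $removed = -not (Test-Path -LiteralPath $target)
        } catch {
            # ACLs stored inside the hive are still enforced once it is loaded. If this
            # fails with Access is denied, the hive's own DACL is the blocker: take
            # ownership of the loaded key (regedit > Permissions > Advanced > Owner,
            # or subinacl /setowner) and run again. No driver is guarding it now.
            Write-Warning "Delete failed: $($_.Exception.Message)"
        }
    } finally {
        # Release the provider's cached handles first, or 'reg unload' fails with Access is denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload failed; close anything viewing HKLM\$MountName and run: reg unload HKLM\$MountName"
        }
    }
    return $removed
}

# Returns $true when the key is gone from the offline hive.
Remove-OfflineRegistryKey
```

Two practical notes: never point this at the live system's own C:\Windows\System32\config\SOFTWARE (reg load will refuse, because the hive is in use), and check the exported .reg afterwards for the InprocServer32 path, which tells you which file on the slaved disk to delete before booting the machine again.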

OK, sounds good. I will hang tight and just wait it out; hopefully we can get a fix for it. If not, I may have to do a reformat and OS install.
