PLEASE HELP: SET REGISTRY PERMISSIONS <NEWBIE>
I am using Wise Installation System 9 - Profesional Edition
What is the cleanest way to set the permissions for a given registry key?
Example: HKEY_LOCAL_MACHINE\SOFTWARE\xqueuemonitor\general
I need to grant "FULL CONTROL" permissions for a specific login/userid.
Any ideas?
Any help is greatly appreciated!!!
What is the cleanest way to set the permissions for a given registry key?
Example: HKEY_LOCAL_MACHINE\SOFTWARE\xqueuemonitor\general
I need to grant "FULL CONTROL" permissions for a specific login/userid.
Any ideas?
Any help is greatly appreciated!!!
0 Comments
[ + ] Show comments
Answers (11)
Please log in to answer
Posted by:
bheers
20 years ago
you can go to the component in which the registry key is present.
then go to registry data under that component, select the registry key you want to set the permissions on, right click on the registry key and click permissions. there you can add the domain and userid/login. then under that you can select what all permission you want to grant.
then go to registry data under that component, select the registry key you want to set the permissions on, right click on the registry key and click permissions. there you can add the domain and userid/login. then under that you can select what all permission you want to grant.
Posted by:
mrtap
20 years ago
The advice given in the parent post is 100% correct (for interest the information ends up in the LockPermission table).
Important extra information for the newbie is that the permission specified replaces the current permission, so if you want administrators to retain full control then this must also be explicitly stated.
Also note that the domain can be left blank for generic groups like "Users", "Administrators", "Power Users" etc
Important extra information for the newbie is that the permission specified replaces the current permission, so if you want administrators to retain full control then this must also be explicitly stated.
Also note that the domain can be left blank for generic groups like "Users", "Administrators", "Power Users" etc
Posted by:
thales
20 years ago
you can also do it with a batch.
you need the regini.exe (Ressource Kit Windows).
First create a file like perms.ini
open it and write on it:
\Registry\Machine\Software\xqueuemonitor\general [X X X X]
\Registry\Machine <- don-t change it.
replace the X with:
1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
save your file and exucute this command line:
regini.exe perms.ini
you need the regini.exe (Ressource Kit Windows).
First create a file like perms.ini
open it and write on it:
\Registry\Machine\Software\xqueuemonitor\general [X X X X]
\Registry\Machine <- don-t change it.
replace the X with:
1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
save your file and exucute this command line:
regini.exe perms.ini
Posted by:
KentD
20 years ago
During an installation registry permissions are added when the keys are installed. Because Windows Installer does not let you control the order in which the registry keys are installed, you cannot set ACLs (Access Control Lists) at the folder level. Per Wise Support “If the order that the keys install place a sub key down first with out the permissions on it, when the parent key is written it does not overwrite the permissions of the child key. This can force the parent key to have a strict permission that the child key is not under.â€Â
· In Wise Installer Editor, go to the Installation Expert View
· In the Installation Expert, click on the Registry Page
· In the bottom Features tab
· In the bottom right pane, select the registry key you want to set permissions and click the details button.
· On the Permissions tab click the Add button
· Leave the Domain Name blank.
· Enter the Users Group.
To insure that all user groups have needed permissions, this process must be done for each specific user group. “Administrators†“Power Users†and “Usersâ€Â.
· Click OK to save the changes
· In Wise Installer Editor, go to the Installation Expert View
· In the Installation Expert, click on the Registry Page
· In the bottom Features tab
· In the bottom right pane, select the registry key you want to set permissions and click the details button.
· On the Permissions tab click the Add button
· Leave the Domain Name blank.
· Enter the Users Group.
To insure that all user groups have needed permissions, this process must be done for each specific user group. “Administrators†“Power Users†and “Usersâ€Â.
· Click OK to save the changes
Posted by:
MSIMaker
20 years ago
Getting installations to make permission changes can be a bit dodgy because they force it on the OS and sometimes while they seem to work ok.....they actually dont always place the info so that the Security layer can read it.
One way I have found that works very well is to make an .inf file with the MMC Security Tab and then make a custom action that runs secedit.exe and installs the permissions.
This works for both file and registry permsissions and places them in the correct order and you can set permissions that will propagate correctly. It also works across domains if you are working in a DEV domain and push the package to a PROD domain.
This command line in a script will do it for you. Just replace the paths.
secedit.exe /configure /db "[Path to SDB created by secedit]" /cfg "[Path to inf file" /quiet
You can place this is a Wisescript and call it in the Execute Deferred section just before InstallFinalise.
One way I have found that works very well is to make an .inf file with the MMC Security Tab and then make a custom action that runs secedit.exe and installs the permissions.
This works for both file and registry permsissions and places them in the correct order and you can set permissions that will propagate correctly. It also works across domains if you are working in a DEV domain and push the package to a PROD domain.
This command line in a script will do it for you. Just replace the paths.
secedit.exe /configure /db "[Path to SDB created by secedit]" /cfg "[Path to inf file" /quiet
You can place this is a Wisescript and call it in the Execute Deferred section just before InstallFinalise.
Posted by:
Rhonamac
20 years ago
Regdacl from Heysoft is also a nice tool to use within a .bat file...
Posted by:
sean_c_roberts
20 years ago
Get a free command-line utility called RegDacl (http://www.heysoft.de/nt/reg/ep-regd.htm) and then use the following code (just copy and past this into your WiseScript:
item: Remark
Text=Change Registry Security
end
item: Install File
Source=P:\Tools\RegDACLE\RegDACL.exe
Destination=%TEMP%\RegDACL.exe
Flags=0000000010100010
File Size=49152
File Date=20020710 161330
end
item: Execute Program
Pathname=%TEMP%\RegDACL.exe
Command Line="HKLM\SOFTWARE\System Innovators" /GGE:F
Flags=00000110
end
item: Delete File
Pathname=%TEMP%\RegDACL.exe
end
You will have to edit this, of course, to suit youyr own source locations and keys.
Let me pre-empt your next question - which is likely to be, how do I set File and Folder permissions.
Find and download a command-line utility called xcacls (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp) and then past the following code into your WiseScript editor:
item: Remark
Text=Change Folder Security
end
item: Install File
Source=P:\Tools\XCACLS\xcacls.exe
Destination=%TEMP%\xcacls.exe
Flags=0000000010100010
end
item: Execute Program
Pathname=%TEMP%\xcacls.exe
Command Line="C:\cashv4" /t /e /g "Everyone":f /y
Flags=00001010
end
item: Delete File
Pathname=%TEMP%\xcacls.exe
end
For both RegDacl and xcacl you really need read the provided documentation so you can know what the various switches do.
Good luck!
Respectfully,
- Sean Roberts
item: Remark
Text=Change Registry Security
end
item: Install File
Source=P:\Tools\RegDACLE\RegDACL.exe
Destination=%TEMP%\RegDACL.exe
Flags=0000000010100010
File Size=49152
File Date=20020710 161330
end
item: Execute Program
Pathname=%TEMP%\RegDACL.exe
Command Line="HKLM\SOFTWARE\System Innovators" /GGE:F
Flags=00000110
end
item: Delete File
Pathname=%TEMP%\RegDACL.exe
end
You will have to edit this, of course, to suit youyr own source locations and keys.
Let me pre-empt your next question - which is likely to be, how do I set File and Folder permissions.
Find and download a command-line utility called xcacls (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp) and then past the following code into your WiseScript editor:
item: Remark
Text=Change Folder Security
end
item: Install File
Source=P:\Tools\XCACLS\xcacls.exe
Destination=%TEMP%\xcacls.exe
Flags=0000000010100010
end
item: Execute Program
Pathname=%TEMP%\xcacls.exe
Command Line="C:\cashv4" /t /e /g "Everyone":f /y
Flags=00001010
end
item: Delete File
Pathname=%TEMP%\xcacls.exe
end
For both RegDacl and xcacl you really need read the provided documentation so you can know what the various switches do.
Good luck!
Respectfully,
- Sean Roberts
Posted by:
MSIMaker
20 years ago
There is also a tool called RegGrant.....some ppl use it here at my work and it does work ok.
Posted by:
MSIMaker
20 years ago
Does a batch file called from within a msi installation run with Elevated Rights? I have never tried it and so I wonder if it does.
Posted by:
Tipolosco
19 years ago
it uses this program in order to shape the permissions of access to the registry keys.
regperm.exe
regperm.exe
Posted by:
swwdesktops
19 years ago
we use xcacl as stated to do file/folder perms and subinacl for reg permissions.
Example of a line in a batch file for subinacl is:
/output=%REGPERMLOG% /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\xxxxxx" /grant=Users=F
this sets full control on the key and outputs the change to a log file. Replace F with other values to give different perms. It also only edits the acl so existing permisions stay, it only sets the new perms on the user/groups you have specified.
Example of a line in a batch file for subinacl is:
/output=%REGPERMLOG% /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\xxxxxx" /grant=Users=F
this sets full control on the key and outputs the change to a log file. Replace F with other values to give different perms. It also only edits the acl so existing permisions stay, it only sets the new perms on the user/groups you have specified.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.