security on registry keys

fp

I have got a problem that is driving me crazy.

On my HP laptop with XP Pro, as administrator I install PDFCreator and
VMWare server console. I then logout and reconnect as a simple user,
group "Users" and I'm not able to use these programs.

If I do the same thing with PDFCreator on a freshly installed (and
completely patched) XP Pro, I can switch to other users and use the
programs with no problems. (I could not try vmware console)

Using Sysinternals tools I see that both programs fail to read some
registry keys.

So I went with regedit and found that:
- on the HP laptop only administrator and system have "Special
privileges", not inherited
- on self-installed PC, authorization is given to Users (read-only),
PowerUsers (special), Administrator system admin creator owner (full
control), all inherited by CLASSES_ROOT

If I manually give read only access to users, program starts ok.

I asked HP support if they set some policies but they say no. I also
checked myself if some policies were set but I could not find anything.


I BELIEVE that some system wide setting masks some bits in the ACL
and/or auth fields in RegCreateKeyEx and similar functions, but could
not find any clear info on this subject.... it's like umask in Unix
directories... a friend told me about an "inheritance" property...

Both systems use XP Pro Italian version, so it's also a problem to look
for information because I don't know the English wordings..

Francesco
 
jwgoerlich@gmail.com

Hello Francesco,

First, good job troubleshooting the problem. I agree with you that HP
most likely sets different permissions in their system build, as your
experience shows. Many hardware vendors do this. That the HP support
person was not aware of any such policy is not surprising. This is not
likely to be an oft asked question.

To answer what I think your questions are: Yes, the registry supports
permissions or access control lists (ACLs). Yes, a registry key can be
set such that the ACL is inherited from the parent.

The permissions on Hkey_Classes_Root change depending upon who is
logged in. This is because the hive is assembled on the fly by
combining HKCU\Software\Classes and HKLM\Software\Classes. The
permissions you see come from these keys.

Hope that helps,

J Wolfgang Goerlich

On Jan 3, 4:38 pm, fp <mc8647__nnoossppa...@mclink.it> wrote:
> I have got a problem that is driving me crazy.
>
> On my HP laptop with XP Pro, as administrator I install PDFCreator and
> VMWare server console. I then logout and reconnect as a simple user,
> group "Users" and I'm not able to use these programs.
>
> If I do the same thing with PDFCreator on a freshly installed (and
> completely patched) XP Pro, I can switch to other users and use the
> programs with no problems. (I could not try vmware console)
>
> Using Sysinternals tools I see that both programs fail to read some
> registry keys.
>
> So I went with regedit and found that:
> - on the HP laptop only administrator and system have "Special
> privileges", not inherited
> - on self-installed PC, authorization is given to Users (read-only),
> PowerUsers (special), Administrator system admin creator owner (full
> control), all inherited by CLASSES_ROOT
>
> If I manually give read only access to users, program starts ok.
>
> I asked HP support if they set some policies but they say no. I also
> checked myself if some policies were set but I could not find anything.
>
> I BELIEVE that some system wide setting masks some bits in the ACL
> and/or auth fields in RegCreateKeyEx and similar functions, but could
> not find any clear info on this subject.... it's like umask in Unix
> directories... a friend told me about an "inheritance" property...
>
> Both systems use XP Pro Italian version, so it's also a problem to look
> for information because I don't know the English wordings..
>
> Francesco
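
An added example, not part of either post: a PowerShell report that compares the ACL of one class key in the two hives that feed HKEY_CLASSES_ROOT and in the merged view, showing whether inheritance is blocked and whether the Users group has a read ACE. The subkey `.pdf` is a constructed placeholder for whichever key the program fails to read, and the group is looked up by its well-known SID so the check works on a localized (for example Italian) Windows.

```powershell
# Added example (not from the thread). Run as an administrator.
param([string]$SubKey = '.pdf')   # constructed placeholder: use the key the program cannot read

# BUILTIN\Users by well-known SID, so the localized group name does not matter.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$readKey  = [System.Security.AccessControl.RegistryRights]::ReadKey
$inhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-KeyAclReport {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $acl   = Get-Acl -Path $Path
    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Allow ACEs for Users that apply to this key itself (inherit-only ACEs
    # affect children only) and that cover every bit of ReadKey.
    $usersRead = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.PropagationFlags -band $inhOnly) -eq 0 -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    })

    [pscustomobject]@{
        Path               = $Path
        Exists             = $true
        Owner              = $acl.Owner
        # True means the key does not inherit ACEs from its parent.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        UsersReadAce       = ($usersRead.Count -gt 0)
        UsersAceInherited  = ($usersRead | ForEach-Object { $_.IsInherited }) -contains $true
    }
}

# The two source hives, then the merged HKEY_CLASSES_ROOT view.
@(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$SubKey",
    "Registry::HKEY_CURRENT_USER\Software\Classes\$SubKey",
    "Registry::HKEY_CLASSES_ROOT\$SubKey"
) | ForEach-Object { Get-KeyAclReport -Path $_ } | Format-Table -AutoSize
```

The report only looks for an ACE granted directly to the Users group; read access granted through another group, or removed by a Deny ACE, is not evaluated.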
 