Please Help. Need to configure registry permision in XP.

[elkinm]

I have some registry entries that I want to lock from editing by programs but I want the program to be able to read the entries.

What I did was add a restriction to a key and denied all write and change permisions to all adminstrators and I use a logon from the administrators group.


This did not work as the registry key appears to be completely unecsessable as the keys do not seem to work in the program. Worst of all, if I try to change the permisions now, I get an access denied error when I try to change permisions of add new ones.

I can use the adminstrator to unlock it again but what I want to do is to lock some entire key from modification by any running program but I still want to be able to change it manualy through regedit so if needed I want to also create a list of programs like regedit that always have unrestricted control but none of the others can access it.

Also, when a program attemps to write to a restricted key I want it to think the write was successfull so I won't recieve any errors.

Please help do this.

Thank You
elkinm

 

[bsobel]

Apps should be opening the registry key with only the actual rights they need (e.g. don't open it for read/write access if you only need read). Unfortuantely many apps don't, and thats probably why your change didn't work. Further, you simply can't do what your asking with the base OS.

Sorry,
Bill

 

[elkinm]

Exactly what part can I not do. I would imagine that restricting seperate programs would not be possible but there should be a way to simply keep a key from changing. For instance there are some keys that connected to the windows registration. These keys can be viewd and used but they cannot be changed. Iwant the same thing.

At first I tried restricting the system account as I thought any program would run through the system and Adminstrators would only be things done by the user. But unfortunately anything run from an administars account is an administrator process which is bad for me. Why is there no way to distinguish between a program or soemthing actualy done by the user through the keyboard and mouse.

Also restricted accounts like the gest account have access to nearly the entire registry but they cannot change most things and I want to make administrators that same way for some keys. Also I want to be able to change preminisions in the administrators account at any time even if they are restricted.

Thanks again.

 

[elkinm]

Actualy I have a bigger problem now. I cannot change the premisions through the administrators account. The problem is that when I try using the adminstrtor to reset the permitsions I cannot se restriction on the administrators group and therefore cannot remove it. And the administrators still have it. I was wondering if there is any way to change the permitions from administrators or to chage other account permisions through the administrator account.

Thanks

 

[elkinm]

Just in case anybody is wondering, what I am specificaly trying to change and lock is the openwith list for media files. The problem is that for some reason some programs add themselves to the open with list. The most anoying one is internet explorer as anytime I play a media type in or from IE online, I see the Iexplorer.exe in the open with list. I want to lock the open with list to have some entries and restrict theit removal and the addition of new programs unless I do it manualy. The is that when I restrict the permisions the open with list is not shown at all.

 

[bsobel]

Originally posted by: elkinm
Exactly what part can I not do. I would imagine that restricting seperate programs would not be possible but there should be a way to simply keep a key from changing. For instance there are some keys that connected to the windows registration. These keys can be viewd and used but they cannot be changed. Iwant the same thing.

The part that you can't do is the 'want it to think the write was successfull so I won't receive any errors'. There isn't a native way for the api's to fail with say ERROR_NO_ACCESS but for the application not to get that back.

Bill

 

[elkinm]

So far there do not seem to be errors. I tried changing the default program to play the media which would change the openwith list and such but the list stays the same without errors.

But things are getting realy messed up after going back to the default account, I tried the adminstrator account aggain. This time I could see the same permistions as from the default account. But once aggain even the Administrator also could not chagne it. Now I though that the main Administrator is the default unrestricted account and can do anythign. Since I restricted administrators, it seems that the Administrator was also restricted. But once aggain, the strange thing is that in administrator the open with list works fine even though I cannot change the permisions. I may be wrong but how is it even possible to have something so inconstistent and so messed up between accounts.

Also, do you know which permission is the one that controls the ability to chage permisions?

Thanks again

 

[bsobel]

Originally posted by: elkinm
So far there do not seem to be errors. I tried changing the default program to play the media which would change the openwith list and such but the list stays the same without errors.

It depends on how the app is written to manage errors, my comment was based on your original statement of "This did not work as the registry key appears to be completely unecsessable as the keys do not seem to work in the program". What you appeared to ask for is a way to have an app 'think' it opened a key for write access when it actually failed, and 'hide' that fact from the app. That is what is not available in the OS by default.

Permissions obviously are, and if the app is written correctly you should be able to specify the read only rights you want.

Bill

 

[elkinm]

I still have the problem that I cannot chage the entries or the permisions of the registry keys that I restricted. And the administrator account has full access to the stated keys as it runs perfectly but it also seems to be restricted from changing keys or settigns. I tried creating a backup operator account and a Power user account but those all have their own registry settings and do not access the Administrator settings.

Anyone know how I can change the permisions and settings of the said keys on my system?

And also, is it possible to have every account view all registry settings including that of other users and groups so I could configure it that way. from any account with the right priveleges.

Thanks

 

[elkinm]

Got it,

I just simply took ownership of the key and that seems to have reset the key permistions giving me full access.

Is this a good way do this and could it affect the system as the original owner was S-1-5-21-854245398-152049171-2147007523-1003.

Also, which parts of the permisions effect adding new srtings to the key only and which permision controlls the ability to change the permisions. As in this case I just want to remove the ability of programs to add new strings to the key, but I want to be able to change the permisions at any time.

Thanks again.