Re: Access Denied for Registry Entries
- With SYSTEM being the owner of the key already, you do not need to
change/take ownership.
- You do not need to create a permission entry for creator owner.
- I can confirm the behavior you described when setting permissions for the
creator owner - this behavior is unrelated to the problem you are having.
- Please confirm you are using a regedit that you started from psexec
running under the SYSTEM account
- Do you get an error message at all or are you just referring to not being
able to accomplish tasks because the controls are disabled? If you get
errors, please list them.
*** I can't modify the permissions for the Symantec keys
This would be the expected behavior if the security settings were being
inherited from a higher-level key. This would explain why you can add a key
but cannot change existing keys. In any case, you probably do not need to
change existing permissions, just add new permissions. In order to be able
to CHANGE permissions in this scenario, you would need to use the advanced
screen and specify that you do not want the key to include inheritable
permissions, and then choose to copy the permissions from the prompt.
*** I can add my regular user acocunt to the top level key with full control
but it won't allow me to add it to the subkeys
- If the subkeys are inheriting permissions, they should pick up this
permission automagically from the top-level key. I have had some issues with
the regedit permission editor where sometimes it would not show permission
changes until I closed and re-opened regedit. You may try this to verify
your security setting changes.
- Can you verify the owner of the subkeys?
- Can you be more specific as to how does it not allow you to add it?
*** The whole goal of this exercise is to be able to control NIS2008 from a
regular user account.
Is it NOT prompting you for a UAC prompt on the options screen for some
reason? Or is your goal to be able to control Norton from a standard user
account WITHOUT a UAC prompt? Note that changing security settings on these
registry keys to something that allows you to change those settings without
seeing a UAC prompt will also allow any malware or other "bad guys" to
change those settings as well.
--
- JB
Microsoft MVP Windows Shell/User
"Rich Bell" <rg_bell@nvbell.net> wrote in message
news:29DAA166-51B0-47E3-B21C-52D77FBE2C0C@microsoft.com...
> The operative word being "should". Symantec tech support thought it might
> be a corrupt Admin account so I created a new account with Admin
> priviledges and reinstalled NIS2008. Still the same thing. I can't modify
> the permissions for the Symantec keys. I uninstalled Norton, ran their
> removal tool, deleted the Symantec keys (I was able to delete them after
> it was uninstalled) and reinstalled from the new Admin account. It made no
> difference. Creator Owner does not have an entry for the Symantec key. I
> can add it but I cannot give it full control. It reverts to Special
> permissions with Subkeys Only set. When I try to change it, it just
> reverts with no error. I can add my regular user account to the top level
> key with full control but it won't allow me to add it to the subkeys.
>
> The whole goal of this exercise is to be able to control NIS2008 from a
> regular user account. Symantec tech services claims that it should prompt
> to elevate to Admin (UAC) when I select Options. They told me to change
> the permissions on the registry keys and that is how I ended up here.
> Could the Norton installer be creating corrupt registry keys that are not
> editable? I might try exporting the keys and seeing if anything looks
> wierd. Maybe and export, delete, and import would fix it.
>
> "Jimmy Brush" <jb@mvps.org> wrote in message
> news:BA723350-14D3-4D35-9F0F-D8C7E02D5EF5@microsoft.com...
>> If system owns the keys then from the system regedit you should be able
>> to add a permission granting system full control. You can also add
>> administrators full control, this allowing you to edit the settings from
>> a normal regedit.
>>
>>
>> --
>> - JB
>> Microsoft MVP Windows Shell/User
>>
>> "Rich Bell" <rg_bell@nvbell.net> wrote in message
>> news:6532E850-1C5A-4B3E-8DCB-C8C07409282F@microsoft.com...
>>> After using psexec to run regedit as "system" I still can't change any
>>> of the permissions. What the heck has Symantec done to prevent changing
>>> the permissions for my registry keys? They are owned by System.
>>>
>>>
>>> "Jimmy Brush" <jb@mvps.org> wrote in message
>>> news:1C344ACA-3070-4736-B00E-44A8A1BE637E@microsoft.com...
>>>> You don't want to take ownership from a System regedit. From the system
>>>> regedit window, you should be able to make whatever changes you need to
>>>> the registry keys without modifying permissions, assuming Norton gave
>>>> System access to those keys.
>>>>
>>>>
>>>> --
>>>> - JB
>>>> Microsoft MVP Windows Shell/User
>>>>
>>>> "Rich Bell" <rg_bell@nvbell.net> wrote in message
>>>> news
44C4EEE-8E63-40F4-8AE3-BC2FAA4CBF0B@microsoft.com...
>>>>> I still get "access denied" when trying to take ownership of these
>>>>> keys
>>>>> after using psexec to start regedit. Any other suggestions.
>>>>>
>>>>> "Jimmy Brush" <jb@mvps.org> wrote in message
>>>>> news:4AE1C3F9-8E21-4A3E-8257-7EB9BBDE5B60@microsoft.com...
>>>>>> Hello,
>>>>>>
>>>>>> From regedit, you should be able to take ownership of the key, and
>>>>>> then change the key's security settings.
>>>>>>
>>>>>> Alternatively, you can download the following tool from microsoft to
>>>>>> open an instance of regedit as system:
>>>>>>
>>>>>> http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
>>>>>>
>>>>>> The following command line will open a "system" regedit:
>>>>>>
>>>>>> psexec -s -i regedit
>>>>>>
>>>>>> (Note: You have to execute this command line from an "administrator"
>>>>>> command prompt [right-click command prompt and click run as
>>>>>> administrator])
>>>>>>
>>>>>>
>>>>>> --
>>>>>> - JB
>>>>>> Microsoft MVP Windows Shell/User
>>>>>>
>>>>>> "Rich Bell" <rg_bell@nvbell.net> wrote in message
>>>>>> news:4BF6BE7B-236B-40B8-BB21-BE8FFCBFD11E@microsoft.com...
>>>>>>>I am trying to change permissions for the registry keys associated
>>>>>>>with Norton Internet Security 2008. Norton technical support wants me
>>>>>>>to change permissions to allow me to change options from a non-admin
>>>>>>>account. The keys are owned by System and I am unable to change
>>>>>>>permissions or to take ownership of these keys. How can I take
>>>>>>>ownership of System owned keys? I have tried to run Regedit from a
>>>>>>>System user context via Schtasks.exe but it does not allow an
>>>>>>>interactive app from a System user.
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>