Microsoft Windows Registry Guide, Second Edition
Mapping Default Permissions
Understanding the registry's default permissions is useful if you're an IT professional deploying software. Knowing whether members of the Users group can change a particular setting helps you test applications prior to deployment and determine if the application works with default permissions. If you determine that an application does work properly with the default permissions, then it's ready to deploy. If you determine that an application doesn't work properly with the default permissions, you must either fix the program or change the offending key's permissions. The easiest way to do that, of course, is by using security templates.
First you must understand the three fundamental groups in Windows: Users, Power Users, and Administrators. Through these groups, Windows provides different levels of access depending on each group's needs:
- Users.
This group has the highest security because the default permissions given to it don't allow its members to change operating system data or other users' settings. Generally, users in this group can't change per-computer operating system and application settings. They can usually include programs certified for Windows that administrators deploy to their computers. Also, this group gives its members full control over everything in their user profiles, including their profile hives (HKCU). What frequently keeps IT professionals from assigning users to this group is that members can't usually run legacy applications. Rather than assign users to another group, deal with this problem by applying a compatible security template, which you learn how to do in the section titled “Deploying Security Templates,” later in this chapter.
- Power Users.
This group provides backward compatibility for running programs that aren't certified for Windows. The default permissions give this group the ability to change many per-computer operating system and program settings. Generally, if you have legacy applications that users can't run as members of the Users group and you're not going to use security templates, adding those users to the Power Users group allows the applications to run. However, this group does have enough permissions to install most applications; members can't change operating system files or install services. The permissions given to the Power Users group is somewhere in the middle of the Users and Administrators groups. It's similar to the Users group in Microsoft Windows NT 4.0. And no, members of this group can't add themselves to the Administrators group.
- Administrators.
This group provides full control of the entire computer. Its members can change all operating system and application files. They can change all settings in the registry. Also, they can take ownership of keys and change a key's ACL. IT professionals are often tempted to add users to this group to avoid having trouble deploying applications that are otherwise difficult to install or run. Don't. Because users in this group can install anything they like or change any setting they like, viruses are free to do their damage and users are free to subject their configurations to the inevitable bout of human error. To secure your enterprise's desktops and reduce downtime, reserve this group for actual administrators. Even if you're an administrator, use your computer as a power user for the same reasons. Instead, when you need to perform an administrative task, use a secondary logon to start a program as Administrator: hold down the SHIFT key while you right-click the program's shortcut, click Run As, and then type the account name and password that you want to use to run the program.
Table 8-1 describes the registry's default permissions after a fresh installation of Windows. (These permissions don't apply to Windows Server 2003 domain controllers.) Keep in mind that the resulting permissions are different if you upgrade from an earlier version of Windows to Windows XP or Windows Server 2003. I got these permissions from the security template that you use to restore Windows to out of box security. I've focused on the Users and Power Users groups because these are the primary issue. In most of these cases, the Administrators group has full control, as do the Creator Owner and System built-in accounts. In most cases–but not all–each key's permissions replace all subkeys' permissions. This is through the magic of inheritance, which you learned about in the preceding section.
When you see the word Special in the Power Users column, it means the group has special permissions on that key (and subkeys in most cases), and that permissions is usually the ability to modify values. The Power Users group doesn't ever get the Full Control, Create Link, Change Permissions, or Take Ownership permission for any key in the registry, though. The interesting thing about this table is that Windows gives the Users group Read permission and the Power Users group special permissions for all of HKLM\SOFTWARE. The remaining entries in the table are exceptions to this rule that limit access to specific keys in HKLM\SOFTWARE.
Branch | Users | Power Users |
hklm\software | Read | Special |
hklm\software\classes | Read | Special |
hklm\software\classes\.hlp | Read | Read |
hklm\software\classes\helpfile | Read | Read |
hklm\software\microsoft\ads\providers\ldap\extensions | Read | Read |
hklm\software\microsoft\ads\providers\nds | Read | Read |
hklm\software\microsoft\ads\providers\nwcompat | Read | Read |
hklm\software\microsoft\ads\providers\winnt | Read | Read |
hklm\software\microsoft\command processor | Read | Read |
hklm\software\microsoft\cryptography | Read | Read |
hklm\software\microsoft\cryptography\calais | None | None |
hklm\software\microsoft\driver signing | Read | Read |
hklm\software\microsoft\enterprisecertificates | Read | Read |
hklm\software\microsoft\msdtc | None | None |
hklm\software\microsoft\netdde | None | None |
hklm\software\microsoft\non-driver signing | Read | Read |
hklm\software\microsoft\ole | Read | Read |
hklm\software\microsoft\protected storage system provider | None | None |
hklm\software\microsoft\rpc | Read | Read |
hklm\software\microsoft\secure | Read | Read |
hklm\software\microsoft\systemcertificates | Read | Read |
hklm\software\microsoft\upnp device host | Read | None |
hklm\software\microsoft\windows nt\currentversion\accessibility | Read | Read |
hklm\software\microsoft\windows nt\currentversion\aedebug | Read | Read |
hklm\software\microsoft\windows nt\currentversion\asr\commands | Read | Read |
hklm\software\microsoft\windows nt\currentversion\classes | Read | Read |
hklm\software\microsoft\windows nt\currentversion\drivers32 | Read | Read |
hklm\software\microsoft\windows nt\currentversion\efs | Read | Read |
hklm\software\microsoft\windows nt\currentversion\font drivers | Read | Read |
hklm\software\microsoft\windows nt\currentversion\fontmapper | Read | Read |
hklm\software\microsoft\windows nt\currentversion\image file execution options | Read | Read |
hklm\software\microsoft\windows nt\currentversion\inifilemapping | Read | Read |
hklm\software\microsoft\windows nt\currentversion\perflib | None | None |
hklm\software\microsoft\windows nt\currentversion\perflib\009 | None | None |
hklm\software\microsoft\windows nt\currentversion\profilelist | Read | Read |
hklm\software\microsoft\windows nt\currentversion\secedit | Read | Read |
hklm\software\microsoft\windows nt\currentversion\setup\recoveryconsole | Read | Read |
hklm\software\microsoft\windows nt\currentversion\svchost | Read | Read |
hklm\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce | Read | Read |
hklm\software\microsoft\windows nt\currentversion\time zones | Read | Read |
hklm\software\microsoft\windows nt\currentversion\windows | Read | Read |
hklm\software\microsoft\windows nt\currentversion\winlogon | Read | Read |
hklm\software\microsoft\windows\currentversion\explorer\user shell folders | Read | Read |
hklm\software\microsoft\windows\currentversion\group policy | None | None |
hklm\software\microsoft\windows\currentversion\installer | None | None |
hklm\software\microsoft\windows\currentversion\policies | None | None |
hklm\software\microsoft\windows\currentversion\reliability | Read | Read |
hklm\software\microsoft\windows\currentversion\runonce | Read | Read |
hklm\software\microsoft\windows\currentversion\runonceex | Read | Read |
hklm\software\microsoft\windows\currentversion\telephony | Read | Special |
hklm\software\policies | Read | Read |
hklm\system | Read | Read |
hklm\system\clone | None | None |
hklm\system\controlset001 | None | None |
hklm\system\controlset001\services\dhcp\configurations | Read | Read |
hklm\system\controlset001\services\dhcp\parameters | Read | Read |
hklm\system\controlset001\services\dhcp\parameters\options | Read | Read |
hklm\system\controlset001\services\dnscache\parameters | Read | Read |
hklm\system\controlset001\services\mrxdav\encrypteddirectories | None | None |
hklm\system\controlset001\services\netbt\parameters | Read | Read |
hklm\system\controlset001\services\netbt\parameters\interfaces | Read | Read |
hklm\system\controlset001\services\tcpip\linkage | Read | Read |
hklm\system\controlset001\services\tcpip\parameters | Read | Read |
hklm\system\controlset001\services\tcpip\parameters\adapters | Read | Read |
hklm\system\controlset001\services\tcpip\parameters\interfaces | Read | Read |
hklm\system\controlset002 | None | None |
hklm\system\controlset003 | None | None |
hklm\system\controlset004 | None | None |
hklm\system\controlset005 | None | None |
hklm\system\controlset006 | None | None |
hklm\system\controlset007 | None | None |
hklm\system\controlset008 | None | None |
hklm\system\controlset009 | None | None |
hklm\system\controlset010 | None | None |
hklm\system\currentcontrolset\control\class | None | None |
hklm\system\currentcontrolset\control\keyboard layout | Read | Read |
hklm\system\currentcontrolset\control\keyboard layouts | Read | Read |
hklm\system\currentcontrolset\control\network | Read | Read |
hklm\system\currentcontrolset\control\securepipeservers\winreg | None | None |
hklm\system\currentcontrolset\control\session manager\executive | None | Special |
hklm\system\currentcontrolset\control\timezoneinformation | None | Special |
hklm\system\currentcontrolset\control\wmi\security | None | None |
hklm\system\currentcontrolset\enum | None | None |
hklm\system\currentcontrolset\hardware profiles | None | None |
hklm\system\currentcontrolset\services\appmgmt\security | None | None |
hklm\system\currentcontrolset\services\clipsrv\security | None | None |
hklm\system\currentcontrolset\services\cryptsvc\security | None | None |
hklm\system\currentcontrolset\services\dnscache | Read | Read |
hklm\system\currentcontrolset\services\ersvc\security | None | None |
hklm\system\currentcontrolset\services\eventlog\security | None | None |
hklm\system\currentcontrolset\services\irenum\security | None | None |
hklm\system\currentcontrolset\services\netbt | Read | Read |
hklm\system\currentcontrolset\services\netdde\security | None | None |
hklm\system\currentcontrolset\services\netddedsdm\security | None | None |
hklm\system\currentcontrolset\services\remoteaccess | Read | Read |
hklm\system\currentcontrolset\services\rpcss\security | None | None |
hklm\system\currentcontrolset\services\samss\security | None | None |
hklm\system\currentcontrolset\services\scarddrv\security | None | None |
hklm\system\currentcontrolset\services\scardsvr\security | None | None |
hklm\system\currentcontrolset\services\stisvc\security | None | None |
hklm\system\currentcontrolset\services\sysmonlog\log queries | None | None |
hklm\system\currentcontrolset\services\tapisrv\security | None | None |
hklm\system\currentcontrolset\services\tcpip | Read | Read |
hklm\system\currentcontrolset\services\w32time\security | None | None |
hklm\system\currentcontrolset\services\wmi\security | None | None |
hku\.default | Read | Read |
hku\.default\software\microsoft\netdde | None | None |
hku\.default\software\microsoft\protected storage system provider | None | None |
hku\.default\software\microsoft\systemcertificates\root\protectedroots | None | None |
Figuring out which keys an application uses is part science but mostly art. Sometimes I simply open the program's binary file in a text editor and look for strings that look like keys. Most often, I use a tool such as Winternals Registry Monitor (Regmon), which you learn how to use in Chapter 10, “Finding Registry Settings,” to monitor registry activity while I run the program I'm putting through its paces. Then I record the different keys that the program references and check to see whether the Users or Power Users groups have the required permissions for those keys. Last, well-behaved applications report errors when they can't read or write a value in the registry. I wouldn't count on this behavior, however, because ill-behaved programs just bounce along happily even after encountering a registry error.