Microsoft Windows Registry Guide, Second Edition

Mapping Default Permissions

Understanding the registry's default permissions is useful if you're an IT professional deploying software. Knowing whether members of the Users group can change a particular setting helps you test applications prior to deployment and determine whether they work with the default permissions. If an application works properly with the default permissions, it's ready to deploy. If it doesn't, you must either fix the program or change the offending key's permissions. The easiest way to do the latter is with security templates. Before loosening a key, though, consider what the key controls: granting Users write access to a key that Windows itself acts on, such as a Run or RunOnce key or Image File Execution Options, lets any user of the computer change how programs start, so narrow the change to the smallest subkey the application actually needs.

First you must understand the three fundamental groups in Windows: Users, Power Users, and Administrators. Through these groups, Windows provides different levels of access depending on each group's needs:

Table 8-1 describes the registry's default permissions after a fresh installation of Windows. (These permissions don't apply to Windows Server 2003 domain controllers.) Keep in mind that the resulting permissions are different if you upgrade from an earlier version of Windows to Windows XP or Windows Server 2003. I took these permissions from the security template that you use to restore Windows to its out-of-the-box security, Setup security.inf. I've focused on the Users and Power Users groups because they are where deployment problems arise. In most of these cases, the Administrators group has full control, as do the Creator Owner and System built-in accounts. In most cases, but not all, each key's permissions propagate to all of its subkeys through inheritance, which you learned about in the preceding section.

When you see the word Special in the Power Users column, it means the group has special permissions on that key (and on its subkeys in most cases); that special permission is usually Read plus the ability to set values and create subkeys. The Power Users group never gets the Full Control, Create Link, Change Permissions, or Take Ownership permission for any key in the registry, though. The interesting thing about this table is that Windows gives the Users group Read permission and the Power Users group special permissions for all of HKLM\SOFTWARE. The remaining entries in the table are exceptions to this rule that limit access to specific keys in HKLM\SOFTWARE. A None entry means the group has no access to the key at all, so a program running as a member of that group can't even open it for reading.

Table 8-1 Default Windows Installation Registry Permissions

Users  Power Users  Branch
-----  -----------  ------
Read   Special      hklm\software
Read   Special      hklm\software\classes
Read   Read         hklm\software\classes\.hlp
Read   Read         hklm\software\classes\helpfile
Read   Read         hklm\software\microsoft\ads\providers\ldap\extensions
Read   Read         hklm\software\microsoft\ads\providers\nds
Read   Read         hklm\software\microsoft\ads\providers\nwcompat
Read   Read         hklm\software\microsoft\ads\providers\winnt
Read   Read         hklm\software\microsoft\command processor
Read   Read         hklm\software\microsoft\cryptography
None   None         hklm\software\microsoft\cryptography\calais
Read   Read         hklm\software\microsoft\driver signing
Read   Read         hklm\software\microsoft\enterprisecertificates
None   None         hklm\software\microsoft\msdtc
None   None         hklm\software\microsoft\netdde
Read   Read         hklm\software\microsoft\non-driver signing
Read   Read         hklm\software\microsoft\ole
None   None         hklm\software\microsoft\protected storage system provider
Read   Read         hklm\software\microsoft\rpc
Read   Read         hklm\software\microsoft\secure
Read   Read         hklm\software\microsoft\systemcertificates
Read   None         hklm\software\microsoft\upnp device host
Read   Read         hklm\software\microsoft\windows nt\currentversion\accessibility
Read   Read         hklm\software\microsoft\windows nt\currentversion\aedebug
Read   Read         hklm\software\microsoft\windows nt\currentversion\asr\commands
Read   Read         hklm\software\microsoft\windows nt\currentversion\classes
Read   Read         hklm\software\microsoft\windows nt\currentversion\drivers32
Read   Read         hklm\software\microsoft\windows nt\currentversion\efs
Read   Read         hklm\software\microsoft\windows nt\currentversion\font drivers
Read   Read         hklm\software\microsoft\windows nt\currentversion\fontmapper
Read   Read         hklm\software\microsoft\windows nt\currentversion\image file execution options
Read   Read         hklm\software\microsoft\windows nt\currentversion\inifilemapping
None   None         hklm\software\microsoft\windows nt\currentversion\perflib
None   None         hklm\software\microsoft\windows nt\currentversion\perflib\009
Read   Read         hklm\software\microsoft\windows nt\currentversion\profilelist
Read   Read         hklm\software\microsoft\windows nt\currentversion\secedit
Read   Read         hklm\software\microsoft\windows nt\currentversion\setup\recoveryconsole
Read   Read         hklm\software\microsoft\windows nt\currentversion\svchost
Read   Read         hklm\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce
Read   Read         hklm\software\microsoft\windows nt\currentversion\time zones
Read   Read         hklm\software\microsoft\windows nt\currentversion\windows
Read   Read         hklm\software\microsoft\windows nt\currentversion\winlogon
Read   Read         hklm\software\microsoft\windows\currentversion\explorer\user shell folders
None   None         hklm\software\microsoft\windows\currentversion\group policy
None   None         hklm\software\microsoft\windows\currentversion\installer
None   None         hklm\software\microsoft\windows\currentversion\policies
Read   Read         hklm\software\microsoft\windows\currentversion\reliability
Read   Read         hklm\software\microsoft\windows\currentversion\runonce
Read   Read         hklm\software\microsoft\windows\currentversion\runonceex
Read   Special      hklm\software\microsoft\windows\currentversion\telephony
Read   Read         hklm\software\policies
Read   Read         hklm\system
None   None         hklm\system\clone
None   None         hklm\system\controlset001
Read   Read         hklm\system\controlset001\services\dhcp\configurations
Read   Read         hklm\system\controlset001\services\dhcp\parameters
Read   Read         hklm\system\controlset001\services\dhcp\parameters\options
Read   Read         hklm\system\controlset001\services\dnscache\parameters
None   None         hklm\system\controlset001\services\mrxdav\encrypteddirectories
Read   Read         hklm\system\controlset001\services\netbt\parameters
Read   Read         hklm\system\controlset001\services\netbt\parameters\interfaces
Read   Read         hklm\system\controlset001\services\tcpip\linkage
Read   Read         hklm\system\controlset001\services\tcpip\parameters
Read   Read         hklm\system\controlset001\services\tcpip\parameters\adapters
Read   Read         hklm\system\controlset001\services\tcpip\parameters\interfaces
None   None         hklm\system\controlset002
None   None         hklm\system\controlset003
None   None         hklm\system\controlset004
None   None         hklm\system\controlset005
None   None         hklm\system\controlset006
None   None         hklm\system\controlset007
None   None         hklm\system\controlset008
None   None         hklm\system\controlset009
None   None         hklm\system\controlset010
None   None         hklm\system\currentcontrolset\control\class
Read   Read         hklm\system\currentcontrolset\control\keyboard layout
Read   Read         hklm\system\currentcontrolset\control\keyboard layouts
Read   Read         hklm\system\currentcontrolset\control\network
None   None         hklm\system\currentcontrolset\control\securepipeservers\winreg
None   Special      hklm\system\currentcontrolset\control\session manager\executive
None   Special      hklm\system\currentcontrolset\control\timezoneinformation
None   None         hklm\system\currentcontrolset\control\wmi\security
None   None         hklm\system\currentcontrolset\enum
None   None         hklm\system\currentcontrolset\hardware profiles
None   None         hklm\system\currentcontrolset\services\appmgmt\security
None   None         hklm\system\currentcontrolset\services\clipsrv\security
None   None         hklm\system\currentcontrolset\services\cryptsvc\security
Read   Read         hklm\system\currentcontrolset\services\dnscache
None   None         hklm\system\currentcontrolset\services\ersvc\security
None   None         hklm\system\currentcontrolset\services\eventlog\security
None   None         hklm\system\currentcontrolset\services\irenum\security
Read   Read         hklm\system\currentcontrolset\services\netbt
None   None         hklm\system\currentcontrolset\services\netdde\security
None   None         hklm\system\currentcontrolset\services\netddedsdm\security
Read   Read         hklm\system\currentcontrolset\services\remoteaccess
None   None         hklm\system\currentcontrolset\services\rpcss\security
None   None         hklm\system\currentcontrolset\services\samss\security
None   None         hklm\system\currentcontrolset\services\scarddrv\security
None   None         hklm\system\currentcontrolset\services\scardsvr\security
None   None         hklm\system\currentcontrolset\services\stisvc\security
None   None         hklm\system\currentcontrolset\services\sysmonlog\log queries
None   None         hklm\system\currentcontrolset\services\tapisrv\security
Read   Read         hklm\system\currentcontrolset\services\tcpip
None   None         hklm\system\currentcontrolset\services\w32time\security
None   None         hklm\system\currentcontrolset\services\wmi\security
Read   Read         hku\.default
None   None         hku\.default\software\microsoft\netdde
None   None         hku\.default\software\microsoft\protected storage system provider
None   None         hku\.default\software\microsoft\systemcertificates\root\protectedroots

Figuring out which keys an application uses is part science but mostly art. Sometimes I simply open the program's binary file in a text editor and look for strings that look like keys. Most often, I use a tool such as Winternals Registry Monitor (Regmon), which you learn how to use in Chapter 10, "Finding Registry Settings," to monitor registry activity while I run the program I'm putting through its paces. (Regmon has since been superseded by Sysinternals Process Monitor, which captures the same registry events.) Then I record the different keys that the program references and check whether the Users or Power Users groups have the required permissions for those keys. Last, well-behaved applications report errors when they can't read or write a value in the registry. I wouldn't count on this behavior, however, because ill-behaved programs just bounce along happily even after encountering a registry error; the monitoring trace will still show the failed access even when the program's user interface never mentions it.
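The permission check described above, as an added example that is not the book's own code: a PowerShell script that takes the keys captured from a Regmon or Process Monitor trace (a constructed list here; the Contoso key is a hypothetical vendor key), reports whether the Users and Power Users groups hold Read or write-capable rights on each, and writes a security-template line for any key the application must write but Users cannot. The SDDL string, the template mode value and the output file name are assumptions to verify against your own baseline. The script looks only at ACEs granted directly to the two groups, which matches the table's view but is not a user's full effective access, because ACEs for Everyone, Authenticated Users or INTERACTIVE are ignored.

```powershell
# Added example, not from the book: given the keys an application was seen
# touching (from a Regmon or Process Monitor trace), report what the Users and
# Power Users groups may do to each key, and write a security-template line for
# any key the application must write but Users cannot. Run elevated: reading a
# key's ACL needs READ_CONTROL, which Users lack on keys shown as None above.

# Well-known SIDs for the two groups, so the lookup works on localized systems.
$Groups = [ordered]@{
    'Users'       = 'S-1-5-32-545'
    'Power Users' = 'S-1-5-32-547'
}

# Registry access-mask bits from winnt.h, used to classify an ACE.
$KEY_QUERY_VALUE    = 0x0001
$KEY_SET_VALUE      = 0x0002
$KEY_CREATE_SUB_KEY = 0x0004
$KEY_READ           = 0x20019
$KEY_WRITE          = 0x20006
$KEY_ALL_ACCESS     = 0xF003F

# ACEs written by setup often carry generic bits (GENERIC_READ and friends)
# instead of key-specific ones; expand them so the classification below works.
function Expand-GenericRights([int64]$Mask) {
    $bits = $Mask -band 0x1FFFFF                                        # specific + standard rights
    if ($Mask -band 0x80000000) { $bits = $bits -bor $KEY_READ }        # GENERIC_READ
    if ($Mask -band 0x40000000) { $bits = $bits -bor $KEY_WRITE }       # GENERIC_WRITE
    if ($Mask -band 0x20000000) { $bits = $bits -bor $KEY_READ }        # GENERIC_EXECUTE == KEY_READ for keys
    if ($Mask -band 0x10000000) { $bits = $bits -bor $KEY_ALL_ACCESS }  # GENERIC_ALL
    return $bits
}

# Rights one group holds on one key, from the ACEs granted to that group's SID.
# Only the group's own ACEs are considered, which mirrors Table 8-1 but is not
# a user's full effective access (Everyone, INTERACTIVE and so on are ignored).
function Get-GroupKeyRights([string]$Key, [string]$GroupSid) {
    $acl   = Get-Acl -Path $Key -ErrorAction Stop
    $allow = [int64]0
    $deny  = [int64]0
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $GroupSid) { continue }
        $bits = Expand-GenericRights ([int64][int]$ace.RegistryRights)
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
        else                                    { $deny  = $deny  -bor $bits }
    }
    return $allow -band (-bnot $deny)   # a Deny ACE beats an Allow for the same bits
}

# Collapse a rights mask into the table's vocabulary: Write (can modify), Read, None.
function Get-AccessLevel([int64]$Rights) {
    if ($Rights -band ($KEY_SET_VALUE -bor $KEY_CREATE_SUB_KEY)) { return 'Write' }
    if ($Rights -band $KEY_QUERY_VALUE)                          { return 'Read' }
    return 'None'
}

# One [Registry Keys] line granting Users KEY_READ plus Set Value and Create
# Subkey (0x2001f) on the key; Administrators, SYSTEM and Creator Owner keep
# full control. The SDDL and mode 0 (propagate to subkeys) are assumptions to
# check against your own baseline before applying.
function New-TemplateLine([string]$Key) {
    $path = $Key -replace '^HKLM:\\', 'MACHINE\'
    $sddl = 'D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CIIO;KA;;;CO)(A;CI;0x2001f;;;BU)'
    return ('"{0}",0,"{1}"' -f $path, $sddl)
}

# Constructed input: keys from a trace and the access the program needed.
# The Contoso key is a hypothetical vendor key, not one from the table.
$Observed = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Needs = 'Read'  }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer';   Needs = 'Read'  }
    @{ Key = 'HKLM:\SOFTWARE\Contoso\Widget';                                Needs = 'Write' }
)

$Template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Registry Keys]')
foreach ($item in $Observed) {
    $row = [ordered]@{ Key = $item.Key; Needs = $item.Needs }
    foreach ($name in $Groups.Keys) {
        try   { $row[$name] = Get-AccessLevel (Get-GroupKeyRights $item.Key $Groups[$name]) }
        catch { $row[$name] = 'unreadable' }   # key missing, or caller lacks READ_CONTROL
    }
    [pscustomobject]$row
    if ($item.Needs -eq 'Write' -and $row['Users'] -ne 'Write') { $Template += New-TemplateLine $item.Key }
}
if ($Template.Count -gt 6) {
    Set-Content -Path .\appfix.inf -Value $Template -Encoding Unicode
    Write-Host 'Review appfix.inf, then apply it with: secedit /configure /db appfix.sdb /cfg appfix.inf /areas REGKEYS'
}
```

Review the generated appfix.inf before applying it, and run secedit /analyze against the same template afterwards to confirm the key now matches. Keep the granted rights to 0x2001f rather than KA: Users never need Change Permissions or Take Ownership on an application's key, and handing those out lets any user lock administrators out of the key.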
