cer
asked on
Registry-security: how to set in script file
How to set the security permissions in the NT4.0 registry ?
I know only the way to manually edit them with REGEDT32. I need to change them within a batch file.
As far as I know there is no way (so don't give me this as an answer), but maybe someone knows better.
ASKER
I CAN make changes using a batchfile (I mean it is possible on the command line). With REGEDIT I can change the contents of the registry, but not the security.
REGEDIT can be executed as a GUI application OR in a batchfile if you supply parameters.
The only way I found (and not yet fully tested) for such changes that cannot be done through batch files directly, is to use a scripting tool such as WinBatch or MsTest that can click and type for you. It works as the good old recorder, and you can launch a script from a batch file and wait for it to end:
In your batch file: START /WAIT MSTEST.EXE SCRIPT
I'm now trying to install a sound driver unattended using this method and it seems to work fine for such a simple case. Anyway, setting registry security might involve many mouse-clicks and is subject to a long recording&testing phase...
I just read a sentence from Bill Gates on ms web site: "Everything that can be done through the GUI can be automated using batch files or scripting languages..."
*LAUGH* He should have a look at his own products before speaking, or maybe he was (again) talking about CAIRO ?????
JMJ
ASKER
I think the macro way can not be done. If the registry changes, e.g. you get an additional branch in the tree, the macro would fail. Also this wouldn't run if there is no desktop, e.g. from an AUTOSTART.NT batch file.
I agree that there is no good scripting language in NT. There are more trivial things that can not be set. Try to configure a new user with a batch file. You can set all the password options and (most annoying) you can NOT set the drive letter for the home drive.
Regini is your answer. REGINI is a very simple command line utility to add or replace registry entries. It is invoked as
regini scriptfile
where scriptfile is a file containing one or more registry keys, values, and data. The key is specified on a line by itself in the format registry\<key>.
You can find regini in the NT resource kit and only there.
ASKER
Sorry matz, but I don't understand.
Of course I know about REGINI, but how to set the security permissions with this program? I do NOT want to set a Registry-Key, I want to set the access-permissions for an existing key (as I asked for).
Am I wrong? Can REGINI perform this?
ASKER CERTIFIED SOLUTION
ASKER
I do not have C or VB, I do have Perl which was supplied with the NT4.0 server resourcekit. I never wrote a perl-script so far. I even don't know how to use it. I have a PERL.EXE and a CMD32.EXE (and a PERL100.DLL).
I do not have a list of possible API-Calls (only Win16 supplied with Borland Pascal 7). Is there such a list on the Net?
If you could give me a Perl example it would be great.
I will give an answer soon.
SetValue
SetValue ($SubKey, $Type, $Value)
Here, $SubKey holds the subkey name. $Type specifies the type of value that has been predefined. $Value contains the value to be set.
That's how it can be done in Perl, or you can use API calls in Perl like this:

    # Create (or open) the key for the program
    NTRegCreateKeyEx( &HKEY_LOCAL_MACHINE, 'SOFTWARE\MyProg',
        &NULL, 'My Prog Name', &REG_OPTION_NON_VOLATILE, &KEY_ALL_ACCESS, &NULL,
        $hkey, $disposition ) ?
        &log( "Added key for My Prog NT Registry Database..\n" ) :
        &gripe( "Couldn't add key for My Prog to NT Registry Database!!\n" );
    if ( $disposition == &REG_OPENED_EXISTING_KEY ) {
        &gripe( "Key exists already, modifying existing key...\n" );
    }
    # Store the three directory values under the key
    NTRegSetValueEx( $hkey, 'BIN', &NULL, &REG_SZ, "$bindir" ) ?
        &log( "Adding $bindir to script path information\n" ) :
        &gripe( "Couldn't add script path to registry!!\n" );
    NTRegSetValueEx( $hkey, 'PRIVLIB', &NULL, &REG_SZ, "$libdir" ) ?
        &log( "Adding $libdir to library include path information\n" ) :
        &gripe( "Couldn't add library path to registry!!\n" );
    NTRegSetValueEx( $hkey, 'HTML-DOCS', &NULL, &REG_SZ, "$docdir" ) ?
        &log( "Adding $docdir to documentation directory\n" ) :
        &gripe( "Couldn't add documentation directory to registry!!\n" );
    NTRegCloseKey( $hkey );

    # Ask whether the search path should be modified (default is yes)
    $fred = 'foo bar baz';
    until ( $fred =~ /^(y|n)/i || $fred eq '' ) {
        print "Modify search path? [Y/n]";
        chop( $fred = <STDIN> );
    }
    unless ( $fred =~ /^n/i ) {
        if ( Win32::IsWinNT() ) {
            # On NT the system path lives in the session manager environment key
            NTRegOpenKeyEx( &HKEY_LOCAL_MACHINE,
                'SYSTEM\CurrentcontrolSet\control\Session Manager\Environment',
                &NULL, &KEY_ALL_ACCESS, $hkey ) ?
                &log( "Retrieving Path information from session manager\n" ) :
                &gripe( "Couldn't retrieve path information from session manager!!\n" );
            NTRegQueryValueEx( $hkey, 'Path', &NULL, $type, $pathstring );
            $pathstring =
                ".;$bindir;" . join( ';', grep( !/(perl|\.)/i, split( /;/, $pathstring ) ) ) . ";";
            NTRegSetValueEx( $hkey, 'Path', &NULL, $type, $pathstring ) ?
                &log( "Updated path information in session manager\n" ) :
                &gripe( "Couldn't update path information in session manager!!\n" );
            NTRegCloseKey( $hkey );
        }
        else { # must be win95, so update path in autoexec.bat
            &log( "Attempting to change path in autoexec.bat" );
            ( $bootdrive = $ENV{'windir'} ) =~ s|\\.*||g;
            &log( "bootdrive is $bootdrive\n" );
            open( ABAT, ">>$bootdrive\\autoexec.bat" ) ||
                &gripe( "Couldn't open $bootdrive\\autoexec.bat" );
            print ABAT "path %path%;$bindir;\n";
            close ABAT;
        }
    }
The APIs to use are:
Create extension key:

    RegCreateKeyEx( HKEY_CLASSES_ROOT, ".mdc", 0, "",
        REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS,
        NULL, &hKeyExt, &dwDisposition );

RegCreateKeyEx syntax:

    LONG RegCreateKeyEx( HKEY hKey, LPCTSTR lpszSubKey, DWORD dwReserved, LPSTR lpszClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition )

hKey: Key under which the new subkey is to be created.
lpszSubKey: LPCTSTR: Pointer to a null-terminated string containing the name of the new subkey. If it already exists, it will be opened.
dwReserved: DWORD: Set this value to null.
lpszClass: LPSTR: Pointer to a null-terminated string containing the name of the new class to be created. If it exists, it will be ignored.
dwOptions: DWORD: Special storage option.
    REG_OPTION_BACKUP_RESTORE: The samDesired parameter is ignored and the key is opened with the access required.
    REG_OPTION_VOLATILE: Data is kept in memory and not saved to disk.
    REG_OPTION_NON_VOLATILE: The data is not volatile but is saved to disk.
samDesired: REGSAM: The desired security access for the key. Can be a combination of:
    KEY_QUERY_VALUE: Allows subkey values to be queried
    KEY_ENUMERATE_SUB_KEYS: Allows enumeration of subkeys
    KEY_NOTIFY: Enables change notification (not Win95)
    KEY_CREATE_LINK: Allows creation of symbolic links
    KEY_SET_VALUE: Allows subkey values to be written
    KEY_CREATE_SUB_KEY
    KEY_EXECUTE: Allows execution
    KEY_READ: Mixes KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS and KEY_NOTIFY
    KEY_WRITE: Mixes KEY_SET_VALUE and KEY_CREATE_SUB_KEY
lpSecurityAttributes: LPSECURITY_ATTRIBUTES: The security attributes of the key. Specifying NULL indicates default security attributes. Default security attributes do not allow handles in one process to be inherited; the bInheritHandle member of the structure must be set to true. This parameter is ignored in Win95.
lpdwDisposition: LPDWORD: A pointer to a DWORD variable that indicates whether the subkey was created (REG_CREATED_NEW_KEY) or an existing subkey was opened (REG_OPENED_EXISTING_KEY).
Returns: LONG: If successful, ERROR_SUCCESS is returned; otherwise, an error code is returned.
ASKER
Thanx a lot for the information. It will take some time to get through :-))
You can make a program that does this.
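A present-day answer to the question asked in this thread, as an added example that is not part of any post above: on current Windows versions, PowerShell can change the permissions of an existing key from a script with Get-Acl and Set-Acl. The key path (its name borrowed from the Perl sample), the BUILTIN\Users principal and the function name are assumptions for illustration, and the script has to run elevated.

```powershell
# Added example (not from the thread): make an existing key read-only for one group.
$keyPath = 'HKLM:\SOFTWARE\MyProg'   # assumed key, name borrowed from the Perl sample
$group   = 'BUILTIN\Users'           # assumed principal

function Set-KeyReadOnlyForGroup {   # hypothetical helper name
    param([string]$Path, [string]$Group)

    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }

    # Step 1: stop inheriting from the parent key. The second argument ($true)
    # keeps the inherited entries as explicit copies, so nobody loses access
    # halfway through the change.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the ACL so the copied entries are explicit and removable,
    # drop everything the group had, and grant read access only.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)
    $ruleArgs = @(
        $Group,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting entries for the group so the caller can verify them.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group }
}

Set-KeyReadOnlyForGroup -Path $keyPath -Group $group |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
```

The two-step write matters: entries inherited from the parent cannot be removed until the key has been saved with inheritance turned off and its ACL read back.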