Link to home
Start Free TrialLog in
Avatar of ymilan
ymilan

asked on

Need Help with Windows 2003 .reg file

Hello,

I recieved the following registry information from another person to add to my Windows 2003 registry:

"MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",0,"D:PAR(A;CI;KA;;;BA)(A;;KR;;;BO)(A;CI;KR;;;S-1-5-19)"

The entry above is supposed to set the permissions for the winreg parameter in the registry.
I copied that information into a .reg file and tried to import it into the registry.  An error message popped up stating that the key selected is invalid.  I did some further research and noticed that the syntax of the reg file might be only for Windows 2000, not 2003.  I tried different variations such as adding brackets, etc., but nothing seems to work.

Any ideas as to how to properly format Windows 2003 permission settings for the registry would be most helpful and appreicated.  Thank you.
SOLUTION
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of ymilan
ymilan

ASKER

Hi Rich,

Actually there is a difference between Windows 2003 registry settings and some other versions of Windows.  I've researched this thoroughly.  This is because Windows 2003 Regedit is version 5, whereas Windows NT Regedit is version 4.  Version 5 is not backwards compatible with version 4, however (if specified correctly in the reg file) version 4 does work on Windows 2003. That is why the settings I received, which apparently were for version 4, did not work.  I put the text line:  REGEDIT4  at the top of the reg file and it was finally able to go through with no problems. Here is an exerpt from Microsoft that confirms what I am saying:

Syntax of .Reg Files
A .reg file has the following syntax:

RegistryEditorVersion
Blank line
[RegistryPath1]
"DataItemName1"="DataType1:DataValue1"
DataItemName2"="DataType2:DataValue2"
Blank line
[RegistryPath2]
"DataItemName3"="DataType3:DataValue3"

where:

RegistryEditorVersion is either "Windows Registry Editor Version 5.00" for Windows 2000, Windows XP, and Windows Server 2003, or "REGEDIT4" for Windows 98 and Windows NT 4.0. The "REGEDIT4" header also works on Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers.

Blank line is a blank line. This identifies the start of a new registry path. Each key or subkey is a new registry path. If you have several keys in your .reg file, blank lines can help you to examine and to troubleshoot the contents.

RegistryPathx is the path of the subkey that holds the first value you are importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash. For example:
[HKEY_LOCAL_ MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

Thanks for your comment.

Yvonne
 
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of ymilan

ASKER

To both Rich and ns_germany, thank you kindly for your answers.  I gave you both points for providing input to my question.  I hope this is ok with you.  The file I received from my colleague had more than just registry permissions for winreg.  It had permission settings for several registry keys, plus permission settings for systemroot\system32 files.  Looking further into the .reg file I was able to get working by adding the line REGEDIT4, I noted a flaw in how it sets the permissions for the system32 files.  It seems to update or rather add permissions, but not remove the ones already there.  I could be wrong, so I have to do some testing on perhaps one file, remove all permissions except for the administrator, then create a .reg file with the permission settings for just that file, then run it to see if it sets the permissions correctly.  For example, if I have permissions set on a file for administrators/full control, creator/read, and system/full control, and the .reg file denotes permissions administrators/full control and system/full control, but not giving any permissions to creator, the creator should be removed from the permissions while the administrators and system permissions should remain in tact.  This would be the best solution, but it is not working that way.  I just found an article on the net that states:

Option 1: Create or Export Registration Files
You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry. See the sidebar "A Registration File Drawback," for details about this limitation.) Format the registration file's contents as follows:

So, I cannot delete any existing permissions, but the file my colleage sent me had included a "0" after each key entry, so I thought that might "zero" out any existing settings.  In the following article:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/distreg.mspx

It states about 1/3 of the way down, that regini.exe can be used to set ACL permissions to keys and data items.  

In addition, the following site:

http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

indicates that you can use the type of syntax my colleage gave me to create security templates.  However, I think they are referring to .reg files and not .inf files, because I first tried an .inf extension on the info. my colleage gave me and tried to import it using Windows Security and Configuration Analysis tool for Windows 2003 and it wasn't recognizable.  Here is another article on the language specified in the previous article:

http://www.codeproject.com/win32/accessctrl1.asp

I haven't had any time to really look into this article, but it seems like this is pointing somewhere close to what I have received.  I just now have to figure out how to ensure that the existing permissions are in fact replaced with the new permissions, and no existing entries are left.  Any ideas or comments would be helpful.  This sounds like a bit of a challenge :>)

Yvonne
Yes, I did forget to mention that nt4 and win2k need "REGEDIT4" as opposed to 5 in xp and 2003.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\testing-key]
"testing"="12345"


I am finding that on XP Pro SP2, and 2003, the above does not work if the first line is REGEDIT4- rather than "Windows Registry Editor Version 5.00" (you can even use REGEDIT5 ,6 ,7 ,8 and higher, it won't complain- ) and will say its imported the file/values, but it has not, when the .reg file is double-clicked on.
On win2k sp6 using "REGEDIT5" it also says it's imported the values, however it has not. Using version 4 works on win2k.
M$ seems to be a bit vauge on the point in the KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;310516
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/appcom/apcappen.mspx (the same thing as the above)

The changes in XP and 2003's registry aren't in the registry itself really, but in the registry tools:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310426 (they've added a favorites, and a better way to administer inheiritable permissions)
(except in the 64-bit version of these OS's, the registry is a bit different, there is a 32bit version and a 64-bit version of key's when using the 64-bit version of xp or 2003)

Win2k, "Windows Registry Editor Version 5.00" works, but varying the number doesn't. But only "REGEDIT4" will work on 2000 if using that line as the first.
Same with 2003... regedit4 worked, but regedit5 doesn't HOWEVER "Windows Registry Editor Version 5.00" works, but varying the number doesn't.

Stick with REGEDIT4 and or Windows Registry Editor Version 5.00

This is what the file is supposed to be doing??
To control remote registry access, create the WinReg registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServer. The security permissions set on this key determine which users or groups can remotely access your registry.

You might want to use Secpol.msc instead, open it from the run line, and then go to "Local Policies > Security Options" find the key for "Network access: Remotely accessible registry paths"

-rich
Avatar of ymilan

ASKER

Rich,

Great comments!  Thank you.  I found a solution.  For registry and file permissions, one can make an .inf file instead of a .reg file, but place the following in the header for it to work:

[version]
signature=$CHICAGO$"
DriverVer=10/01/2002, 5.2.3790.0

Not sure if it definitely needs the DriverVer part though.  However, I did this and imported it via Security Configuration Manager for Windows 2003.  It removed the existing permissions and applied the new ones just fine.

Just an FYI.

Thanks again,

Yvonne