I need to deploy rights to hkcu/software/classes

Posted on 2009-05-04
Last Modified: 2013-12-12
In our environment we use a kiosk style machine that automatically logs in as a local user account.  I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes.  After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this.  Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key.  The only way I can make it work is to make the problem account a local administrator and then run subinacl.  I've also tried the SETACL.EXE command with similar outcomes.  Does anybody have a better way to do this?
Question by:bigas_crane
  • 5
  • 3
LVL 13

Expert Comment

ID: 24298641
Each user that logs into the local machine has their own HKCU hive, could you be running into an issue where the user account you're using to install the software is not the local user you've setup for the kiosk?  

If you login as a local admin and then run subinacl, you'd be running it on the admins HKCU and not on the local users HKCU.

Author Comment

ID: 24298845
I understand this, that's why I'm using a scheduled task to run a subinacl batch file as the SYSTEM account while the local kiosk user is logged in (Just for test purposes for now, later I'll use deployment software to deploy the batch file across the enterprise).  I just don't understand why it keeps skipping over the one key I acutally want to change.  If I poing SUBINACL directly at hkcu/software/classes, it doesn't even recognize that it's there.
LVL 13

Expert Comment

ID: 24298941
If you're running the tool as SYSTEM then you're using SYSTEM's registry hives which may not have a CLASSES key.  Getting back to your original question, have you verified manually (loading up regedit.exe and testing) that your local account doesn't have access to CLASSES?  By default, a local user would have full access to their own HKCU.  You might be digging too deep on a problem that could be solved more easily.

Author Comment

ID: 24298985
I have checked the permissions manually and verified that the kiosk user doesn't have access to the key.  It looks like the user account lost permissions when the image was sysprepped as there is a ghost SID in the permissions table.
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

LVL 13

Expert Comment

ID: 24299056
Do you need to make this change for this one kiosk, or are you trying to engineer a solution for a whole bunch of kiosks?  If you need to fix just this one, here's what you do.

1. Reboot the Computer
2. Login as Local Admin
3. Drop to Command Prompt
4. Go to users profile folder (something like c:\documents and settings\kioskuser)
5. Type (no quotes): "reg load HKLM\_kiosk" ntuser.dat

Now, the kiosk users HKCU is loaded into your HKLM for you to modify.

6. Open the Registry Editor, browse to HKLM\_Kiosk\software\classes
7. Make appropriate security changes, close registry editor.
8. Return to command prompt
9. Type "reg unload HKLM\_Kiosk"

You've now changed the security on the kiosk user.

Author Comment

ID: 24299177
No, I need to change this on 2000 computers.   Also, hkcu/software/classes is derived from the usrclass.dat hive, not ntuser.dat.
LVL 13

Accepted Solution

usachrisk1983 earned 500 total points
ID: 24299247
You're right, classes is it's own dat and not part of ntuser.dat, I apologize.  So, you'll need to script a solution that loads usrclass.dat then made the change, unless usrclass.dat was already loaded (user is logged in), in which case you'd need to get at it through HKEY_USERS.  

Happy to help you through that if it's not something you're familiar with.
LVL 13

Expert Comment

ID: 24299253
One other thing, is your java app being installed as an MSI?  If so, I wonder if elevating the privileges (through policy) for Windows Installer would alleviate the problem?  
LVL 29

Expert Comment

ID: 24324676
You could use something like AutoIT (Free Basic Scripting software), you can do a runas in interactive mode.  Basically exactly what you're doing with Scheduled Tasks but as a script.



Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

In our personal lives, we have well-designed consumer apps to delight us and make even the most complex transactions simple. Many enterprise applications, however, are a bit behind the times. For an enterprise app to be successful in today's tech wo…
In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
The viewer will learn how to set up a document for the web and print and the recommended PPI for printing.
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now