I need to deploy rights to hkcu/software/classes

Posted on 2009-05-04
Medium Priority
Last Modified: 2013-12-12
In our environment we use a kiosk style machine that automatically logs in as a local user account.  I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes.  After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this.  Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key.  The only way I can make it work is to make the problem account a local administrator and then run subinacl.  I've also tried the SETACL.EXE command with similar outcomes.  Does anybody have a better way to do this?
Question by:bigas_crane
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 13

Expert Comment

ID: 24298641
Each user that logs into the local machine has their own HKCU hive, could you be running into an issue where the user account you're using to install the software is not the local user you've setup for the kiosk?  

If you login as a local admin and then run subinacl, you'd be running it on the admins HKCU and not on the local users HKCU.

Author Comment

ID: 24298845
I understand this, that's why I'm using a scheduled task to run a subinacl batch file as the SYSTEM account while the local kiosk user is logged in (Just for test purposes for now, later I'll use deployment software to deploy the batch file across the enterprise).  I just don't understand why it keeps skipping over the one key I acutally want to change.  If I poing SUBINACL directly at hkcu/software/classes, it doesn't even recognize that it's there.
LVL 13

Expert Comment

ID: 24298941
If you're running the tool as SYSTEM then you're using SYSTEM's registry hives which may not have a CLASSES key.  Getting back to your original question, have you verified manually (loading up regedit.exe and testing) that your local account doesn't have access to CLASSES?  By default, a local user would have full access to their own HKCU.  You might be digging too deep on a problem that could be solved more easily.
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more


Author Comment

ID: 24298985
I have checked the permissions manually and verified that the kiosk user doesn't have access to the key.  It looks like the user account lost permissions when the image was sysprepped as there is a ghost SID in the permissions table.
LVL 13

Expert Comment

ID: 24299056
Do you need to make this change for this one kiosk, or are you trying to engineer a solution for a whole bunch of kiosks?  If you need to fix just this one, here's what you do.

1. Reboot the Computer
2. Login as Local Admin
3. Drop to Command Prompt
4. Go to users profile folder (something like c:\documents and settings\kioskuser)
5. Type (no quotes): "reg load HKLM\_kiosk" ntuser.dat

Now, the kiosk users HKCU is loaded into your HKLM for you to modify.

6. Open the Registry Editor, browse to HKLM\_Kiosk\software\classes
7. Make appropriate security changes, close registry editor.
8. Return to command prompt
9. Type "reg unload HKLM\_Kiosk"

You've now changed the security on the kiosk user.

Author Comment

ID: 24299177
No, I need to change this on 2000 computers.   Also, hkcu/software/classes is derived from the usrclass.dat hive, not ntuser.dat.
LVL 13

Accepted Solution

usachrisk1983 earned 2000 total points
ID: 24299247
You're right, classes is it's own dat and not part of ntuser.dat, I apologize.  So, you'll need to script a solution that loads usrclass.dat then made the change, unless usrclass.dat was already loaded (user is logged in), in which case you'd need to get at it through HKEY_USERS.  

Happy to help you through that if it's not something you're familiar with.
LVL 13

Expert Comment

ID: 24299253
One other thing, is your java app being installed as an MSI?  If so, I wonder if elevating the privileges (through policy) for Windows Installer would alleviate the problem?  
LVL 29

Expert Comment

ID: 24324676
You could use something like AutoIT (Free Basic Scripting software), you can do a runas in interactive mode.  Basically exactly what you're doing with Scheduled Tasks but as a script.



Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
All of the resources available today make learning a new digital media easier than ever-- if you know where to begin. This is a clear, simple guide to a few of the basic digital art mediums and how to begin learning them on your own.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question