Link to home
Start Free TrialLog in
Avatar of bigas_crane
bigas_crane

asked on

I need to deploy rights to hkcu/software/classes

In our environment we use a kiosk style machine that automatically logs in as a local user account.  I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes.  After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this.  Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key.  The only way I can make it work is to make the problem account a local administrator and then run subinacl.  I've also tried the SETACL.EXE command with similar outcomes.  Does anybody have a better way to do this?
Avatar of usachrisk1983
usachrisk1983
Flag of United States of America image

Each user that logs into the local machine has their own HKCU hive, could you be running into an issue where the user account you're using to install the software is not the local user you've setup for the kiosk?  

If you login as a local admin and then run subinacl, you'd be running it on the admins HKCU and not on the local users HKCU.
Avatar of bigas_crane
bigas_crane

ASKER

I understand this, that's why I'm using a scheduled task to run a subinacl batch file as the SYSTEM account while the local kiosk user is logged in (Just for test purposes for now, later I'll use deployment software to deploy the batch file across the enterprise).  I just don't understand why it keeps skipping over the one key I acutally want to change.  If I poing SUBINACL directly at hkcu/software/classes, it doesn't even recognize that it's there.
If you're running the tool as SYSTEM then you're using SYSTEM's registry hives which may not have a CLASSES key.  Getting back to your original question, have you verified manually (loading up regedit.exe and testing) that your local account doesn't have access to CLASSES?  By default, a local user would have full access to their own HKCU.  You might be digging too deep on a problem that could be solved more easily.
I have checked the permissions manually and verified that the kiosk user doesn't have access to the key.  It looks like the user account lost permissions when the image was sysprepped as there is a ghost SID in the permissions table.
Do you need to make this change for this one kiosk, or are you trying to engineer a solution for a whole bunch of kiosks?  If you need to fix just this one, here's what you do.

1. Reboot the Computer
2. Login as Local Admin
3. Drop to Command Prompt
4. Go to users profile folder (something like c:\documents and settings\kioskuser)
5. Type (no quotes): "reg load HKLM\_kiosk" ntuser.dat

Now, the kiosk users HKCU is loaded into your HKLM for you to modify.

6. Open the Registry Editor, browse to HKLM\_Kiosk\software\classes
7. Make appropriate security changes, close registry editor.
8. Return to command prompt
9. Type "reg unload HKLM\_Kiosk"

You've now changed the security on the kiosk user.
No, I need to change this on 2000 computers.   Also, hkcu/software/classes is derived from the usrclass.dat hive, not ntuser.dat.
ASKER CERTIFIED SOLUTION
Avatar of usachrisk1983
usachrisk1983
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
One other thing, is your java app being installed as an MSI?  If so, I wonder if elevating the privileges (through policy) for Windows Installer would alleviate the problem?  
Avatar of matrixnz
You could use something like AutoIT (Free Basic Scripting software), you can do a runas in interactive mode.  Basically exactly what you're doing with Scheduled Tasks but as a script.

Cheers