Setting permissions for parts of HKCU in Registry via script

All our users are Power Users, but we have a program that needs Modify access to these parts of the Registry, which a Power User cannot do, so at the minute said program is unusable.

HKCU\Control Panel\Desktop\MultiUILanguageId
HKCU\Control Panel\Desktop\MUILanguagePending
HKCU\Control Panel\International\Locale

I have looked at setting these via group policy, but apparently I can only use this feature to modify permission for HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CLASSES_ROOT.  I realise that the profile for every user is kept in HKEY_USERS, but changing this setting for every user that has ever logged onto that PC would require knowing the SID of every user, which isn't feasible.

If I understand it correctly, when a user logs on, the Registry profile of that user is copied from HKEY_USERS to HKEY_CURRENT_USER.  After this happens, is there no way of changing the permissions in HKEY_CURRENT_USER after logon, rather than changing HKEY_USERS before logon?

I would be looking to have this as some sort of command(s) that run in a Logon Script, so preferably batch commands, or VB Script.

Thanks
meirionwyllt (Senior Desktop Engineer) Asked:
 
johnb6767 Commented:
"If users have full access to HKCU does that mean that there is probably some other area of the registry (i.e. HKLM) that this program also uses?"

Process Monitor
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Set the filter at the top to Include "Result" is "Access Denied" then "Include", and then try and install/launch your app, and then look at the logging, and it will tell you where the permissions are restrictive. Once you open those up, keep retrying until you get the desired results....
 
Psy053 Commented:
Users should have full access to HKCU, do you have something blocking that access?
 
itsmeandnobodyelse Commented:
>>>> If I understand it correctly, when a user logs on, the Registry profile of that user is copied from HKEY_USERS to HKEY_CURRENT_USER.  

No, HKEY_USERS is only the default for new users. The HKCU is stored in Users database for each account at local computer.

You could use the regedit to add/update entries in the hkcu part of registry. Navigate to key in regedit and export the key to a .reg file   (use NT4 reg file format). Then edit the .reg file and reduce it to the keys and entries you want to update. Then distribute the .reg and  try

    regedit /s xxxx.reg

which should work.
 
TakedaT Commented:
The regini.exe tool that comes with the resource kit may be what you are looking for.  Here is a link to some documentation for it.

http://support.microsoft.com/kb/237607
 
johnb6767 Commented:
"No, HKEY_USERS is only the default for new users."

No, the OP is correct. That's not the Default User profile. That's stored as ntuser.dat under Docs and Settings\Default User.....

The .Default reg hive is the profile for the initial desktop/SYSTEM account.....
 
johnb6767 Commented:
Psy053 is right. Those subkeys should be inheriting from CURRENT_USER. The only keys that don't get full rights are the policies keys....

What problems are you having exactly?

If it were HKLM, you can use Subinacl.exe as a machine startup script. Can't do that with anything under HKCU, as the CU profile isn't loaded that early....
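
A read-only check for the situation discussed above, as an added example that is not part of the original thread: run as the affected user, it reports whether the keys behind the three entries from the question can be opened for writing and lists any Deny or non-inherited ACEs on them. It assumes each listed path is either a key or a value under its parent key; the function name `Test-HkcuWrite` is hypothetical.

```powershell
# Added example (not from the thread): can the current user write the keys
# behind the three entries in the question, and which ACEs stand out?
# Assumption: each path is either a key or a value under its parent key.
$entries = @(
    'Control Panel\Desktop\MultiUILanguageId',
    'Control Panel\Desktop\MUILanguagePending',
    'Control Panel\International\Locale'
)

function Test-HkcuWrite {   # hypothetical helper name
    param([string]$Entry)

    # Use the entry itself if it is a key, otherwise its parent key.
    $keyPath = $Entry
    if (-not (Test-Path -LiteralPath "HKCU:\$keyPath")) {
        $keyPath = $Entry.Substring(0, $Entry.LastIndexOf('\'))
    }

    $canWrite = $false
    $reason   = ''
    try {
        # Opening with writable = $true only requests access; nothing is changed.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($keyPath, $true)
        if ($null -ne $key) { $canWrite = $true; $key.Close() }
        else { $reason = 'key not found' }
    }
    catch { $reason = $_.Exception.GetBaseException().GetType().Name }

    # Deny ACEs and ACEs set directly on the key (not inherited) are what
    # would make a subkey behave differently from the rest of HKCU.
    $acl = Get-Acl -LiteralPath "HKCU:\$keyPath" -ErrorAction SilentlyContinue
    $flagged = @()
    if ($acl) {
        $flagged = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -or -not $_.IsInherited
        } | ForEach-Object {
            '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.RegistryRights
        })
    }

    [pscustomobject]@{
        Entry               = $Entry
        Key                 = "HKCU\$keyPath"
        CanWrite            = $canWrite
        Reason              = $reason
        InheritanceDisabled = if ($acl) { $acl.AreAccessRulesProtected } else { $null }
        FlaggedAces         = $flagged -join '; '
    }
}

$entries | ForEach-Object { Test-HkcuWrite -Entry $_ } | Format-List
```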
 
itsmeandnobodyelse Commented:

>>>> "No, HKEY_USERS is only the default for new users."
>>>> No, the OP is correct. That's not the Default User profile.

MSDN:
---------------------------------------------
HKEY_USERS
Registry entries subordinate to this key define the default user configuration for new users on the local computer and the user configuration for the current user.
----------------------------------------------

So it is the default profile for new users and the default for all keys not explicitly redefined for the current user.
 
johnb6767 Commented:
We can get into a barrage of link swapping, but the bottom line is that it is NOT the Default User Profile. I used to think that as well, until I started doing more research, into Customizing the Default User Profile, and exactly what that key does.

The .Default user is not the default user
http://blogs.msdn.com/oldnewthing/archive/2007/03/02/1786493.aspx

HKEY_Users Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU."

from http://support.microsoft.com/kb/256986

 
johnb6767 Commented:
How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows XP, or Windows Server 2003
http://support.microsoft.com/kb/959753/en-us

excerpt.....

The default local user profile files are located in the following folders.

Windows Vista, Windows Server 2008, and Windows Server 2008 R2
Drive_Letter:\Users\Default
Windows XP and Windows Server 2003, U.S. English editions
Drive_Letter:\Documents and Settings\Default User
Note The Drive_Letter placeholder is the drive on which you installed Windows.

Not the .Default key in HKU
 
meirionwyllt (Senior Desktop Engineer, Author) Commented:
Thanks for your replies.

I'm using software that changes the language of Windows/Office between Welsh and English at the click of a button.  It's worked great for us for years, but recent changes in policy have forced us to strip Local Admin privileges off the users, down to Power Users.  I recently contacted the Welsh Language Board (who make the software) and they informed me that it was only these three keys that were affected.

Psy053

Not that I'm aware.  If users have full access to HKCU does that mean that there is probably some other area of the registry (i.e. HKLM) that this program also uses?

itsmeandnobodyelse

But does this method work for changing permissions to the keys?  Rather than the values of the keys?

TakedaT

The Regini method has the same restriction, namely that it cannot change HKCU.

 
itsmeandnobodyelse Commented:
>>>> But does this method work for changing permissions to the keys?  Rather than the values of the keys?
As already told by others, normally all keys below hkcu can be changed without restrictions from the current user account. If you encounter problems when trying to change keys manually (regedit) or cannot add entries to existing keys using the current user account, you most probably have the same problems when importing via .reg files. But why not simply try it? Export a .reg file below HKCU\Environment and import the same .reg file from command line. If that works you probably can update other keys as well using that method.

Important!!! Add a restore point before making any changes to the registry.
 
meirionwyllt (Senior Desktop Engineer, Author) Commented:
My understanding of HKEY_USERS hive...

When a user logs in, Windows checks to see if that user already has a profile on the PC, i.e. if it's logged on previously.  If so, it finds the profile for that user in HKU under S-1-5-18 blah blah, and then copies this over to HKEY_CURRENT_USER at logon.  If the user has not logged onto the PC before, then Windows instead copies the profile in .DEFAULT over to HKCU.

Anyway, Process Monitor worked a treat, there was one place in HKLM that is also needed.  I sorted this with Group Policy to give full permissions to Domain Users to that part of the Registry.

Thanks.
 
johnb6767 Commented:
Correct except for this part.....

" If the user has not logged onto the PC before, then Windows instead copies the profile in .DEFAULT over to HKCU."

That's not where the Default User profile is held...... It is created from c:\Docs and Settings\Default User, and copied to their own profile folder. It is a very common misconception about that key......

Regardless, I am glad you're fixed.....
Question has a verified solution.
