• Status: Solved

Administrator account does not have access to some files and registry entries

I'm running Windows XP Pro Service Pack 3 with all updates from Windows Updates. I have renamed the built-in Administrator account for security and also changed the password to a strong password. This account has always been in the Administrators user group. After doing this I created a user account named Administrator (as suggested by many security sites) and disabled this account. Both of these actions were performed shortly after the OS installation which was long before this problem started.

After researching this problem on the web, somebody had suggested to another person to verify the security setting "Accounts: Administrator account status" was set to Enabled. I decided to double-check on my machine, and amazingly that setting was set to Disabled. I promise you I did not change that setting to Disabled!! I immediately changed the setting back to Enabled via Safe Mode. I'm guessing that my problem started when the setting was somehow changed to Disabled.

However I'm still getting the "Access denied" message when trying to change permissions on SOME files even though the Administrators group has the Full Control permission on the file, the owner of the file is either the Administrators group or the Administrator (MachineName/RenamedAdministratorName).

Also I'm getting the same error message while trying to change any String Value of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. This key has the same sort of permissions that the above files do. However I can add/modify other String Values in different keys with the EXACT same permissions. Obviously this can cause problems when installing software that must write an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

I'm totally confused!! I've never had this problem on other machines. Any suggestion on fixing this problem would be greatly appreciated!! Along with an additional 500 points.

Asked by: robear7nt

johnb6767 Commented:
Try to re-inherit permissions from the parents, and apply them to all child objects... then see if you get different results..

Sure the pc is free of malware and rootkits?

robear7nt (Author) Commented:
yes, pc is free of virus & malware.

i tried that early on, still got the denied error  :-(

johnb6767 Commented:
http://support.microsoft.com/kb/313222

Might wanna go this route, if no other admin accounts work....

-tjs Commented:
I would first double- or triple-check whether the account you are currently using still is the actual administrator account after the renamings and policy-toggling.  Download a tool called "psgetsid" from technet.microsoft.com/sysinternals and from a command prompt type "psgetsid <the name of the account you are currently logged-in as>" without the <>.  If the SID does not end in -500, then this is not or is no longer the actual administrator account.  The administrator account SID looks like S-1-5-21-[your computer SID here]-500.  If the SID ends in something else, like -1001 or something, copy the whole SID string and replace the last bit with -500 and type "psgetsid <your new string ending in -500>" at a command prompt to reveal the username of the administrator account.
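
The same RID check can be made for every local account at once, which also covers the setup described in the question (a renamed built-in account plus a disabled look-alike named Administrator). This is an added PowerShell example, not part of the original thread; it assumes PowerShell 2.0 or later is installed and reads account data through WMI.

```powershell
# Added example, not from the thread: classify local accounts by RID so that a
# renamed built-in Administrator and a decoy named "Administrator" are told apart.
$builtinAdmin = '^S-1-5-21-\d+-\d+-\d+-500$'   # machine SID followed by RID 500

$report = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object {
        if ($_.SID -match $builtinAdmin) {
            $role = 'built-in Administrator (RID 500)'
        } elseif ($_.Name -eq 'Administrator') {
            $role = 'decoy: named Administrator, not RID 500'
        } else {
            $role = 'ordinary account'
        }
        New-Object PSObject -Property @{
            Name = $_.Name; SID = $_.SID; Disabled = $_.Disabled; Role = $role
        }
    }
$report | Format-Table Name, Role, Disabled, SID -AutoSize

# Compare the account running this session against the RID-500 account.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

"Current user            : {0} ({1})" -f $me.Name, $me.User.Value
"Current user is RID 500 : {0}" -f ($me.User.Value -match $builtinAdmin)
"In Administrators group : {0}" -f $principal.IsInRole($adminRole)
```

The Disabled column shows the per-account state that the "Accounts: Administrator account status" policy controls for the RID 500 account.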

robear7nt (Author) Commented:
johnb6767,

i saw that page during my web search. sounds like a solution i'd rather not try until no other solution is determined.

thx john  :-)

robear7nt (Author) Commented:
-tjs,

i use several sysinternals programs for sys. info, etc.  they are great tools. i have not used this group of tools before, also nice tools.

the psgetsid shows -500 at the end. and then said the account was the Administrator account.

great tip though!

thx -tjs

edbedb Commented:
I have run into this problem several times. I took care of it using the procedure described here.
http://www.windowsreference.com/security/reset-the-entire-registry-permissions-to-defaults/

NOTE: You have to RUN the downloaded subinacl.msi file.
You might want to omit the Registry reset commands and just use the two referring to the %SystemDrive%

Adam Leinss Commented:
If it is owned by the SYSTEM account, that could be the issue. Bouncing off of tjs' comment, there is a program called psexec within the Sysinternals PsTools suite.  Try running psexec -s regedit and then see if you can change the registry permissions.  This will run regedit under the SYSTEM account.

The same can be accomplished with cacls for file permissions.  Run psexec -s cmd which will run a command prompt under SYSTEM, then use cacls to change the permissions of the files.

rajkumartech Commented:
Take the ownership of the parent folder and apply ownership to all subfolders and files and then try.

robear7nt (Author) Commented:
rajkumartech,

i tried that first thing in trying to resolve this problem. i still received the "access denied" error message.

Thx raj

robear7nt (Author) Commented:
edbedb,

i gave your solution a try!

unfortunately, i saw that it failed on the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. i tried editing that key again and still got the access denied error.

great tip though!

thx ed

edbedb Commented:
I only used it a few times but it did the trick every time. Have you tried it in Safe Mode under the Admin account?

Other than that, the only thing I can think of is that it is being blocked by still active malware or maybe your protection software.

robear7nt (Author) Commented:
aleinss,

the owner of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key is Administrators.

i tried running psexec -s regedit anyway, but nothing happened except showing the copyright info???

i always wondered if you could run a program under the SYSTEM account, now i know how!  great tip!

thx aleinss

Adam Leinss Commented:
There is an initial EULA that you need to agree to, otherwise it should work.

Try psexec -s -i regedit.  -i stands for interactive.  Looks like I left it off in the original post.

robear7nt (Author) Commented:
edbedb,

I tried running regedit in Safe Mode under the Admin account. That allowed me to successfully change the permissions on the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and modify String Values under the key!  yeah!

however when i booted back up and logged in as the Administrator account i could NOT make any changes to the key because of the "access denied" error.

what in the world is happening?? i'm getting all these great solutions but none of them are working. maybe the results from ed's solution will shed some more light on what the problem is.

thx ed



robear7nt (Author) Commented:
aleinss,

right, i accepted the initial EULA the first time i ran any of the tools.

the psexec -s -i regedit command worked this time!! however when i tried to add a String Value under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, i get a "Cannot create value: Error writing to the registry." error message.  when i try to modify an existing String Value's data i get "Cannot edit <String Value Name>: Error writing the value's new contents".

Why would it work under Safe Mode and not normal mode???

thx aleinss

Adam Leinss Commented:
I think edbedb hit it on the head.  You have a piece of software loading in normal mode that is blocking the access.  This sounds like security software.  If you have anything like McAfee software loaded, I would uninstall it and then see if you get a different result.

edbedb Commented:
Could you do a scan with Hijackthis then post back with the log so we can get some idea of what's running on your computer? You can get it here.
http://free.antivirus.com/hijackthis/

robear7nt (Author) Commented:
aleinss & edbedb,

OMG!!!  YOU FOUND THE SOLUTION!!!  THANK YOU  BOTH!!!

i disabled ZoneAlarm Pro (firewall only version) and ESET NOD32 Antivirus 5 (antivirus only version) and EVERYTHING was fixed!!

now i'll have to figure out which one is causing the problem!!  must be ESET because i upgraded from version 4 to version 5 recently. just have to figure out what setting causes it.

YOU GUYS ARE THE BEST!!!  Thanks to everybody for your time and trouble on helping me with this issue as i was pulling my hair out. I'M ONE HAPPY CAMPER!

robear7nt (Author) Commented:
I promised you guys an additional 500 points for the solution, but it will not let me. i was sure i had awarded additional points before. i learned a lesson on selecting the amount of points. sigh. if there is a way to give y'all points, let me know! sorry

Adam Leinss Commented:
Spyware loves to dump "treasures" in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so it always runs on startup, so ESET must be protecting that and other autorun keys.  I wouldn't turn that feature off per se: I would just disable ESET and modify the Run key and then re-enable ESET when you are done making changes.

edbedb Commented:
I knew from the beginning that you could not assign extra points. In any case your thanks and appreciation are worth way more to me. I am glad we were able to help.

robear7nt (Author) Commented:
For future reference:

surprisingly, it was ZoneAlarm Pro. here are the settings to fix the program from the main ZoneAlarm Pro screen: Computer -> Advanced Settings -> OSFirewall -> Enable OS Firewall -> Allow: Change which programs load at startup, Allow: Change the hosts file (only when you wish to edit the hosts file).

IMHO, ZoneAlarm is no longer the best software firewall.
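
The symptom in this thread (permissions that look correct, writes that still fail in normal mode) can be confirmed directly by comparing what the Run key's ACL grants with what a real write does. This is an added PowerShell example, not part of the original thread; the probe value name is hypothetical, only the Administrators group's entries are inspected, and it must be run from an administrator session.

```powershell
# Added diagnostic example (not from the thread): compare the Run key's ACL with
# the result of an actual write.
$path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$probe     = 'AclProbe-DeleteMe'   # hypothetical value name, removed again below
$adminsSid = 'S-1-5-32-544'        # well-known SID of BUILTIN\Administrators
$setValue  = [System.Security.AccessControl.RegistryRights]::SetValue
$sidType   = [System.Security.Principal.SecurityIdentifier]

# 1. What the ACL says: does Administrators hold SetValue, with no Deny entry?
$rules = (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)
$aclAllows = $false
foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $adminsSid) { continue }
    if (-not ($rule.RegistryRights -band $setValue))  { continue }
    if ($rule.AccessControlType -eq 'Deny') { $aclAllows = $false; break }
    $aclAllows = $true
}

# 2. What actually happens: create an empty string value, then remove it.
$writeOk = $false
$writeError = $null
try {
    New-ItemProperty -Path $path -Name $probe -Value '' -PropertyType String -ErrorAction Stop | Out-Null
    $writeOk = $true
} catch {
    $writeError = $_.Exception.Message
} finally {
    Remove-ItemProperty -Path $path -Name $probe -ErrorAction SilentlyContinue
}

# 3. Interpretation.
if ($aclAllows -and $writeOk) {
    'ACL allows the write and the write succeeded: nothing is interfering.'
} elseif ($aclAllows) {
    "ACL allows the write but it failed: $writeError"
    'The block is not in the permissions; check security software that guards startup entries.'
} elseif ($writeOk) {
    'Write succeeded through a right not granted to Administrators directly.'
} else {
    "ACL does not grant Administrators SetValue and the write failed: $writeError"
}
```

If the second branch is reported in normal mode but not in Safe Mode, the result matches what the thread found.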
 