Jump to content


This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Photo

Registry permissions not being set


7 replies to this topic

Chelley

Chelley
  • Members
  • 43 posts

Posted 27 May 2005 - 08:48

Hi

I'm creating a registry hive that consists of many "levels". For each level it is required that Everyone be given Full control. For each level that has an actual value off of it, the permissions are set fine but for the other levels the permissions are not set.

Example

HKLM\SOFTWARE\Company Name\OASIS\Env\Application\...

So Company Name, OASIS and Env will not allow the permissions to be set but under Application where there's an actual string value it does set it. Is this just coincidence or what else could it be? And how can I get round it???

Michelle

mandy

mandy
  • Members
  • 121 posts

Posted 27 May 2005 - 08:59

Are you using the "LockPermissions" table?

This table has severe limitations that have lead to most people abandoning it in favour of custom actions. You may want to do the same?

The worst limitation is the fact it overwrites ACLs instead of editing them as it should.


Chelley

Chelley
  • Members
  • 43 posts

Posted 27 May 2005 - 13:25

No I'm not using the LockPermissions table. Just creating the registry keys and then right clicking on them and selecting permissions. This doesn't create a row in the Lockpermissions table that I can see

Michelle

mandy

mandy
  • Members
  • 121 posts

Posted 27 May 2005 - 14:37

You're doing this in the "Regedit" or "Installshield" interface?

I'm assuming you mean "Installshield", in which case I'd be surprised if it's not using the lockpermissions table - although I'm a WiseUser so what would I know!?


Chelley

Chelley
  • Members
  • 43 posts

Posted 27 May 2005 - 15:23

Installshield interface. And sorry you're right it is using the LockPermissions table.

it gives the keys the same registry lockpermission table key. maybe because they're the same??

I'm lost with this I have to say. All seems to behave funny. No strict rules

michelle

mandy

mandy
  • Members
  • 121 posts

Posted 27 May 2005 - 16:09

What don't you understand?

Installshield is populating the "LockPermissions" table which is documented here:

http://msdn.microsof...sions_table.asp

Just be aware that the following extract isn't true:

"...The installer attempts to preserve the security on objects that already exist on the system"

There are strict rules which are documented in the SDK here:

http://msdn.microsof..._start_page.asp



Chelley

Chelley
  • Members
  • 43 posts

Posted 27 May 2005 - 16:19

Thing is I don't want to preserve what is already there (permissions that is). If the registry is already there then the permissions might not be set as is required so it must overwrite the permissions that is already there.

The problem is regardless of whether the hive is already there or not, its only setting some of the permissions.

Michelle

mandy

mandy
  • Members
  • 121 posts

Posted 27 May 2005 - 16:51

This is exactly the issue that you're experiencing.

The top level keys already exist, and so do their ACLs. Because you're not explicitly setting permissions at every level, many levels are remaining the same.

In order to be sure that your permissions will be correct all the way from the top of the tree, you'd have to create registry table entry for each level to create the empty key ("+" in the name column and null in the Value column). Then you could explicitly set the permissions on those empty keys. This is a major headache if you have a large tree (unless you create a script to do this for you).

If the keys didn't already exist in the registry when you installed your package, the permissions would be set correctly.

You should probably use a custom action like most people do.

Here's a tool that might help:

http://setacl.sourceforge.net

Edited by mandy, 27 May 2005 - 16:53.