I know how to reprogram user and group account permissions on file and folder level using the cacls.exe command. However I do not know how to do the same to the registry. If I were to export the registry and try and cacls.exe it, and then import it back in would that work or is there another trick?
Just curious, thanks!
#1
Posted 21 December 2008 - 05:24 AM
Malwarebytes Reseller
#2
Posted 21 December 2008 - 06:12 AM
Honestly, I usually just use Lunarsoft's Dial-a-fix (doesn't work on Vista though). Other than that, I think I have an .inf that you right click and install to allow access to regedit (if that's the problem).
edit: was just going through my toolkit and realized I forgot to mention subinacl, it's a wonderful little tool from MS (I just haven't had to use it in quite some time).
#3
Posted 21 December 2008 - 06:22 AM
I have been reading this article here http://support.microsoft.com/kb/264584
If someone here has experience on this I have a few questions, for example. It seems like it's kind of like using cacls commands.
My 1st question, do I need to deny the registry key first before I can allow it to be edited just like in cacls. My example
c:\windows\system32\cacls.exe dssenhn.dll /D everyone
then reboot
then c:\windows\system32\cacls.exe dssenhn.dll /G everyone:F
then del c:\windows\system32\dssenhn.dll
So if I'm reading this article right the command used to allow permission in the registry would go like this:
regini.exe -m \\localhost MyFix.txt HKEY_Local_Machine/Software/Classes/CLSID/8739BFA5-123A-498D-BA7E-73AD7D40B0D5/InproServer32/dssenhn.dll
Within the MyFix.txt if I were to change, let's say, the name of the file to like dssenhn2.dll would that work? And or if I list in the MyFix.txt
\Registry\Machine\Software\Classes\CLSID\8739BFA5-123A-498D-BA7E-73AD7D40B0D5\InproServer32 [1]
Does this seem like it should grant the admin account full control over this parent directory InproServer32?
I hope I'm making sense, I am not a programmer and editing the registry I know can be a pain. Any advice on this would be helpful. Thanks.
Malwarebytes Reseller
#4
Posted 21 December 2008 - 06:24 AM
exile360, on Dec 20 2008, 11:12 PM, said:
Honestly, I usually just use Lunarsoft's Dial-a-fix (doesn't work on Vista though). Other than that, I think I have an .inf that you right click and install to allow access to regedit (if that's the problem).
edit: was just going through my toolkit and realized I forgot to mention subinacl, it's a wonderful little tool from MS (I just haven't had to use it in quite some time).
Yes I used dialafix to repair the permissions, that still didn't work on the registry part, and or the cacls.exe was still being denied on that file.
Is the subinacl similar to dialafix repair permissions?
Malwarebytes Reseller
#5
Posted 21 December 2008 - 06:38 AM
Yes, it works in a similar way, except Dial-a-fix actually uses secedit, not subinacl, to do its work with permissions. Check this article if you want more info on using subinacl: http://blogs.msdn.com/astebner/archive/200...ermissions.aspx
#6
Posted 21 December 2008 - 06:54 AM
Ok I have read that and I have edited the user name to Owner as that's the user name I'm currently using. Here is what I have, does this look right, I want to be 100% before I continue as I know messing up permissions can really screw everything up
cd /d "%programfiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=Owner=f /setowner=administrators > %temp%\subinacl_output.txt
subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=Owner=f /setowner=administrators >> %temp%\subinacl_output.txt
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
subinacl /subdirectories %programfiles%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
subinacl /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
Malwarebytes Reseller
#7
Posted 21 December 2008 - 06:55 AM
Changing permissions in the registry is the same as in the file system. Easier in fact. You just right click on a key, and select 'Permissions'.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#8
Posted 21 December 2008 - 06:59 AM
Thanks but that's not working, the following Security warning comes up:
Unable to save permission changes on InproServer32
Access is denied
Malwarebytes Reseller
#9
Posted 21 December 2008 - 07:00 AM
Well, here's what my reset.txt file looks like:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
#10
Posted 21 December 2008 - 07:03 AM
Here's a quote from one of the MSDN guys:
Reset the entire registry permissions to defaults
Here is the detailed instruction on resetting the permissions for the whole registry. This was posted by Ken Zhao of Microsoft.
1. Download and install SubInACL.
2. Create a file named reset.cmd in the C:\Program Files\Windows Resource Kits\Tools folder.
3. Edit the reset.cmd file with the following content.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
4. Open a CMD prompt.
5. Enter the following commands one at a time and press Enter.
cd "C:\Program Files\Windows Resource Kits\Tools"
reset.cmd
6. After a few minutes of processing by subinacl, the permissions will be reset.
#11
Posted 21 December 2008 - 07:11 AM
Alrighty then thanks, going to give it a try now. I will post on the verdict after it's finished.
Malwarebytes Reseller
#12
Posted 21 December 2008 - 07:54 AM
Done: 54003 Modified 54000, failed 3, syntax errors 0
Last failed HKEY_Local_Machine/Software/Classes/CLSID/8739BFA5-123A-498D-BA7E-73AD7D40B0D5/InproServer32/
Dang, even that was denied!!!
This one is just being a big pain in the a$$.
Any ideas of what to try next...
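A check worth running on the one key the reset could not touch, as an added PowerShell example that is not from this thread: it reads the key's owner and ACEs and reports explicit Deny entries and whether BUILTIN\Administrators actually holds Full Control, which is what decides whether a regedit or subinacl permission change succeeds. $KeyPath is a placeholder for the real CLSID\InprocServer32 key and the function name is mine.

```powershell
# Added example, not from the thread. Reads a registry key's owner and DACL and
# reports what would make regedit (or subinacl /grant) fail with "Access is denied".
# $KeyPath is a constructed placeholder; put the real CLSID\InprocServer32 key here.
$KeyPath = 'HKLM:\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32'

function Get-RegistryKeyAclReport {
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    try {
        # Get-Acl needs READ_CONTROL on the key; a Deny ACE or a foreign owner can block even this.
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; Readable = $false; Error = $_.Exception.Message }
    }
    $deny = @(); $lines = @(); $adminsFull = $false
    foreach ($ace in $acl.Access) {
        $tag  = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $line = '{0,-5} {1,-30} {2} ({3})' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights, $tag
        $lines += $line
        if ($ace.AccessControlType -eq 'Deny') { $deny += $line }
        # Full Control only counts if every bit of FullControl is present in an Allow ACE.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            ($ace.RegistryRights -band $full) -eq $full) { $adminsFull = $true }
    }
    [pscustomobject]@{
        Path                  = $Path
        Readable              = $true
        Owner                 = $acl.Owner
        AdminsHaveFullControl = $adminsFull
        DenyEntries           = $deny
        AllEntries            = $lines
    }
}

$report = Get-RegistryKeyAclReport -Path $KeyPath
$report | Format-List
if (-not $report.Readable) {
    Write-Warning 'The DACL cannot even be read: ownership must be taken first (subinacl /setowner=administrators) before any /grant can apply.'
} elseif ($report.DenyEntries.Count -gt 0) {
    Write-Warning 'Explicit Deny entries win over Allow entries; a /grant alone will not clear them.'
} elseif (-not $report.AdminsHaveFullControl) {
    Write-Warning 'Administrators lack Full Control on this key; set the owner to Administrators, then grant.'
}
```

Run it from an elevated PowerShell prompt; the output also tells you whether the blocking ACE is inherited from the parent CLSID key or set explicitly on the key itself.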
Malwarebytes Reseller
#13
Posted 21 December 2008 - 08:14 AM
Not sure, but if the issue is deleting a key related to malware then you may be taking the wrong approach as it could be protecting its own keys. You could of course try RegAssassin: http://www.malwareby...regassassin.php but it's only useful if you're trying to delete a key, not modify it. But even then, if it's some sort of rootkit or trojan using a kernel mode driver, then I doubt anything besides Bart's or MS D.a.R.T. could get rid of it, and it may then just regenerate the key(s).
#14
Posted 21 December 2008 - 08:21 AM
exile360, on Dec 21 2008, 01:14 AM, said:
Not sure, but if the issue is deleting a key related to malware then you may be taking the wrong approach as it could be protecting it's own keys. You could of course try RegAssassin: http://www.malwareby...regassassin.php but it's only useful if you're trying to delete a key, not modify it. But even then, if it's some sort of rootkit or trojan using a kernel mode driver, then I doubt anything besides Bart's or MS D.a.R.T. could get rid of it, and it may then just regenerate the key(s).
Yes it's malware related and yes I want to delete the keys. I thought it may be a rootkit, however the following scans are not finding anything: McAfee Rootkit Detective, Avenger, ComboFix, AVG Internet Security rootkit scanner, all show up clean.
However, one thing I did find that's interesting, which may be housing the infection, is this: in Device Manager when viewing hidden devices under Non-Plug and Play Drivers there is a yellow ! on the AMD AGP Bus Filter Driver, and on the PartMgr, and on the VIA AGP Bus Filter, and on the ViaIde.
I have seen infections compromise the beep.sys driver, but I do not recall it showing a yellow ! over top of it, what do you think?
Malwarebytes Reseller
#15
Posted 21 December 2008 - 08:29 AM
Those drivers don't look like infections, and guessing by the drivers they are, there are probably resource conflicts between them and that's the reason for the exclamation mark. It might not be a rootkit, it could just be a trojan. I remember back in the day when Vundo and Zlob were monsters to get rid of that they would display similar tactics, guarding their registry keys without the use of a rootkit, and the only way to get rid of them would be to remove the file first, and then the keys in the registry (for some infections that order is reversed, of course). I was a professional PC tech back then, and there were no tools like MBAM that I could use to get rid of them, I had to do it all the old fashioned way and that usually meant slaving the drive to another PC to remove the files or using, as I said before, either a Bart's disc or MS D.a.R.T. to do it with the system offline.
#16
Posted 21 December 2008 - 08:37 AM
IT Expert, on Dec 21 2008, 03:21 AM, said:
I have seen infections compromise the beep.sys driver, but I do not recall it showing a yellow ! over top of it, what do you think?
Usually when beep.sys is an infection, it's in the wrong place.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#17
Posted 21 December 2008 - 08:43 AM
I just found these 2 threads: http://forum.hijackt...ad.php?p=246781
http://www.malwareby...?showtopic=8614
I would just wait and let the expert in our forum help you out (seeing as the thread in the other forum is closed), it looks like they're waiting for some logs to help you remove this.
#18
Posted 21 December 2008 - 07:38 PM
OK sounds good, I will hang tight and just wait it out, hopefully we can get a fix for it; if not I may have to do a reformat and OS install.
Malwarebytes Reseller