
(Resolved) How do I integrate registry permissions (KB909520)?


#1
Explorer09

Explorer09

    Member

  • Member
  • PipPip
  • 182 posts
  • Joined 12-September 11
In KB909520 (Base Smart Card Cryptographic Service Provider update), there's a section in the update_winxp.inf that sets the permission of a registry key.

[SecurityRegistryAfterInstall]

    "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
; x64 have this additional line:
;   "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Because I observed what permissions have changed, I can briefly explain what this string does:

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  • Allow Read permission on 'LOCAL SERVICE'
  • Allow Read permission on 'Users'
  • Allow Read permission on 'Power Users'
  • Allow Full Control permission on 'Administrators'
  • Allow Full Control permission on 'SYSTEM'
  • Allow Full Control permission on 'CREATOR OWNER'
(EDIT: The string format is Security Descriptor Definition Language. For people who want to learn more, read this and this.)

Now here is my question: How do I integrate this permission change? (EDIT: Some people have been confused about what I was asking, so let me say it again: I want to set the permissions of a registry key, not to modify a value entry.)

HFSLIP doesn't do anything about this, so in the slipstreamed Windows the key "HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" retains the original permission (that is, "inherit from the parent keys").

I didn't test this on nLite though.

Because I'm trying to integrate KB909520 without nLite or HFSLIP, I'm confused about what to do with this. I accept any method (batch scripts, INF file, etc.) as long as I don't have to put the entire "Windows-KB909520-v1.000-x86-ENU.exe" onto my disc. Is that possible, and how?

Thank you.

Explorer09

Edited by Explorer09, 17 January 2013 - 07:07 AM.




#2
tomasz86

tomasz86

    www.windows2000.tk

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,520 posts
  • Joined 27-November 10
  • OS:XP Pro x86
  • Country: Country Flag
You may want to check this thread:

http://www.msfn.org/board/topic/158481-how-to-permanently-disable-driver-signing-during-windows-setup/
Unofficial Service Pack 5.2 for MS Windows 2000 <- use this topic if you need help with UURollup, Update Rollup 2 and other unofficial packages

#3
Explorer09

Explorer09

    Member

  • Member
  • PipPip
  • 182 posts
  • Joined 12-September 11
Thanks to tomasz86 and the reference here, I got it working now:
INF AddReg Directive (Windows Drivers)

I forgot that it is possible to set the registry permissions by just using the AddReg directive in the INF file.

So here it is. Copy the code below, save it as an INF file, and use it as an HFSLIP addon:
[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
; For x64 please uncomment the line below:
; HKLM,"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards"

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Edited by Explorer09, 16 December 2012 - 09:10 AM.


#4
ykchanaed

ykchanaed

    Junior

  • Member
  • Pip
  • 94 posts
  • Joined 18-January 07
Should the INF file of the last post be:

[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"


And if it is an INF file, it is better to put it in the HFSVCPACK folder.

Edited by ykchanaed, 16 January 2013 - 08:12 AM.


#5
Explorer09

Explorer09

    Member

  • Member
  • PipPip
  • 182 posts
  • Joined 12-September 11

Should the INF file of the last post be:

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"


If you write it this way, you'll modify a registry value entry. What I want is to set the permissions of a registry key, not to modify a value entry.
You should read some documentation about the INF file, such as this:
INF AddReg Directive (Windows Drivers)

#6
ykchanaed

ykchanaed

    Junior

  • Member
  • Pip
  • 94 posts
  • Joined 18-January 07
Then what is this section for?

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].

#7
Explorer09

Explorer09

    Member

  • Member
  • PipPip
  • 182 posts
  • Joined 12-September 11

Then what is this section for?

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].


When I told you to Read the Manual, I really mean it. The URL I gave you describes very well what the .security section is.

http://msdn.microsof...0(v=vs.85).aspx
Each named add-registry section referenced by an AddReg directive has the following format:

[add-registry-section]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
 ...
[[add-registry-section.security]
"security-descriptor-string"]

An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.


http://msdn.microsof...0(v=vs.85).aspx
security-descriptor-string
Specifies a security descriptor, to be applied to all registry entries created by the named add-registry-section. The security-descriptor-string is a string with tokens to indicate the DACL (D:) security component.
If an add-registry-section.security section is not specified, registry entries inherit the security settings of the parent key.
If an add-registry-section.security section is specified, the following ACE's must be included so that installations and upgrades of devices and system service packs can occur:

  • (A;;GA;;;SY) − Grants all access to the local system.
  • (A;;GA;;;BA) − Grants all access to built-in administrators.
Do not specify ACE strings that grant write access to nonprivileged users.


Edited by Explorer09, 17 January 2013 - 06:57 AM.
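
The SDDL string decoded in post #1 and the two AddReg .security rules quoted in post #7, as an added example that is not part of the original thread or of Microsoft's documentation: a small Python parser for the DACL component, plus a check for the required SY/BA ACEs and for write access granted to nonprivileged trustees. The function names, the NONPRIVILEGED set and BAD_SDDL are assumptions constructed for illustration.

```python
import re

# SDDL abbreviations used in the thread's string (subset of the full tables).
SIDS = {"LS": "LOCAL SERVICE", "BU": "Users", "PU": "Power Users",
        "BA": "Administrators", "SY": "SYSTEM", "CO": "CREATOR OWNER"}
RIGHTS = {"GA": "Full Control", "GR": "Read", "GW": "Write", "GX": "Execute"}
NONPRIVILEGED = {"BU", "PU", "LS", "WD", "AU"}  # assumption made for this example
WRITE_RIGHTS = {"GA", "GW", "KA", "KW"}  # generic and registry-key all/write

PAGE_SDDL = ("D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)"
             "(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)")
BAD_SDDL = "D:P(A;CI;GA;;;BA)(A;CI;GRGW;;;BU)"  # constructed: no SY, Users write

def parse_dacl(sddl):
    """Split the D: component into (dacl_flags, list of ACE dicts)."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component with ACEs")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have 6 fields: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({"type": ace_type, "flags": flags, "sid": sid,
                     "rights": re.findall(r"0x[0-9A-Fa-f]+|[A-Z]{2}", rights)})
    return m.group(1), aces

def describe(sddl):
    """Render each ACE in the style of the bullet list in post #1."""
    out = []
    for a in parse_dacl(sddl)[1]:
        verb = {"A": "Allow", "D": "Deny"}.get(a["type"], a["type"])
        rights = "+".join(RIGHTS.get(r, r) for r in a["rights"])
        out.append("%s %s for %s" % (verb, rights, SIDS.get(a["sid"], a["sid"])))
    return out

def audit(sddl):
    """Apply the two .security rules quoted in post #7 (hex masks not decoded)."""
    allow = [a for a in parse_dacl(sddl)[1] if a["type"] == "A"]
    findings = ["missing GA for " + s for s in ("SY", "BA")
                if not any(a["sid"] == s and "GA" in a["rights"] for a in allow)]
    for a in allow:
        if a["sid"] in NONPRIVILEGED and WRITE_RIGHTS & set(a["rights"]):
            findings.append("write access for nonprivileged " + a["sid"])
    return findings

if __name__ == "__main__":
    print("\n".join(describe(PAGE_SDDL)), audit(PAGE_SDDL), audit(BAD_SDDL))
```
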


#8
ykchanaed

ykchanaed

    Junior

  • Member
  • Pip
  • 94 posts
  • Joined 18-January 07
Oh, thanks for your time to explain the details. :blushing:

That is really new to our newbies! :sneaky:



