MSFN Forum: (Resolved) How do I integrate registry permissions (KB909520)? - MSFN Forum

Jump to content


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

(Resolved) How do I integrate registry permissions (KB909520)? I mean the [SecurityRegistryAfterInstall] section in the inf file. Rate Topic: -----

#1 User is offline   Explorer09 

  • Member
  • PipPip
  • Group: Members
  • Posts: 131
  • Joined: 12-September 11

Posted 15 December 2012 - 04:30 AM

In KB909520 (Base Smart Card Cryptographic Service Provider update), there's a section in the update_winxp.inf that sets the permission of a registry key.

[SecurityRegistryAfterInstall]

    "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
; x64 have this additional line:
;   "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"


Because I observed what permissions have changed, I can briefly explain what this string does:

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

  • Allow Read permission on 'LOCAL SERVICE'
  • Allow Read permission on 'Users'
  • Allow Read permission on 'Power Users'
  • Allow Full Control permission on 'Administrators'
  • Allow Full Control permission on 'SYSTEM'
  • Allow Full Control permission on 'CREATOR OWNER'

(EDIT: The string format is Security Descriptor Definition Language. For people who want to learn more, read this and this.)

Now here is my question: How do I integrate this permission change? (EDIT: Some people have confused about what I was asking, so let me say it again: I want to set the permissions of a registry key, not to modify a value entry.)

HFSLIP doesn't do anything about this, so in the slipstreamed Windows the key "HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" retains the original permission (that is, "inherit from the parent keys").

I didn't test this on nLite though.

Because I'm trying to integrate KB909520 without nLite or HFSLIP, I'm confused about what to do with this. I accept any method (batch scripts, INF file, etc.) as long as I don't have to put the entire "Windows-KB909520-v1.000-x86-ENU.exe" into my disc. Is that possble, and how?

Thank you.

Explorer09

This post has been edited by Explorer09: 17 January 2013 - 07:07 AM


#2 User is offline   tomasz86 

  • http://www.windows2000.tk
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 2,220
  • Joined: 27-November 10
  • OS:Windows 2000 Professional
  • Country: Country Flag

Posted 15 December 2012 - 09:43 AM

You may want to check this thread:

http://www.msfn.org/board/topic/158481-how-to-permanently-disable-driver-signing-during-windows-setup/

#3 User is offline   Explorer09 

  • Member
  • PipPip
  • Group: Members
  • Posts: 131
  • Joined: 12-September 11

Posted 16 December 2012 - 09:01 AM

Thanks to tomasz86 and the reference here, I made it working now:
INF AddReg Directive (Windows Drivers)

I forgot that it is possible to set the registry permissions by just using the AddReg directive in the INF file.

So here it is. Copy the code below, save it as an INF file, and use it as an HFSLIP addon:
[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
; For x64 please uncomment the line below:
; HKLM,"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards"

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

This post has been edited by Explorer09: 16 December 2012 - 09:10 AM

#4 User is offline   ykchanaed 

  • Junior
  • Pip
  • Group: Members
  • Posts: 90
  • Joined: 18-January 07

Posted 16 January 2013 - 08:00 AM

Should the INF file of the last post be:

Quote

[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"


And if it is an INF file , it is better to put it in HFSVCPACK folder.

This post has been edited by ykchanaed: 16 January 2013 - 08:12 AM

#5 User is offline   Explorer09 

  • Member
  • PipPip
  • Group: Members
  • Posts: 131
  • Joined: 12-September 11

Posted 16 January 2013 - 10:31 AM

View Postykchanaed, on 16 January 2013 - 08:00 AM, said:

Should the INF file of the last post be:

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"


If you write this way you'll modify a registry value entry. What I want is to set the permissions of a registry key, not to modify a value entry.
You should read some documents about the INF file, such as this:
INF AddReg Directive (Windows Drivers)

#6 User is offline   ykchanaed 

  • Junior
  • Pip
  • Group: Members
  • Posts: 90
  • Joined: 18-January 07

Posted 17 January 2013 - 06:00 AM

Then what is this section for?

Quote

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].

#7 User is offline   Explorer09 

  • Member
  • PipPip
  • Group: Members
  • Posts: 131
  • Joined: 12-September 11

Posted 17 January 2013 - 06:56 AM

View Postykchanaed, on 17 January 2013 - 06:00 AM, said:

Then what is this section for?

Quote

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].


When I told to Read the Manual, I really mean it. The URL I gave to you have described very well about what is the .security section.

Quote

http://msdn.microsof...0(v=vs.85).aspx
Each named add-registry section referenced by an AddReg directive has the following format:
[add-registry-section]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
 ...
[[add-registry-section.security]
"security-descriptor-string"]


An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.


Quote

http://msdn.microsof...0(v=vs.85).aspx
security-descriptor-string
Specifies a security descriptor, to be applied to all registry entries created by the named add-registry-section. The security-descriptor-string is a string with tokens to indicate the DACL (D:) security component.
If an add-registry-section.security section is not specified, registry entries inherit the security settings of the parent key.
If an add-registry-section.security section is specified, the following ACE's must be included so that installations and upgrades of devices and system service packs can occur:
  • (A;;GA;;;SY) − Grants all access to the local system.
  • (A;;GA;;;BA) − Grants all access to built-in administrators.

Do not specify ACE strings that grant write access to nonprivileged users.

This post has been edited by Explorer09: 17 January 2013 - 06:57 AM

#8 User is offline   ykchanaed 

  • Junior
  • Pip
  • Group: Members
  • Posts: 90
  • Joined: 18-January 07

Posted 18 January 2013 - 06:38 AM

Oh, thanks for your time to explain the details. :blushing:

That is really new to our newbies! :sneaky:

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

2 User(s) are reading this topic
0 members, 2 guests, 0 anonymous users



All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2013 msfn.org
Privacy Policy