/RunElevated for all sections

SisterOfMercy
Posts: 1522
Joined: 22 Jun 2012, 19:18

Post by SisterOfMercy »

Some registry keys are owned by TrustedInstaller. With a workaround you can change registry keys that are 'protected' by TrustedInstaller. This involves creating a .bat file and running this with the RunFromToken program. This is a bit of a hassle.

Running a registry section elevated or with TrustedInstaller credentials might prevent messages like this in the log file, as these happen quite often:

Code:

[6] [Jul 04 21:08:29:786] [win7-settings]               Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]  opened
[6] [Jul 04 21:08:29:786] [win7-settings]                 Key closed
[6] [Jul 04 21:08:29:786] [win7-settings]                 Info: Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger\{2ff3e6b7-cb90-4700-9621-443f389734ed}]   could not be opened by RegOpenKeyEx,  Errorno 5 "Access is denied.<"
[6] [Jul 04 21:08:29:786] [win7-settings]                 Registry key [HKEY_LOCAL_MACHINE\]  opened
[5] [Jul 04 21:08:29:786] [win7-settings]                 Error: subkey "{2ff3e6b7-cb90-4700-9621-443f389734ed}" could not be deleted.  Errorcode 5. Message "Access is denied.<"
[6] [Jul 04 21:08:29:786] [win7-settings]                 Key closed
Please write in German when I'm responding in the German-speaking part of the forum!
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: /RunElevated for all sections

Post by n.wenselowski »

Hi,

thanks for the idea!

I will have to ask Detlef about the possibility of an implementation for this.


Kind regards

Niko

Code:

import OPSI
d.oertel
uib-Team
Posts: 3319
Joined: 04 Jun 2008, 14:27

Re: /RunElevated for all sections

Post by d.oertel »

Hi Sister,

/RunElevated means that opsi-script will start a sub process with a special permission token. This token increases some rights but also restricts some others (e.g. network access).
So it is not possible to just call a winapi function with elevated rights.

I do not expect that there will be a possibility to call a registry section elevated in the near future.

Workaround:
If you want to do this you need a separate program that calls this winapi function and then start this program with an elevated token.
Therefore it is possible to use a processCall function or winbatch section with /runElevated (which is internally the same) and call the reg.exe program with command line parameters to manipulate the registry elevated.

There are some feature requests for /runElevated for shellInAnIcon / shellCall / Execwith.
This is possible because a sub process will be started here.
But it will take a while because the implementation is totally different here.

cheers
detlef
opsi support - uib gmbh

For productive opsi installations we recommend support contracts.
http://www.uib.de
http://www.opsi.org
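
Added example, not code from the thread's participants or the opsi project: a Python script that reads an opsi-script log in the format shown in the first post, collects the registry keys that failed with error 5, and prints the reg.exe delete command lines that a winbatch section called with /RunElevated, as described in the workaround above, would run. The function names are this example's own, and the last sample log line is constructed.

```python
import re

# Sample log: the first three lines are from the first post, the last is constructed.
SAMPLE_LOG = r'''
[6] [Jul 04 21:08:29:786] [win7-settings]   Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]  opened
[6] [Jul 04 21:08:29:786] [win7-settings]   Info: Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger\{2ff3e6b7-cb90-4700-9621-443f389734ed}]   could not be opened by RegOpenKeyEx,  Errorno 5 "Access is denied.<"
[5] [Jul 04 21:08:29:786] [win7-settings]   Error: subkey "{2ff3e6b7-cb90-4700-9621-443f389734ed}" could not be deleted.  Errorcode 5. Message "Access is denied.<"
[6] [Jul 04 21:08:30:100] [win7-settings]   Info: Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Example\ReadOnly]   could not be opened by RegOpenKeyEx,  Errorno 5 "Access is denied.<"
'''

LINE = re.compile(r'^\[(\d+)\] \[([^\]]+)\] \[([^\]]+)\]\s+(.*)$')
OPEN_DENIED = re.compile(r'Registry key \[(.+?)\]\s+could not be opened by RegOpenKeyEx,\s+Errorno 5\b')
DELETE_DENIED = re.compile(r'subkey "(.+?)" could not be deleted\.\s+Errorcode 5\b')
ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}

def denied_keys(log_text):
    """Return {full key path: set of failed operations} for error 5 lines."""
    denied = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(4)
        if (o := OPEN_DENIED.search(msg)):
            denied.setdefault(o.group(1), set()).add("open")
        elif (d := DELETE_DENIED.search(msg)):
            # The delete message names only the subkey, so attach it to the
            # already-denied key whose last path component matches.
            for key in denied:
                if key.rsplit("\\", 1)[-1].lower() == d.group(1).lower():
                    denied[key].add("delete")
    return denied

def reg_delete_commands(denied):
    """Build reg.exe command lines for keys whose deletion was denied."""
    cmds = []
    for key, ops in sorted(denied.items()):
        if "delete" in ops:
            root, _, rest = key.partition("\\")
            cmds.append(f'reg.exe delete "{ROOTS.get(root, root)}\\{rest}" /f')
    return cmds

if __name__ == "__main__":
    for cmd in reg_delete_commands(denied_keys(SAMPLE_LOG)):
        print(cmd)
```

Keys that only failed to open are reported by `denied_keys` but get no command, since the log does not show what the script intended to do with them.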
SisterOfMercy
Posts: 1522
Joined: 22 Jun 2012, 19:18

Re: /RunElevated for all sections

Post by SisterOfMercy »

d.oertel wrote: Therefore it is possible to use a processCall function or winbatch section with /runElevated (which is internally the same) and call the reg.exe program with command line parameters to manipulate the registry elevated.
I'm not sure why I didn't think of that. Oh wait, probably because I also have stuff to do for every user.

Anyway, it might be workable like that (with winbatch). If you have to create a batch file for every step, this will make a script a bit longer and, more importantly, less readable. That's why a /RunElevated for the registry would be nice; everything for the registry is in the same section.