
/RunElevated for all sections

Posted: 04 Jul 2017, 23:51
by SisterOfMercy
Some registry keys are owned by TrustedInstaller. With a workaround you can change registry keys that are 'protected' by TrustedInstaller. This involves creating a .bat file and running this with the RunFromToken program. This is a bit of a hassle.

Running a registry section elevated or with TrustedInstaller credentials might prevent messages like this in the logfile, as these happen quite often:

Code:

[6] [Jul 04 21:08:29:786] [win7-settings]               Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]  opened
[6] [Jul 04 21:08:29:786] [win7-settings]                 Key closed
[6] [Jul 04 21:08:29:786] [win7-settings]                 Info: Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger\{2ff3e6b7-cb90-4700-9621-443f389734ed}]   could not be opened by RegOpenKeyEx,  Errorno 5 "Access is denied.<"
[6] [Jul 04 21:08:29:786] [win7-settings]                 Registry key [HKEY_LOCAL_MACHINE\]  opened
[5] [Jul 04 21:08:29:786] [win7-settings]                 Error: subkey "{2ff3e6b7-cb90-4700-9621-443f389734ed}" could not be deleted.  Errorcode 5. Message "Access is denied.<"
[6] [Jul 04 21:08:29:786] [win7-settings]                 Key closed

Re: /RunElevated for all sections

Posted: 11 Aug 2017, 14:05
by n.wenselowski
Hi,

thanks for the idea!

I will have to ask Detlef about the possibility of an implementation for this.


Kind regards

Niko

Re: /RunElevated for all sections

Posted: 13 Aug 2017, 17:39
by d.oertel
Hi Sister,

/RunElevated means that opsi-script will start a sub process with a special permission token. This token increases some rights but also restricts some others (e.g. network access).
So it is not possible to just call a winapi function with elevated rights.

I do not expect that there will be a possibility to call a registry section elevated in the near future.

Workaround:
If you want to do this you need a separate program that calls this winapi function and then start this program with an elevated token.
Therefore it is possible to use a processCall function or winbatch section with /runElevated (which is internally the same) and call the reg.exe program with command line parameters to manipulate the registry elevated.

There are some feature requests for /runElevated for shellInAnIcon / shellCall / Execwith.
This is possible because a sub process will be started here.
But it will take a while because the implementation is totally different here.

cheers
detlef
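
To see which keys a registry section could not touch, and so are candidates for the reg.exe workaround described in the post above, this added example (not part of the thread and not opsi code) scans an opsi-script log for error 5 entries. The regular expressions are assumptions derived from the log excerpt in the first post, and the sample log is constructed from that excerpt.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the log excerpt in the first post;
# the SOFTWARE\Example key is made up for contrast.
SAMPLE_LOG = r'''
[6] [Jul 04 21:08:29:786] [win7-settings]   Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]  opened
[6] [Jul 04 21:08:29:786] [win7-settings]     Info: Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger\{2ff3e6b7-cb90-4700-9621-443f389734ed}]   could not be opened by RegOpenKeyEx,  Errorno 5 "Access is denied.<"
[5] [Jul 04 21:08:29:786] [win7-settings]     Error: subkey "{2ff3e6b7-cb90-4700-9621-443f389734ed}" could not be deleted.  Errorcode 5. Message "Access is denied.<"
[6] [Jul 04 21:08:30:101] [win7-settings]   Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Example]  opened
[6] [Jul 04 21:08:30:101] [win7-settings]     Key closed
'''

# Assumed line layout: [level] [timestamp] [section] message
LINE = re.compile(r'^\[(\d+)\]\s+\[([^\]]+)\]\s+\[([^\]]+)\]\s+(.*)$')
OPEN_DENIED = re.compile(
    r'Registry key \[(.+?)\]\s+could not be opened by RegOpenKeyEx,\s+Errorno 5\b')
DELETE_DENIED = re.compile(r'subkey "([^"]+)" could not be deleted\.\s+Errorcode 5\b')


def denied_registry_keys(log_text):
    """Map each full key path that hit error 5 (access denied) to its
    script section and the operations that failed on it."""
    found = OrderedDict()
    last_denied = None  # most recent key whose open was denied
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _level, _timestamp, section, msg = m.groups()
        opened = OPEN_DENIED.search(msg)
        if opened:
            last_denied = opened.group(1)
            found.setdefault(last_denied, {"section": section, "failed": ["open"]})
            continue
        deleted = DELETE_DENIED.search(msg)
        # The delete error names only the subkey, so attach it to the
        # preceding denied open when the path ends with that subkey.
        if deleted and last_denied and last_denied.endswith("\\" + deleted.group(1)):
            found[last_denied]["failed"].append("delete")
    return found


if __name__ == "__main__":
    for key, info in denied_registry_keys(SAMPLE_LOG).items():
        print(f'{info["section"]}: {"+".join(info["failed"])} denied on {key}')
```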

Re: /RunElevated for all sections

Posted: 14 Aug 2017, 16:38
by SisterOfMercy
d.oertel wrote: Therefore it is possible to use a processCall function or winbatch section with /runElevated (which is internally the same) and call the reg.exe program with command line parameters to manipulate the registry elevated.


I'm not sure why I didn't think of that. Oh wait, probably because I also have stuff to do for every user.

Anyway, it might be workable like that (with winbatch). If you have to create a batch file for every step, this will make a script a bit longer and, more importantly, less readable. That's why a /RunElevated for the registry would be nice; everything for the registry is in the same section.