Reg command

Discussion in 'Windows Vista Security' started by Mike, Jul 13, 2007.

  1. Mike

    Mike Guest

    I am trying to load a user hive from a UNC path. When I do this I get access
    denied. I can do this from a Windows XP machine. If I copy the file locally
    I can then load the hive. What is preventing me from loading it through a UNC path?
    Mike, Jul 13, 2007
  2. Spenceation

    Spenceation Guest

    If you are running this on the command prompt, make sure you are using either
    the Run As command, or run the command prompt with admin privileges. UAC
    will not appear during the command prompt.
    Spenceation, Jul 13, 2007
  3. Mike

    Mike Guest

    I am running this with admin privileges. I turned off UAC as well. This
    problem is even reproduced with Regedit.

    Open Regedit and select HKLM
    Click File and Load Hive
    Navigate to an NTUSER.DAT file located on a network share
    Give the key a name and select OK.
    Access denied.

    Is this a new security feature with Vista and if so how do you undo it?
    Mike, Jul 13, 2007
  4. Spenceation

    Spenceation Guest

    Try running this command with the actual Administrator account; this account
    bypasses a lot of UAC and Vista restrictions.
    Spenceation, Jul 13, 2007
  5. Mike

    Mike Guest

    UAC is turned off

    Mike, Jul 13, 2007
  6. dean-dean

    dean-dean Guest

    For lack of a better idea, try this. Navigate to C:\Windows\ and
    right-click on regedit.exe. Choose Run as Administrator.
    dean-dean, Jul 13, 2007
  7. Mike

    Mike Guest

    Same result.

    I think it has something to do with a policy from somewhere. What I mean:
    I have a Vista and an XP machine in the same OU with the same policy being
    applied to them both. I can load a registry hive under XP but not Vista. I
    then made a RDP connection to a Vista machine off our domain. Opened Regedit
    and repeated the same steps and I can load the registry hive. Do you think
    it has anything to do with a trusted path that Vista looks at more closely
    than XP did?
    Mike, Jul 13, 2007
  8. Spenceation

    Spenceation Guest

    Are you trying to load this hive over the network? Vista does restrict
    certain registry paths from being edited remotely.

    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib

    These paths and their sub-paths are allowed to be remotely accessible. These
    settings are stored in the security settings of group policy under:
    Network Access: Remotely accessible registry paths and sub-paths
    Since the machines share the same OU, try running a Resultant Set of Policy to see
    if any settings differ. Also open Regedit, right-click on the hive that
    you are editing and select Permissions. The default permissions might be
    different on this machine due to the OUs or other reasons. If your account
    has permissions and you are locally logged in, you should be able to edit the
    registry without error.
    Spenceation, Jul 13, 2007
  9. Mike

    Mike Guest

    Not to be dense here but I can't find Computer Configuration\Windows
    Settings\Security Settings\Network Access Protection

    Under Security Settings
    -Account Policies
    -Local Policies
    -Windows Firewall with Advanced Security
    -Public Key Policies
    -Software Restriction Policies
    -IP Security Policies on Local Computer

    What am I missing?
    Mike, Jul 13, 2007
  10. Spenceation

    Spenceation Guest

    Go to Local Policies, then Security Options. The User Rights Assignment folder
    assigns rights to users, and Security Options enables or disables computer
    security settings.
    Spenceation, Jul 13, 2007
  11. Mike

    Mike Guest

    Found it. XP does not contain "Network access: Remotely accessible registry
    paths and subpaths". So this is probably blocking me. So if I understand
    this correctly, this list provides which keys can be edited when you load a
    hive. When a user's hive is loaded (NTUSER.DAT), is it then scanned to see
    if there isn't anything violating the list? If so, you get access denied?
    Mike, Jul 13, 2007
  12. Spenceation

    Spenceation Guest

    Correct. Any other registry hive will be blocked remotely if it isn't listed or a
    sub-path of a hive on that list. If you are applying this to
    multiple machines, try one first and then see the results. Hopefully this
    will fix it. Let me know; I'm curious if that is what is blocking it.
    Spenceation, Jul 13, 2007
  13. Mike

    Mike Guest

    I removed the entries from the list, thinking this would disable the
    setting. Same result. I then added back to the list the top-most keys of
    the hive (AppEvents, Console, Control Panel, Environment, Identities,
    Keyboard Layout, Printers, Software, UNICODE Program Groups) and again the
    same result. I still don't know if the setting is actually blocking me or
    not. I did do a gpupdate /force and restart between changes.
    Mike, Jul 13, 2007
  14. Spenceation

    Spenceation Guest

    Can you tell me what the error says word for word? And are there any events
    that pop up in the Event Viewer? Try loading another NTUSER.DAT file,
    preferably one that is new and almost blank.
    Spenceation, Jul 13, 2007
  15. Mike

    Mike Guest

    Sorry for taking so long to get back to you. The error states: "Cannot Load
    \\server\share\folder\NTUSER.DAT: Access is denied"

    This is after trying to load the hive. I did use process monitor to see
    what was happening and this is what it reports:

    28547 8:46:25.4002811 AM reg.exe 4832 RegLoadKey HKLM\test ACCESS DENIED
    Hive Path: UNC\Domain\Share\profiles\User\NTUSER.DAT
    32293 8:46:26.0527129 AM reg.exe 4832 QuerySecurityFile
    \\Domain\Share\Profiles\User\NTUSER.DAT ACCESS DENIED Information: DACL

    There are no error messages in the event log

    I will try and load another new NTUSER.DAT
    Mike, Jul 13, 2007
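
The following PowerShell script is an added diagnostic example; it is not from any poster in this thread and was not run against their environment. It reproduces, step by step, the checks the thread circles around: whether the token carries the backup and restore privileges a hive load requires (RegLoadKey needs SeBackupPrivilege and SeRestorePrivilege), whether the caller can read the file's DACL over the share (the same QuerySecurityFile operation that Process Monitor reports as ACCESS DENIED in post 15), what the "Remotely accessible registry paths" policy values on the machine actually contain (post 8 and post 13), and finally a reg.exe load of the UNC path followed by a load of a local copy, which post 1 says succeeds. The UNC path and the key name HKLM\test are placeholders taken from the thread; replace them with real values before running. Run it from an elevated PowerShell prompt.

```powershell
# Added diagnostic example, not code from the thread. Paths below are
# placeholders (assumption): replace $HivePath with the real share path.
param(
    [string]$HivePath = '\\server\share\folder\NTUSER.DAT',   # placeholder UNC path
    [string]$KeyName  = 'HKLM\test'                           # temporary key, as in post 15
)

# 1. A hive load needs SeBackupPrivilege and SeRestorePrivilege in the token.
#    whoami /priv only lists them for an elevated or built-in Administrator token.
$privs = whoami /priv 2>$null
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    $line = $privs | Where-Object { $_ -match "^$p\s" }
    if (-not $line) {
        Write-Warning "$p is not present in this token; run elevated."
    } else {
        # whoami separates columns with runs of spaces; the last column is the state.
        Write-Host ("{0,-20} {1}" -f $p, ($line -split '\s{2,}')[-1])
    }
}

# 2. Reproduce the QuerySecurityFile step from the Process Monitor trace:
#    reading the file's DACL over the share needs READ_CONTROL on the file.
#    Access denied here points at share/NTFS permissions, not at a registry policy.
try {
    $acl = Get-Acl -LiteralPath $HivePath -ErrorAction Stop
    Write-Host "DACL readable; owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} catch {
    Write-Warning "Cannot read the DACL of ${HivePath}: $($_.Exception.Message)"
}

# 3. Show what the two 'Network access: Remotely accessible registry paths'
#    policies resolved to on this machine. Both are REG_MULTI_SZ values named
#    Machine under the winreg key; 'AllowedExactPaths' is the exact-path list
#    and 'AllowedPaths' is the paths-and-sub-paths list.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
foreach ($sub in 'AllowedExactPaths', 'AllowedPaths') {
    $v = Get-ItemProperty -Path "$winreg\$sub" -Name Machine -ErrorAction SilentlyContinue
    Write-Host "`n$sub\Machine:"
    if ($v) { $v.Machine | ForEach-Object { "  $_" } } else { '  (not set)' }
}

# 4. Attempt the load the same way the thread did, with reg.exe, then unload.
$out = & reg.exe load $KeyName $HivePath 2>&1
Write-Host "`nreg load of UNC path: exit code $LASTEXITCODE : $out"
if ($LASTEXITCODE -eq 0) { & reg.exe unload $KeyName | Out-Null }

# 5. Compare with a local copy, which post 1 reports does load.
$local = Join-Path $env:TEMP 'NTUSER.copy.dat'
try {
    Copy-Item -LiteralPath $HivePath -Destination $local -ErrorAction Stop
    $out = & reg.exe load $KeyName $local 2>&1
    Write-Host "reg load of local copy: exit code $LASTEXITCODE : $out"
    if ($LASTEXITCODE -eq 0) { & reg.exe unload $KeyName | Out-Null }
} catch {
    Write-Warning "Could not copy the hive locally: $($_.Exception.Message)"
} finally {
    Remove-Item -LiteralPath $local -ErrorAction SilentlyContinue
}
```

Two caveats when reading the output. First, the winreg AllowedPaths and AllowedExactPaths lists govern which parts of this machine's registry a remote client may reach through the Remote Registry service (the winreg named pipe); they are consulted when someone connects to this machine's registry, so changing them, as post 13 did, is not expected to affect a local reg.exe loading a file that happens to live on a share. Second, the Process Monitor lines in post 15 show the denial on a security-descriptor read of the file itself, so if step 2 above is also denied, the place to look is the share permissions and the NTFS DACL on NTUSER.DAT (and whether the elevated token used for the load has a valid network logon to that server), before any registry policy.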
