Fun with AccessEnum


GrofLuigi

I've been experimenting with permissions for quite some time and I would like to share a method that led me to quite a nice speedup (on several computers).

It's about XP SP2 where the only user is THE ADMINISTRATOR (or possibly any other administrator) and that user has solved the issue of security in any way he deemed and verified suitable, so the security implications of this method would not jeopardize the machine. So from now on, let's assume that the user has no concerns about security and only worries about how to speed up his/her machine to the highest level possible.

The goal of this method is to equalize security restrictions (not necessarily to minimize them) in order to shorten the code path as much as possible. What this means is, we want to have the fewest exceptions we can allow.

In the past, I experimented with NTFS and registry permissions a lot, but always came to a point when I rendered my computer unusable due to 'overzealousness' or 'forgetting myself' and digging too deep. This time I found the perfect solution:

DON'T EVER GO TO THE ROOT LEVEL OF ANYTHING, BUT STOP ONE LEVEL BELOW IT. START/WORK FROM THERE.

When you see any object that has different permissions from its parent (excluding the root level), you invoke its properties and in the security tab click the "advanced" button and there check the boxes that say "Inherit from parent..." and "Replace permissions on all child objects..."; additionally, in the upper listview, check if any item says "not inherited" and remove it.

Of course, your common sense applies. No two machines are identical and there are some objects that have a legitimate excuse to differ from others. The most common I've encountered are those related to MSI (Microsoft Installer) which, depending on the subversion, wants to grant "Everyone" access to some objects. Understandable, having in mind the problems it had with Windows Update some time ago. :lol: Then, there are some "protections" which are laughable if they rely on security tokens, but some can be quite nasty if poked (StarForce and kin, but I never had those, so I don't really know).

Then, there are odd ones that give wanton permissions to everyone (I've noticed with parts of Adobe applications). I guess that's how they overcome the problems with apps not working/installing after the 'great tightening of security' in XP SP2. It doesn't matter, because you're already administrator and have all the rights you want.

So let's try it:

When AccessEnum is started, it can scan both drives and the registry. Let's start with drives:

Click "Directory", select your drive and "Scan" it. Every time you see an object in the listview, after the scan has finished, right-click on it, select "properties", "security" tab of the dialog that pops up, and "advanced" button. Then refer to the paragraph I wrote above (below the one in capital letters).

Any non-bootable partition can be excluded from the rule printed with capital letters above and just have permissions set on the top level. It makes life easier.

For the bootable drive, remember not to touch permissions on the drive itself or on any of the top-level directories. Below that, feel free to equalize everything.

The same applies to the registry: Scan each of the branches (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG), but don't touch THEIR permissions. You can expect some 'stubborn' entries: locked by some process, recreated on reboot (most notorious: group policy entries), or some rare ones that you will need to 'take ownership' of. If any of them 'resists' too hard, don't push it! Leave it alone and investigate later.

So, you 'equalize' most of them, say a prayer and reboot - you can expect nice 'snappiness' of the operating system.

Bonus: there are some entries that get written all the time (user tracking/instrumentation/adaptive menus etc.) which I treat 'the reverse way': remove the rights of "Everyone" to SetValue/Create Subkey. Examples: ShellNoRoam/MuiCache; Explorer\StartPage; App Management\ARPCache... There is a nice speedup in there too. :)

And please remember, I never said this would be easy or quick! (meaning: if you find too many entries, don't blame me!)

And as a final thought, this method could possibly be scripted with subinacl or similar tools, but it would take a much smarter person than me. ;)

DISCLAIMER: SECURITY RESTRICTIONS EXIST FOR A REASON AND ALTHOUGH I DON'T KNOW MICROSOFT'S OFFICIAL POSITION ON THAT, I'M SURE THEY WOULD NOT BE TOO HAPPY WITH SOMEONE MESSING WITH THEM. ADDITIONALLY, YOU COULD VERY EASILY B0RK YOUR SYSTEM.

GL
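Added example, not part of GrofLuigi's post: the AccessEnum scan, the "Inherit from parent" / delete "not inherited" routine, the "stop one level below the root" rule and the bonus step, as a PowerShell 2.0+ script using Get-Acl/Set-Acl instead of subinacl. It assumes it is run by an administrator; the paths in the usage lines at the bottom (including the MUICache key) are illustrative, not taken from the post. It works on FileSystem and Registry provider paths alike.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+ and an
# administrator session; the paths in the usage lines are illustrative.

# Equivalent of the AccessEnum scan: every descendant of $Root whose DACL differs
# from its parent, either because inheritance is switched off or because it has
# an entry the Security tab would list as "not inherited". $Root itself is not
# reported, so pointing this at a top-level directory or hive key leaves it alone.
function Get-AclDeviation {
    param([Parameter(Mandatory=$true)][string]$Root)

    foreach ($item in Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue) {
        try {
            $acl = Get-Acl -Path $item.PSPath -ErrorAction Stop
        } catch {
            # Locked, access denied or ownership needed: report it, don't push it.
            New-Object PSObject -Property @{ Path = $item.PSPath; Problem = "unreadable: $($_.Exception.Message)"; Explicit = '' }
            continue
        }
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            $problem = 'explicit ACEs'
            if ($acl.AreAccessRulesProtected) { $problem = 'inheritance disabled' }
            New-Object PSObject -Property @{
                Path     = $item.PSPath
                Problem  = $problem
                Explicit = ($explicit | ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType)" }) -join ', '
            }
        }
    }
}

# Equivalent of ticking "Inherit from parent..." and deleting every row marked
# "not inherited" on one object. Windows re-propagates the parent's inheritable
# entries when the ACL is written back.
function Reset-AclToParent {
    param([Parameter(Mandatory=$true)][string]$Path)

    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # isProtected=$false re-enables inheritance; the second argument is then ignored.
    $acl.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
}

# The whole pass. Without -Apply it only lists the deviations (the scan); with
# -Apply it resets each one, which is what "Replace permissions on all child
# objects" does, minus the objects it cannot touch. Refuses to start at a drive
# or hive root (the post's capital-letters rule) and never edits $Start itself.
function Invoke-AclEqualize {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)][string]$Start, [switch]$Apply)

    if (-not (Split-Path -Path $Start -Parent)) {
        throw "Refusing to work at a root ($Start): start one level below it."
    }
    foreach ($dev in Get-AclDeviation -Root $Start) {
        if ($dev.Problem -like 'unreadable*') { Write-Warning "$($dev.Path): $($dev.Problem)"; continue }
        if (-not $Apply) { $dev; continue }
        try {
            Reset-AclToParent -Path $dev.Path
            Write-Verbose "equalized $($dev.Path)"
        } catch {
            # Stubborn entry (locked, needs take-ownership): leave it and move on.
            Write-Warning "left alone: $($dev.Path) ($($_.Exception.Message))"
        }
    }
}

# The post's bonus, the reverse direction: take SetValue and CreateSubKey away
# from the "Everyone" Allow entry on a key that is written constantly, keeping its
# remaining rights. Matches on the SID S-1-1-0 so it is locale-independent.
# Returns $true if the key was changed.
function Remove-EveryoneWriteRight {
    param([Parameter(Mandatory=$true)][string]$KeyPath)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $strip   = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $match   = { $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Allow' -and
                 (([int]$_.RegistryRights) -band $strip) -ne 0 }

    $acl   = Get-Acl -Path $KeyPath -ErrorAction Stop
    $rules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object $match)
    if ($rules.Count -eq 0) { return $false }
    if (@($rules | Where-Object { $_.IsInherited }).Count -gt 0) {
        # An inherited entry cannot be edited in place: break inheritance with a copy
        # (the "Copy" choice behind unchecking "Inherit from parent"), write that,
        # then re-read so the entries are now explicit and editable.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $KeyPath -AclObject $acl -ErrorAction Stop
        $acl   = Get-Acl -Path $KeyPath -ErrorAction Stop
        $rules = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object $match)
    }
    foreach ($rule in $rules) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
        $kept = [System.Security.AccessControl.RegistryRights]([int]$rule.RegistryRights -band (-bnot $strip))
        if ([int]$kept -ne 0) {
            $new = New-Object System.Security.AccessControl.RegistryAccessRule($rule.IdentityReference, $kept, $rule.InheritanceFlags, $rule.PropagationFlags, 'Allow')
            $acl.AddAccessRule($new)
        }
    }
    Set-Acl -Path $KeyPath -AclObject $acl -ErrorAction Stop
    return $true
}

# Usage (illustrative paths): list first, compare against the legitimate
# exceptions (MSI, copy protection), then apply.
# Invoke-AclEqualize -Start 'C:\Program Files' | Format-Table Problem, Path -AutoSize
# Invoke-AclEqualize -Start 'C:\Program Files' -Apply -Verbose
# Invoke-AclEqualize -Start 'HKLM:\SOFTWARE' -Apply
# Remove-EveryoneWriteRight -KeyPath 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
```

Run the listing pass first and read it: it is the same information AccessEnum shows, and anything you would have skipped by hand (installer keys that want "Everyone", copy-protected programs) should be skipped here too, so exclude those paths before adding -Apply. Entries reported as "unreadable" or "left alone" are the stubborn ones from the post; investigate them separately rather than forcing ownership in the script.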
