(Resolved) How do I integrate registry permissions (KB909520)?

[Explorer09]

In KB909520 (Base Smart Card Cryptographic Service Provider update), there's a section in the update_winxp.inf that sets the permission of a registry key.

[SecurityRegistryAfterInstall]

    "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
; x64 have this additional line:
;   "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Because I observed what permissions have changed, I can briefly explain what this string does:

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

• Allow Read permission on 'LOCAL SERVICE'
  
• Allow Read permission on 'Users'
  
• Allow Read permission on 'Power Users'
  
• Allow Full Control permission on 'Administrators'
  
• Allow Full Control permission on 'SYSTEM'
  
• Allow Full Control permission on 'CREATOR OWNER'
  

(EDIT: The string format is Security Descriptor Definition Language. For people who want to learn more, read this and this.)

Now here is my question: How do I integrate this permission change? (EDIT: Some people have confused about what I was asking, so let me say it again: I want to set the permissions of a registry key, not to modify a value entry.)

HFSLIP doesn't do anything about this, so in the slipstreamed Windows the key "HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" retains the original permission (that is, "inherit from the parent keys").

I didn't test this on nLite though.

Because I'm trying to integrate KB909520 without nLite or HFSLIP, I'm confused about what to do with this. I accept any method (batch scripts, INF file, etc.) as long as I don't have to put the entire "Windows-KB909520-v1.000-x86-ENU.exe" into my disc. Is that possble, and how?

Thank you.

Explorer09

Edited January 17, 2013 by Explorer09

[tomasz86]

You may want to check this thread:

http://www.msfn.org/board/topic/158481-how-to-permanently-disable-driver-signing-during-windows-setup/

[Explorer09]

Thanks to tomasz86 and the reference here, I made it working now:

INF AddReg Directive (Windows Drivers)

I forgot that it is possible to set the registry permissions by just using the AddReg directive in the INF file.

So here it is. Copy the code below, save it as an INF file, and use it as an HFSLIP addon:

[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
; For x64 please uncomment the line below:
; HKLM,"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards"

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Edited December 16, 2012 by Explorer09

[ykchanaed]

Should the INF file of the last post be:

[Version]

Signature="$Windows NT$"

[DefaultInstall]

AddReg=SmartCards.Add.Reg

[smartCards.Add.Reg]

HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

And if it is an INF file , it is better to put it in HFSVCPACK folder.

Edited January 16, 2013 by ykchanaed

[Explorer09]

Should the INF file of the last post be:

[smartCards.Add.Reg]

HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

If you write this way you'll modify a registry value entry. What I want is to set the permissions of a registry key, not to modify a value entry.

You should read some documents about the INF file, such as this:

INF AddReg Directive (Windows Drivers)

[ykchanaed]

Then what is this section for?

[smartCards.Add.Reg.security]

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].

[Explorer09]

Then what is this section for?

[smartCards.Add.Reg.security]

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].

When I told to Read the Manual, I really mean it. The URL I gave to you have described very well about what is the .security section.

http://msdn.microsoft.com/library/windows/hardware/ff546320(v=vs.85).aspx

Each named add-registry section referenced by an AddReg directive has the following format:

[add-registry-section]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
 ...
[[add-registry-section.security]
"security-descriptor-string"]

An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.

http://msdn.microsoft.com/library/windows/hardware/ff546320(v=vs.85).aspx

security-descriptor-string

Specifies a security descriptor, to be applied to all registry entries created by the named add-registry-section. The security-descriptor-string is a string with tokens to indicate the DACL (D:) security component.

If an add-registry-section.security section is not specified, registry entries inherit the security settings of the parent key.

If an add-registry-section.security section is specified, the following ACE's must be included so that installations and upgrades of devices and system service packs can occur:

• (A;;GA;;;SY) − Grants all access to the local system.
  
• (A;;GA;;;BA) − Grants all access to built-in administrators.
  

Do not specify ACE strings that grant write access to nonprivileged users.

Edited January 17, 2013 by Explorer09

[ykchanaed]

Oh, thanks for your time to explain the details.

That is really new to our newbies!