Jump to content

(Resolved) How do I integrate registry permissions (KB909520)?


Explorer09

Recommended Posts

In KB909520 (Base Smart Card Cryptographic Service Provider update), there's a section in the update_winxp.inf that sets the permission of a registry key.

[SecurityRegistryAfterInstall]

"MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
; x64 have this additional line:
; "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Because I observed what permissions have changed, I can briefly explain what this string does:

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

  • Allow Read permission on 'LOCAL SERVICE'
  • Allow Read permission on 'Users'
  • Allow Read permission on 'Power Users'
  • Allow Full Control permission on 'Administrators'
  • Allow Full Control permission on 'SYSTEM'
  • Allow Full Control permission on 'CREATOR OWNER'

(EDIT: The string format is Security Descriptor Definition Language. For people who want to learn more, read this and this.)

Now here is my question: How do I integrate this permission change? (EDIT: Some people have confused about what I was asking, so let me say it again: I want to set the permissions of a registry key, not to modify a value entry.)

HFSLIP doesn't do anything about this, so in the slipstreamed Windows the key "HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" retains the original permission (that is, "inherit from the parent keys").

I didn't test this on nLite though.

Because I'm trying to integrate KB909520 without nLite or HFSLIP, I'm confused about what to do with this. I accept any method (batch scripts, INF file, etc.) as long as I don't have to put the entire "Windows-KB909520-v1.000-x86-ENU.exe" into my disc. Is that possble, and how?

Thank you.

Explorer09

Edited by Explorer09
Link to comment
Share on other sites


Thanks to tomasz86 and the reference here, I made it working now:

INF AddReg Directive (Windows Drivers)

I forgot that it is possible to set the registry permissions by just using the AddReg directive in the INF file.

So here it is. Copy the code below, save it as an INF file, and use it as an HFSLIP addon:

[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=SmartCards.Add.Reg

[SmartCards.Add.Reg]
HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
; For x64 please uncomment the line below:
; HKLM,"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards"

[SmartCards.Add.Reg.security]
"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

Edited by Explorer09
Link to comment
Share on other sites

  • 5 weeks later...

Should the INF file of the last post be:

[Version]

Signature="$Windows NT$"

[DefaultInstall]

AddReg=SmartCards.Add.Reg

[smartCards.Add.Reg]

HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

And if it is an INF file , it is better to put it in HFSVCPACK folder.

Edited by ykchanaed
Link to comment
Share on other sites

Should the INF file of the last post be:

[smartCards.Add.Reg]

HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards", 2, "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

If you write this way you'll modify a registry value entry. What I want is to set the permissions of a registry key, not to modify a value entry.

You should read some documents about the INF file, such as this:

INF AddReg Directive (Windows Drivers)

Link to comment
Share on other sites

Then what is this section for?

[smartCards.Add.Reg.security]

"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

As this section does not have any entry in [DefaultInstall].

When I told to Read the Manual, I really mean it. The URL I gave to you have described very well about what is the .security section.

http://msdn.microsoft.com/library/windows/hardware/ff546320(v=vs.85).aspx

Each named add-registry section referenced by an AddReg directive has the following format:

[add-registry-section]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
reg-root, [subkey],[value-entry-name],[flags],[value][,[value]]
...
[[add-registry-section.security]
"security-descriptor-string"]

An add-registry-section can have any number of entries, each on a separate line. An INF can also contain one or more optional add-registry-section.security sections, each specifying a security descriptor that is applied to all registry values described within a named add-registry-section.

http://msdn.microsoft.com/library/windows/hardware/ff546320(v=vs.85).aspx

security-descriptor-string

Specifies a security descriptor, to be applied to all registry entries created by the named add-registry-section. The security-descriptor-string is a string with tokens to indicate the DACL (D:) security component.

If an add-registry-section.security section is not specified, registry entries inherit the security settings of the parent key.

If an add-registry-section.security section is specified, the following ACE's must be included so that installations and upgrades of devices and system service packs can occur:

  • (A;;GA;;;SY) − Grants all access to the local system.
  • (A;;GA;;;BA) − Grants all access to built-in administrators.

Do not specify ACE strings that grant write access to nonprivileged users.

Edited by Explorer09
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...