Jump to content

Office 16 Click-to-Run Extensibility Component could not modify 137 protected registry keys during installation or update of Office 365


glnz

Recommended Posts

dencorso and jaclaz - well, using TIdo.cmd to start both regedit and regscanner64 running as TI, I manually changed Permissions in 67± registry keys to give Full Control for SYSTEM.  Then I did an "Online Repair" of Office 2016 through O365, which looks just like a re-installation.

Unfortunately, I still got 99 Warnings that Protected Registry Keys could not be changed.  A group of 58 Warnings at 5:20pm and a group of 41 Warnings at 5:48pm, probably these being the start and end of the re-installation process.  And I can see that at least some of these Warnings are the same keys that I changed -- and they still show SYSTEM with Full Control.

Well, as far as I can tell, Office works, so I surrender.

Thanks, however, for the TIdo.cmd process, which definitely let me skip the steps of manually changing Owner on each key (and changing it back).  Both regedit and regscanner64 thought I was Trusted Installer, and F8 in regscanner64 did indeed take me to keys in regedit (which still thought I was TI) to make changes to Permissions without having to change Owner.

Edited by glnz
Link to comment
Share on other sites

  • 4 weeks later...

Update - I've also posted this problem on Spiceworks, and here is one suggestion and my reply - any thoughts?  FYI - in the brief conversation below, Phil did not get back to me.  Thanks.

Quote

Phill7895 Mar 8, 2017 at 4:45 AM

If you're still struggling, go download a copy of psexec from sysinternals, then invoke it with psexec -i -s -d regedit.exe

That'll load regedit as the SYSTEM account, you should be able to mod any key you like now, if you still can't then it's down to locks, you'll need a combo of procmon and procexp to trace those usually.

glnzglnz Mar 8, 2017 at 4:58 PM

Phill - Thanks for your suggestion - I might try.  However, that sounds like MSFN's TIdo.cmd tool, which supposedly let me run regedit as TrustedInstaller.  See the link in my first post above.

When I was in the special cmd window generated by MSFN's TIdo.cmd tool, whoami generated NT AUTHORITY\SYSTEM.   That's the same as your suggestion, yes?

When I ran regedit (and also regscanner64) from MSFN's TIdo.cmd tool, I gave Full Control permission to System on every one of my then-current list of protected registry keys, and without changing the existing Owners.  If I now run psexec -i -s -d regedit.exe, how should I mod each of those protected keys?

Maybe more important - you mention "locks".  What are they?  Could you suggest a link about that?

Thanks.

Edited by glnz
Link to comment
Share on other sites

psexec -i -s -d regedit.exe will give you System status (akin to Colonel), while Joakim's method gives you TrustedInstaller status (akin to Field Marshall)... 'nuff said!
BTW, there also is PAExec, which is free and freely redistributable...

Link to comment
Share on other sites

EDIT WITH CORRECTIONS FOR LAST KEY

dencorso -

I agree - MSFN beats Spiceworks !

In my most recent Update of Office yesterday, it generated 41 of these Warnings.  

- The first protected key says "Product: Office 16 Click-to-Run Extensibility Component. The application tried to modify a protected Windows registry key \Software\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32."
If I go to that key, I first see that System has both Full Control and Read permissions.
If I hit Advanced and stay on the Permissions tab, I see two Systems.  One has Full Control and the other one has Read.
TrustedInstaller also has Full Control permissions.
If I go to the tab Owner, I see that the Owner is Administrators (WINDOWS-B686H5R\Administrators).

- The last protected key says "Product: Office 16 Click-to-Run Extensibility Component. The application tried to modify a protected Windows registry key \Software\Classes\Interface\{85AEE342-48B0-4244-9DD5-1ED435410FAB}\TypeLib."
If I go to that key, I first see that System has both Full Control and Read permissions.
If I hit Advanced and stay on the Permissions tab, I see two Systems.  This time both have Full Control.
TrustedInstaller also has Full Control permissions.
If I go to the tab Owner, this time Owner is SYSTEM.

See the attached Word docx for some screenshots.

Are there any clues here?  Why are there two Systems?

And what might I try to do to make these keys modifiable?

Thanks.

3-10-17 more info re permissions.docx

Edited by glnz
Link to comment
Share on other sites

2 hours ago, glnz said:

Why are there two Systems?

Because MS thought you'd be safer that way (or so they say).

2 hours ago, glnz said:

And what might I try to do to make these keys modifiable?

Beyond impersonating the TrustedInstaller? I don't know. Sorry.

Link to comment
Share on other sites

dencorso - I just looked at a third key.  This time, in Advanced - Permissions, there is only one "SYSTEM" (not two) and it has Full Control.  However, before I hit Advanced, the initial right-click Permissions window shows one System with BOTH "Full Control" and "Read" checked.

That is common to all three keys I have now looked at.  The other settings (in Advanced) vary slightly.

Hmmmm.  Why both "Full Control" and "Read" in the initial right-click window?  Is that a clue?  Should I go through these 41 "protected" keys and UNcheck the "Read" but leave checked the "Full Control"?

Maybe not, as apparently having both checked is common elsewhere.

So what is "protecting" these?

Should I ALSO give "Administrators" Full Control permission?

Edited by glnz
Link to comment
Share on other sites

Without knowing much about this particular situation, I'd expect the cause of two SYSTEMs being present would be THE SCOPE to which these sets of permissions apply. In other words, look in the field Apply to. One SYSTEM may apply to "This key and subkeys", and the other to "This key only" or "Subkeys only" (or any combination of these three).

The most comprehensive, i.e. the one you'd usually want is the first one, "This key and subkeys". After Vista, there have been many "boobytraps" in the registry where some subkeys don't inherit permissions from the parent, for no obvious reason, and could not be changed "top down", you'd need to dive down to the lowest branch and change them there first. And often work your way up.

GL


 


 

Link to comment
Share on other sites

Both System and TrustedInstaller identify simply as "System" as you can see if you try the whoami command.
I think MS reckoning about it was that if one does not know whether (s)he is the TrustedInstaller or not, that one does not deserve to know it.

Link to comment
Share on other sites

Curiouser and curiouser.

Is really like jumping down the rabbit hole after all.

I'm tempted to delete all the "protected" keys and try a re-install.  But not today.

Thanks, dencorso and GL.

Link to comment
Share on other sites

dencorso, jaclaz, heinoganda, GL, trip and team -

THREE THINGS:

FIRST -- Is it possible that TIdo.cmd is not QUITE as powerful as we want?

Please take a look at the two attached .txt files.  They are the results of my running whoami /all -- the first time in only an elevated cmd, the second time in TIdo.cmd.

Note that, in TIdo.cmd, some of the Privileges are still disabled, including "SeTakeOwnershipPrivilege - Take ownership of files or other objects - Disabled". 

Why so? 

Do we need a stronger flavor of TIdo.cmd for what I'm doing?  SuperTIdo?

SECOND -- Microsoft has something called "Windows Resource Protection", or "WRP".   Maybe that's what is protecting these keys?  If so, how do I defeat it?

See these links:  >WRP 1<>WRP 2<>WRP 3<>WRP 4<>WRP 5< .

Any thoughts about adding WRP-busting super-strength to TIdo.cmd or (better) the setup64.exe in the re-install folder that I make from the .img file for installing O365 Home?

THIRD -- There is a service called "osppsvc" and "Office Software Protection Platform".  It runs when I'm running Office (together with a process called "OSPPSVC.EXE" and "Microsoft Office Software Protection Platform").  Are these the things that are "protecting" the registry keys when I (re-)install or update O365 Home?  Is there a way to sedate them?

If we ever win this one, we can make T-shirts that say "SuperTIdo beats WRP" and wear them to the next IT trade show.

whoami elev cmd only.txt

whoamiTIDO.txt

Edited by glnz
Link to comment
Share on other sites

That TIdo.cmd is as powerful as it gets. I've done all kinds of mischief with it. :angel

The output of Whoami is not what it seems to be. It either lies (not accounting for the rights of the parent group, which apply to the current user), or the disabled/enabled state is not what we think it is:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e24a35b3-fb72-4918-8e51-562e2ad8d8f5/what-is-the-state-column-returned-by-whoami-priv?forum=winserversecurity

And, as far as I know (at least until previous versions of Office) OSSP doesn't protect anything else besides Microsoft's profit, in the sense that it bans you from running unlicenced versions of Office, but doesn't actively protect any resources, including registry keys. I repeat, AFAIK.

GL
 

Link to comment
Share on other sites

I don't think WRP is protecting registry keys, but I am not sure. I haven't seen it in action because I usually apply many tweaks at the same time aimed to "tame down" the system, so I am not sure if any of them is preventing that. At the same time, I often go nuclear on my systems and apply blanket full permissions to myself (or Administrators group, to be exact) and SYSTEM to whole branches of registry. Sometimes it bites me back and some (many) things break, so I don't recommend you do that.

What I think you should do is this:

> Should I ALSO give "Administrators" Full Control permission?

YES.

I think that might help you, if you don't mind editing 60+ permissions.

And I returned and read this topic from the start, and now I think you shouldn't bother much about this, ink/ink divider/ink whatever is office component for tablet mode / handwriting recognition, not important at all. I suspect most other keys with errors are related to it too, the CLSID and INTERFACE registration of the "ink" components.

"Ink" has steadily progressed through Microsoft OSes to be more and more important (for them). It wasn't present in XP, only installed with Office 2003, then it became system component with many CLSIDs and other registration components in 7 (or maybe Vista, I'm not sure) and increasing its presence in later OSes.

I suspect Office 365 is expecting (being programmed to expect) Win8.1 or Win10, where "Ink" is even more prominent and is not prepared for what it sees on Win7. Just a wild guess.

Whatever the reason, I am almost sure you wil not encounter any problems even if "ink" is not working, and additionally I'm pretty sure "Ink" will still work even with these errors anyway.

GL
 

Edited by GrofLuigi
Link to comment
Share on other sites

  • 2 weeks later...

Update - So 41± "protected" registry keys have been showing up in Event Viewer Warnings when I run any update of Word or Excel (from this second O365 Home installation).

NOW, in regedit, I have given "Full Control" permission to Administrators in each of these 41± keys.  (I run regedit and regscanner64 as TrustedInstaller with the wonderful TIdo.cmd tool.  So I don't have to change Ownership to change Permissions.  Goes much faster.)

Result - in yesterday's normal "Update Now" of Word, which ran some updates, I did NOT get the 41± Warnings.  Progress ??  Risks ??

I might go back to my earlier lists of "protected" keys (which were more than 41), do the same, and then run a "Repair" of O365.  (Or a total UNinstall and REinstall.)  What do you think?  Will a Repair or UN+REinstall create different keys and so progress will be lost?

Link to comment
Share on other sites

On вторник, 28 март 2017 at 5:13 PM, glnz said:

I might go back to my earlier lists of "protected" keys (which were more than 41), do the same, and then run a "Repair" of O365.  (Or a total UNinstall and REinstall.)  What do you think?  Will a Repair or UN+REinstall create different keys and so progress will be lost?

I wouldn't bother if I were you, except if you have extreme case of OCD and want to satisfy it. I am prety sure everything works even now (without the "fixes"), except 0.01% of chance that ink/handwriting component won't. I give it such a small chance because the keys are still present and if needed Word (or any office program) could invoke the component (call it). What is potentially broken is some parts of them, or registry values, that couldn't possibly be so important. The registry values are part of COM registration (mostly used in inter-process communication), and because the main keys are present, I think it will still manage to call them just fine. That's if you ever use ink/handwriting.

Edit: the forum editor wouldn't acknoledge ENTER, even for a single newline, so I tried some key combinations and CTRL+ENTER posted the unfinished text. :)

Now where was I... "Will Repair... create different keys and so progress will be lost?" (I'm re-typing this because copy+paste also doesn't work) - Well, it depends. Obviously, the installer script is broken, but is it broken in such a way that it has unrealistic expectations (that the keys are unprotected) or it breaks them itself? I don't know, but if you insist on Repair Install, I think it could make no additional harm, except possibly the need of "de-protecting" them again later.

I think repair install has a better chance than uninstall+reinstall, and is less work anyway.


 

Edited by GrofLuigi
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...