Jump to content

Office 16 Click-to-Run Extensibility Component could not modify 137 protected registry keys during installation or update of Office 365


Recommended Posts

dencorso - many thanks for what might be a great shortcut.  And of course my friends would NEVER accuse me of looking a gift horse in the mouth.  But some Qs:

1)  To run the re-install of O365 Home 64-bit, it looks like I should be running C:\Users\glnz\Downloads\O365HomePremRetail(1).img\Office\Setup64.exe. 
Or maybe I first use 7-Zip to extract that img archive into a new folder so it would be something like   C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office\Setup64.exe
So, when I get the cmd box with TI credentials, will I be able to specify either path?  I would guess yes, but just to confirm.

2)  If I re-install "as the TI," will later automatic updates to Word and Excel be able to run, or will they be blocked because now my PC thinks that EVERYTHING in Office is TI only, and so non-TI updates are barred at the airport?

FYI - As far as I can tell, I've only had the 67 ± Warnings of protected registry keys for Click-to-Run (sometimes called C2R) and "ink" aspects of O365, not the other basic aspects of Office (but of course don't know that 100%), and I get those Warnings on each update as well as on each re-install.   If I install as TI, maybe I won't get those 67 Warnings, but will I get 103,587 Warnings on the next automatic update?

3)  If I install "as TI", will it later be impossible to uninstall?

4)  Can I get a "TI" badge?


Link to comment
Share on other sites

The extracted install seems to me to be the best idea. So, if you extract it to C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office, as per your example, I think the best precedure should be the following:

At the prompt, in the TI level cmd box you'll probably be on C:\Windows, so you'll see:



So let's move to that folder, thus:


C:\Windows\>pushd C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office <Enter>

Then you should see:



and follow up with:


C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office\>Setup64 <Enter>

 BTW, you must put runassystem64.exe, runfromtoken64.exe and TIdo.cmd somewhere they can be executed from, so C:\Windows or C:\Windows\System32 are the easiest possible choices of such a folder (viz. whence they can run). 


Link to comment
Share on other sites

Answers to the other questions: (2.) you should have no problems afterwards... we're supposedly fixing a lack of authority of the initial installer, not of those for subsequent updates... and, well, the TI should be the one to install things, anyway, so it should work all right. (3.) I don't see why... so, no, not at all. (4.) well, I guess so... :)

Link to comment
Share on other sites

dencorso -

PRELIMINARY:  I followed your links and their links and saw that the brilliant jschicht combined the two commands as a single RunAsTI on github at > RunAsTi < .  UNFORTUNATELY, even though I'm signed in to github, I cannot download his files.  I get error messages that the server won't connect or (occasionally) that the files aren't complete on the server.  SO, I shall follow your instructions, which seem very promising.

NOW:  Let's see if I actually understand your instructions, as I am only a notary public who types love letters for friends, not a code wizard like yourself and everyone on MSFN.  By the way, I did a full Macrium Reflect backup of my entire hard drive earlier today - just in case.

1)  From the links you gave (not github), I have downloaded RunasSystem_v1.0.0.3.zip and RunFromToken_v1.0.0.2.zip, and using 7-zip I have now extracted both as sub-folders in my Downloads folder.  Each folder has the pseudonymous files - *.exe, *.au3 and *64.exe, all of whose last modified dates are 10/3/2012.

2)  I will copy all six files into C:\Windows\System32 because that folder also includes both cmd.exe and net.exe (I checked).

3)  On my desktop, I will make a new file called TIdo.cmd.  In it I will insert the lines


net.exe start trustedinstaller
runassystem64.exe "runfromtoken64.exe trustedinstaller.exe 1 cmd.exe"

and save.

4)  I will move TIdo.cmd into C:\Windows\System32 ... because that's where the party is !!

5)  I will right-click TIdo.cmd and select Run as administrator.

6)  A black cmd window will open up and it will say C:\Windows\System32>

7)  Now, let's take a break, light a Gauloise and be morbidly philosophical like Michel Houellebecq:  what if I type whoami?  (French coders hit that one 15 times a day.)  Normally, I see my computer-name\glnz.  If TIdo.cmd is working, I should see nt authority\system, yes? 
(I checked already, and, yes, these steps 1 - 7 give me nt authority\system.  Zut, alors!)
Interesting!!  Do you think that might be enough to overcome the 67± protected registry keys?  I understand (from other posts here on MSFN and on 7Forum) that  "nt authority\system" is the same as "SYSTEM" in the Permissions change windows, yes?  Will that truly be as high and mighty as Trusted Installer?  I suppose we shall see.  I ask because (if I remember correctly) in a few of the protected keys, System does not have Full Control permission !!!

8)  At this point, before taking the plunge, I should turn off my anti-virus, etc.

9)  In this TIdo-created new cmd window, I now type  pushd C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office <Enter>
I should then see C:\Users\glnz\Downloads\O365HomePremRetailExtracted\Office\>
and I should then type  Setup64<Enter>

9)  O365 should now install, and that takes quite some time.  I might have to identify myself (for the 45th time).  When it's all over, I'll see what's what in Event Viewer and let you know whether those 67± Warnings returned.

10)  If the TIdo-created cmd window is still open after all the above is finished, I can just type  exit,  yes?  I don't have to type popd, do I?

11)  If everything has settled down but if Trusted Installer is still showing in my Task Manager, I can manually End Process it, yes?

Do you think I've missed anything?  Is there anything that could further strengthen the O365 installation?

Merci mille et un fois !!!

Link to comment
Share on other sites

Oww, come on, you need only the RunasTI.exe, I am attaching it nonetheless.

And - normally - you do not run .cmd's by right clicking on them, but rather you open a command prompt (as Administrator) and in it you execute the batch, this way you have more control (but yes, you can type exit, possibly more than once will be needed, when you have finished with the batch).




Link to comment
Share on other sites

jaclaz - thanks.  FYI, right now, from my day office, when I clicked on your link for RunAsTI.exe, the Symantec security gave me a warning:


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\glnz\AppData\Local\Temp\ZbTRvsRW.exe.part
Location: C:\Users\glnz\AppData\Local\Temp
Computer: xxxx####
User: glnz
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, February 06, 2017  12:09:36 PM

Anyway, dencorso's two RunAs items do work through steps 1 - 7 in my email above.  I haven't yet run the O365 installation.  But it sounds like I'm not missing anything in the steps above.

Link to comment
Share on other sites

Trojan.Gen.2 = "Generic Trojan Whatsoever"...

What do you think the heuristics of an Antivirus would think about a program that impersonates the TI?
Of course that's a false positive... anyway, RunAsTI is just a variant of those proggies I pointed you to plus the batch file I provide you all thrown together in a single .exe... it works the same but it's even more prone to trigger false positives from paranoid enough heuristics... relax: no reason to be alarmed by that, at all! \m/  (see? I'm back to my old self! Yay!). :)

Link to comment
Share on other sites

Well, guys, thanks very much for help and teaching me something new.  The new install of O365 Home again triggered 69 Warnings about not being able to change Protected Registry Keys.

Maybe instead of installing as Trusted Installer, can we install as Donald Trump?

Link to comment
Share on other sites

Unless he smokes the Gauloises.

I did notice that the TrustedInstaller.exe process in Task Manager disappeared about 2/3 of the way through the lengthy installation, but the OfficeClickToRun processes had been running for some time, so I doubt that's the issue.

I do have a list of the keys and can probably change their permissions manually to give Full Control to ... what?  System?  Everyone?

(Hey, if I run regedit from the TIcmd window, will I need to change Owner to add the Permissions?)

Edited by glnz
Link to comment
Share on other sites

dencorso - From fixing other errors, I learned a tiny bit about Ownership and Permissions.  It seems I should change the Permissions on the 67± registry keys so that System or Administrators (or maybe Everyone) has "Full Control", and then reinstall O365.  However, to change Permissions, I would first need to change Ownership of each key to Administrators and then change it back to whatever it was - usually Trusted Installer.

But -- if I run regedit from TI.cmd, could I skip the two "change Ownership" steps because regedit thinks I'm Trusted Installer? 

(I would still need to change the Permissions on each key manually.)

Does that sound right?  Thanks.

Link to comment
Share on other sites

Yes. I think those keys should be set to "Full Controll" by TI anyway, so you may change to that and not change back at the end. As it is, it seems nobody has currently "Full Control" of those keys, which is odd, to say the least.

Link to comment
Share on other sites


dencorso - I haven't looked at more than a few keys.  On most, as to Permissions, TI has Full Control, and other user accounts have only "Read" permissions.  I'm certainly going to leave TI with "Full Control" but will also give "Full Control" to System and -- not sure -- Administrators ?

But then, if the Owner is TI, I'd prefer to leave it that way.  Unless you think I should move Owner to a different user account?

And, per your "Yes", I hope that going first to TIdo.cmd and running regedit from there will let me skip the steps of changing Owner in order to change Permissions.  I'm going to to have to do this manually, so the fewer steps , the better.

I'll let you know when I get a chance to dive in. 

EDIT - I used regscanner64 to search for the keys and (using CTRL+k and then paste) to make a manual list of the keys in a notepad .txt file, as the EventViewer Warning message did not give complete key names.  And regscanner 64 is faster than regedit to get around. But if I right-click on a regscanner64 search result line to go to that key in regedit, I won't be in TI anymore.  Is there a way to run both regedit and regscanner64 in the same TI bubble?

Or does regscanner64 have a secret step that works directly on the registry (in this case as TI) without going to regedit?


Edited by glnz
Link to comment
Share on other sites

While regedit, when launched from the CMD Box generated by TIdo.cmd retains the TI credentials, other programs may not. Windows Explorer never does, it seems to be due to the fact that it was started at login and each new instance of it inherits the same credentials from the one that contains the login session (or some reason like this). Now, it seems that regscanner64, even if run as TI, does not propagatr the TI credentials to the processes it spawns, from what you said. This is a non-documented area we're in so the only guide as to what happens is experimentation (besides crystal balls and haruspices, of course!).

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...