View Full Version : Registry permissions not being written

03-14-2007, 08:07 PM
Hi All,

I use AdminStudio 7.5, I have an MSI that installs an app for all users (ALLUSERS=2) on an XP and Win2000 machines. The Properties for the app reside in the HKLM hive of the registry which the app attempts to write to during startup. If the user doesn't have rights to write to the registry the app fails to start, for all other uses its fine.

I've attempted to set Registry permission on the MSI to give "Domain Users" or "Users" access to that particular registry key for the application. After installing the security permissions for the registry still appear as before. Its as if the security permissions aren't even being set.

Attached is an image of what I have set. Considering the GUI interface for setting permissions is pretty straight forward I can't imagine there would be much problem. I've attempted to look for KB documents relating to this but couldn't really find anything. Helpfiles also don't any real traps I need to look out for. Install logs don't show anything at all about even attempting to set permissions for the registry key. I did manage to find a small footnote in my training notes that said you have to release the MSI in uncompressed format, which I tried but it still doesn't work.

Personally I think its bad app design as it should account for this or put stuff the user needs access to into the HKCU hive. Vendor who built the app doesn't think there is a problem and is unwilling to change it.

Can anyone help?


David Thornley
03-15-2007, 09:49 AM
There is a limitation in Editor such that child objects do not inherit security permissions from their parent. You will have to explicitly set this permission on all of the child registry keys.

03-15-2007, 06:14 PM
Okay I understand, but its not even setting it on the parent. Are you able to explain why this is happening and how I can fix it?

03-15-2007, 10:29 PM
For whatever reason this is not working I've found a work around for now. If someone later can point out what the proper fix is I'd be interested to hear it.

This is what I did (refer to picture). I downloaded an app called RegDACL.exe and inserted it as a custom action as a "EXE stored in the Binary table" and ran it as a "Deferred Execution in the System Context" passing it the arguments as seen. It put it into the Install Exec sequence after "After WriteRegistryValues".

Seems to work fine for users of varying priveleges (or lack there of).

03-26-2007, 05:44 PM
Usually when I'm setting permissions on any objects via the Permissions dialog, I don't use the [%DOMAINUSER] property because if the target machine does not have %DOMAINUSER environment variable set, then it will not work. An easier approach is to leave the Domain field blank. This way, it will try to set the permission for a user in the domain under which the installation is running (current domain). Also you may want to add the SIDLookup Merge Module in your setup to ensure that the appropirate SIDs are used to map Well Known Names such as Domain Users to their localized Windows names. You can download this merge module from www.installsite.org.