How do I get Registry key permissions for a specific user or group via WMI?

07-11-2005, 01:40 PM

To all:

The code below checks to see if the user account running the script has the
specified permissions; in this case, QUERY_VALUE.

What I would like is a similar code example on how to ask if a 'specified
user or group' has a specific permission. Does anyone know of a code
example that will do this? Or can post a link to a URL somewhere. I've
checked all over MS and MSDN, and on Google but after checking about 100
sites, nothing looks promising.

'---------------------------------------------------------------------------
------
' Create constants for access rights and registry hive
const KEY_QUERY_VALUE = &H0001
const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
Set objReg=GetObject("winmgmts:{impersonationLevel=imp ersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

strKeyPath = "SYSTEM\CurrentControlSet"

' Does the account under which the script runs have the
' right to query the SYSTEM\CurrentControlSet key
'---------------------------------------------------------------
objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE,
bHasAccessRight

If bHasAccessRight = True Then
Wscript.Echo "Has Query Value Access Rights on
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
Else
Wscript.Echo "No Query Value Access Rights on
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
End If

'---------------------------------------------------------------------------
------

There are example for using WMI for checking the DACLs of file objects;
files and folders. But I haven't been able to find something similar for
Regsitry keys.

many thanks for all the help,

--
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org

07-12-2005, 09:30 AM

Hi all,

Ok, my boss found something buried deep inside MSDN but I was able to use it
to accomplish my task. Below is the code I wrote to compare a list of
user/groups and permissions for each against a list of Registry DACLs.

================================================== =============

Sub AuditReg(ByVal sRegKey, _
ByVal iAccessMask, _
ByVal sGroupName, _
ByVal sAccessText, _
ByVal iAttribCounter, _
ByVal iGroupCounter)
Dim oRegSD, oDACL_ACEs, oADsSecurityUtility

'--
' THIS LINE WAS WHAT WE NEEDED TO DO WHAT WE WANTED.
' --------------------------------------------------
'
' Create an ADsSecurityUtlity object.
'--
Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")

'
' Get the Security Descriptor for the given NTFS File path.
' - specify a Registry path
'
Set oRegSD = oADsSecurityUtility.GetSecurityDescriptor(sRegKey, _
ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)

'
' Get the Discrectionary ACL for the key.
'
Set oDACL_ACEs = oRegSD.DiscretionaryAcl

Call CheckDacl(oDACL_ACEs, iAccessMask, sGroupName, sRegKey, _
sAccessText, iAttribCounter, iGroupCounter)

Set oADsSecurityUtility = Nothing
Set oRegSD = Nothing
Set oDACL_ACEs = Nothing

End Sub

===================================

Hope this may someone else.
--
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org

"Mark-Allen Perry" <mark-allen@mvps_dot_org> wrote in message
news:uTrRi4hhFHA.2560@TK2MSFTNGP10.phx.gbl...

Quote:

> To all:
>
> The code below checks to see if the user account running the script has

the

Quote:

> specified permissions; in this case, QUERY_VALUE.
>
> What I would like is a similar code example on how to ask if a 'specified
> user or group' has a specific permission. Does anyone know of a code
> example that will do this? Or can post a link to a URL somewhere. I've
> checked all over MS and MSDN, and on Google but after checking about 100
> sites, nothing looks promising.
>
>

'---------------------------------------------------------------------------

Quote:

> ------
> ' Create constants for access rights and registry hive
> const KEY_QUERY_VALUE = &H0001
> const HKEY_LOCAL_MACHINE = &H80000002
>
> strComputer = "."
> Set objReg=GetObject("winmgmts:{impersonationLevel=imp ersonate}!\\" &_
> strComputer & "\root\default:StdRegProv")
>
> strKeyPath = "SYSTEM\CurrentControlSet"
>
> ' Does the account under which the script runs have the
> ' right to query the SYSTEM\CurrentControlSet key
> '---------------------------------------------------------------
> objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE,
> bHasAccessRight
>
> If bHasAccessRight = True Then
> Wscript.Echo "Has Query Value Access Rights on
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
> Else
> Wscript.Echo "No Query Value Access Rights on
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
> End If
>
>

'---------------------------------------------------------------------------

Quote:

> ------
>
> There are example for using WMI for checking the DACLs of file objects;
> files and folders. But I haven't been able to find something similar for
> Regsitry keys.
>
> many thanks for all the help,
>
> --
> Mark-Allen Perry
> ALPHA Systems
> Marly, Switzerland
> mark-allen_AT_mvps_DOT_org
>
>
>

07-11-2005, 01:40 PM	#1 (permalink)
How do I get Registry key permissions for a specific user or group via WMI? To all: The code below checks to see if the user account running the script has the specified permissions; in this case, QUERY_VALUE. What I would like is a similar code example on how to ask if a 'specified user or group' has a specific permission. Does anyone know of a code example that will do this? Or can post a link to a URL somewhere. I've checked all over MS and MSDN, and on Google but after checking about 100 sites, nothing looks promising. '--------------------------------------------------------------------------- ------ ' Create constants for access rights and registry hive const KEY_QUERY_VALUE = &H0001 const HKEY_LOCAL_MACHINE = &H80000002 strComputer = "." Set objReg=GetObject("winmgmts:{impersonationLevel=imp ersonate}!\\" &_ strComputer & "\root\default:StdRegProv") strKeyPath = "SYSTEM\CurrentControlSet" ' Does the account under which the script runs have the ' right to query the SYSTEM\CurrentControlSet key '--------------------------------------------------------------- objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE, bHasAccessRight If bHasAccessRight = True Then Wscript.Echo "Has Query Value Access Rights on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" Else Wscript.Echo "No Query Value Access Rights on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" End If '--------------------------------------------------------------------------- ------ There are example for using WMI for checking the DACLs of file objects; files and folders. But I haven't been able to find something similar for Regsitry keys. many thanks for all the help, -- Mark-Allen Perry ALPHA Systems Marly, Switzerland mark-allen_AT_mvps_DOT_org	Mark-Allen Perry Guest Posts: n/a

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How do I get Explorer to open to a specific folder?	Abe Klagsbrun	Windows Vista File Management	6	08-04-2007 12:00 AM
NTFS/registry permissions for a service-specific SID	Sharon2323	Windows Vista Security	3	08-05-2006 07:31 PM
Internet Access Blocking for certain user group	Darren Li	Windows Vista Networking & Sharing	5	03-07-2006 09:35 PM
RD - enable via registry hack or group policy?	jaw0807	Windows XP Work Remotely	1	08-01-2003 09:51 PM
Can I teach XP to do specific tasks?	stevensly	Windows XP Help & Support	2	07-27-2003 11:06 PM

How do I get Registry key permissions for a specific user or group via WMI?

Similar Threads