HKCR Permission changes at top level

  • Question

  • Hi,

    My self-developed / built COM+ and even regular MS COM DLLs were giving ASP Server.CreateObject errors for the IUSR_machinename (800401f3). I had Anon logon in IE. Worked on other machines but on mine gave the above error - (Win2003 SP1 by the way - that I'm using).

    I googled for hours, listened to Webcasts (and learnt some cool info on IIS Auth.) but could not get it to work. VBS was fine, as I am Admin on my box. CreateObject works - cool. IIS Anon browser FAILS.

    I can tell you this was driving me NUTS.

    Finally found the progID friendly name entry (which lists the CLSID) had no "Users" permissions!!
    Worse - top of HKCR was set to Everyone Full control - which means something I installed ruined the default permissions for the reg key.

    Worse - another dev machine of mine had the very same problem. So this is two boxes, not an accident or malware / rootkit. Probably the installation of 'something' did this.

    Anyone having this problem - check your ACE for HKCR!!! Anyone know what software I could have installed to cause this pain?

    Tonight I am going to progressively "ghost back" from monthly images to see when this problem first occurred.

    Thanks,

    Ring0

    Monday, March 27, 2006 7:49 AM

Answers


  • OK, after a "ghost back" from a Jan 2006 image of my system drive, I finally worked this out. It was a program I installed that destroyed the default permission set at the ROOT of HKEY_CLASSES_ROOT.

    Not the installation - but the activation (shareware key entry) that reset HKCR to Everyone full control.

    I don't want to name the company of course, however I can say that if you have installed any third party apps that generate cool javascript menus for your web sites - then you had better run up Regedit and take a look.

    Check the root permissions for HKCR and compare them with your mom's XP or a known good Win2003 SP1 or R2 etc...

    If you have only "Everyone full control" - then you know the program that changed it.

    I have advised the company of course. I imagine they will fix this errant behavior in due course.

    This is a nightmare for developers who must rely on an intact HKCR with regular permissions.

    So, I hope this helps.

    Ring0

     

    Thursday, March 30, 2006 11:42 PM
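
The check described in this thread (the ACL at the root of HKCR, plus the ProgID key that lacked a "Users" entry) can be scripted so the result can be compared with a known good machine. This is an added PowerShell example, not part of the original posts; the ProgID `MyCompany.MyComponent` is a placeholder and `Test-ClassesKeyAcl` is a hypothetical helper name.

```powershell
# Added example, not from the thread. 'MyCompany.MyComponent' is a placeholder ProgID.
param([string]$ProgId = 'MyCompany.MyComponent')

# Well-known SIDs, so the check does not depend on localized group names.
$EveryoneSid = 'S-1-1-0'        # Everyone
$UsersSid    = 'S-1-5-32-545'   # BUILTIN\Users
$Full = [int][System.Security.AccessControl.RegistryRights]::FullControl
$Read = [int][System.Security.AccessControl.RegistryRights]::ReadKey

function Test-ClassesKeyAcl {   # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $sids  = @($allow | ForEach-Object { $_.IdentityReference.Value } |
               Select-Object -Unique)

    # Only ACEs naming Everyone or Users directly are evaluated here;
    # access granted through other groups or generic rights is not resolved.
    $everyoneFull = @($allow | Where-Object {
        $_.IdentityReference.Value -eq $EveryoneSid -and
        (([int]$_.RegistryRights) -band $Full) -eq $Full }).Count -gt 0
    $usersRead = @($allow | Where-Object {
        $_.IdentityReference.Value -eq $UsersSid -and
        (([int]$_.RegistryRights) -band $Read) -eq $Read }).Count -gt 0

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        EveryoneFullControl = $everyoneFull
        UsersReadAce        = $usersRead
        OnlyEveryoneAllowed = ($sids.Count -eq 1 -and $sids[0] -eq $EveryoneSid)
        Sddl                = $acl.Sddl   # diff this against a known good machine
    }
}

# HKCR root, the machine-wide key behind it, and the component's ProgID key.
@('Registry::HKEY_CLASSES_ROOT',
  'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
  "Registry::HKEY_CLASSES_ROOT\$ProgId") |
    ForEach-Object { Test-ClassesKeyAcl -Path $_ } | Format-List
```

Run the same script on the affected box and on a clean install of the same OS, then compare the `Sddl` strings; `OnlyEveryoneAllowed = True` at the root matches the "only Everyone full control" state described above.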