
Thursday, December 13, 2012

Permissions to registry using setacl

Recently I was trying to give permissions to one of the registry hives with Subinacl, but it was not working despite all efforts, checking all the syntax and a lot of troubleshooting.

Then I came across another permission granting utility known as SetACL. It worked like a charm. So you can try using this utility if Subinacl fails.

You can download SetACL from http://helgeklein.com/download/

Here is an example of running SetACL to grant registry permissions (first take ownership of the key, then add an access control entry):

"SetACL.exe" -on "hkcr\Interface" -ot reg -actn setowner -ownr "n:Administrators"
"SetACL.exe" -on "hkcr\Interface" -ot reg -actn ace -ace "n:Users;p:full"


  • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
  • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
  • Action (-actn): What should SetACL do with the object specified?

A lot more details and descriptions of the other switches can be found at this awesome site: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/


Tuesday, August 07, 2012

Subinacl to give permissions to registry/Files

Subinacl is a useful utility to give permissions to registry keys (and files).

Here is a simple example of how to give permissions to a registry key. The first command handles the subkeys, the second the key itself; both append their output to a log file in %temp%.

subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt
subinacl.exe /keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt

Subinacl can be downloaded from the net.
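Both posts above hand Full Control on a machine-wide key to the Users group, so it is worth reading the DACL back after running SetACL or Subinacl and checking who can now write to the key. The following PowerShell is an added example, not code from either post or from the tools; it assumes an elevated session on the machine whose registry was changed, and uses Registry-provider paths (the PowerShell form of "hkcr\Interface" and "HKEY_LOCAL_MACHINE\SOFTWARE\...").

```powershell
# Added example (not from the original posts): after granting rights with SetACL or
# Subinacl, read the key's DACL back and flag write-class Allow ACEs held by broad
# principals. Assumes an elevated PowerShell session on the affected machine.

# Well-known SIDs of broad principals; SIDs are language-neutral, display names are not.
$script:BroadPrincipalSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let the holder change the key or its security. ReadPermissions is
# deliberately left out: it is part of ReadKey and would flag harmless read ACEs.
$script:WriteClassMask = [int](
    [System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::CreateLink -bor
    [System.Security.AccessControl.RegistryRights]::Delete -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)
# Inherited ACEs may still carry generic rights (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000).
$script:GenericWriteMask = 0x10000000 -bor 0x40000000

function Get-RegistryKeyRiskyAce {
    [CmdletBinding()]
    param(
        # Registry-provider path, e.g. 'Registry::HKEY_CLASSES_ROOT\Interface'
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs widen access; Deny ACEs narrow it.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
            continue
        }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Orphaned SID (deleted account): it cannot be one of the broad principals.
            continue
        }
        if (-not $script:BroadPrincipalSids.ContainsKey($sid)) { continue }

        # Cast to int: the rights may include generic bits outside the RegistryRights enum.
        $rights = [int]$ace.RegistryRights
        $hasWrite = (($rights -band $script:WriteClassMask) -ne 0) -or
                    (($rights -band $script:GenericWriteMask) -ne 0)
        if ($hasWrite) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $script:BroadPrincipalSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
            }
        }
    }
}

# Usage: the two keys from the posts above (the second one may not exist on your machine).
Get-RegistryKeyRiskyAce -Path 'Registry::HKEY_CLASSES_ROOT\Interface' | Format-Table -AutoSize
Get-RegistryKeyRiskyAce -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika' |
    Format-Table -AutoSize
```

An empty result means no broad principal holds write-class rights on the key; each row returned is one ACE to review, with the owner shown so a /setowner or -actn setowner change is visible too.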

Below is the more detailed usage, to adapt to your requirements; the tool has lots of features.
You can write your comments on what you used and whether it worked. Help others by posting your real-world examples.

Usage :
     SubInAcl [/option...] /object_type object_name [/action[=parameter]...]



/options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /stringreplaceonoutput=string1=string2
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /applyonly=[dacl,sacl,owner,group]
    /nocrossreparsepoint (default)      /crossreparsepoint

/object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

/action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
    /setowner=owner
    /replace=[DomainName\]OldAccount=[DomainName\]New_Account
    /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
    /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
    /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
    /findsid=[DomainName\]Account[=stop|continue]
    /suppresssid=[DomainName\]Account
    /confirm
    /ifchangecontinue
    /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
    /testmode
    /accesscheck=[DomainName\]Username
    /setprimarygroup=[DomainName\]Group
    /grant=[DomainName\]Username[=Access]
    /deny=[DomainName\]Username[=Access]
    /sgrant=[DomainName\]Username[=Access]
    /sdeny=[DomainName\]Username[=Access]
    /sallowdeny==[DomainName\]Username[=Access]
    /revoke=[DomainName\]Username
    /perm
    /audit
    /compactsecuritydescriptor
    /pathexclude=pattern
    /objectexclude=pattern
    /sddl=sddl_string
    /objectcopysecurity=object_path
    /pathcopysecurity=path_container

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
- or -
    any [/option] [/action] [/object_type]


SYNTAX
------

describe SubInAcl syntax

The SubInAcl syntax is analogous to the UNIX find tool.
For each object, SubInAcl :
    1. retrieves the security descriptor of the object
    2. applies the /action(s). The /actions are executed in the order of
       the command line
    3. If :
       - the security descriptor has been modified and
       - the /testmode switch has not been specified
       the changes are applied to the object
    For instance :
       - SubInAcl /outputlog=result.txt /subdirectories \\Server\c$\temp\*.*
                  /grant=Dom\John=F /noverbose /display
         For each file below \\Server\c$\temp, SubInAcl will
         - open the file
         - grant full control for dom\john
         - display the security setting in noverbose mode
         - save the security descriptor.
         All outputs will be saved in result.txt

You can specify as many /actions as you wish. You must specify at least 3
characters for each action.
The command line is not case-sensitive.

Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
    for each *.txt file will - replace John with Smith
                             - display the whole security descriptor
                             - apply the changes if any

SubInAcl error messages are sent to standard error.
You can use the /outputlog switch to save both outputs
and errors in the same file.


FEATURES
--------

describes SubInAcl main features
SubInAcl was designed to help administrators to manage security on
various objects.
It provides :
   - a unified way to manipulate security for different kinds of objects
     (files, registry keys, services, printer,...)
   - a console tool that lets you write scripts to automate
     security tasks
   - some features that help administrators to modify security if some
     changes occur in their organization:
         - user, group deletions (/suppresssid, /cleandeletedsidsfrom )
         - user, group migrations (/replace , /accountmigration)
         - domain, server  migration (/changedomain, /migratetodomain)
         ...
   - security descriptor editing features :
         - owner ( /setowner )
         - primary group ( /setprimarygroup )
         - permissions ( /grant , /deny , /revoke )
         - audit ( /sgrant, /sdeny, /sallowdeny)
   - access to remote objects
   - save and restore permissions (/playfile , /outputlog , /display )

You need the SeBackupPrivilege, SeRestorePrivilege,
SeSecurityPrivilege, SeTakeOwnershipPrivilege and
SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool

Type SubInAcl /help to get extended help




SIDS
----

sids : explain how SubInAcl retrieves and translates SIDs

The security descriptor references users and groups with a SID (Security
Identifier). A SID can be expressed in one of the following forms:
         + DomainName\Account (ex: DOM\Administrators )
         + StandaloneServer\Group
         + Account ( see LookupAccount API )
         + s-1-x-x-x-x . x is expressed in decimal
           (ex: S-1-5-21-56248481-1302087933-1644394174-1001)
           Warning : In that case, no check is done to verify the existence
           of this SID.

SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"
translation network cost.

SubInAcl queries the server where the resource object is located to
translate or retrieve SIDs. If needed, you can specify another SAM
server to translate SIDs (see /alternatesamserver).
If you try to replace SIDs and the originating domain or server is not online,
you can provide a file containing the needed SIDs (see /offlinesam).
You can dump the local cache of SIDs in a file (see /dumpcachedsids).


VIEW_MODE
---------

/noverbose /verbose

SubInAcl can be used in a quiet mode (/noverbose) or in a verbose mode
(/verbose, the default).
You can specify these switches either :
  - for the entire command line :
       SubInAcl /noverbose /file *.dat /display
  - after a specific action    :
        SubInacl /file *.dat /display /noverbose /display



TEST_MODE
---------

/testmode /notestmode (default)

If /testmode is specified, the changes will not be reflected in the object's
security descriptor. This option is useful to test the validity of a command.
Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB
              /ifchangecontinue /noverbose /display /testmode
     For each file modified this command displays the modified security
     descriptor. But these changes will not physically apply to the files.



OBJECT_TYPE
-----------

/file /subdirectories /onlyfile /keyreg /subkeyreg /service /share /clustershare /printer
/kernelobject /metabase /process /samobject

SubInAcl can work with various objects:
- Files         :
      /file
      /subdirectories
      /onlyfile
- Registry keys :
      /keyreg
      /subkeyreg
- Services      :
      /service
- Shares        :
      /share
      /clustershare
- Printer       :
      /printer
- Kernel named objects :
      /kernelobject
- IIS administration rights :
      /metabase
- Process       :
      /process
- Sam       :
      /SamObject

The actions are valid for all objects.
Most of them support enumeration with the * character.


DOMAIN_MIGRATION
----------------

explain how to migrate security between domain SIDs

The main purpose of SubInAcl is to help administrators migrate user(s)
when the domain architecture has changed.
For instance, the user John has moved and is now a member of the DOMB domain.
You can reflect this change with :
SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
N.B: A trust relationship must be enabled between the server's domain and
both OldDomain and NEWDOMAIN
N.B: If a trust relationship cannot be enabled, you can use
/alternatesamserver=Server. Server should be the name of a Domain Controller

Sample :
  You have worked with a single domain.
  You want to migrate a BDC named MIGRCONTROL, with all the files and the
  users it holds, to a new domain
  1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
  2. Create the users on NEWDOMAIN
  3. Create a "trusted relationship" with OLDDOMAIN
  4. Run SubInAcl /noverbose /subdirectories x:\*.*
                             /changedomain=OLDDOMAIN=NEWDOMAIN
  5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*

Sample :
  You have worked with a standalone server named SERVER in a workgroup
  environment. You want to move this server (including users) to a domain DOM.
  1. Move SERVER to the domain DOM
  2. Create the users in the DOM domain
  3. SubInAcl /noverbose /subdirectories \\server\share
              /changedomain=SERVER=DOM

See /changedomain /migratetodomain /replace actions


SERVER_MIGRATION
----------------

explain how to migrate SIDs when objects are moved from one server to another one

Migrating a file system from one local server to another local server is not
a trivial task. SubInAcl Version 2.2 has been enhanced to help this migration
process.
To migrate file system files from one local server and to preserve security,
you can perform the following steps:
1. use scopy to copy files and ACLs to the destination server
2. create local groups on the destination server
3. Use /changedomain or /migratetodomain with the /alternatesamserver option :
    By default SubInAcl queries the server where the objects are located to
    retrieve SIDs. This server is not aware of the SIDs valid on another
    standalone server.
    To address this issue, you can use the /alternatesamserver option to ask
    SubInAcl to use the alternate SAM server if a SID resolution is
    not successful on the initial server.
Sample :
    SubInAcl /alternatesamserver=SourceServer /subdirect
    \\DestServer\Share\*.*
             /migratetodomain=SourceServer=DestServer

See /alternatesamserver /migratetodomain /offlinesam


EDITING_FEATURES
----------------

how to edit parts of the security descriptor

SubInAcl allows you to modify each part of a security descriptor :
- owner
       see /owner=SID or /setowner=SID
- primary group
       see /setprimarygroup=GroupSID
- system ACL (SubInAcl name = Audit ACL) with Access Control Entries
   (SubInAcl name = AAce = Audit ACE)
       see /audit /sgrant=SID=Access /sdeny=SID=access /sallowdeny=SID=access
- discretionary ACL (SubInAcl name = Perm ACL) with Access Control Entries
   (SubInAcl name = PAce = Perm ACE)
       see /perm /pace=xxx /revoke=SID /grant=SID=Access /deny=SID=access
- or the full security descriptor
       see /sddl=sddl_string



/SERVICE
--------

/service service_name

manipulate services
- \\ServerName\Messenger
- \\ServerName\M*
- Messenger
N.B: /driver can be used as well.
      /driver  * will display all drivers
      /service * will display all services


/KEYREG
-------

/keyreg registry_key

manipulate registry keys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/SUBKEYREG
----------

/subkeyreg registry_key

manipulate registry keys and subkeys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/FILE
-----

/file filename

manipulate files
N.B: SubInAcl is not supported on DFS volumes
- *.obj
- c:\temp\*.obj
- \\servername\share\*.exe
- c:\
/file=directoriesonly will apply parameters on directories only
/file=filesonly will apply parameters on files only


/SUBDIRECTORIES
---------------

/subdirectories file_path

manipulate files in specified directory and all subdirectories
- c:\temp\*.obj     : work with all obj files
- c:\temp\test      : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\    : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only


/ONLYFILE
---------

/onlyfile file_name

open a file without using the FindFilexxx mechanism.
Can be used to access named pipes or mailslots
- \\.\pipe\pipename


/SAMOBJECT
----------

/samobject samobject

allows access to the ACL associated with SAM objects (users, local groups, global groups).
Can be used to allow a local group (alias) created by one Power Users member on a member
server to be updated by another Power Users member
- \\samserver\localgroup
- \\samserver\*users*
- *group*
- Subinacl /samobject \\sams\testgroup /grant=poweruser1=f


/SHARE
------

/share file_share_name

access a network file share.
- \\server\share
- \\server\test*


/CLUSTERSHARE
-------------

/clustershare \\clustername\fileshareresource

access a cluster file share resource.
- \\clustername\FileShare_Resource_Name
- \\clustername\s*


/KERNELOBJECT
-------------

/kernelobject kernel_object_name

access a named kernel object.
Can be used to view mutex, sections, events objects


/PROCESS
--------

/process pid_or_executable_pattern

access a process object.
- notepad.* or pid_in_decimal


/METABASE
----------

/metabase metabase_path

access the IIS metabase AdminACL metabase property
Note that this property can only be used with these Metabase paths:
/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
This object doesn't support enumeration.
- SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F



/PRINTER
---------

/printer printername

access to printer
- \\server\printer1
- \\server\*



/DISPLAY
--------

/display[=dacl|sacl|owner|primarygroup|sdsize|sddl]

display the security descriptor
You can also view part of the security descriptor. /display=dacl will
display the discretionary acl. /display=sddl will display the security
using the Win32 SDDL security descriptor string format (see Platform SDK)
The /noverbose display can be used to reapply the security descriptor
(see /playfile)


/PLAYFILE
---------

/playfile playfile

The /playfile feature allows SubInacl to run in a batch mode.
The format of the playfile command file is :
   + object_type object_name
   /action[=parameter]...
   /action[=parameter]...
   +object_type object_name
   /action[=parameter]...

SubInacl /playfile=playfile.txt with the playfile :
+subdirec *.txt
/grant=everyone=R
+service RkillSrv
/display
will give the same result as
SubInAcl /subdirectories *.txt  /grant=everyone=R
SubInAcl /service RkillSrv /display

One typical usage of the playfile feature is to reapply security settings
saved previously, because the output format of the noverbose /display is a playfile
compatible format:
1.a) SubInAcl  /noverbose /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display
This command saves all security settings for the files on C: drive.
Sids will be saved in the Domain\user string format
The /display option in a noverbose mode uses an output playfile compatible format
or
1.b)  SubInAcl /error=d:\Err.txt /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display=sddl
This command saves all security settings using the Win32 SDDL format.
Sids will be saved in the S-1-x-x form. This will not require SubInacl to translate Sids
This may minimize the elapsed time and resource usage
2) SubInAcl /playfile d:\SubInaclSave.txt
This command will reapply the previously saved settings.

One other advantage of using a playfile is to improve performance and save network
bandwidth because SubInacl maintains a local cache of SIDs.
For instance if you issue :
SubInacl /subdirectories c:\*.* /migrate=domain1=domain2
And
SubInacl /subdirectories d:\*.* /migrate=domain1=domain2

Batching  these commands will reduce the network usage bandwidth and improve
performance because SID TO HUMAN NAME resolution process will be reduced.
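A saved playfile is replayed verbatim by /playfile, so it pays to review what it will do before restoring it. The following PowerShell is an added example, not part of Subinacl or the original post: it parses the "+object_type object_name" / "/action[=parameter]" layout described above and lists the equivalent one-shot SubInAcl command lines, treating a block with no action as "/display" (the default action listed in the usage). The sample playfile is constructed here from the two-object example in the text.

```powershell
# Added example (not part of Subinacl or the original post): turn a SubInAcl playfile
# into the equivalent one-shot command lines for review before running /playfile.

function ConvertFrom-SubInAclPlayfile {
    [CmdletBinding()]
    param(
        # Playfile content, one element per line (e.g. from Get-Content).
        [Parameter(Mandatory)][string[]]$Line
    )
    $current = $null
    $blocks  = New-Object 'System.Collections.Generic.List[object]'
    $n = 0
    foreach ($raw in $Line) {
        $n++
        $text = $raw.Trim()
        if ($text -eq '') { continue }
        if ($text.StartsWith('+')) {
            # "+object_type object_name" opens a new block; a space may follow the '+'.
            $parts = $text.Substring(1).Trim() -split '\s+', 2
            if ($parts.Count -ne 2) { throw "line ${n}: expected '+object_type object_name'" }
            $current = [pscustomobject]@{ ObjectType = $parts[0]; ObjectName = $parts[1]; Actions = @() }
            $blocks.Add($current)
        }
        elseif ($text.StartsWith('/')) {
            # Actions apply, in order, to the most recent +object line.
            if ($null -eq $current) { throw "line ${n}: action before any +object line" }
            $current.Actions += $text
        }
        else {
            throw "line ${n}: unrecognised line '$text'"
        }
    }
    foreach ($b in $blocks) {
        # /display is SubInAcl's default action when none is given.
        if ($b.Actions.Count -eq 0) { $b.Actions = @('/display') }
        "SubInAcl /$($b.ObjectType) $($b.ObjectName) $($b.Actions -join ' ')"
    }
}

# Constructed sample, copied from the playfile example in the text above.
$samplePlayfile = @'
+subdirec *.txt
/grant=everyone=R
+service RkillSrv
/display
'@ -split "`r?`n"

ConvertFrom-SubInAclPlayfile -Line $samplePlayfile

# To review a real saved file instead:
# ConvertFrom-SubInAclPlayfile -Line (Get-Content -LiteralPath 'd:\SubInaclSave.txt')
```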


/OUTPUTLOG
----------

/outputlog=filename

all outputs will be sent to filename. You need to use the /errorlog switch to
redirect all errors to a different file


/ERRORLOG
---------

/errorlog=filename.txt

all errors will be sent to filename.txt


/ALTERNATESAMSERVER
-------------------

/alternatesamserver=Server

SubInAcl queries the Server where the object is located to look up SIDs.
Under some circumstances (see server_migration or domain_migration), you may
need to retrieve SIDs from another server. If a SID resolution is
unsuccessful, this option allows SubInAcl to query the alternate SAM server.


/OFFLINESAM
-----------

/offlinesam=FileName

By default, SubInAcl queries the Server where the object is located to look up
SIDs. Under some circumstances (a migration where the source server is offline,
a domain that is no longer available, or wanting to avoid network round trips
for SID retrieval), you may allow SubInAcl.exe to retrieve SIDs from
the FileName file.
File format is :
__cachefileonly__=s-1-9-cacheonly
domain\simon=S-1-5-21-1190502449-1716722630-1654032285-1105
nat\julien=S-1-5-21-1060284298-436374069-1708537768-1005

where domain\simon and nat\julien can be a domain account or a server account.
With the __cachefileonly__ line in the file, SubInAcl.exe will not query
SAM Server(s) anymore. All needed SIDs should be found in the SAM
cache file.
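The offline SAM file is only useful if every SID in it is right, and SubInAcl does no validation of SIDs it reads from it (see the warning under SIDS above). The following PowerShell is an added example, not part of Subinacl or the original post: it writes a cache file in the "name=SID" layout just described, with the optional __cachefileonly__ marker, and validates an existing file before it is handed to /offlinesam. It assumes the accounts listed can still be resolved from the machine where the file is built; the account names in the usage line are well-known local ones chosen so the sample runs anywhere.

```powershell
# Added example (not part of Subinacl or the original post): build and validate a
# SubInAcl /offlinesam cache file in the "name=SID" format shown above.

function New-SubInAclOfflineSamFile {
    [CmdletBinding()]
    param(
        # Accounts in Domain\Name or Server\Name form.
        [Parameter(Mandatory)][string[]]$Account,
        [Parameter(Mandatory)][string]$Path,
        # Emit the __cachefileonly__ line so SubInAcl never contacts a SAM server.
        [switch]$CacheFileOnly
    )
    $lines = New-Object 'System.Collections.Generic.List[string]'
    if ($CacheFileOnly) { $lines.Add('__cachefileonly__=s-1-9-cacheonly') }
    foreach ($name in $Account) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
            $lines.Add("$name=$sid")
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "Cannot resolve '$name'; it is left out of the cache file"
        }
    }
    # Resolve the PowerShell path before handing it to .NET, whose current directory differs.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    # Plain ASCII without a BOM: SubInAcl is an old native tool.
    [System.IO.File]::WriteAllLines($full, $lines, [System.Text.Encoding]::ASCII)
    $full
}

function Test-SubInAclOfflineSamFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    # S-1-<authority>-<subauthorities>, as in the samples above. The cache-only marker is
    # matched separately because its "SID" is the literal s-1-9-cacheonly.
    $sidPattern = '^S-1-\d+(-\d+)+$'
    $report = [pscustomobject]@{ Path = $Path; CacheOnly = $false; Entries = 0; Errors = @() }
    $n = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $n++
        if ($line.Trim() -eq '') { continue }
        if ($line -eq '__cachefileonly__=s-1-9-cacheonly') { $report.CacheOnly = $true; continue }
        $parts = $line -split '=', 2
        if ($parts.Count -ne 2 -or $parts[0].Trim() -eq '') {
            $report.Errors += "line ${n}: expected name=SID"
            continue
        }
        if ($parts[1] -notmatch $sidPattern) {
            $report.Errors += "line ${n}: '$($parts[1])' is not a SID"
            continue
        }
        $report.Entries++
    }
    $report
}

# Usage: well-known local accounts resolve on any Windows machine, so this runs as-is.
$cache = New-SubInAclOfflineSamFile -Account 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' `
                                    -Path "$env:TEMP\subinacl-sids.txt" -CacheFileOnly
Test-SubInAclOfflineSamFile -Path $cache
```

A report with CacheOnly set and an empty Errors list is a file SubInAcl can consume with /offlinesam without ever contacting a SAM server.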


/DUMPCACHEDSIDS
---------------

/dumpcachedsids=FileName

At the end of the subinacl execution,
you can dump the contents of the local SID cache to a file.
This file can later be used in future SubInacl executions (see
/offlinesam) to speed up the SID resolution process.


/SETOWNER
---------

/setowner=SID

will change the owner of the object
/owner=SID or /setowner=SID
owner = DomainName\Administrators will retrieve the Administrators Sid on
the server where the object is (see Win32 SDK LookupAccountName function).


/REPLACE
--------

/replace=DomainName\OldAccount=DomainName\New_Account

    replace all ACEs (Audit and Permissions) in the object
    Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace
        all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID
        retrieved from the NEWDOM domain
    Warning: if DomainName\New_Account already has an ACE, ACE replacement is
    skipped


/ACCOUNTMIGRATION
-----------------

/accountmigration=DomainName\OldAccount=DomainName\New_Account

    (see /replace)
    will :
    - replace the owner or primary group if one of them is DomainName\OldAccount.
    - duplicate ACE(s) that reference DomainName\OldAccount for New_Account
    Ex: /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will
    duplicate all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID
    retrieved from the NEWDOM domain
    Warning : if DomainName\New_Account already has an ACE, ACE replacement is
    skipped


/CLEANDELETEDSIDSFROM
---------------------

/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]

    delete all ACEs containing deleted (no longer valid) SIDs from DomainName
    You can specify which part of the security descriptor will be scanned
    (default=all)
    If the owner is deleted, new owner will be the Administrators group.
    If the primary group is deleted, new primary group will be the Users group.


/CHANGEDOMAIN
-------------

/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]

     replace all ACEs with a SID from OldDomainName
     with the equivalent SID found in NewDomainName
     Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
     replace all ACEs containing DOM_MARKETING\ChairMan SID
     with the ChairMan's SID retrieved on NEWDOMAIN computer
     The NEWDOMAIN must have a trusted relationship with the server
     containing the object

     If you want to explicitly specify the users affected , you can specify a
     mapping file. The MappingFile file will allow you to specify the list of
     users affected and the name of the replacing user in the NewDomain

     Below a sample of a MappingFile

     simon=julien
     administrator=administrator

     OldDomainName\Simon will be replaced by NewDomainName\Julien and
     OldDomainName\Administrator will be replaced with
     NewDomainName\Administrator

     If you use the /changedomain=OldDomainName=NewDomainName=MappingFile notation,
     only users defined in this file will be migrated.
     If you use /changedomain=OldDomainName=NewDomainName=MappingFile=Both,
     the mapping file will be examined first to determine if a mapping user
     exists. If not, SubInacl will try to find the equivalent user in
     NewDomainName


/MIGRATETODOMAIN
----------------

/migratetodomain=FromDomainName=ToDomainName[=MappingFile[=Both]]

     same behavior as /changedomain except that new ACEs will be added instead
     of replacing the existing ones
     Ex: /migratetodomain=DOM1=DOM2
     each ace with DOM1\User will be duplicated with DOM2\User
     (If DOM2\User exists)
     If during the migration there was a serious oversight
     you can instruct the user to log back onto DOM1.
     N.B: Owner and Primary Group are migrated to DOM2


/FINDSID
--------

/findsid=DomainName\Account[=stop|continue]

     display the object name containing a reference to DomainName\Account
     in the security descriptor
     stop     - if Account is found, next parameters will be skipped
                and changes will not be applied
              - if Account is not found, next parameter will be executed
     continue - if Account found, next parameters will be executed
              - if Account not found, next parameters will be skipped
                and changes will not be applied


/SUPPRESSSID
------------

/suppresssid=DomainName\Account

     suppress all ACEs containing the DomainName\Account SID.
     If the object's owner is DomainName\Account, the owner is set to
     Everyone's SID.


/PERM
-----

/perm

     suppress all existing permission ACEs (PACEs)


/AUDIT
------

/audit

     suppress all existing auditing ACEs (AACEs)


/IFCHANGECONTINUE
-----------------

/ifchangecontinue

     continue to process the next actions only if some changes have been
     made in the previous actions


/TESTMODE
---------

/testmode

     changes will not be applied to the object. This allows you to test the
     modifications


/ACCESSCHECK
------------

/accesscheck=Domain\Username

     display the access granted to Domain\Username. You will be prompted
     for the password. This option requires the SeTcbName privilege (Act as Part
     of the Operating System). This option cannot be used with remote objects.
     Note : the access is checked with the NETWORK logon security identity
     granted to Domain\UserName


/SETPRIMARYGROUP
----------------

/setprimarygroup=[DomainName\]Group

     change the primary group


/DENY
-----

/deny=[DomainName\]User[=Access]

     add a denied Permission Ace for the specified User (or group)
     If Access is not specified, all accesses will be denied.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/REVOKE
-------

/revoke=[DomainName\]User

     suppress all Permission Ace(s) for the specified User (or group)


/GRANT
------

/grant=[DomainName\]User[=Access]

     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SALLOWDENY
-----------

/sallowdeny=[DomainName\]User[=Access]

     will add an Allow/Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sallowdeny=everyone=R
         will set the audit for everyone's successful and failed access


/SGRANT
-------

/sgrant=[DomainName\]User[=Access]

     will add a Successful (Allow) Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
         will set the audit for everyone's successful access

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SDENY
------

/sdeny=[DomainName\]User[=Access]

     will add a Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/OBJECTEXCLUDE
--------------

/objectexclude=pattern

      all objects matching the pattern string will be skipped (eXcluded).
   The only wildcard valid is *. It can be used everywhere in the string.
      Pattern may be a name ( *Name.exe ) or a path ( *dir\subdir\*ToExclude* ).


/PATHEXCLUDE
------------

/pathexclude=pattern

      all containers matching the pattern string will not be enumerated.
      See /objectexclude
      N.B: the Actions specified will not be applied to the container too.


/STATISTIC
----------

/statistic

      will display statistics when processing is finished.


/CROSSREPARSEPOINT
------------------

/crossreparsepoint

      When processing a file system path, SubInacl will enumerate
      file and directories below a reparsepoint except if /nocrossreparsepoint.
      is specified.


/STRINGREPLACEONOUTPUT
----------------------

/stringreplaceonoutput=string1=string2

      All occurrences of string1 will be replaced by string2 in subinacl output.


/SDDL
-----

/sddl=sddl_string

      specify the Security descriptor for the object using the Win32 security
      descriptor definition language (SDDL)


/APPLYONLY
----------

/applyonly=dacl,sacl,owner,group

      Some subinacl options may change parts (owner,group,dacl,sacl) of the security descriptor.
      You may restrict the change to some parts of the security descriptor only .
      For instance /applyonly=dacl,sacl,owner will not modify the primary group field


/PATHCOPYSECURITY
-----------------

/pathcopysecurity=path_container

      SubInacl will reset the security descriptor for the object with the same named object
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /pathcopysecurity=d:\test
          will replace the security (acls,owner,primarygroup) for c:\temp\1.txt with the security
          retrieved from d:\test\1.txt (if this file exists)
          -SubInacl /service Messenger /pathcopysecurity=\\Server
          will update the security on the service Messenger with the security existing on the remote
          messenger service


/OBJECTCOPYSECURITY
-------------------

/objectcopysecurity=object_path

      SubInacl will reset the security descriptor with the object object_path
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /objectcopysecurity=d:\test\mask.txt
          will replace the security (acls,owner,primarygroup) for all txt files
          in c:\temp with the security retrieved on d:\test\amsk.txt
          will update the security on the service Messenger with the security existing on the remote
          messenger service

With help from this awesome post: http://www.vanstechelman.eu/windows/how_to_use_subinacl

Wednesday, January 11, 2012

My First Powershell script

It seems that PowerShell is the way forward, as it is well supported on Windows 7 and by Microsoft. It is a powerful scripting language, and I think it will revolutionize the way we script today.
I just wrote my first PowerShell script and thought it would be good to share it. I am not going to give a PowerShell tutorial, as there are a lot of them available already.
There are a few things worth noting in this script:

1) You can get the script's own directory with the Get-ScriptDirectory function below.
2) You can suppress the "Open File - Security Warning" prompt for an exe launched from a remote location with the command: $env:SEE_MASK_NOZONECHECKS = 1
and restore the default behaviour afterwards with: Remove-Item env:\SEE_MASK_NOZONECHECKS
3) Installation of setup.exe with parameters can be seen in the InstallPackage function.
4) Permissions can be set from a PowerShell script using the GivePermissions function below.


Here is the code:
------------------------------------------------------

function Get-ScriptDirectory
{
    # Resolve the folder the running script lives in from the caller's MyInvocation
    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
    Split-Path $Invocation.MyCommand.Path
}

# Suppress the zone-check ("Open File - Security Warning") prompt for setup.exe
$env:SEE_MASK_NOZONECHECKS = 1
$val1 = Get-ScriptDirectory
$CurrentPath = $val1.ToString()
$Setup = $CurrentPath + "\setup.exe"
$Config = " "    # command-line arguments passed to setup.exe (none here)

function InstallPackage
{
    # Write-host $Setup
    # Write-host $Config
    # Launch setup.exe with the given arguments and block until it exits
    $process = [Diagnostics.Process]::Start($Setup,$Config)
    $process.WaitForExit()
}

function GivePermissions
{
    $acl = Get-Acl "C:\Program Files\PLSQL"
    # Stop inheriting from the parent folder (first $True) but keep the inherited
    # entries as explicit ACEs (second $True) so nothing is lost
    $acl.SetAccessRuleProtection($True, $True)
    # Grant the local Users group Modify, inherited by subfolders (ContainerInherit)
    # and files (ObjectInherit)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl "C:\Program Files\PLSQL" $acl
}

# -Main ----------------------------------
InstallPackage
GivePermissions
# Restore the default zone-check prompt behaviour
Remove-Item env:\SEE_MASK_NOZONECHECKS
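As an added example (not the script from this post), the same Get-Acl/Set-Acl grant wrapped in a function, followed by a check that reads the ACL back and reports any ACE that hands a broad group ChangePermissions or TakeOwnership, which is what separates Modify from Full Control. The folder path is a placeholder; run it as an administrator.

```powershell
# Added example, not part of the original post. Grants Users 'Modify' on an
# install directory the way GivePermissions does, then audits the result.
# The folder path below is a placeholder.

function Grant-UsersModify {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent but keep inherited ACEs as explicit ones
    $acl.SetAccessRuleProtection($true, $true)

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'Users',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-BroadFullControl {
    # Returns the Allow ACEs that grant ChangePermissions or TakeOwnership to
    # non-administrative groups; an empty result means the folder is fine.
    param([Parameter(Mandatory)][string]$Path)

    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $dangerous = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $dangerous) -ne 0
    }
}

# Usage with a placeholder path
$dir = 'C:\Program Files\ExampleApp'
Grant-UsersModify -Path $dir
$findings = Test-BroadFullControl -Path $dir
if ($findings) {
    $findings | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    'OK: no broad ChangePermissions/TakeOwnership grants on ' + $dir
}
```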

Monday, November 24, 2008

Different Ways of Giving Permissions in Your Windows Installer

In most organisations Windows XP/Windows 7 runs in a locked-down environment. MSI authors generally have to grant permissions on the installation directory so that users without admin rights are able to access it and write data into it.
When you set permissions, you specify what level of access a user has to the folder and its files, and what the user can do within that folder, such as save, delete, or read files.
If you would like to know how to set permissions through a PowerShell script, I recommend reading my newer blog entry here:
http://msiworld.blogspot.com/2012/01/my-first-powershell-script.html

There are six standard permission types which apply to files and folders in Windows XP/Windows 7:

  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write

Each level represents a different set of actions users can perform. See the table below for more information.

For folders you can also set your own unique permissions or create a variation of any of the standard permission levels. Within each of the permission levels are many possible variations.

The following table represents the available standard permission types with their descriptions:

Full Control - Permits the user(s) to:
  • view file names and subfolders
  • navigate to subfolders
  • view data in the folder's files
  • add files and subfolders to the folder
  • change the folder's files
  • delete the folder and its files
  • change permissions
  • take ownership of the folder and its files

Modify - Permits the user(s) to:
  • view the file names and subfolders
  • navigate to subfolders
  • view data in the folder's files
  • add files and subfolders to the folder
  • change the folder's files
  • delete the folder and its files

Read & Execute - Permits the user(s) to:
  • view file names and subfolder names
  • navigate to subfolders
  • view data in the folder's files
  • add files and subfolders to the folder

List Folder Contents - Permits the user(s) to:
  • view folders
  • navigate to subfolders
  • does not permit access to the folder's files

Read - Permits the user(s) to:
  • view the file names and subfolder names
  • navigate to subfolders
  • run applications
  • open files
  • copy and view data in the folder's files

Write - The Read permissions, plus permits the user(s) to:
  • create folders
  • add new files
  • open and change files
  • delete files

You can set permissions on folders in the following ways:
  • Secedit
  • XCACLS/ICACLS
  • LockPermission table.


  • SECEDIT:

    The SECEDIT command-line tool can be used to apply group policy object settings to a target workstation immediately.
    To use Secedit to give permissions in your package, perform the following steps:
    Go to Run and type MMC.
    A console opens up as shown in the picture below.
    Go to File and click on Add / Remove Snap-in.



    The Add / Remove Snap-in window opens up as shown in the picture below.



    After this click on Add...
    The Add Standalone Snap-in dialog opens up as shown in the picture below.



    Choose Security Templates from the list of snap-ins and click on Add.
    The Security Templates snap-in will be added to the console.
    You can see File System, with all the listed directories on the right. This is shown in the picture below.



    Now, delete all the entries on the right.
    Right-click, click on Add File, then browse and select the directory you want to give permissions on.
    Similarly you can give permissions on the registry too.






    Click on OK and save this template as an .inf file (such as {PackageName}.inf).
    Now we have to include this file in the package.
    Add this file to the %Windir%\security\templates folder.
    Use the following custom action in your package to run Secedit:

    Use an Execute Program From Destination custom action.


  • Give the custom action a name as per your standards.


  • Set the Working Directory to the Templates folder (where we have placed the .inf file).


  • In the exe and command line fields give the following command:
    secedit /configure /db "[security]Database\{PackageName}.sdb" /cfg "[security]templates\{PackageName}.inf" /log "[security]logs\{PackageName}.log" /quiet
    
    
    Here [security] refers to the Security folder under C:\Windows, that is %Windir%\Security. It is always good to use a directory property instead of hardcoded paths.

    {PackageName} refers to the name you would like to give to your .inf file, to the log file you create and to the .sdb file you create.

    Note that this will create an .sdb file in the %windir%\security\Database folder and a .log file in the %windir%\security\logs folder. So on uninstallation of the package you need to remember to delete these files from those folders. You can do that by using the RemoveFile table.



  • The custom action should be placed just before InstallFinalize.


  • The condition for launching the custom action should be "NOT REMOVE".


  • The custom action can be run in deferred mode in system context.
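The MMC steps above end with a saved security template; as an added example (not from this post), here is PowerShell that writes the equivalent .inf directly, with the folder's ACL expressed in SDDL (Administrators and SYSTEM full control, Users modify), and builds the secedit command line the custom action runs. The folder path and package name are placeholders.

```powershell
# Added example, not part of the original post. Writes a security template
# like the one the Security Templates snap-in saves, and composes the
# post's secedit /configure command. Paths and names are placeholders.

function New-PermissionTemplate {
    param(
        [Parameter(Mandatory)][string]$Folder,    # folder to secure
        [Parameter(Mandatory)][string]$OutFile    # .inf to write
    )

    # SDDL: P = protected DACL, AR = auto-propagate; OICI = inherit to subfolders
    # and files. FA = full access; 0x1301bf = Modify (same mask as
    # FileSystemRights::Modify). BA/SY/BU = Administrators/SYSTEM/Users.
    $sddl = 'D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)'

    # Validate the SDDL before writing it; the constructor throws on bad syntax.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    # [File Security] row: "path",mode,"sddl"; mode 0 = propagate inheritable
    # permissions to all subfolders and files.
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"{0}",0,"{1}"
'@ -f $Folder, $sddl

    # Security templates are expected in Unicode (UTF-16 LE).
    Set-Content -Path $OutFile -Value $inf -Encoding Unicode
}

function Get-SeceditCommand {
    # Returns the command line from the post with [security] resolved to
    # %WINDIR%\security, so it can be checked before it goes into the package.
    param([Parameter(Mandatory)][string]$PackageName)

    $sec = Join-Path $env:WINDIR 'security'
    'secedit /configure /db "{0}\Database\{1}.sdb" /cfg "{0}\templates\{1}.inf" /log "{0}\logs\{1}.log" /quiet' -f $sec, $PackageName
}

# Usage with placeholder values
$templates = Join-Path $env:WINDIR 'security\templates'
New-PermissionTemplate -Folder 'C:\Program Files\ExampleApp' -OutFile (Join-Path $templates 'ExampleApp.inf')
Get-SeceditCommand -PackageName 'ExampleApp'
```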

  • XCACLS/ICACLS:

    XCACLS, or the Extended Change Access Control List tool, is an advanced version of CACLS; the difference is that we do not have to answer Yes/No prompts with XCACLS. CACLS and XCACLS are tools used to modify ACLs (Access Control Lists), and thereby the folder permissions for users in Windows. ICACLS is another tool like XCACLS.

    CACLS is installed on every machine, in the System32 folder.

    XCACLS ships with the Windows NT Resource Kit or can be easily downloaded from the net. XCACLS allows you to set permissions at the same granular level of control that you have with the GUI.

    CACLS Syntax

    CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

    filename Displays ACLs.
    /T Changes ACLs of specified files in the current directory and all subdirectories.
    /E Edit ACL instead of replacing it.
    /C Continue on access denied errors.
    /G user:perm Grant specified user access rights.
    Perm can be:
    R Read
    C Change (write)
    F Full control
    /R user Revoke specified user's access rights (only valid with /E).
    /P user:perm Replace specified user's access rights.
    Perm can be:
    N None
    R Read
    C Change (write)
    F Full control
    /D user Deny specified user access.


    Wildcards can be used to specify more that one file in a command.
    You can specify more than one user in a command.

    XCACLS Syntax

    XCACLS filename [/T] [/E] [/C] [/G user:perm;spec] [/R user [...]][/P user:perm;spec [...]] [/D user [...]] [/Y]
    
    

    filename Displays ACLs.
    /T Changes ACLs of specified files in the current directory and all subdirectories.
    /E Edit ACL instead of replacing it.
    /C Continue on access denied errors.
    /G user:perm;spec Grant specified user access rights.
    Perm can be:
    R Read
    C Change (write)
    F Full control
    P Change Permissions (Special access)
    O Take Ownership (Special access)
    X EXecute (Special access)
    E REad (Special access)
    W Write (Special access)
    D Delete (Special access)
    Spec can be the same as perm and will only be applied to a directory. In this case, Perm will be used for file inheritence in this directory. If not omitted: Spec=Perm. Special values for Spec only:
    T NoT Specified (for file inherit, only for dirs valid)
    At least one access right has to follow!
    Entries between ';' and T will be ignored!
    /R user Revoke specified user's access rights.
    /P user:perm;spec Replace specified user's access rights.
    for access right specification see /G option
    /D user Deny specified user access.
    /Y Replace user's rights without verify


    Wildcards can be used to specify more that one file in a command.
    You can specify more than one user in a command.
    You can combine access rights.

    Example of XCACLS can be:
    xcacls "[INSTALLDIR]FOLDER" /e /g users:ewxd;ewx
    

    Usage for ICACLS

    ICACLS "[INSTALLDIR]FOLDER" /T /grant USERS:M

  • LockPermission table:

    The LockPermissions table can also be used to give permissions to files, folders and registry keys.
    With the LockPermissions table you can give permissions only to users who already exist on the computer or domain.
    To give permissions through the LockPermissions table, follow the procedure below:

    In the Files section of Installation Expert (you can do the same with Registry too), go to the file or the directory (depending on which you want to give permissions to) and click on Details. For a file you will get the screen below, where there is a Permissions tab among other tabs as shown in the picture; if you have chosen a directory there will only be a Permissions tab. Click on Add.
    In the Domain field you can enter the domain of the user for which permissions are to be set, either a standalone machine name or a domain name. I have used an environment variable here, [%USERDOMAIN], which picks up the domain at run time for the user the package is being installed for. The user you set can be Administrator, Everyone or Logged on User. I have selected Everyone here.



    After that, select from the list below which permissions you want to give to the user. Click OK and the permissions work is done.

    Now when you go to the LockPermissions table in the Tables section, you can see the following columns:

    LockObject, Table, Domain, User and Permission.

    LockObject and Table together specify the file, directory or registry key to be given permissions. LockObject contains the name of the file, directory or registry key; the Table column can be File, CreateFolder or Registry. LockObject is a foreign key into the primary key of the table named in the Table column.

    Domain, as mentioned earlier, is the domain of the user.
    User, as mentioned earlier, is the user to whom we want to give the permission.
    Permission is the numeric access mask corresponding to the permissions we have specified.

    Every file, registry key, or directory that is listed in the LockPermissions Table receives an explicit security descriptor, whether it replaces an existing object or not. The Windows Installer attempts to preserve the security on objects that already exist on the system. If an object is not listed in the LockPermissions Table, and replaces an existing object, the replacement gets the security settings of the object that it replaces.

    If an object is not listed in the LockPermissions Table, and does not replace an existing object, it receives no explicit security descriptor. The access to the new object is based on the attributes of its parent or container object. If an object is not listed in the table, and replaces an object with no explicit security descriptor, the access to the new object is based on the attributes of its parent or container object.

    Hope this article helps you build up your knowledge on how to give permissions to your files, folders and registry keys.