Import a reg file with the OSD script

    Question

  • I am having some issues with importing a registry file before launching Easy Grade Pro. The issue appears to be UAC as on my system that has UAC turned down, the process works like a charm, but on systems with UAC set to default, it prompts for the import and at that time does import the reg file but the app doesn't read it in.

    I have loaded the app using SFTTRAY and going to a command prompt so I can troubleshoot, and I can see that the registry import was successful on the host machine, but in the virtual registry the entry is not there. However, on my system that has UAC turned down, both registries match. When an app launches, is there a way to run the script using the system account so that it has access to change the registry? We currently do this with our SCCM package for local installs of this program and it works just fine, so not sure why the virtual app isn't doing the same.

    We don't want to turn UAC down on regular domain systems just for the added protection and functionality that it brings.

    Just to make sure I'm not doing something wrong, here is the OSD script I'm using:

    <ENVLIST>
     <ENVIRONMENT VARIABLE="__COMPAT_LAYER">RunAsInvoker</ENVIRONMENT> <!-- saw on another post to try this -->
    </ENVLIST>
    <DEPENDENCY>
     <CLIENTVERSION VERSION="4.6.0.0"/>
     <SCRIPT TIMING="PRE" EVENT="STREAM" PROTECT="TRUE" WAIT="TRUE">
      <HREF>"\\Hillnet\Software\EasyGradePro\VMEGP.bat"</HREF>
     </SCRIPT>
    </DEPENDENCY>

    The batch file just looks at the computer name and jumps to the corresponding school and runs the following, so for a computer named LI********** the following would run:

    Regedit /s "\\Hillnet\Software\EasyGradepro\LHSEGP.reg"

    Thursday, March 29, 2012 10:07 PM

Answers

  • The only feasible way I would see is having a small pre-script which is running pre-launch rather than pre-stream. It can then write to the virtual registry on each launch with Security Descriptors not enforced. It shouldn't have a heavy hit on the performance as it's a small task.

    E.g. a script which checks their variable and writes a particular reg into the virtual registry on each launch.

    Alternatively, for the other way you would need to set permissions on the local registry to allow users to write to where your reg needs to go, e.g. set Users with permissions on HKLM\Software\Test. Then have a pre-stream script which sets the correct reg based on the location.


    Blog: rorymon.com Twitter: @Rorymon

    Wednesday, April 04, 2012 11:50 PM
  • OK, there's a few things that I'm not clear on:

    • Are users a member of the local Administrators group?
    • Does the target registry key or value exist inside the package or are you attempting to make the change outside of the package (PRE STREAM would indicate outside of the package)?
    • Which hive is the target key or value in (HKCU or HKLM)?

    Scripts run as the current user and you can't run these as other accounts. If the target registry key/value is outside of the package and exists in HKLM and the user is not a local Administrator the write will fail. If the user is a member of the local Administrators account, then I would expect UAC prompts.

    If the target registry key/value is outside of the package, can you put it inside the package and disable security descriptors instead? (I would expect this approach to work)



    Twitter: @stealthpuppy | Blog: stealthpuppy.com

    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.

    Tuesday, April 03, 2012 9:49 PM

All replies

  • Disable security descriptors in your package.



    Twitter: @stealthpuppy | Blog: stealthpuppy.com

    Thursday, March 29, 2012 10:23 PM
  • Security Descriptors are disabled, however the same results are seen.
    Friday, March 30, 2012 6:27 PM
  • Can I ask if you want the registry to go to the local machine or into the virtual registry? Also, have you considered just doing it natively through the OSD itself? If you want a good example of doing this, have a look at Tim Mangan's OSD Illustrated and search for the REGISTRY tag.

    Aside from that do you want the reg local?

    http://www.tmurgent.com/osd_illustrated.aspx


    Blog: rorymon.com Twitter: @Rorymon


    • Edited by RorymonMVP Friday, March 30, 2012 9:34 PM
    Friday, March 30, 2012 9:34 PM
  • It needs to be in the virtual registry because the sequenced program doesn't seem to read the local registry. That's the reason I am running the script as a pre-stream event, so that the local registry is updated before the virtual registry is created when the virtual environment is set up.

    The reason to not do it natively is due to the reg needing to be changed depending on where it's run from. This is used at 30+ schools and each school has its own reg file (license and school name) that needs to be loaded, so doing it natively in the OSD would require 30+ OSD files and then each corresponding file being published to each specific school group, if I understand that example correctly.

    The only issue I'm having at this point is getting the reg import to work without the UAC prompt, as regular staff cannot make registry changes. On systems with UAC turned down, this process works without issue.

    Monday, April 02, 2012 3:12 PM
  • What if you use the command: REG IMPORT RegFile.reg instead of Regedit?

    Blog: rorymon.com Twitter: @Rorymon

    Monday, April 02, 2012 3:37 PM
  • Did you get a chance to try that, Obannon?

    Something like

    REG IMPORT "\\Hillnet\Software\EasyGradepro\LHSEGP.reg"

    It doesn't seem to throw a UAC for me anyway, whilst RegEdit does.


    Blog: rorymon.com Twitter: @Rorymon

    Tuesday, April 03, 2012 7:15 PM
  • The UAC prompt goes away but I get an "ERROR: Error accessing the registry" message.
    Tuesday, April 03, 2012 7:16 PM
  • What does a REG ADD command produce? If UAC isn't the issue, it sounds like you're attempting to access a registry key that either doesn't exist in the package or security descriptors aren't actually disabled.


    Twitter: @stealthpuppy | Blog: stealthpuppy.com

    Tuesday, April 03, 2012 7:37 PM
  • REG ADD produces a UAC prompt for each key required. This is a UAC issue, as on systems that have UAC turned down there is no prompt and the import is successful even for staff accounts. It's only on systems with UAC in the default setting that the prompt happens; upon clicking Yes to the UAC prompt the import happens.

    I purposely didn't include the registry entry in the sequenced package, as then if it didn't get imported properly the schools would have the wrong license file.

    I was having issues with the import actually working even after clicking Yes on the UAC prompt until I added:

    <POLICIES>
            <VIRTUAL_REGISTRY_DISABLED>TRUE</VIRTUAL_REGISTRY_DISABLED>
    </POLICIES>

    which I assume means it no longer creates a virtual registry. After adding this, the import works when I click Yes to UAC and all is well. However, regular staff will not have the rights to modify the registry.

    Tuesday, April 03, 2012 7:57 PM
  • That's a tough one then. If it's a case that even when you get past the UAC prompt you are getting an access denied, it seems like not only is it a UAC issue like Aaron has said, it's a permissions issue. Your users seem to require actual elevation. If the RunAsInvoker isn't helping. Or the reg isn't already there with a null value.

    Then there's no real easy solution as far as I know. Maybe somebody else can help more. But I would think if you do it as a pre-script it still won't work because that will be executed in the user context. You could use a tool like AutoIT to force it to RunAs an actual local Admin, but I don't really like that as a solution as it's crackable. You could look at using SecEdit for setting permissions on the hive that needs to be written to. Or you could use third party tools like SetAcl.

    You could of course deploy it as a GPO in a script or through SCCM itself. It just requires an extra layer of management as it's not attached to the actual application.

    Sorry, that's probably not too helpful. I had a similar issue running advanced firewall before, but it was OK because we decided to do it through GPO.


    Blog: rorymon.com Twitter: @Rorymon

    Tuesday, April 03, 2012 9:14 PM
  • Why not use OSD scripting to import the registry value you need?

    Use this code to start with (with the VIRTUALENV-tag):

    <REGISTRY>
    	<REGKEY HIVE="HKCU" KEY="SOFTWARE\blaat" NOREDIR="FALSE">
    		<REGVALUE REGTYPE="REG_DWORD" NAME="someName">24200242</REGVALUE>
    	</REGKEY>
    </REGISTRY>

    Wednesday, April 04, 2012 8:54 AM
  • Thanks everyone for assisting in this, it's been driving me crazy. I am currently trying Aaron's suggestion of placing the reg entry (HKLM) in the package and I have verified that security descriptors have been disabled.

    As for the questions, regular users are limited users and as such they can't install/modify the system/registry. And the reason to not hard code this in the OSD script is the reg entry needs to change based on what site this is being run from.

    Wednesday, April 04, 2012 3:31 PM
  • Good luck with it. The most obvious one is the security descriptors like Aaron suggested. I hope that's it.

    Blog: rorymon.com Twitter: @Rorymon

    Wednesday, April 04, 2012 4:18 PM
  • So still the same behavior. I'm curious, how do I access the virtual registry directly to import the reg file to? Isn't the virtual registry created when the virtual environment is set up, at which time it creates a copy from the local registry?
    Wednesday, April 04, 2012 9:19 PM
  • Wednesday, April 04, 2012 9:27 PM
  • Unless I'm reading it wrong, using that method wouldn't work because the reg key would then be hard coded in the sequenced app. I need the key to be changeable based on location, which is why I was trying to import into the local registry, which does work with accounts that have admin rights.

    I currently have the key hard coded in the sequenced app, but I am a bit unclear as to how I specifically change the virtual key using a script to determine what site key it needs instead of the local key.

    Wednesday, April 04, 2012 10:55 PM
  • Ensure security descriptors are disabled and the script runs with the following settings in the OSD file:

    SCRIPT TIMING="PRE" EVENT="LAUNCH" PROTECT="TRUE"

    At launch, you don't get a copy of the local registry, you get a merged view of the local and virtual registries (with the virtual on top of the local). Changes to the registry will cause a copy-on-write into the virtual environment.

    You can hard code a value into the package and then use your script to change that value at launch. As long as all components that need to see that value exist within the virtual environment, then the registry value should be able to exist wholly in the virtual environment as well without requiring any changes to the real registry.

    Thursday, April 05, 2012 6:38 AM
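
Added example, not part of any post in this thread: a sketch of the per-site pre-launch script suggested above, using the share path and the LI to LHSEGP.reg mapping the original poster gave. It assumes the script is referenced from the OSD with EVENT="LAUNCH" and PROTECT="TRUE" as described in the post above; the thread does not confirm that this resolved the poster's problem.

```batch
@echo off
rem Added example (not from the thread): per-site registry import intended to
rem run as an App-V pre-launch script, referenced from the OSD with
rem   SCRIPT TIMING="PRE" EVENT="LAUNCH" PROTECT="TRUE" WAIT="TRUE"
rem It runs as the launching user, with no elevation. Keep the share
rem read-only for those users: whoever can edit a .reg file there controls
rem what gets imported on every launch.
setlocal

rem The share path and the LI to LHSEGP.reg mapping come from the thread.
rem Further prefixes would be added the same way (hypothetical, not shown
rem in the thread).
set "SHARE=\\Hillnet\Software\EasyGradepro"
set "PREFIX=%COMPUTERNAME:~0,2%"
set "REGFILE="

if /i "%PREFIX%"=="LI" set "REGFILE=LHSEGP.reg"

rem Fail closed: an unmapped machine gets no import rather than a wrong license.
if not defined REGFILE (
    echo No site mapping for computer name prefix "%PREFIX%". 1>&2
    exit /b 2
)

if not exist "%SHARE%\%REGFILE%" (
    echo Site file "%SHARE%\%REGFILE%" is not reachable. 1>&2
    exit /b 3
)

rem REG IMPORT rather than "regedit /s": in the thread regedit raised the UAC
rem prompt and REG IMPORT did not.
reg import "%SHARE%\%REGFILE%"
if errorlevel 1 (
    echo reg import failed for "%REGFILE%". 1>&2
    exit /b 1
)

exit /b 0
```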
  • I am at a loss on this one. I have made sure Security Descriptors are disabled and made the above changes to the OSD file. However, I still get the UAC prompt, and even when clicking Yes the program still doesn't read in the reg key even though it's there in the registry.

    I may not have to resolve this issue as I hard coded in the school district name and that may be good enough for reporting; just waiting to see if I need to proceed with trying to get the reg change to work.

    Thursday, April 05, 2012 7:07 PM
  • I'm at a loss too. I would have thought RunAsInvoker could help and similarly the permissions on the reg hive would work. Let us know how you fix it.

    Blog: rorymon.com Twitter: @Rorymon

    Thursday, April 05, 2012 9:36 PM