
First I have to provide some context.

I can set procmon to run at some non-default altitude by making two changes in key 'HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance':

  1. Changing the Altitude value from its default '385200' to the required value; e.g. '136500'
  2. And adding a special permission to the key: user:Everyone type:Deny permissions:('set value' | 'delete')

The reason for changing the Altitude is obvious. The reason for adding a special permission is less obvious: without it, procmon will simply reset the Altitude to its default value.

Okay, here is my question:

I cannot programmatically remove the added permission or change that key or its values. This is not surprising because the permission denies 'everyone' that access.

However I can easily remove that permission using regedit. I just select the permission and remove it.

So what trick is regedit using to override that permission?

I can see it is running as the current user, not 'SYSTEM'. I can use psexec to run a remove script as 'SYSTEM' but that is denied access too.

NoBrassRing
  • Regedit requires administrator privileges. An admin can't be denied permissions. – Ken White Jan 15 '19 at 01:35
  • 1
    That is untrue. A user with administrator privileges (even 'Administrator') is not like a linux superuser. Such a user, like any user, is constrained by Windows permissions. Write a few simple powershell scripts to see this for yourself. However the same user running regedit seems to have special privileges. That is the essence of my question. – NoBrassRing Jan 16 '19 at 13:58
  • `PsExec -i -s regedit` (or `PsExec64 -i -s regedit`) from *elevated* command prompt _should_ help! – JosefZ Jan 17 '19 at 22:21
  • Thanks for your suggestion but it doesn't answer my question. Regedit already has a special privilege (apparently): the privilege to remove a 'deny everyone' ACL. You don't need to run it as System (using psexec) to get that privilege. My question is what is this privilege? How is regedit able to bypass all the permission restrictions that affect other programs (even those run as System or run by an Administrator user)? – NoBrassRing Jan 18 '19 at 23:24

1 Answer

In retrospect it is clear that regedit is not using any special trick or privilege to remove the 'deny everyone' ACE. The problematic ACE is not denying all operations on the registry key. It is only denying 'delete' and 'set value'. With that ACE in place, not even regedit can delete the key or set values. That is, it cannot open the key with 'delete' or 'set value' access.

What regedit can do is open the key with write-dacl access. The problematic ACE doesn't deny that.

Once regedit (or any other program) opens the key with write-dacl access, it can remove the problematic ACE and then make any other needed changes to the key.

Doh!

NoBrassRing
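As an added illustration of the answer's point (this is not code from the original post, nor anything regedit itself does), the same WRITE_DAC route in PowerShell: it recreates the 'deny Everyone set value/delete' ACE on a constructed throwaway key under HKCU, shows that a plain 'set value' open is refused, then opens the key for ChangePermissions (WRITE_DAC), which the ACE does not deny, strips the ACE and writes normally. The key path and value name are assumptions; the Procmon key from the question would need an elevated session.

```powershell
# Constructed demo key; the ACE behaviour is the same on the Procmon key from the question.
$KeyPath  = 'Software\AceDemo'
$Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')   # well-known SID for Everyone
$hive     = [Microsoft.Win32.Registry]::CurrentUser

# 1. Reproduce the setup from the question: a value, plus Deny(SetValue | Delete) for Everyone.
$key = $hive.CreateSubKey($KeyPath)
$key.SetValue('Altitude', '136500')
$acl = $key.GetAccessControl()
$deny = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
$key.SetAccessControl($acl)
$key.Close()

# 2. Any open that asks for KEY_SET_VALUE is now refused, regardless of who asks.
try {
    $hive.OpenSubKey($KeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::SetValue).Close()
    Write-Output 'Unexpected: SetValue open succeeded'
} catch {
    Write-Output "SetValue open denied as expected: $($_.Exception.Message)"
}

# 3. The ACE says nothing about READ_CONTROL / WRITE_DAC, so open for exactly those rights
#    (the same access regedit's permissions dialog needs) and remove the Deny entry.
$dacKey = $hive.OpenSubKey($KeyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
    [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
$acl = $dacKey.GetAccessControl()
$acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $Everyone } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$dacKey.SetAccessControl($acl)
$dacKey.Close()

# 4. With the ACE gone, ordinary writes and deletes work again.
$hive.OpenSubKey($KeyPath, $true).SetValue('Altitude', '385200')
$hive.DeleteSubKeyTree($KeyPath)
Write-Output 'Deny ACE removed and demo key cleaned up'
```

Step 3 is the whole answer in code: write-dacl access is granted by the key's normal Allow entries (owner or Administrators Full Control), so a Deny limited to SetValue and Delete never protects the DACL itself.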