PDA

View Full Version : Re: ASP Error



Stephen W. Meeley
10-Oct-2005, 09:39 AM
Garret, Jakob and Anders,

I recently got bit by the same condition (Invalid ProgID) and just
finished doing a lot of research into it. Here's what I've found:

1. The "normal" condition for the machine is that the HKCR registry has
all the rights necessary - there should never be a need to modify the
rights in the HKCR registry branch.

2. We've taken multiple machines from a freshly installed state and
applied all services packs and hot fixes, installed all kinds of
software and have not been able to reproduce a situation where the
appropriate rights to HKCR were removed.

3. There is obviously something that can remove the appropriate rights
to HKCR, but there doesn't seem to be any common knowledge on what the
base cause really is. If you search, you'll find multiple references to
setting rights to HKCR to solve problems, but never any mention as to
what caused the condition in the first place.

4. Based on the above, we feel that changing rights on a machine where
the appropriate rights for HKCR do not exist is treating a symptom, not
fixing the problem.

So, we won't be attempting to change the rights for HKCR in the
installation (because the appropriate rights should exist anyway).

Also, our strong recommendation to anyone who finds that HKCR does not
have the appropriate rights is to not simply make the specific changes
discussed in the various threads, but to get the machine back to the
natural state (in other words, fix the real problem - not just treat the
symptom).

Of course, if anyone knows more about how the rights for HKCR got
changed in the first place (either by natural or unnatural causes) we'd
love to get input and could even change our recommendation if new
information changes the landscape.

I've made mention to "appropriate rights" throughout this message and
that's because the actually settings are slightly different based on
which platform you run.

On all platforms, you should see:

Administrators will have Full Control and Read

CREATOR OWNER will have Special Permissions (Full Control for Subkeys
only)

Power Users will have Read and Special Permissions (though we can't
really tell what the Special Permissions actually do in this case - we
think they just signify if rights should be inherited or not).

SYSTEM will have Full Control and Read

Users will have Read

On Windows 2000 (the oldest system we tested) you will also see:

Everyone will have Read

You may also see other, specialized groups of user (like Terminal
Services Users) with Read rights.

The removal of Everyone on systems newer than Windows 2000 does NOT
impact the proper operation of the system (including Web Application
Server) - it's probably just one of the many security changes that were
made in XP and Server 2003.

Best regards,

-SWM-

PS. BTW, in my specific case my machine was having many other problems
(totally freezing on a regular basis) that started over a month ago and
steadily got worse. No specific viruses were found, and I'm still not
sure what caused the rights to disappear from HKCR. I've reinstalled
everyone that I had on my old machine (WinXP Pro, Office 2003, FrontPage
2003, Wise, RoboHelp X5, Beyond Compare, Acrobat 6, VSS, various Google
tools, Crystal XI, multiple revisions of Visual DataFlex, Spybot, Ghost
9, WinZip, various tools and multimedia applications from HP and others,
etc.) and have all updates for everything and nothing has altered the
rights on HKCR (I checked between every operation) from "normal".

Garret Mott
10-Oct-2005, 09:52 AM
Stephen -

Thanks for the detailed response.

How it happens does seem to be a mystery. How could anything but VDF change
rights in its keys? I'm sure there are many answers, but this does worry me
some.

BTW - my machine is XP Pro SP 2 with all updates current ('til there are 12
new ones this afternoon <g>).

I could easily suspect AOL, as it seems to do all kinds of
annoying/dumb/inconsiderate/ill-advised things, but before you say I should
remove it, please have a conversation with my girlfriend who shares the
computer when we're traveling <vbg>...

Does anyone know of a tool that will track changes to permissions in the
registry? Regmon maybe? If so - any ideas on how to configure it?

Thanks to all -

Garret



"Stephen Meeley" <stephen-m@dataaccess.com> wrote in message
news:p57xfhazFHA.2904@dacmail.dataaccess.com...
Garret, Jakob and Anders,

I recently got bit by the same condition (Invalid ProgID) and just
finished doing a lot of research into it. Here's what I've found:

1. The "normal" condition for the machine is that the HKCR registry has
all the rights necessary - there should never be a need to modify the
rights in the HKCR registry branch.

2. We've taken multiple machines from a freshly installed state and
applied all services packs and hot fixes, installed all kinds of
software and have not been able to reproduce a situation where the
appropriate rights to HKCR were removed.

3. There is obviously something that can remove the appropriate rights
to HKCR, but there doesn't seem to be any common knowledge on what the
base cause really is. If you search, you'll find multiple references to
setting rights to HKCR to solve problems, but never any mention as to
what caused the condition in the first place.

4. Based on the above, we feel that changing rights on a machine where
the appropriate rights for HKCR do not exist is treating a symptom, not
fixing the problem.

So, we won't be attempting to change the rights for HKCR in the
installation (because the appropriate rights should exist anyway).

Also, our strong recommendation to anyone who finds that HKCR does not
have the appropriate rights is to not simply make the specific changes
discussed in the various threads, but to get the machine back to the
natural state (in other words, fix the real problem - not just treat the
symptom).

Of course, if anyone knows more about how the rights for HKCR got
changed in the first place (either by natural or unnatural causes) we'd
love to get input and could even change our recommendation if new
information changes the landscape.

I've made mention to "appropriate rights" throughout this message and
that's because the actually settings are slightly different based on
which platform you run.

On all platforms, you should see:

Administrators will have Full Control and Read

CREATOR OWNER will have Special Permissions (Full Control for Subkeys
only)

Power Users will have Read and Special Permissions (though we can't
really tell what the Special Permissions actually do in this case - we
think they just signify if rights should be inherited or not).

SYSTEM will have Full Control and Read

Users will have Read

On Windows 2000 (the oldest system we tested) you will also see:

Everyone will have Read

You may also see other, specialized groups of user (like Terminal
Services Users) with Read rights.

The removal of Everyone on systems newer than Windows 2000 does NOT
impact the proper operation of the system (including Web Application
Server) - it's probably just one of the many security changes that were
made in XP and Server 2003.

Best regards,

-SWM-

PS. BTW, in my specific case my machine was having many other problems
(totally freezing on a regular basis) that started over a month ago and
steadily got worse. No specific viruses were found, and I'm still not
sure what caused the rights to disappear from HKCR. I've reinstalled
everyone that I had on my old machine (WinXP Pro, Office 2003, FrontPage
2003, Wise, RoboHelp X5, Beyond Compare, Acrobat 6, VSS, various Google
tools, Crystal XI, multiple revisions of Visual DataFlex, Spybot, Ghost
9, WinZip, various tools and multimedia applications from HP and others,
etc.) and have all updates for everything and nothing has altered the
rights on HKCR (I checked between every operation) from "normal".

Jakob Kruse
13-Oct-2005, 01:03 AM
I will be sure to track registry permissions the next time I do a reinstall.
I know (now) that this problem has existed consistently on the last three
machines I have reinstalled. I also know that it occurs quite early in my
installation routine, limiting the number of possible offenders.

From a security standpoint it would probably make sense for antivirus
software to do this (lock down the system as much as possible - if it
doesn't work at all it can't be infected, right). However I always use
Norton Antivirus 2005 and I would suspect the problem to be a lot more
common if that was the culprit.

Regards,
Jakob


"Stephen Meeley" <stephen-m@dataaccess.com> wrote in message
news:p57xfhazFHA.2904@dacmail.dataaccess.com...
Garret, Jakob and Anders,

I recently got bit by the same condition (Invalid ProgID) and just
finished doing a lot of research into it. Here's what I've found:

1. The "normal" condition for the machine is that the HKCR registry has
all the rights necessary - there should never be a need to modify the
rights in the HKCR registry branch.

2. We've taken multiple machines from a freshly installed state and
applied all services packs and hot fixes, installed all kinds of
software and have not been able to reproduce a situation where the
appropriate rights to HKCR were removed.

3. There is obviously something that can remove the appropriate rights
to HKCR, but there doesn't seem to be any common knowledge on what the
base cause really is. If you search, you'll find multiple references to
setting rights to HKCR to solve problems, but never any mention as to
what caused the condition in the first place.

4. Based on the above, we feel that changing rights on a machine where
the appropriate rights for HKCR do not exist is treating a symptom, not
fixing the problem.

So, we won't be attempting to change the rights for HKCR in the
installation (because the appropriate rights should exist anyway).

Also, our strong recommendation to anyone who finds that HKCR does not
have the appropriate rights is to not simply make the specific changes
discussed in the various threads, but to get the machine back to the
natural state (in other words, fix the real problem - not just treat the
symptom).

Of course, if anyone knows more about how the rights for HKCR got
changed in the first place (either by natural or unnatural causes) we'd
love to get input and could even change our recommendation if new
information changes the landscape.

I've made mention to "appropriate rights" throughout this message and
that's because the actually settings are slightly different based on
which platform you run.

On all platforms, you should see:

Administrators will have Full Control and Read

CREATOR OWNER will have Special Permissions (Full Control for Subkeys
only)

Power Users will have Read and Special Permissions (though we can't
really tell what the Special Permissions actually do in this case - we
think they just signify if rights should be inherited or not).

SYSTEM will have Full Control and Read

Users will have Read

On Windows 2000 (the oldest system we tested) you will also see:

Everyone will have Read

You may also see other, specialized groups of user (like Terminal
Services Users) with Read rights.

The removal of Everyone on systems newer than Windows 2000 does NOT
impact the proper operation of the system (including Web Application
Server) - it's probably just one of the many security changes that were
made in XP and Server 2003.

Best regards,

-SWM-

PS. BTW, in my specific case my machine was having many other problems
(totally freezing on a regular basis) that started over a month ago and
steadily got worse. No specific viruses were found, and I'm still not
sure what caused the rights to disappear from HKCR. I've reinstalled
everyone that I had on my old machine (WinXP Pro, Office 2003, FrontPage
2003, Wise, RoboHelp X5, Beyond Compare, Acrobat 6, VSS, various Google
tools, Crystal XI, multiple revisions of Visual DataFlex, Spybot, Ghost
9, WinZip, various tools and multimedia applications from HP and others,
etc.) and have all updates for everything and nothing has altered the
rights on HKCR (I checked between every operation) from "normal".

Dennis Piccioni
13-Oct-2005, 08:38 AM
On Thu, 13 Oct 2005 08:03:03 +0200, "Jakob Kruse" <kruse@kruse-net.dk>
wrote:

>I will be sure to track registry permissions the next time I do a reinstall.
>I know (now) that this problem has existed consistently on the last three
>machines I have reinstalled. I also know that it occurs quite early in my
>installation routine, limiting the number of possible offenders.
>
>From a security standpoint it would probably make sense for antivirus
>software to do this (lock down the system as much as possible - if it
>doesn't work at all it can't be infected, right). However I always use
>Norton Antivirus 2005 and I would suspect the problem to be a lot more
>common if that was the culprit.
>
>Regards,
>Jakob
>

I use Norton Internet Security 2005 at home and I don't have this
problem, so I don't think that's an issue.

Regards,
Dennis

Dennis Piccioni
Data Access Worldwide
http://www.DataAccess.com/support