Drop.auditing in the key or keys in question cia regedt32 and then ensure that file auditing in windows is turned on the access the key and read.the securiry log to determine access.
Ed On May 27, 2015 7:12 AM, "geoff taylor" <[email protected]> wrote: > my google-foo is eluding me but will keep searching > > > Still supporting Waterloo & BlackBerry > *From: *Michael B. Smith > *Sent: *Tuesday, May 26, 2015 09:44 > *To: *[email protected] > *Reply To: *[email protected] > *Subject: *RE: [NTSysADM] Registry Key Permissions > > Yes. > > I spent a couple of minutes looking for it on technet, but couldn't find > it. It's there. I know it is. I remember reading it just a few weeks ago. > > -----Original Message----- > From: [email protected] [ > mailto:[email protected] <[email protected]>] > On Behalf Of geoff taylor > Sent: Monday, May 25, 2015 7:56 AM > To: [email protected] > Subject: [NTSysADM] Registry Key Permissions > > Hi all: > > Looking for some deeper knowledge about reg key permissions similar to > that easily available for file & folder permissions. My security group has > changed their scanning and we have a new finding. > > Specifically, Windows 2012R2 though I think it may apply more > universally. At HKey Classes Root, our security policy require the user > group is to have read only. At the basic level that is exactly what shows > "Read". However they are flagging a subsetting they call "execute" which I > suspect may be actually "Query Value" or "Enumerate subkeys" when I look at > the Effective Permissions. > > Does anyone have anything that would confirm my suspicion that similar to > Traverse and List under file & folder permissions, in order to read a > subkey you must have the Query Value & Enumerate subkeys permission? > > tks > gt > > >
