RegAuditThe Audit Manager for Registry keys
Version 1.0
Help file
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de) - All rights reserved!
Last changed: 10. January 2001
Introduction

What is RegAudit good for?
RegAudit allows you to query and change the security access control list (SACL) of any Windows NT Registry key. The name of this ACL is a little bit misleading, because it handles only the audit settings of an object. You can of course use the program RegEdt32 to view and change auditing entries of Registry keys, but if you need to edit more than a few machines then you are faced with quite a boring job, not to mention being more prone to make mistakes. RegAudit gives you the ability to use a batch script to perform this job.
There are quite some differences how the programs RegEdt32 for NT 4 and RegEdt32 for NT 5 (often referred to as Windows 2000) set and read the SACL of a Registry key. These differences are explained in the Security FAQ for the Windows NT Registry. Because most administrators have to manage networks with mixed versions of NT, RegAudit first checks which version of NT runs on the target machine and then decides what options are allowed, what bugs it needs to emulate, and what method might be the most successful when trying to read and change auditing entries.

What licence terms apply to the use of RegAudit?
This software was developed with the greatest attention to detail. However, the author can not guarantee that it runs under every version of Windows NT or on each computer flawlessly. Use of this program is at your own discretion. The copyright holder provides the program "as is" without warranty of any kind. RegAudit is a very powerful tool, so make sure you know what you do when using this tool! Reading and understanding this document should help you to avoid mistakes!
RegAudit is available only as part of RegTools for Windows NT. You are not allowed to use or distribute it outside the company or organization where it is licensed for!

What is a SACL?
The Security Access Control List (SACL) specifies the auditing entries for particular users or groups to that object.With RegAudit you can manage SACLs of Registry keys.
An access-control entry (ACE) is an element in an access-control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee and contains several fields, all of which you will see in detail by using the command /L.
 

What are the requirements to use the program successfully?

Options
This is the (quite long ;) help screen you will see when you type RegAudit /?:
RegAudit 1.0 - Audit Manager for Registry keys for Windows NT 
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) 

Usage: RegAudit Key Commands 
  Key: [\\computer\]root[\subkey] 
    \\computer:  remote machine 
    root: HKLM, HKU, HKCU, HKCC or HKCR 
    subkey: path to the key you want to query or change 

  Query commands: 
    /L            List SACL (show current auditing entries) 
    /Qxx:yy(I)[T] Query yy for xx ("Does ACE with yy exist?") 
    /Fxx:yy(I)[T] Find all subkeys with yy for xx 
    /PI           Find all protected subkeys 

  Change commands: 
    /Sxx:yy(I)[T] Set (overwrite existing auditing entries with yy) for xx 
    /Axx:yy(I)[T] Add yy to existing auditing entries for xx 
    /Rxx:yy(I)[T] Remove yy from existing auditing entries for xx 
    /Dxx          Delete all ACEs for xx 
    /PC           Protect key and Copy formerly inherited auditing entries to it 
    /PR           Protect key and Remove all formerly inherited auditing entries 
    /P-           Remove Inheritance protection and explicitly defined audit 
                  settings from this key 
    /Propagate    Propagate current SACL to all subkeys and remove explicitly 
                  defined auditing entries from all subkeys 
    /Clear        Clear all noninherited ACEs 

  Other commands: 
    -Subtree      Apply to entire subtree (needless with /F, /PI, /Propagate) 
    -ANSI         Use ANSI character set instead of OEM character set 
    -?            This help screen 

  Options for xx: 
    GE = really "Everyone" 
    GA = predefined group "Administrators" 
    GU = predefined group "Users" 
    GT = predefined group "Authenticated Users" 
    GI = predefined group "Interactive" 
    GN = predefined group "Network" 
    GS = predefined group "System" 
    GO = predefined group "Creator Owner" 
    GV = predefined group "Service" 
    GL = predefined group "Local" 
    GB = predefined group "Batch" 
    GY = predefined group "Anonymous Logon" 
    GP = predefined group "System operators" 
    DA = group "Domain-Administrators" 
    DU = group "Domain-Users" 
    DG = group "Domain-Guests" 
    ALzzz =        Local account zzz of the machine 
    ADzzz =        Domain account zzz 
    AQsource\zzz = any Qualified account source\zzz 

  possible options for yy (combinations allowed): 
    Q - Query value             L - create Link 
    W - Write value             D - Delete 
    C - Create subkey           S - read Security info 
    E - Enumerate subkeys       A - write dAcl 
    N - Notify changes          O - write Owner 
    F - Full (same as QWCENLDSAO) 

  possible options for (I) (Inheritance options): 
   (NI)    - No Inheritance (ACE is valid only for the current key) 
   (CI)    - Container Inherit (ACE is valid for the current key and subkeys) 
   (CI-NP) - Container Inherit No Propagation (ACE is valid for the current key 
             and all children, but not for any grandchildren) 
   (IO)    - Inherit Only (ACE is not valid for the current key, but for 
             all subkeys) 
   (IO-NP) - Inherit Only No Propagation (ACE is not valid for the current key 
             but for all children, but not for any grandchildren) 
   (ID-NI) - InheriteD ACE which is valid only for this key, but no subkeys 
   (ID-CI) - InheriteD ACE which is valid for the current key and all subkeys 
   (ID-IO) - InheriteD ACE which is not valid for this key, but for subkeys 

  possible options for [T] (Type of access): 
   [S] - Success 
   [F] - Failure 
   [A] - All (Success as well as Failure) 

Type "RegAudit /? | more" if your window is too small for this help screen. 
Examples are available in the help file RegAudit_e.htm
The help screen of RegAudit
These many parameters might seem a little confusing at first glance, but I will describe every option to you in turn, so finally no questions will be left unanswered.
First you need to provide the following information to RegAudit:
  1. The full path to the Registry key whose SACL you wish to modify.
  2. Provide at least one command for the query to ask or the changes to make to the specified registry key. If no command is specified the program will do (surprise!) nothing.
Note: Parameters are not case sensitive.

Specifying a Registry key

The Registry key that you specify may be on the local machine or on a remote machine. The path must be the first parameter and in UNC format if the key is on a remote machine:
[\\Computer\]Root[\Subkey]

Example:[\\PegasusNT1\]HKLM\System\CurrentControlSet\Enum

If no computer name is specified then the local machine will be used. If you don't specify a subkey, the root key is used. One of the following abbreviations is used for the five possible root keys:
HKLM - HKEY_LOCAL_MACHINE
HKU  - HKEY_USERS
HKCU - HKEY_CURRENT_USER
HKCC - HKEY_CURRENT_CONFIG
HKCR - HKEY_CLASSES_ROOT
If the registry path contains spaces, then the entire path must be enclosed within "double quotes". (You may use double quotes anyway as a practice as doing so will have no adverse effects.)
Note: HKCU is not allowed on remote machines, because this would make no sense!

Switchs
The switch -ANSI
With the -ansi switch you tell the program to use the ANSI character set instead of the default OEM character set. As you probably know, OEM is the default character set of the command line window. ANSI is the usual character set for most GUI programs. The use of this option is recommended if you pipe the output of the utility into a file, which will be processed with a GUI program later.

The switch -SUBTREE
With the -subtree switch you tell RegAudit to employ all command(s) to the specified key and its subtree, instead of just working with the key itself. There are some exceptions: When using the commands /F, /PI or /PROPAGATE, no switch -SUBTREE is allowed because these commands scan the subtree by default.. In addition, it would be a problem to interpret the return values of the command /Q in conjunction with -SUBTREE. For this reason this combination is not allowed either.

Commands
You can group as many commands as you like at the same time, with the exception of /F, /PI and /PROPAGATE, which are not allowed together with other commands. Commands are processed in the following order:

  1. If found, one of the commands /F, /PI or /PROPAGATE  is executed and the program will halt.
  2. If found, the command /L is executed.
  3. If found, the command /Q is executed and the program will halt.
  4. If the program is not halted at this point, then any remaining commands are executed from left to right.
The command /L
With the /L command (List SACL) you extract and display, in their exact order, all SACL entries. The ACEs are shown as rows in a table with 4 columns. See Example 1:
 
C:\Reg> RegAudit hklm\software\test /L 

auditing entries for Registry key "hklm\software\test": 
[S](CI)    ------DSA   Everyone 
[F](CI)    QWCENL---   Everyone 
[A](CI)    -W-------   BUILTIN\Administrators 
Example 1
The SACL for this key has 7 entries. The four columns have the following meaning:

Column 1 - Audit flags
Windows NT allows to distinguish between successful completed actions and those which returned a failure:
[S] means that the ACE does only generate audit events when the action matching its settings completed Successfully.
[F] means that the ACE does only generate audit events when the action matching its settings returned a Failure.
[A] means that the ACE does Always generate audit events.
Important: If no audit flag is specified, RegAudit uses [A] as default flag.

Column 2 - Inheritance flags
Windows NT allows some very specific inheritance settings, but strangely enough they cannot be applied using the built in registry editors that come with NT 4. RegAudit, however, allows you to take full advantage of these detailed settings as explained below.

(CI) (Container Inherit) - By default, when a new registry subkey is created with Regedit or Regedt32,  it inherits the settings of its parent, (which is what the key located one level above in the tree structure is referred to as) .
(IO) (Inherit Only) This ACE is applied only on entries created under a parent subkey (children and grandchildren), but not for the parent key (= this key) itself. This is the only useful setting for the pseudo account Creator-Owner, as shown in tutorial 2.
(NI) (No Inherit) - You may create an ACE which won't be inherited at all - it will apply only to the specified key.
(NP) (No Progpagate) -Valid only together with either (CI) or (IO). The option NP has the effect that the ACE placed on a key is inherited only by its child keys, but will not propagate further to grandchild keys.
Thus:
(CI-NP) would mean that the ACE is valid for the key itself and any subkeys (children) created under it, but not for any possible grandchildren created under these subkeys .
(IO-NP) means that the ACE will apply only to the subkeys of the specified key, not to the key itself or any grandchild keys.
(ID) (InheriteD) - New in Windows 2000. Earlier versions of Windows NT did inherit permissions only when a child object was created. When you later changed the settings of the parent (without specifying that the settings of the entire subtree beneath it should be changed as well, thus overwriting all changes made to the SACLs of any subkeys), no audit settings of child keys were changed. Because Windows 2000 marks inherited ACEs with a combination of (ID) and one of (CI), (IO) or (NI), it knows everytime whether an ACE was inherited or explicitly applied to this object. This way Windows 2000 can propagate changes of auditing entries of parent keys to all subkeys which inherited them, while leaving additional ACEs applied to its subkeys alone.
(ID-CI) (InheriteD - Container Inherit) - The inherited ACE is valid for this key and its subkeys. When the origin of this ACE will be changed, the inherited ACE changes as well. It originates from a (CI) entry.
(ID-IO) (InheriteD - Inherit Only) This inherited ACE is valid for entries under the current key (children and grandchildren), but not for the key itself. It originates from an (IO) entry.
(ID-NI) (InheriteD - No Inherit) - This inherited ACE is valid for the current key, but not for its subkeys. It originates from an entry containing the (NP) flag.

Important: If no inheritance flag is specified, RegAudit uses a default value which depends on the selected action. Actions reading something look for ACEs with any inheritance flags. Actions writing something use (CI) as a default - just as it would be if you set your security manually using Regedt32.

Column 3 - Actions
NT allows to audit 10 basic actions for Registry keys, which may be combined at your convenience:
Q Query value (like Read for a file) 
W Write value (Regedt32 "Set Value")
C Create subkey (like creating a subdirectory in a file system)
E Enumerate subkeys (like listing files and subdirectories with the DIR command)
N Notify (needed for using the Win32-API function RegNotifyChangeKeyValue)
O write Owner (changing the owner associated with the specified key) 
L create Link (normally only the operating system uses this permission)
D Delete (Removing the specified key, its subkeys, and all associated values) 
S read Security information (Regedt32 "Read Control"- allows the permission holder to read the ACL for the key)
A write DAC  (Allows the permission owner to change the DACL entries attached to the specified key)
F (Full access like QWCENLDSAO) audits all of the above listed actions, saving quite a lot of writing:
Important: In Windows NT 4 there is no possibility to audit O access with RegEdt32. In deed, setting this option would cause RegEdt32 to display nonsense in some cases. For this reason RegAudit does not allow to set O access on target machines with NT 4. On NT 4 F resolves to QWCENLDSA.

Column 4 - Account
This column reports which group or account the entry is in effect for. This can be a predefined (account groups built into NT) group, or any custom created local or domain group, or individual user account.

The command /Q
With this command you can Query a key - whether an entry with one or more auditing entries exists in its SACL or not. RegAudit will return the result of the query in two different ways. At first it prints the answer as a line of text, at second it answers with different return values. If all queried auditing entries exist then RegAudit will return 0. If at least one of the queried auditing entries is missing, then the return value will be 1.

Attention!
You alone are responsible for insuring that RegAudit is called with valid parameters when you want to start certain actions in dependence on the return value! For instance, when you specify a path to a nonexistant key, the program will always halt with an error! A good practice would be to call RegAudit first with the command /L. If this returns a value of 0, you can be sure that the path exists and that you can access it (You have the necessary permission and the network connection is up.) When you then in this case use the command /Q, you can be sure that the return value really will be an answer to your question instead of an error code. Using /Q in conjunction with an invalid command or switch (like -SUBTREE) will also return an error code instead of the result of the query!

The command /F
This command scans the ACEs of all keys in the specified subtree of the Registry. It returns a list of all keys which contain ACEs with the auditing entries you specified.

The command /PI
As discussed earlier in this document, beginning with Windows NT 5 objects inherit their auditing entries from parents in a new way: Changes made to the SACL of a parent will always propagate to all objects in the subtree beneath the parent. This is very useful in most cases, but there are situations where it is not so good. But there is a solution for such cases: You can uncheck "Allow inheritable permissions from parent to propagate to this object" in the Security | Permissions | Audit dialog of RegEdt32. Doing so protects the object from inheriting any ACE from its parents.
The command /PI lists all subkeys which are protected. It does not work in Windows NT 4.0 and earlier.

This concludes the description of the commands that allow you to query the SACLs of Registry keys. Now you will become acquainted with the commands which allow you to modify the SACLs of Registry keys. The functions which change ACEs do not accept inheritance options with the (ID) flag set, because this would make no sense! If you want to change such an ACE, do it in the key where it is defined, not in the dependent subkey!

Let us start with the commands /P... which control inheritance. They all work only in Windows NT 5 and above.

The command /P-
This command removes the inheritance protection of a key. Current ACEs of the key (and its unprotected subkeys) will be replaced by the inheritable ACEs of its parents.
Using this command correspondents to checking "Allow inheritable auditing entries from parent to propagate to this object" in the Security | Permissions | Advanced | Auditing dialog of RegEdt32

The command /PC
This command Protects a key and Copies formerly inherited permissions to it. ACEs defined directly for this key will not change, and in addition all inherited ACEs will be added without the (ID) flag set.
Using this command correspondents to unchecking "Allow inheritable auditing entries from parent to propagate to this object" in the Security | Permissions | Advanced | Auditing dialog of RegEdt32 and answering the following question with "Copy".

The command /PR
This command Protects a key and Removes formerly inherited permissions. ACEs defined directly for this key will not change, but all inherited ACEs with the (ID) flag set will be removed.
Using this command correspondents to unchecking "Allow inheritable auditing entries from parent to propagate to this object" in the Security | Permissions | Advanced | Auditing dialog of RegEdt32 and answering the following question with "Remove".

The command /PROPAGATE
This command PROPAGATES auditing entries. It matches the checkbox "Reset auditing entries on all child objects and enable propagation of inheritable auditing entries" in RegEdt32. The command removes explicitly defined auditing entries on all subkeys and enables propagation of inheritable auditing entries to those subkeys. Only inheritable auditing entries propagated from the specified key will take effect after applying this command. Be warned, even the SACLs of formerly protected subkeys will be overwritten by this powerful command!

The command /A
This command adds the specified auditing entry for the specified account. After the command was executed successfully, the account has at least the specified auditing entry. If there was another auditing entry with the same audit and inheritance flags before, the new auditing entry will contain the sum of the old and the newly added actions.

The command /S
This command re-sets the specified auditing entry for the specified account. After the command was executed successfully, the account has exactly the specified auditing entry.  If there were other noninherited auditing entries for the account before, these entries will be removed.
 
The command /D
This command deletes all explicit ACEs for the specified account from the SACL, but not the inherited ACEs.

The command /CLEAR
With the /clear command you tell RegAudit to delete all noninherited ACEs of the SACL. Alternatively it is possible to remove superfluous ACEs with the command /D, but with this command you need to name all accounts you want to remove one by another.

Is everything clear now?
When you have read this document carefully and you still have a question or are vague regarding a topic, you can email to fh@heysoft.de. But please check first the Security FAQ for the Windows NT Registry - your question might be already answered there. If you find errors or would like to contribute knowledge to this document, you are encouraged to email us, too.