MS patches changing registry entries

Discussion in 'Windows XP' started by wjr, Feb 17, 2010.

  1. wjr

    wjr Flightless Bird

    Is there a way to prevent MS updates from changing a specified registry
    setting? For one of the text converters, we point to a specific one we
    install, but for some reason, MS recently has started to set that entry
    back to the default setting. I don't want to see that setting changed
    from our custom setting.

    FYI, we are a vendor at the site and the site is responsible for admin
    of their AD. We have little/no say over what can happen in their AD.
    So any AD solution will have to run to the Admin group get approved
    then go through an executive committee and the security group before it
    can be deployed. Individual users do not get admin rights.
     
  2. MowGreen

    MowGreen Flightless Bird

    Which specific registry setting are you referring to ?

    Is it related to the registry settings that resulted from installing
    KB973904 ?

    MS09-073: Description of the security update for Windows XP, Windows
    2000, and Windows Server 2003: December 8, 2009
    http://support.microsoft.com/kb/973904/


    MowGreen
    ================
    *-343-* FDNY
    Never Forgotten
    ================

    banthecheck.com
    "Security updates should *never* have *non-security content* prechecked


    wjr wrote:
    > Is there a way to prevent MS updates from changing a specified registry
    > setting? For one of the text converters, we point to a specific one we
    > install, but for some reason, MS recently has started to set that entry
    > back to the default setting. I don't want to see that setting changed
    > from our custom setting.
    >
    > FYI, we are a vendor at the site and the site is responsible for admin
    > of their AD. We have little/no say over what can happen in their AD.
    > So any AD solution will have to run to the Admin group get approved then
    > go through an executive committee and the security group before it can
    > be deployed. Individual users do not get admin rights.
     
  3. Pegasus [MVP]

    Pegasus [MVP] Flightless Bird

    "wjr" <usenet@gomonarch.com> said this in news item
    news:uNlMV2AsKHA.728@TK2MSFTNGP04.phx.gbl...
    > Is there a way to prevent MS updates from changing a specified registry
    > setting? For one of the text converters, we point to a specific one we
    > install, but for some reason, MS recently has started to set that entry
    > back to the default setting. I don't want to see that setting changed
    > from our custom setting.
    >
    > FYI, we are a vendor at the site and the site is responsible for admin of
    > their AD. We have little/no say over what can happen in their AD. So
    > any AD solution will have to run to the Admin group get approved then go
    > through an executive committee and the security group before it can be
    > deployed. Individual users do not get admin rights.


    You could right-click that key, then click Security. Now make yourself the
    owner and give everyone else nothing but read-access. Best to test your
    modification - some MS Automatic Updates might fail when they cannot do
    their usual job.
     
  4. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Which updates?

    Most updates change all sorts of things in the Registry by default.


    wjr wrote:
    > Is there a way to prevent MS updates from changing a specified registry
    > setting? For one of the text converters, we point to a specific one we
    > install, but for some reason, MS recently has started to set that entry
    > back to the default setting. I don't want to see that setting changed
    > from our custom setting.
    >
    > FYI, we are a vendor at the site and the site is responsible for admin
    > of their AD. We have little/no say over what can happen in their AD.
    > So any AD solution will have to run to the Admin group get approved
    > then go through an executive committee and the security group before it
    > can be deployed. Individual users do not get admin rights.
     
  5. wjr

    wjr Flightless Bird

    PA Bear [MS MVP] wrote:
    > Which updates?
    >
    > Most updates change all sorts of things in the Registry by default.
    >
    >
    > wjr wrote:
    >> Is there a way to prevent MS updates from changing a specified registry
    >> setting? For one of the text converters, we point to a specific one we
    >> install, but for some reason, MS recently has started to set that entry
    >> back to the default setting. I don't want to see that setting changed
    >> from our custom setting.
    >>
    >> FYI, we are a vendor at the site and the site is responsible for admin
    >> of their AD. We have little/no say over what can happen in their AD.
    >> So any AD solution will have to run to the Admin group get approved
    >> then go through an executive committee and the security group before it
    >> can be deployed. Individual users do not get admin rights.

    I don't know the specific key as I am waiting for details from the
    on-site engineer. But the specific key really doesn't answer the basic
    question which I have asked. Which was "Is there a way to prevent MS
    patch updates from changing a registry entry?". The way I see it,
    someone doesn't need the specific reg entry to answer the general
    question, assuming they know an answer.
     
  6. Bob I

    Bob I Flightless Bird

    wjr wrote:

    > PA Bear [MS MVP] wrote:
    >
    >> Which updates?
    >>
    >> Most updates change all sorts of things in the Registry by default.
    >>
    >>
    >> wjr wrote:
    >>
    >>> Is there a way to prevent MS updates from changing a specified registry
    >>> setting? For one of the text converters, we point to a specific one we
    >>> install, but for some reason, MS recently has started to set that entry
    >>> back to the default setting. I don't want to see that setting changed
    >>> from our custom setting.
    >>>
    >>> FYI, we are a vendor at the site and the site is responsible for admin
    >>> of their AD. We have little/no say over what can happen in their AD.
    >>> So any AD solution will have to run to the Admin group get approved
    >>> then go through an executive committee and the security group before it
    >>> can be deployed. Individual users do not get admin rights.

    >
    > I don't know the specific key as I am waiting for details from the
    > on-site engineer. But the specific key really doesn't answer the basic
    > question which I have asked. Which was "Is there a way to prevent MS
    > patch updates from changing a registry entry?". The way I see it,
    > someone doesn't need the specific reg entry to answer the general
    > question, assuming they know an answer.


    Patches WILL change registry entries. So the answer is no, not if you
    want patches installed.
     
  7. Daave

    Daave Flightless Bird

    Bob I wrote:
    > wjr wrote:
    >
    >> PA Bear [MS MVP] wrote:
    >>
    >>> Which updates?
    >>>
    >>> Most updates change all sorts of things in the Registry by default.
    >>>
    >>>
    >>> wjr wrote:
    >>>
    >>>> Is there a way to prevent MS updates from changing a specified
    >>>> registry setting? For one of the text converters, we point to a
    >>>> specific one we install, but for some reason, MS recently has
    >>>> started to set that entry back to the default setting. I don't
    >>>> want to see that setting changed from our custom setting.
    >>>>
    >>>> FYI, we are a vendor at the site and the site is responsible for
    >>>> admin of their AD. We have little/no say over what can happen
    >>>> in their AD. So any AD solution will have to run to the Admin
    >>>> group get approved then go through an executive committee and the
    >>>> security group before it can be deployed. Individual users do not
    >>>> get admin rights.

    >>
    >> I don't know the specific key as I am waiting for details from the
    >> on-site engineer. But the specific key really doesn't answer the
    >> basic question which I have asked. Which was "Is there a way to
    >> prevent MS patch updates from changing a registry entry?". The way
    >> I see it, someone doesn't need the specific reg entry to answer the
    >> general question, assuming they know an answer.

    >
    > Patches WILL change registry entries. So the answer is no, not if you
    > want patches installed.


    Exactly.

    The only other option is that once the update is applied -- and assuming
    that this update is indeed responsible for the changing of the specific
    registry entry (which is unknown!) -- , change the registry setting to
    what one wishes it to be (and hope that it won't compromise one's
    security!).
     
  8. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    wjr wrote:
    >>> Is there a way to prevent MS updates from changing a specified registry
    >>> setting? For one of the text converters, we point to a specific one we
    >>> install, but for some reason, MS recently has started to set that entry
    >>> back to the default setting. I don't want to see that setting changed
    >>> from our custom setting.
    >>>
    >>> FYI, we are a vendor at the site and the site is responsible for admin
    >>> of their AD. We have little/no say over what can happen in their AD.
    >>> So any AD solution will have to run to the Admin group get approved
    >>> then go through an executive committee and the security group before it
    >>> can be deployed. Individual users do not get admin rights.

    >>
    >> Which updates?
    >>
    >> Most updates change all sorts of things in the Registry by default.

    >
    > I don't know the specific key as I am waiting for details from the
    > on-site engineer. But the specific key really doesn't answer the basic
    > question which I have asked. Which was "Is there a way to prevent MS
    > patch updates from changing a registry entry?". The way I see it,
    > someone doesn't need the specific reg entry to answer the general
    > question, assuming they know an answer.


    [OK, we'll bottompost...]

    Then the answer is No, nor can you have your hair cut without cutting your
    hair.
     
  9. wjr

    wjr Flightless Bird

    PA Bear [MS MVP] wrote:
    > wjr wrote:
    >>>> Is there a way to prevent MS updates from changing a specified registry
    >>>> setting? For one of the text converters, we point to a specific one we
    >>>> install, but for some reason, MS recently has started to set that entry
    >>>> back to the default setting. I don't want to see that setting changed
    >>>> from our custom setting.
    >>>>
    >>>> FYI, we are a vendor at the site and the site is responsible for admin
    >>>> of their AD. We have little/no say over what can happen in their AD.
    >>>> So any AD solution will have to run to the Admin group get approved
    >>>> then go through an executive committee and the security group before it
    >>>> can be deployed. Individual users do not get admin rights.
    >>>
    >>> Which updates?
    >>>
    >>> Most updates change all sorts of things in the Registry by default.

    >>
    >> I don't know the specific key as I am waiting for details from the
    >> on-site engineer. But the specific key really doesn't answer the basic
    >> question which I have asked. Which was "Is there a way to prevent MS
    >> patch updates from changing a registry entry?". The way I see it,
    >> someone doesn't need the specific reg entry to answer the general
    >> question, assuming they know an answer.

    >
    > [OK, we'll bottompost...]
    >
    > Then the answer is No, nor can you have your hair cut without cutting
    > your hair.

    Nice try but fail. It's more can I get my hair cut but don't touch the
    cowlick. Still, I will give you a C- for effort.
     
  10. Shenan Stanley

    Shenan Stanley Flightless Bird

    wjr wrote:
    > Is there a way to prevent MS updates from changing a specified
    > registry setting? For one of the text converters, we point to a
    > specific one we install, but for some reason, MS recently has
    > started to set that entry back to the default setting. I don't
    > want to see that setting changed from our custom setting.
    >
    > FYI, we are a vendor at the site and the site is responsible for
    > admin of their AD. We have little/no say over what can happen in
    > their AD. So any AD solution will have to run to the Admin group
    > get approved then go through an executive committee and the
    > security group before it can be deployed. Individual users do not
    > get admin rights.


    First off - if the entry is being changed to default by a patch - it must be
    in some place the patch writers deem it important to change. Which patch?
    All patches?

    You say you are a vendor and this is a 'text converter' and a 'specific one
    we install' <-- is that your resistance in giving the name of said
    converter? Or the registry key location? Or the patch that supposedly
    changes the registry value?

    Also - I caught your, "I don't know the specific key as I am waiting for
    details from the on-site engineer..." reply. So you are not one of the
    trouble-shooters or the people who do the actual work on the product in
    question - I assume? And if you are - couldn't you recreate the issue
    easily enough and thus 'know the specific key'?

    Here's a simple set of facts - as you seem resistant to exposing your
    product to ridicule and/or to pointing out the registry key(s) in question
    and/or even specifying what patch(es) are supposedly changing the registry
    key(s) in question - that should be fairly obvious...

    - If someone/something has administrative rights on a system - that
    someone/something can (in the end) do just about anything they want to said
    system (excluding cracking into encryption that is not theirs in most cases
    without subterfuge and returning at a later date.)
    - Windows/Microsoft Updates are not installed with 'lesser' privileges.
    They are installed with administrative level privileges (and/or as
    "system".) Thus - they can, using logic, "do just about anything they want
    to said system."

    That being said, just like malware writers, you could change the permissions
    on the registry entry(ies) in question so that everyone could read it but no
    one can write/change it without taking ownership and changing the
    permissions first. Not saying you are a malware writer - just using them as
    an example, you see. In theory - that would prevent a patch from changing
    said registry key - however it would also prevent (most likely) the patch
    from being reported back as 'installed successfully' and - you have a whole
    new problem because - well - you have become an annoyance (*at least) in the
    eyes of those who probably will, sooner or later, discover the issue.

    So - other than the above (permissions change) possibility (it is not a
    certainty that it could not be changed - as I pointed out - administrative
    level accounts can do just about anything) - the answer to your generic
    question (barring any specifics you brave to put out such as the specific
    patch(es) you believe do this, the specific product (text converter?)
    installed or the location of the registry key/value that gets changed) is,
    "No."

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
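
The two options raised in this thread (restrict write access on the key, or put the value back after an update changes it) can both be checked from a script. The following is an added example, not code from any poster: it lists which identities the key's ACL still allows to write, and logs any drift of the value alongside the most recently installed hotfixes so the change can be tied to a specific update. The key path, value name, expected data and log file name are placeholders, since the thread never names them.

```powershell
# Placeholders: the thread never names the key, value or intended data.
$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\TextConverter'
$ValueName = 'Path'
$Expected  = 'C:\Program Files\ExampleVendor\converter.dll'
$LogFile   = Join-Path $env:TEMP 'converter-drift.log'

# Specific write rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000), which registry ACEs sometimes carry instead of specific bits.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

# Who can still modify the key? Administrators and SYSTEM normally appear
# here, which is the context updates are installed in.
function Get-WriteCapableIdentity {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.RegistryRights -band $WriteMask) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Returns $true if the value no longer matches; logs what it became and the
# latest hotfix IDs so the responsible update can be identified, not guessed.
function Test-ValueDrift {
    param([string]$Path, [string]$Name, [string]$Want, [switch]$Restore)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($current -eq $Want) { return $false }
    $kbs = (Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 5 |
            ForEach-Object { $_.HotFixID }) -join ','
    Add-Content -Path $LogFile -Value ("{0} drift: '{1}' (expected '{2}'); latest hotfixes: {3}" -f `
        (Get-Date -Format s), $current, $Want, $kbs)
    if ($Restore) {
        # Needs an account the key's ACL allows to write (not a standard user).
        Set-ItemProperty -Path $Path -Name $Name -Value $Want
    }
    return $true
}

Get-WriteCapableIdentity -Path $KeyPath | Format-Table -AutoSize
if (Test-ValueDrift -Path $KeyPath -Name $ValueName -Want $Expected) {
    Write-Warning "Value drifted; see $LogFile"
}
```

Run without `-Restore`, the script only reads and needs no administrative rights, so it can collect evidence of which update resets the value before any change to the site's permissions or AD policy is proposed.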
     