• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

MS patches changing registry entries

W

wjr

Flightless Bird
Is there a way to prevent MS updates from changing a specified registry
setting? For one of the text converters, we point to a specific one we
install, but for some reason, MS recently has started to set that entry
back to the default setting. I don't want to see that setting changed
from our custom setting.

FYI, we are a vendor at the site and the site is responsible for admin
of their AD. We have little/no say over what can happened in their AD.
So any AD solution will have to run to the Admin group get approved
then go through an executive committee and the security group before it
can be deployed. Individual users do not get admin rights.
 
M

MowGreen

Flightless Bird
Which specific registry setting are you referring to ?

Is it related to the registry settings that resulted from installing
KB973904 ?

MS09-073: Description of the security update for Windows XP, Windows
2000, and Windows Server 2003: December 8, 2009
http://support.microsoft.com/kb/973904/


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked


wjr wrote:
> Is there a way to prevent MS updates from changing a specified registry
> setting? For one of the text converters, we point to a specific one we
> install, but for some reason, MS recently has started to set that entry
> back to the default setting. I don't want to see that setting changed
> from our custom setting.
>
> FYI, we are a vendor at the site and the site is responsible for admin
> of their AD. We have little/no say over what can happened in their AD.
> So any AD solution will have to run to the Admin group get approved then
> go through an executive committee and the security group before it can
> be deployed. Individual users do not get admin rights.
 
P

Pegasus [MVP]

Flightless Bird
"wjr" <usenet@gomonarch.com> said this in news item
news:uNlMV2AsKHA.728@TK2MSFTNGP04.phx.gbl...
> Is there a way to prevent MS updates from changing a specified registry
> setting? For one of the text converters, we point to a specific one we
> install, but for some reason, MS recently has started to set that entry
> back to the default setting. I don't want to see that setting changed
> from our custom setting.
>
> FYI, we are a vendor at the site and the site is responsible for admin of
> their AD. We have little/no say over what can happened in their AD. So
> any AD solution will have to run to the Admin group get approved then go
> through an executive committee and the security group before it can be
> deployed. Individual users do not get admin rights.


You could right-click that key, then click Security. Now make yourself the
owner and give everyone else nothing but read-access. Best to test your
modification - some MS Automatic Updates might fail when they cannot do
their usual job.
 
P

PA Bear [MS MVP]

Flightless Bird
Which updates?

Most updates change all sorts of things in the Registry by default.


wjr wrote:
> Is there a way to prevent MS updates from changing a specified registry
> setting? For one of the text converters, we point to a specific one we
> install, but for some reason, MS recently has started to set that entry
> back to the default setting. I don't want to see that setting changed
> from our custom setting.
>
> FYI, we are a vendor at the site and the site is responsible for admin
> of their AD. We have little/no say over what can happened in their AD.
> So any AD solution will have to run to the Admin group get approved
> then go through an executive committee and the security group before it
> can be deployed. Individual users do not get admin rights.
 
W

wjr

Flightless Bird
PA Bear [MS MVP] wrote:
> Which updates?
>
> Most updates change all sorts of things in the Registry by default.
>
>
> wjr wrote:
>> Is there a way to prevent MS updates from changing a specified registry
>> setting? For one of the text converters, we point to a specific one we
>> install, but for some reason, MS recently has started to set that entry
>> back to the default setting. I don't want to see that setting changed
>> from our custom setting.
>>
>> FYI, we are a vendor at the site and the site is responsible for admin
>> of their AD. We have little/no say over what can happened in their AD.
>> So any AD solution will have to run to the Admin group get approved
>> then go through an executive committee and the security group before it
>> can be deployed. Individual users do not get admin rights.

I don't know the specific key as I am waiting for details from the
on-site engineer. But the specific key really doesn't answer the basic
question which I have asked. Which was "Is there a way to prevent MS
patch updates from changing a registry entry?". They way I see it,
someone doesn't need the specific reg entry to answer the general
question, assuming they know an answer.
 
B

Bob I

Flightless Bird
wjr wrote:

> PA Bear [MS MVP] wrote:
>
>> Which updates?
>>
>> Most updates change all sorts of things in the Registry by default.
>>
>>
>> wjr wrote:
>>
>>> Is there a way to prevent MS updates from changing a specified registry
>>> setting? For one of the text converters, we point to a specific one we
>>> install, but for some reason, MS recently has started to set that entry
>>> back to the default setting. I don't want to see that setting changed
>>> from our custom setting.
>>>
>>> FYI, we are a vendor at the site and the site is responsible for admin
>>> of their AD. We have little/no say over what can happened in their AD.
>>> So any AD solution will have to run to the Admin group get approved
>>> then go through an executive committee and the security group before it
>>> can be deployed. Individual users do not get admin rights.

>
> I don't know the specific key as I am waiting for details from the
> on-site engineer. But the specific key really doesn't answer the basic
> question which I have asked. Which was "Is there a way to prevent MS
> patch updates from changing a registry entry?". They way I see it,
> someone doesn't need the specific reg entry to answer the general
> question, assuming they know an answer.


Patches WILL change registry entries. So the answer is no, not if you
want patches installed.
 
D

Daave

Flightless Bird
Bob I wrote:
> wjr wrote:
>
>> PA Bear [MS MVP] wrote:
>>
>>> Which updates?
>>>
>>> Most updates change all sorts of things in the Registry by default.
>>>
>>>
>>> wjr wrote:
>>>
>>>> Is there a way to prevent MS updates from changing a specified
>>>> registry setting? For one of the text converters, we point to a
>>>> specific one we install, but for some reason, MS recently has
>>>> started to set that entry back to the default setting. I don't
>>>> want to see that setting changed from our custom setting.
>>>>
>>>> FYI, we are a vendor at the site and the site is responsible for
>>>> admin of their AD. We have little/no say over what can happened
>>>> in their AD. So any AD solution will have to run to the Admin
>>>> group get approved then go through an executive committee and the
>>>> security group before it can be deployed. Individual users do not
>>>> get admin rights.

>>
>> I don't know the specific key as I am waiting for details from the
>> on-site engineer. But the specific key really doesn't answer the
>> basic question which I have asked. Which was "Is there a way to
>> prevent MS patch updates from changing a registry entry?". They way
>> I see it, someone doesn't need the specific reg entry to answer the
>> general question, assuming they know an answer.

>
> Patches WILL change registry entries. So the answer is no, not if you
> want patches installed.


Exactly.

The only other option is that once the update is applied -- and assuming
that this update is indeed responsible for the changing of the specific
registry entry (which is unknown!) -- , change the registry setting to
what one wishes it to be (and hope that it won't compromise one's
security!).
 
P

PA Bear [MS MVP]

Flightless Bird
wjr wrote:
>>> Is there a way to prevent MS updates from changing a specified registry
>>> setting? For one of the text converters, we point to a specific one we
>>> install, but for some reason, MS recently has started to set that entry
>>> back to the default setting. I don't want to see that setting changed
>>> from our custom setting.
>>>
>>> FYI, we are a vendor at the site and the site is responsible for admin
>>> of their AD. We have little/no say over what can happened in their AD.
>>> So any AD solution will have to run to the Admin group get approved
>>> then go through an executive committee and the security group before it
>>> can be deployed. Individual users do not get admin rights.

>>
>> Which updates?
>>
>> Most updates change all sorts of things in the Registry by default.

>
> I don't know the specific key as I am waiting for details from the
> on-site engineer. But the specific key really doesn't answer the basic
> question which I have asked. Which was "Is there a way to prevent MS
> patch updates from changing a registry entry?". They way I see it,
> someone doesn't need the specific reg entry to answer the general
> question, assuming they know an answer.


[OK, we'll bottompost...]

Then the answer is No, nor can you have your hair cut without cutting your
hair.
 
W

wjr

Flightless Bird
PA Bear [MS MVP] wrote:
> wjr wrote:
>>>> Is there a way to prevent MS updates from changing a specified registry
>>>> setting? For one of the text converters, we point to a specific one we
>>>> install, but for some reason, MS recently has started to set that entry
>>>> back to the default setting. I don't want to see that setting changed
>>>> from our custom setting.
>>>>
>>>> FYI, we are a vendor at the site and the site is responsible for admin
>>>> of their AD. We have little/no say over what can happened in their AD.
>>>> So any AD solution will have to run to the Admin group get approved
>>>> then go through an executive committee and the security group before it
>>>> can be deployed. Individual users do not get admin rights.
>>>
>>> Which updates?
>>>
>>> Most updates change all sorts of things in the Registry by default.

>>
>> I don't know the specific key as I am waiting for details from the
>> on-site engineer. But the specific key really doesn't answer the basic
>> question which I have asked. Which was "Is there a way to prevent MS
>> patch updates from changing a registry entry?". They way I see it,
>> someone doesn't need the specific reg entry to answer the general
>> question, assuming they know an answer.

>
> [OK, we'll bottompost...]
>
> Then the answer is No, nor can you have your hair cut without cutting
> your hair.

Nice try but fail. It's more can I get my hair but don't touch the
cowlick. Still, I will give you a C- for effort.
 
S

Shenan Stanley

Flightless Bird
wjr wrote:
> Is there a way to prevent MS updates from changing a specified
> registry setting? For one of the text converters, we point to a
> specific one we install, but for some reason, MS recently has
> started to set that entry back to the default setting. I don't
> want to see that setting changed from our custom setting.
>
> FYI, we are a vendor at the site and the site is responsible for
> admin of their AD. We have little/no say over what can happened in
> their AD. So any AD solution will have to run to the Admin group
> get approved then go through an executive committee and the
> security group before it can be deployed. Individual users do not
> get admin rights.


First off - if the entry is being changed to default by a patch - it must be
in some place the patch writers deems it important to change. Which patch?
All patches?

You say you are a vendor and this is a 'text converter' and a 'specific one
we install' <-- is that your resistance in giving the name of said
converter? Or the registry key location? Or the patch that supposedly
changes the registry value?

Also - I caught your, "I don't know the specific key as I am waiting for
details from the on-site engineer..." reply. So you are not one of the
trouble-shooters or the people who do the actual work on the product in
question - I assume? And if you are - couldn't you recreate the issue
easily enough and thus 'know the specific key'?

Here's a simple set of facts - as you seem resistant to exposing your
product to ridicule and/or to pointing out the registry key(s) in question
and/or even specifying what patch(es) are supposedly changing the registry
key(s) in question - that should be fairly obvious...

- If someone/something has administrative rights on a system - that
someone/something can (in the end) do just about anything they want to said
system (excluding cracking into encryption that is not theirs in most cases
without subterfuge and returning at a later date.)
- Windows/Microsoft Updates are not installed with 'lesser' priviledges.
They are installed with administrative level priviledges (and/or as
"system".) Thus - they can, using logic, "do just about anything they want
to said system."

That being said, just like malware writers, you could change the permissions
on the registry entry(ies) in question so that everyone could read it but no
one can write/change it without taking ownership and changing the
permissions first. Not saying you are a malware writer - just using them as
an example, you see. In theory - that would prevent a patch from changing
said registry key - however it would also prevent (most likely) the patch
from being reported back as 'installed successfully' and - you have a whole
new problem because - well - you have become an annoyance (*at least) in the
eyes of those who probably will, sooner or later, discover the issue.

So - other than the above (permissions change) possibility (it is not a
certainty that it could not be changed - as I pointed out - administrative
level accounts can do just about anything) - the answer to your generic
question (barring any specifics you brave to put out such as the specific
patch(es) you believe do this, the specific product (text converter?)
installed or the location of the registry key/value that gets changed) is,
"No."

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Top