Security FAQ for the Windows Registry

Copyright © 2001-2006 Frank Heyne - All rights reserved.

If you want to put this page on your own web server, please don't; link to http://www.heysoft.de/en/information/registry-security.php instead. The reason is simple: we don't want old copies with old versions of the FAQ lying around on the web.

This page was last updated on 29. May 2006.


1. How can I set permissions for a Registry value instead of a Registry key? 03. January 2001

Look at all the values belonging to a Registry key the way you look at the content of a file: while you can assign permissions to the file, you cannot set permissions on parts of its content. When, for instance, someone can open the file with read access, he can view the entire content of the file. By analogy, when someone can open a Registry key with read access, he can always read all values of this key.

2. How can I scan the Registry to get a list of all keys a user or group has, for instance, Write access to? 03. January 2001

The registered version of RegDACL allows you to search an entire Registry subtree for specified permissions. You can even search for effective permissions. For instance, when you search for ACLs containing "Interactive", there might be no matching entry, but this group might nevertheless have some access if Everyone has access. Searching for effective permissions for Interactive will show you the access Interactive really has in this case.

3. I have no idea which accounts those groups contain: Service, Batch, Network, Interactive, Local 03. January 2001

You cannot add a user account to such a group permanently. Membership in such a group is acquired temporarily by the user during a certain kind of logon. It is valid only for this logon session and lasts only until this session is finished. A user can be logged on in different kinds of logon sessions on the same machine at the same time. Thus, different programs running under the same account in different logon sessions might have different permissions, because their logons forced temporary memberships in different groups.

  • A logon session of a service belongs to the predefined groups Service and Local for all processes running in this session.
  • A program that was started by the task scheduler belongs to the predefined groups Batch and Local for all processes it starts.
  • An account that is logged on locally belongs to the predefined groups Interactive and Local for all processes running in this session.
  • An account that is logged on remotely belongs to the predefined group Network for all processes running in this session.
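The following PowerShell script is an added example and not part of the FAQ or of RegTools. It shows two things the answer above talks about: which of the logon-type groups the current access token carries (run it interactively, then from a scheduled task or a service under the same account, and compare), and which entries on a given key are granted to such groups. The key path 'HKLM:\SOFTWARE' is only a sample; the SIDs are the documented well-known values for these groups.

```powershell
# Added example, not part of the FAQ: show which logon-type groups the
# current token carries, and which ACEs on a given key name such a group.
# Assumes Windows PowerShell and a caller who may read the key's ACL.

# Well-known SIDs of the logon-type groups (documented values).
$LogonGroupSids = @{
    'S-1-2-0' = 'LOCAL'
    'S-1-5-2' = 'NETWORK'
    'S-1-5-3' = 'BATCH'
    'S-1-5-4' = 'INTERACTIVE'
    'S-1-5-6' = 'SERVICE'
}

function Get-LogonGroupMembership {
    # The group list in the access token is what an access check on a Registry
    # key consults; LSA adds these SIDs per logon, they are not stored with the account.
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $present = @{}
    foreach ($group in $token.Groups) {
        $name = $LogonGroupSids[$group.Value]
        if ($name) { $present[$name] = $true }
    }
    foreach ($name in ($LogonGroupSids.Values | Sort-Object)) {
        [pscustomobject]@{ Account = $token.Name; Group = $name; Member = [bool]$present[$name] }
    }
}

function Get-LogonGroupAces([string]$KeyPath) {
    # Lists explicit and inherited ACEs of one key (provider path such as
    # 'HKLM:\SOFTWARE') whose trustee is one of the logon-type groups.
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                       # trustee cannot be resolved; skip it
        if (-not $LogonGroupSids.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Group     = $LogonGroupSids[$sid]
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

Get-LogonGroupMembership | Format-Table -AutoSize
Get-LogonGroupAces 'HKLM:\SOFTWARE' | Format-Table -AutoSize   # sample key, pick your own
```

A run from the task scheduler should report BATCH where the interactive run reports INTERACTIVE; an ACE granted to one of these groups on a key is exactly what makes the same account see different permissions in the two sessions.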

4. Will RegDACL allow me to stop normal users from installing software on a Windows workstation? 03. January 2001

RegDACL allows you to tighten the security of your Registry settings, so normal users won't be able to successfully install software that needs to create new keys in the Registry. You also need to use a tool like cacls (part of Windows) to tighten the settings of your file system, so users can't install files under %systemroot% and other public folders.

5. Can you give an example of how I would use the /AQ command on a remote machine with RegTools? 03. January 2001

You need the registered version of RegTools to access network machines.

set computer=pc1
set acct_name=testuser
RegDACL \\%computer%\HKU\S-1-5-21-865348-386294-40770-1013 /GAQ%computer%\%acct_name%:F /Subtree

6. Are there known problems when setting Permissions of a remote Windows NT 4 machine with RegEdt32 on a W2K machine? 08. January 2001

It depends on your point of view. Microsoft considers it a feature; we prefer to call it an annoyance. On NT 4 there is no inheritance, so when you change the permissions of a key, the permissions of existing subkeys will not change unless you check "Replace permissions in existing subkeys".
When setting permissions of a remote NT 4 machine with RegEdt32 on a W2K machine, the result is unpredictable:

  • If the permissions for the key and a subkey differ, the new permissions will not inherit to the subkey.
  • If the permissions for the key and a subkey do not differ, the new permissions will inherit to the subkey, except:
      • If there is also an entry for Creator Owner, then the new permissions will not inherit to the subkey; or
      • If you (or somebody else) already changed the permissions of both (key and subkey) multiple times, then even if they are now exactly the same for key and subkey, sometimes the new permissions will not inherit to the subkey.

So in most cases you will not know what happens, and if you change the permissions of a key with a large subtree, you might end up with changed permissions in one part of the subtree and unchanged permissions in the other part of the subtree.

You can check how the permissions will inherit, though: you "only" need to check, for every subkey, whether "Allow inheritable permissions from parent to propagate to this object" is checked or not. Because NT 4 knows no inheritance, this flag is never set on any key on an NT 4 machine, but RegEdt32 for W2K sometimes thinks it should be set, and according to Microsoft:

> "This is expected behavior. When editing/viewing NT4 style security from
> Win2K we decide whether or not inheritance was intended using the
> existing security on the parent and the object. If all the inheritable
> aces from the parent exist on the object, we mark the inheritance checkbox."

They still have not answered my question why it does not work this way when Creator Owner is involved, by the way.
Of course, this is not only a problem with Registry permissions! The same happens when you change permissions of NT 4 directories with W2K Explorer!

7. Are there known problems when changing Audit settings of a remote NT 4 machine with RegEdt32 on a W2K machine? 08. January 2001

Oh yes. This issue is more serious than the problem above regarding the permissions. RegEdt32 for W2K knows nothing about the bugs in RegEdt32 for NT 4. After you have added an audit entry with RegEdt32 for W2K, RegEdt32 for NT 4 is unable to show any audit entry, even those entries it set itself. It deletes the entire SACL when you try to open it :-(
RegEdt32 for NT 4 also deletes audit settings on W2K machines, so you can't change audit settings of all machines in a mixed NT 4/5 environment with any version of RegEdt32!
The solution is to use RegAudit in mixed NT 4/5 environments, which first checks which version of Windows runs on the target machine and then decides what options are allowed and what bugs it needs to emulate.

8. You claim RegTools now can enumerate all keys. Is this true for all subkeys of hklm\security\Policy\Secrets\ on W2K as well? Even using the LocalSystem trick I could not open all subkeys there! 08. January 2001

You mean these keys, for instance?
hklm\security\Policy\Secrets\SAC
hklm\security\Policy\Secrets\SAC\CupdTime
hklm\security\Policy\Secrets\SAC\CurrVal
hklm\security\Policy\Secrets\SAC\OldVal
hklm\security\Policy\Secrets\SAC\OupdTime
hklm\security\Policy\Secrets\SAC\SecDesc
hklm\security\Policy\Secrets\SAI
hklm\security\Policy\Secrets\SAI\CupdTime
hklm\security\Policy\Secrets\SAI\CurrVal

The registered versions of RegTools know the tricks ;-))

9. But I can not open a subkey with a DENY ALL ACCESS entry for me, where I am NOT the owner, can I? 08. January 2001

Even the Freeware version of RegDACL knows the trick ;-)) But you need to be a member of the Administrators group! If RegDACL did not allow you to do such things, how would you repair weird security settings of keys which someone set abnormally?

10. What is the LocalSystem trick? 08. January 2001

Run the scheduler service under the Local System account, then type
at 12:00 /i regedt32
At noon, you will find an instance of RegEdt32 running as System. It will allow you to have a look, for instance, into hklm\security without changing any security settings.

11. When I use RegDACL to change security of a key like "hklm\software\Data Access Corporation", it just says "Can't open Registry key hklm\software\Data" 29. July 2002

Try:
regdacl "hklm\software\Data Access Corporation" /Sge:F
As with every other command which contains spaces in a parameter, you need to wrap the parameter in double quotes.

12. I can't figure out how to span a command over multiple lines 29. July 2002

Normally a command uses one line. If you span a command over multiple lines, you need to tell the system that the command continues on the next line. You do this by appending a "^" as the last character of the line and by starting the following line with a space:

RegDACL hklm\software /qgu:r ^
  && echo Every user can install software on this machine :-(^
  || echo Not every user can install software easily :-)

13. RegDACL does not work in a script. Is there a debug mode or a verbose mode that we could use to see any error? 29. July 2002

  • You can append a "/L" to the RegDACL command. This will list the ACLs of the key.
  • If you do not see any output, because you call the script in a batch job, you should append
      >> c:\result.txt 2>> c:\errors.txt
    This will send the output from stdout to c:\result.txt and the output from stderr to c:\errors.txt.
  • Remember: Always provide the full path in scripts!

14. What is the abbreviation for the group Power Users on a local machine? I tried to use the AL option but RegDACL always says there is no such local group. 29. July 2002

Power Users is not predefined in RegDACL.
You were on the right track: you need to use AL"Power Users", but this works only in the registered version of RegDACL.
Example:
regdacl hklm\software\test /sal"Power Users":f(ci)

15. I am wondering if there are any programs that work on a set of registry files (e.g. registry files copied from a compromised system to your computer for forensic analysis), rather than on a "live registry". 29. July 2002

RegEdt32 (from any Windows) will load Registry hives. Reg (from the ResKit) does the same.
Make sure to load the hive under a new key name!

When you copy a hive from another machine onto yours and load it into your Registry, nothing in this hive will change (until YOU change something, of course).
Because the Registry only knows the last write time, this time will not change in your hive until you write to it. RegLast, for instance, allows you to read the last write time.
Windows itself will not access the extra hive because it does not care about extra hives (unless you give it the name of an existing hive, which is not a good idea).

My concern is that once you boot up a compromised system and the registry is being loaded, some of the keys would already have been modified.
This is true. Maybe you can move the hard disk to another machine or create another installation of Windows in an empty partition on the compromised machine, to get access to the unmodified Registry hives.
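The following script is an added example; it is neither part of the FAQ nor RegLast's code. It does what the answer describes with tools that ship with Windows plus a small P/Invoke wrapper: it mounts a copied hive file under a key name that no live hive uses, reads the last write time of the keys through RegQueryInfoKey (the only timestamp the Registry keeps, as the answer says), and unmounts it again without writing anything. The evidence path is a placeholder; it assumes Windows PowerShell 5.1 (so RegistryKey.Handle exists and Add-Type compiles against the .NET Framework) and an elevated shell, because reg load needs backup/restore privilege.

```powershell
# Added example, not from the FAQ and not RegLast code: read last write
# times of keys in a copied hive without touching the live Registry.
# Assumes Windows PowerShell 5.1 and an elevated shell.
$ErrorActionPreference = 'Stop'

if (-not ('RegLastWrite' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

public static class RegLastWrite
{
    // Only the last parameter is of interest here; FILETIME is taken as a 64-bit value.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKey(SafeRegistryHandle hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
        out uint values, out uint maxValueNameLen, out uint maxValueLen,
        out uint securityDescriptorLen, out long lastWriteTime);

    public static DateTime GetUtc(RegistryKey key)
    {
        uint a, b, c, d, e, f, g; long fileTime;
        int rc = RegQueryInfoKey(key.Handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                                 out a, out b, out c, out d, out e, out f, out g, out fileTime);
        if (rc != 0) throw new System.ComponentModel.Win32Exception(rc);
        return DateTime.FromFileTimeUtc(fileTime);
    }
}
'@
}

function Get-KeyLastWriteTimes([Microsoft.Win32.RegistryKey]$Key, [string]$Path, [int]$Depth) {
    # Emits one record per key; a read-only open never changes the last write time.
    [pscustomobject]@{ Key = $Path; LastWriteUtc = [RegLastWrite]::GetUtc($Key) }
    if ($Depth -le 0) { return }
    foreach ($name in $Key.GetSubKeyNames()) {
        try {
            $sub = $Key.OpenSubKey($name)
        } catch {
            Write-Warning "Cannot open $Path\$name : $_"
            continue
        }
        if ($null -eq $sub) { continue }
        try { Get-KeyLastWriteTimes $sub "$Path\$name" ($Depth - 1) } finally { $sub.Close() }
    }
}

function Get-HiveLastWriteTimes {
    param(
        [Parameter(Mandatory)] [string]$HiveFile,   # working copy of the hive file (placeholder path below)
        [string]$MountName = 'ForensicCopy',        # must not be the name of a live hive
        [int]$MaxDepth = 1
    )
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    $root = $null
    try {
        $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($MountName)
        Get-KeyLastWriteTimes $root "HKLM\$MountName" $MaxDepth
    } finally {
        if ($root) { $root.Close() }
        # Every handle into the mounted hive must be closed, or the unload fails.
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE" }
    }
}

# Placeholder evidence path; point it at a copy of e.g. the SOFTWARE hive.
Get-HiveLastWriteTimes -HiveFile 'D:\evidence\SOFTWARE' -MaxDepth 1 |
    Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Load a working copy rather than the original file: mounting a hive can update its header and transaction log, so the untouched original stays your reference. Sorting by LastWriteUtc surfaces the keys that changed last, which is usually where a timeline starts.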

16. I want to type in a command to act on a registry key HKLM\Software\XXX and propagate Users and Everyone down all keys from XXX 29. July 2002

The correct syntax depends on the version of Windows. For instance, to give Users Read+Write and Everyone Read access, you do the following:

On NT4:
RegDACL HKLM\Software\XXX /ggu:RW /gge:R -subtree

On NT5.x:
RegDACL HKLM\Software\XXX /pc
RegDACL HKLM\Software\XXX /ggu:RW /gge:R
RegDACL HKLM\Software\XXX /propagate

You could merge the first two lines; I only separated them for clarity.
The first command cuts inheritance from parent keys.
The second command sets the permissions you want.
The third command just propagates these settings to the entire subtree.
The reason the /Propagate switch needs to stand alone is that it is very powerful, and I was too anxious that someone could mix up its permissions in an unexpected way by using too many options in one call.
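As an added example (not from the FAQ and not RegTools code), here is the same three-step NT5.x procedure expressed with the .NET registry ACL classes, so that the meaning of each RegDACL switch can be seen in terms of the security descriptor: step 1 turns off inheritance on the key (keeping copies of the inherited entries, like the "Copy" choice in the Windows dialog), step 2 adds inheritable Allow entries for Users and Everyone, step 3 re-enables inheritance on every subkey so the new entries reach the whole subtree. The key name XXX is the question's placeholder; the script assumes Windows PowerShell 5.1 and an elevated caller, and it changes a live ACL.

```powershell
# Added example, not from the FAQ and not RegTools code: cut inheritance,
# set the entries, propagate, for HKLM\SOFTWARE\XXX (placeholder name).
# Assumes Windows PowerShell 5.1 and an administrator; changes a live ACL.
$ErrorActionPreference = 'Stop'

$RR         = [System.Security.AccessControl.RegistryRights]
$OpenRights = $RR::ReadKey -bor $RR::ChangePermissions   # read and rewrite the DACL
$PermCheck  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function New-InheritableAllowRule([string]$Sid, $Rights) {
    # ContainerInherit makes the entry flow to subkeys, like "(ci)" in the RegDACL examples.
    [System.Security.AccessControl.RegistryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($Sid),
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Reset-SubkeyInheritance([Microsoft.Win32.RegistryKey]$Parent, [string]$Path) {
    # Step 3: re-enable inheritance on every subkey so the new entries reach
    # the whole subtree. Explicit entries on subkeys are left in place.
    foreach ($name in $Parent.GetSubKeyNames()) {
        try {
            $sub = $Parent.OpenSubKey($name, $PermCheck, $OpenRights)
        } catch {
            Write-Warning "Cannot open $Path\$name for permission change: $_"
            continue
        }
        if ($null -eq $sub) { continue }
        try {
            $acl = $sub.GetAccessControl()
            $acl.SetAccessRuleProtection($false, $false)   # $false = inherit from parent again
            $sub.SetAccessControl($acl)
            Reset-SubkeyInheritance $sub "$Path\$name"
        } finally {
            $sub.Close()
        }
    }
}

function Set-SubtreePermissions([string]$SubKeyPath) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKeyPath, $PermCheck, $OpenRights)
    if ($null -eq $key) { throw "HKLM\$SubKeyPath does not exist" }
    try {
        $acl = $key.GetAccessControl()
        # Step 1 (RegDACL /pc): cut inheritance from parent keys; the second $true
        # keeps copies of the inherited entries as explicit ones.
        $acl.SetAccessRuleProtection($true, $true)
        # Step 2 (/ggu:RW /gge:R): Users (S-1-5-32-545) Read+Write, Everyone (S-1-1-0) Read.
        $acl.AddAccessRule((New-InheritableAllowRule 'S-1-5-32-545' ($RR::ReadKey -bor $RR::WriteKey)))
        $acl.AddAccessRule((New-InheritableAllowRule 'S-1-1-0' $RR::ReadKey))
        $key.SetAccessControl($acl)
        # Step 3 (/propagate).
        Reset-SubkeyInheritance $key "HKLM\$SubKeyPath"
    } finally {
        $key.Close()
    }
}

Set-SubtreePermissions 'SOFTWARE\XXX'
```

Step 1 is done with a copy of the inherited entries on purpose: cutting inheritance without copying would leave the key with only the two new entries, which is a different (and usually unintended) result. Any subkey the caller cannot open is reported with a warning and skipped, so the script never silently leaves part of the subtree with old settings, which is the outcome the NT 4 answer above warns about.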

17. When using the windows 2000 regedt32 I can toggle the "Allow inheritable permissions parent to propagate to this object" on a remotely connected NT4 box. Can I toggle this with RegDACL? 29. July 2002

You can do it with RegDACL, but I strongly recommend against it! The reason is that RegEdt32 for NT4 does not know about inheritance and will therefore ignore this flag.
But when you have already touched the security permissions of the NT4 box with RegEdt32 for W2K, you could try to use RegDACL to clean up the mess RegEdt32 for W2K made.

18. What is HKEY_USERS\.DEFAULT good for? 29. July 2002

This is the profile used for the local SYSTEM account. All the services running under this account can use it. For example, you can change the Wallpaper of the Control-Alt-Del logon screen there.

19. Are there problems with auditing of the Registry root keys? 29. May 2006

On important machines it might be useful to know when someone wants to connect to the file system or Registry of the machine. Connecting to the Registry of a computer over the network always involves connecting to one of the root keys HKEY_LOCAL_MACHINE or HKEY_USERS first. So you could enable the security policy "Audit object access" and add an audit entry in the properties of both root keys.

The problem is: After you reboot the computer, it has lost its audit settings for both root keys of the Registry. This is a problem of all current versions of Windows.

Workaround: Put a RegAudit command for recreating the audit entries into the startup script of the machine.
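The following script is an added example and not RegAudit's or the FAQ's code; it is one way to implement the workaround with what ships in Windows. Run at startup (as a startup script or a boot-time scheduled task under SYSTEM), it checks whether each root key still carries an audit entry and puts one back if the reboot removed it. What it audits (Everyone, read access, success and failure, on the root key only and not inherited by subkeys) is this example's choice, not something the FAQ specifies. It assumes Windows PowerShell 5.1, an elevated caller (reading or writing a SACL needs the security privilege, which .NET enables for the call), and that "Audit object access" is turned on in the audit policy.

```powershell
# Added example, not from the FAQ and not RegAudit code: recreate the audit
# entry on HKEY_LOCAL_MACHINE and HKEY_USERS when it is missing.
# Assumes Windows PowerShell 5.1 and an elevated caller.
$ErrorActionPreference = 'Stop'

$EveryoneSid = 'S-1-1-0'
$RR          = [System.Security.AccessControl.RegistryRights]

function Test-RootKeyAuditEntry([Microsoft.Win32.RegistryKey]$Root) {
    # True when an explicit audit entry for Everyone covers at least read access.
    $sec   = $Root.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $rules = $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $EveryoneSid -and
            ($rule.RegistryRights -band $RR::ReadKey) -eq $RR::ReadKey) {
            return $true
        }
    }
    return $false
}

function Restore-RootKeyAuditEntry([Microsoft.Win32.RegistryKey]$Root, [string]$Label) {
    if (Test-RootKeyAuditEntry $Root) { return "$Label`: audit entry present" }
    $sec  = $Root.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($EveryoneSid),
        $RR::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::None,     # the root key itself only,
        [System.Security.AccessControl.PropagationFlags]::None,     # not every subkey below it
        ([System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure))
    $sec.AddAuditRule($rule)
    $Root.SetAccessControl($sec)
    return "$Label`: audit entry recreated"
}

Restore-RootKeyAuditEntry ([Microsoft.Win32.Registry]::LocalMachine) 'HKEY_LOCAL_MACHINE'
Restore-RootKeyAuditEntry ([Microsoft.Win32.Registry]::Users)        'HKEY_USERS'
```

Because the check runs before the write, running the script at every boot is idempotent: it reports "present" on machines that kept the entry and only touches the SACL on those that lost it. The resulting events land in the Security log as object-access audits for the root key, which is the remote-connection signal the answer is after.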