What permissions/rights are needed to run regsvr32 /s /c "myocx.ocx"

Question

I have a WindowsXP configured as a build machine. The build process runs under an account which isn't an administrator.

Some projects register as a last step an ocx control with something like

regsvr32 /s /c ".\debug\myocx.ocx"

This step fails and I assume that this has something to do with rights because doing the same under an admin account works fine.

What rights/permissions/policies do I need to give the build account and where do I do it? (Browsing Local Users and Groups and Local Security Settings haven't helped me)

score 12 · Accepted Answer · answered Feb 20 '09 at 12:30

12

Via regedit you need to give the build account rights on "HKEY_CLASSES_ROOT.

Right-click on HKEY_CLASSES_ROOT and choose Permissions...Full Control.

answered Feb 20 '09 at 12:30

Christian Rodemeyer

1,972
1
17
21

1

You just saved my build machine scripts ! Thanks. (I have an old COM object that I register (then build the dotnet code) the unregister. – granadaCoder Jan 16 '13 at 22:59
Back up your system first. Not sure why but after granting full control on HKEY_CLASSES_ROOT to the Network Service account my windows 2008 R2 server became utterly corrupted and unusable. – GeorgeBarker Jun 13 '14 at 17:57
This fixed my problem registering an OCX from finalbuilder. registering on elevated command line was fine, but from finalbuilder (as administrator) failed. Chaning the permissions in the registry did the triick. – H.Hasenack Aug 28 '18 at 15:46

score 1 · Answer 2 · answered Feb 20 '09 at 12:07

Registering an OCX comes down to writing entries in the registry under HKLM. Non-admin accounts by default don't have rights there, and I'm not too sure your build account should (installation of debugging OCX's is still "installation" (v.s. building) in my book).

score 0 · Answer 3 · answered Jan 24 '20 at 20:01

PowerShell Script to apply permissions for regsvr32 without being an Admin

Whilst it's possible to just grant full control of the HKCR key, that might result in granting more access than necessary. While researching how to do this, at one point I ended up hosing the permissions on HKCR, resulting in the need to reimage my machine. In order to come up with this script, I used the procmon tool, and filtered for registry permissions denied, then granted them in the script.

The following PowerShell script creates (non-inherited) permissions on just those keys that I've determined necessary for registration of DLLs (and thus OCXs). This allows a single account (in this case, a build server code builder account) to be granted access to register DLLs without being an administrator. Replace the first variable - $buildAcctUserName - with the account to use when setting rules.

$buildAcctUserName = "AzureDevOpsBuilder"

# Create Rule for full control of keys that need to be added to/updated/deleted from
$user = New-Object System.Security.Principal.NTAccount("$($env:COMPUTERNAME)\$buildAcctUserName")
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
  $user, 
  [System.Security.AccessControl.RegistryRights]"FullControl", 
  [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",  <# ContainerInherit / None / ObjectInherit #>
  [System.Security.AccessControl.PropagationFlags]::None, 
  [System.Security.AccessControl.AccessControlType]::Allow)

# Grant access to HKCR
$regHKCRHive=[Microsoft.Win32.RegistryHive]::ClassesRoot;
$regHKCRBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKCRHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKCRBaseKey.OpenSubKey("", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKLM\Software
$regHKLMHive=[Microsoft.Win32.RegistryHive]::LocalMachine
$regHKLMBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKLMHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKLM\Software\Wow6432Node
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE\Wow6432Node", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKCR\Wow6432Node\CLSID
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\CLSID", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKCR\TypeLib
$regkey=$regHKCRBaseKey.OpenSubKey("TypeLib", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKCR\Wow6432Node\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\Interface", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKCR\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Interface", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

# Grant access to HKCR\AppID
$regkey=$regHKCRBaseKey.OpenSubKey("AppID", $true) 
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)

score -1 · Answer 4 · answered Feb 20 '09 at 11:50

-1

Please check for error messages of regsvr32 as given in

http://support.microsoft.com/kb/249873

and also I am not sure about /c switch..

Hope this may help.

answered Feb 20 '09 at 11:50

lakshmanaraj

4,102
20
12

What permissions/rights are needed to run regsvr32 /s /c "myocx.ocx"

4 Answers4

PowerShell Script to apply permissions for regsvr32 without being an Admin