Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: blue2 on June 04, 2008, 12:38:29 AM

Title: Default Registry Keys for Avast
Post by: blue2 on June 04, 2008, 12:38:29 AM
As the previous thread became too long, I thought it best to start this. After several weeks and various suggestions, I've finally gotten Avast to work for a limited user account. But a few questions still remain.

By loading the local hive, HKCU, while running as the administrator, and navigating to the Avast\4.0 key, I was able to add the limited user account to permissions and grant it FULL CONTROL. (The limited user hive previously had only permissions for Admin, Restricted, System and S-1-5-21..., so that's why it could not run as a local user.) Then when I logged on as the limited user, Avast opened as it should and the CPU was no longer running at 100%. I ran a full scan and it completed. How the limited user key was written to the registry without limited user permission remains a mystery.

--> However, I'd still like to have the Avast team confirm that the limited user should have FULL CONTROL of that 4.0 Key under HKCU. I don't want to make an error and compromise the machine's security. Is there some further testing that should be done to be sure that it is working correctly/safely?

On this limited user hive, the branch goes Software\ALWIL Software\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, on the administrator hive, the branch ends at 4.0 WITHOUT these two sub-branches. What is also odd is that when I ran in safe mode, I seem to remember the Avast\4.0 branch under the HKCU key having THREE sub-branches (ahsLogV, ashSimp2 and ashUInt).
--> So, should there be 0, 2 or 3 sub-branches under the 4.0 key for admin and limited users? I'm not sure that logging of scan results is working.

On the administrator hive, in Software I saw Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but will not let me delete them. I don't think these had any effect on the issue, but it's odd that they are still there since I had used Add\Remove, the Norton Removal Tool and swept the registry for Norton\Symantec\NAV.
--> Is there some other procedure to delete these keys that won't permit deletion? I tried creating a NEW admin account, granting it permission to the original admin account, loading the original hive under this NEW admin acct to delete these original admin's keys, but it still would not work.

Thanks.
Title: Re: Default Registry Keys for Avast
Post by: igor on June 05, 2008, 10:20:24 AM
--> However, I'd still like to have the Avast team confirm that the limited user should have FULL CONTROL of that 4.0 Key under HKCU. I don't want to make an error and compromise the machine's security. Is there some further testing that should be done to be sure that it is working correctly/safely?

I think that any user should have full control for the whole HKCU hive (I mean, the hive mapped as HKCU when the particular user is logged on).

On this limited user hive, the branch goes Software\ALWIL Software\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, on the administrator hive, the branch ends at 4.0 WITHOUT these two sub-branches. What is also odd is that when I ran in safe mode, I seem to remember the Avast\4.0 branch under the HKCU key having THREE sub-branches (ahsLogV, ashSimp2 and ashUInt).
--> So, should there be 0, 2 or 3 sub-branches under the 4.0 key for admin and limited users? I'm not sure that logging of scan results is working.

The data stored in HKCU\Software\ALWIL Software\Avast\4.0 are mostly GUI stuff - settings for the particular executables, positions of toolbars, windows, etc. So, some of them are created only on-demand (when you run the particular executable, or change some setting). So, it's normal that some subkeys may be present/missing, compared to different users.

On the administrator hive, in Software I saw Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but will not let me delete them. I don't think these had any effect on the issue, but it's odd that they are still there since I had used Add\Remove, the Norton Removal Tool and swept the registry for Norton\Symantec\NAV.

What does the error message say? (when you try to delete them)
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 05, 2008, 02:31:28 PM
On the administrator hive, in Software
Is there some other procedure to delete these keys that won't permit deletion?
Are you sure you're not referring to Legacy keys?
Which are the full path of these keys?
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 05, 2008, 06:50:10 PM
The Symantec keys were in HKCU\Software\Symantec and HKCU\Software\Software\Symantec. They both gave "access denied" messages, even when in Safe Mode in the administrator profile, though the administrator had full permissions.

Even running the Norton Remove tool in Safe Mode had no effect on the keys. The reason, I believe, is that they both had sub-branches, to Common, Systemworks, and Norton Utilities, and those sub-branches were corrupted. I was unable to even see the values.

In the end, I ran SubInACL, a tool in the Windows Resource Kit to reset file and registry ACLs caused by incorrect access control list (ACL) permissions on some registry hives. I followed the instructions indicated here (http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx) to create the following reset command that I then ran from a command prompt:

cd /d "%programfiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=%USERNAME%=f /setowner=administrators
subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=%USERNAME%=f /setowner=administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators
subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators
subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f /grant=users=e
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f /grant=users=e

And it then allowed me to delete these keys as administrator. Then I re-ran the Norton Removal tool from Safe Mode just to be sure.

Although changing the permissions on the local hive while running as administrator fixed Avast to run as a limited user, I'm still tempted to uninstall Avast (from Safe Mode with self-protection turned off), rebooting, using the Remove Tool, rebooting, and re-installing again to see if it then installs correctly without my having to make any changes. That would confirm that it was a registry issue that prevented the proper install.

You may want to note these steps in case someone else has Avast install problems due to a permission issue. From what I read on the SubInACL thread, denied permission is not that uncommon and often prevents software from installing properly.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 05, 2008, 10:19:35 PM
I'm still tempted to uninstall Avast (from Safe Mode with self-protection turned off), rebooting, using the Remove Tool, rebooting, and re-installing again to see if it then installs correctly without my having to make any changes. That would confirm that it was a registry issue that prevented the proper install.
Indeed it won't be a bad idea...
Thanks for posting back the solution.
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 02:53:46 AM
The test was successful. Once the incorrect ACL permissions had been corrected, the re-install of Avast worked for the limited user without the previous needed modification of the registry. So it appears that the incorrect permissions were likely the cause of the Avast installation issue.

The only thing I can't figure out is if reports can be generated when a few files/folders are scanned or only when the entire system is scanned? It seems that a number of files are reported as skipped, and although I checked this to be reported in the notification area, no report was generated when just these folders were re-scanned.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 03:02:21 AM
The only thing I can't figure out is if reports can be generated when a few files/folder are scanned or only when the entire system is scanned?
Using the interface, each scanning has a report (independent of file number).

It seems that a number of files are reported as skipped, and although I checked this to be reported in the notification area, no report was generated when just these folders were re-scanned.
Which are your report settings?
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 03:18:03 AM
I'm not in front of the machine, but as I remember I had it set up to report hard & soft errors, skipped files, etc. I can click to see the results of the last scan, but as I normally won't be in front of this machine, I had hoped to set it up to generate txt file reports that could be forwarded on to me for review at a distance to determine if actions needed to be taken.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 03:28:59 AM
I'm not in front of the machine, but as I remember I had it set up to report hard & soft errors, skipped files, etc. I can click to see the results of the last scan, but as I normally won't be in front of this machine, I had hoped to set it up to generate txt file reports that could be forwarded on to me for review at a distance to determine if actions needed to be taken.
The report is kept only if the interface is loaded, i.e., the Home version keeps only the last report generated. The Pro version allows you to keep any reports (called Sessions) you want.
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 03:39:51 AM
The report is kept only if the interface is loaded
That's what I don't understand. Then why ask in the configuration of settings to specify a custom location to store the report rather than the default?
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 03:49:49 AM
The report is kept only if the interface is loaded
That's what I don't understand. Then why ask in the configuration of settings to specify a custom location to store the report rather than the default?
Why not? The user could want to save the last report in another folder than the default. The user can also append the report or overwrite the existing one. To use the report (i.e., make actions with the detected file), you need to have the interface opened and to have just finished the scan. But you can keep the old reports (although you can 'work' with them).
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 04:09:29 AM
Sorry, I think we're not understanding each other. With the interface open, no report gets saved. And my point was, if no report is savable in the Home version, then why ask me to choose a location to save the report? Am I missing something?
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 04:12:31 AM
Sorry, I think we're not understanding each other. With the interface open, no report gets saved. And my point was, if no report is savable in the Home version, then why ask me to choose a location to save the report? Am I missing something?
The reports are savable, just you can't work with them.
Sorry, maybe I'm messing something up, as it's been a long time that I've used the Pro version...
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 04:18:05 AM
I'm only trying to save them as txt files, not work with them as files with active links. Since it lets me choose a location, I would think this should be possible.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 04:28:53 AM
I'm only trying to save them as txt files, not work with them as files with active links. Since it lets me choose a location, I would think this should be possible.
Go ahead, can you test and post back?
Title: Re: Default Registry Keys for Avast
Post by: alanrf on June 06, 2008, 04:48:44 AM
Maybe I am missing something but I am always a bit puzzled by this "I cannot see the results of my last scan in the Home edition".

I have the results of every single scan I have ever run with avast Home edition on this system as a (very long) text file in the Reports folder of avast telling me the start and end date/time of each scan and the problems (like folders that could not be scanned etc). 

Just by setting the Report options in the avast program settings you can have huge amounts of data from the scans or just the important stuff.

So, I see no reason why blue2 should not be able to do this too.

If you select a custom folder for the file it can even fall outside the barbed wire of the avast self protection feature.
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 09:29:21 AM
So, I see no reason why blue2 should not be able to do this too.


Nor do I. I could not imagine that the report location would be customizable IF this feature did not work in the Home version. Of course I tested it (several times) and it did not work. If an AV scanner skips certain files, you'd like to know which ones they are to verify if they are expected types in expected locations (e.g. archive or password protected files) or system files which would cause concern.

Since the registry permissions were all cleaned up, and the program was uninstalled and re-installed carefully, just to be safe, I can't see why reports would not be created.

Is this controlled by a registry key value or is there some other way to check this?

Thanks.
Title: Re: Default Registry Keys for Avast
Post by: igor on June 06, 2008, 02:26:48 PM
What exactly did you enter as the custom location?
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 04:29:23 PM
I just browse to a pre-defined folder in the root directory. Why would the location matter (as long as it's on the principal master drive)?
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 04:50:01 PM
I just browse to a pre-defined folder in the root directory. Why would the location matter (as long as it's on the principal master drive)?
Can't you write down the full path of this folder here?
The problem could be non-ASCII characters in it, or the missing ""...
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 05:00:47 PM
Yes, it's:

c:\downloads

As you can see, it should not be the source of the problem, as the name contains no spaces, and is in root.

I could always try the default as a test, but I'd be surprised if it worked.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 05:15:19 PM
Hmmm... it's beyond my knowledge... hope Igor helps troubleshooting this.
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 06, 2008, 05:28:50 PM
Never mind.

In all the excitement over solving the registry permissions issue, I never checked how I set up the folder. Of course it was during the re-install... as administrator, thereby forgetting to grant local user permissions to write to it. How ironic!

Everything is working. Igor can dedicate his time to someone else. Thank you.
Title: Re: Default Registry Keys for Avast
Post by: Lisandro on June 06, 2008, 09:49:29 PM
Oh... I'm just thinking if avast self-defense module has anything related to this...
Maybe the reports can't be moved anymore... But, as you're saying they're working...
Title: Re: Default Registry Keys for Avast
Post by: blue2 on June 07, 2008, 11:52:59 AM
No, self-defense apparently did not create an issue.

However, the coding on Avast should probably be changed. If the user selects a folder that he doesn't have permission to write to, Avast won't create the report BUT won't display a message that the report could not be written. In my mind, that should be fixed, because the user should be alerted when anything they've chosen cannot be done.
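
Added example (not part of the thread and not Avast code): a PowerShell check, run as the limited user, that covers both failures diagnosed above, namely HKCU subkeys the user cannot open for writing and a report folder the user cannot write to. The function names are hypothetical; the key path and folder are the ones quoted in the posts.

```powershell
# Run in a non-elevated session of the limited user. Makes no permanent changes:
# the registry part only opens keys, the folder part writes and deletes one probe file.

function Find-UnwritableHkcuKey {
    param([string]$SubKey)   # path relative to HKCU
    try {
        # $true requests write access; a restrictive ACL raises SecurityException
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
    } catch [System.Security.SecurityException] {
        $SubKey              # emit the denied path; its children cannot be inspected
        return
    }
    if ($null -eq $key) { return }   # key absent (some subkeys are created on demand)
    try {
        foreach ($name in $key.GetSubKeyNames()) {
            Find-UnwritableHkcuKey -SubKey "$SubKey\$name"
        }
    } finally {
        $key.Close()
    }
}

function Test-FolderWritable {
    param([string]$Folder)
    $probe = Join-Path $Folder ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        # Throws UnauthorizedAccessException without write permission,
        # DirectoryNotFoundException if the folder does not exist
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$avastKey     = 'Software\ALWIL Software\Avast\4.0'   # key discussed in the thread
$reportFolder = 'C:\downloads'                         # custom report folder from the thread

$denied = @(Find-UnwritableHkcuKey -SubKey $avastKey)
if ($denied.Count -gt 0) {
    Write-Output "HKCU keys not writable by $env:USERNAME :"
    $denied | ForEach-Object { Write-Output "  HKCU\$_" }
} else {
    Write-Output "All existing keys under HKCU\$avastKey are writable by $env:USERNAME."
}

if (Test-FolderWritable -Folder $reportFolder) {
    Write-Output "$reportFolder is writable by $env:USERNAME."
} else {
    Write-Output "$reportFolder is NOT writable by $env:USERNAME; reports saved there would fail."
}
```

Running this before a blanket ACL reset shows which specific keys or folders are affected, so permissions can be corrected only where they are wrong.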