Author Topic: Default Registry Keys for Avast  (Read 10219 times)


blue2

  • Guest
Default Registry Keys for Avast
« on: June 04, 2008, 12:38:29 AM »
As the previous thread became too long, I thought it best to start this. After several weeks and various suggestions, I've finally gotten Avast to work for a limited user account. But a few questions still remain.

By loading the local hive, HKCU, while running as the administrator, and navigating to the Avast\4.0 key, I was able to add the limited user account to permissions and grant it FULL CONTROL. (The limited user hive previously had only permissions for Admin, Restricted, System and S-1-5-21..., so that's why it could not run as a local user.) Then when I logged on as the limited user, Avast opened as it should and the CPU was no longer running at 100%. I ran a full scan and it completed. How the limited user key was written to the registry without limited user permission remains a mystery.

--> However, I'd still like to have the Avast team confirm that the limited user should have FULL CONTROL of that 4.0 Key under HKCU. I don't want to make an error and compromise the machine's security. Is there some further testing that should be done to be sure that it is working correctly/safely?

On this limited user hive, the branch goes Software\ALWIL Software\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, on the administrator hive, the branch ends at 4.0 WITHOUT these two sub-branches. What is also odd is that when I ran in safe mode, I seem to remember the Avast\4.0 branch under the HKCU key having THREE sub-branches (ahsLogV, ashSimp2 and ashUInt).
--> So, should there be 0, 2 or 3 sub-branches under the 4.0 key for admin and limited users? I'm not sure that logging of scan results is working.

On the administrator hive, in Software I saw Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but will not let me delete them. I don't think these had any effect on the issue, but it's odd that they are still there since I had used Add\Remove, the Norton Removal Tool and swept the registry for Norton\Symantec\NAV.
--> Is there some other procedure to delete these keys that won't permit deletion? I tried creating a NEW admin account, granting it permission to the original admin account, loading the original hive under this NEW admin acct to delete these original admin's keys, but it still would not work.

Thanks.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Default Registry Keys for Avast
« Reply #1 on: June 05, 2008, 10:20:24 AM »
--> However, I'd still like to have the Avast team confirm that the limited user should have FULL CONTROL of that 4.0 Key under HKCU. I don't want to make an error and compromise the machine's security. Is there some further testing that should be done to be sure that it is working correctly/safely?

I think that any user should have full control for the whole HKCU hive (I mean, the hive mapped as HKCU when the particular user is logged on).

On this limited user hive, the branch goes Software\ALWIL Software\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, on the administrator hive, the branch ends at 4.0 WITHOUT these two sub-branches. What is also odd is that when I ran in safe mode, I seem to remember the Avast\4.0 branch under the HKCU key having THREE sub-branches (ahsLogV, ashSimp2 and ashUInt).
--> So, should there be 0, 2 or 3 sub-branches under the 4.0 key for admin and limited users? I'm not sure that logging of scan results is working.

The data stored in HKCU\Software\ALWIL Software\Avast\4.0 are mostly GUI stuff - settings for the particular executables, positions of toolbars, windows, etc. So, some of them are created only on-demand (when you run the particular executable, or change some setting). So, it's normal that some subkeys may be present/missing, compared to different users.

On the administrator hive, in Software I saw Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but will not let me delete them. I don't think these had any effect on the issue, but it's odd that they are still there since I had used Add\Remove, the Norton Removal Tool and swept the registry for Norton\Symantec\NAV.

What does the error message say? (when you try to delete them)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #2 on: June 05, 2008, 02:31:28 PM »
On the administrator hive, in Software
Is there some other procedure to delete these keys that won't permit deletion?
Are you sure you're not referring to Legacy keys?
What is the full path of these keys?
The best things in life are free.

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #3 on: June 05, 2008, 06:50:10 PM »
The Symantec keys were in HKCU\Software\Symantec and HKCU\Software\Software\Symantec. They both gave "access denied" messages, even when in Safe Mode in the administrator profile, though the administrator had full permissions.

Even running the Norton Remove tool in Safe Mode had no effect on the keys. The reason I believe is because they both had sub-branches, to Common, Systemworks, and Norton Utilities, and those sub-branches were corrupted. I was unable to even see the values.

In the end, I ran SubInACL, a tool in the Windows Resource Kit to reset file and registry ACLs caused by incorrect access control list (ACL) permissions on some registry hives. I followed the instructions indicated here (http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx) to create the following reset command that I then ran from a command prompt:

cd /d "%programfiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=%USERNAME%=f /setowner=administrators
subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=%USERNAME%=f /setowner=administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators
subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators
subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f /grant=users=e
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f /grant=users=e

And it then allowed me to delete these keys as administrator. Then I re-ran the Norton Removal tool from Safe Mode just to be sure.

Although changing the permissions on the local hive while running as administrator fixed Avast to run as a limited user, I'm still tempted to uninstall Avast (from Safe Mode with self-protection turned off), rebooting, using the Remove Tool, rebooting, and re-installing again to see if it then installs correctly without my having to make any changes. That would confirm that it was a registry issue that prevented the proper install.

You may want to note these steps in case someone else has Avast install problems due to a permission issue. From what I read on the SubInACL thread, denied permission is not that uncommon and often prevents software from installing properly.
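
A read-only check for the condition described in the post above (a per-user key whose ACL carries no entry for the logged-on user), as an added PowerShell example that is not part of the original thread. The default path is the Avast key named earlier in the thread, and the function name Test-KeyFullControl is hypothetical; run it while logged on as the affected limited user.

```powershell
# Added example: list keys under a HKCU subtree where the logged-on user has
# no Allow ACE for FullControl. Read-only; it changes no permissions.
param(
    # Assumed default: the per-user Avast key named in this thread.
    [string]$Root = 'HKCU:\Software\ALWIL Software\Avast\4.0'
)

# SIDs carried by the current token: the user plus its groups.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$full        = [System.Security.AccessControl.RegistryRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-KeyFullControl {   # hypothetical helper name
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # An unreadable ACL is itself a finding (the "access denied" case).
        return [pscustomobject]@{ Key = $Path; Owner = '?'; Status = "UNREADABLE: $($_.Exception.Message)" }
    }
    # Resolve ACEs to SIDs so renamed or localised account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Keep ACEs that name one of our SIDs and apply to this key itself.
    $mine = @($rules | Where-Object {
        ($mySids -contains $_.IdentityReference.Value) -and
        (($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly)
    })
    $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $full) -eq $full })
    $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
    $status = if ($deny.Count -gt 0)      { 'Deny ACE present' }
              elseif ($allow.Count -gt 0) { 'OK' }
              else                        { 'no FullControl ACE for current user' }
    [pscustomobject]@{ Key = $Path; Owner = $acl.Owner; Status = $status }
}

# Check the root key and every subkey that can be enumerated.
$keys = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSPath })
$keys | ForEach-Object { Test-KeyFullControl -Path $_ } |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize -Wrap
```

The script inspects ACEs rather than computing effective access, so treat any row it prints as a key to examine in regedit's Permissions dialog before changing anything.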

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #4 on: June 05, 2008, 10:19:35 PM »
I'm still tempted to uninstall Avast (from Safe Mode with self-protection turned off), rebooting, using the Remove Tool, rebooting, and re-installing again to see if it then installs correctly without my having to make any changes. That would confirm that it was a registry issue that prevented the proper install.
Indeed it won't be a bad idea...
Thanks for posting back the solution.

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #5 on: June 06, 2008, 02:53:46 AM »
The test was successful. Once the incorrect ACL permissions had been corrected, the re-install of Avast worked for the limited user without the previous needed modification of the registry. So it appears that the incorrect permissions were likely the cause of the Avast installation issue.

The only thing I can't figure out is if reports can be generated when a few files/folders are scanned or only when the entire system is scanned? It seems that a number of files are reported as skipped, and although I checked this to be reported in the notification area, no report was generated when just these folders were re-scanned.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #6 on: June 06, 2008, 03:02:21 AM »
The only thing I can't figure out is if reports can be generated when a few files/folder are scanned or only when the entire system is scanned?
Using the interface, each scan has a report (independent of the number of files).

It seems that a number of files are reported as skipped, and although I checked this to be reported in the notification area, no report was generated when just these folders were re-scanned.
Which are your report settings?

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #7 on: June 06, 2008, 03:18:03 AM »
I'm not in front of the machine, but as I remember I had it set up to report hard & soft errors, skipped files, etc. I can click to see the results of the last scan, but as I normally won't be in front of this machine, I had hoped to set it up to generate txt file reports that could be forwarded on to me for review at a distance to determine if actions needed to be taken.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #8 on: June 06, 2008, 03:28:59 AM »
I'm not in front of the machine, but as I remember I had it set up to report hard & soft errors, skipped files, etc. I can click to see the results of the last scan, but as I normally won't be in front of this machine, I had hoped to set it up to generate txt file reports that could be forwarded on to me for review at a distance to determine if actions needed to be taken.
The report is kept only if the interface is loaded, i.e., the Home version keeps only the last report generated. The Pro version allows you to keep any reports (called Sessions) you want.

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #9 on: June 06, 2008, 03:39:51 AM »
The report is kept only if the interface is loaded
That's what I don't understand. Then why ask in the configuration of settings to specify a custom location to store the report rather than the default?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #10 on: June 06, 2008, 03:49:49 AM »
The report is kept only if the interface is loaded
That's what I don't understand. Then why ask in the configuration of settings to specify a custom location to store the report rather than the default?
Why not? The user could want to save the last report in a folder other than the default. The user can also append to the report or overwrite the existing one. To use the report (i.e., take actions with the detected file), you need to have the interface open and to have just finished the scan. But you can keep the old reports (although you can 'work' with them).

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #11 on: June 06, 2008, 04:09:29 AM »
Sorry, I think we're not understanding each other. With the interface open, no report gets saved. And my point was, if no report is savable in the Home version, then why ask me to choose a location to save the report. Am I missing something?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #12 on: June 06, 2008, 04:12:31 AM »
Sorry, I think we're not understanding each other. With the interface open, no report gets saved. And my point was, if no report is savable in the Home version, then why ask me to choose a location to save the report. Am I missing something?
The reports are savable, just you can't work with them.
Sorry, maybe I'm messing something up, as I have been using the Pro version for a long time...

blue2

  • Guest
Re: Default Registry Keys for Avast
« Reply #13 on: June 06, 2008, 04:18:05 AM »
I'm only trying to save them as txt files, not work with them as files with active links. Since it lets me choose a location, I would think this should be possible.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Default Registry Keys for Avast
« Reply #14 on: June 06, 2008, 04:28:53 AM »
I'm only trying to save them as txt files, not work with them as files with active links. Since it lets me choose a location, I would think this should be possible.
Go ahead, can you test and post back?